Privacy Policy
Last Updated: February 2025
1. Introduction
Gimble ("we," "our," or "the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our healthcare savings application.
Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Personal Information
When you create an account, we collect:
- Email address
- Name (optional)
2.2 Financial Information
When you connect your accounts through our integration partners, you authorize us to access certain financial information on your behalf, including:
- Credit card transaction history (via Plaid)
- Explanation of benefits reports (via Flexpa)
- HSA account information (via our HSA management partner)
2.3 Employment Information (Business Accounts)
For employers using Gimble to manage employee benefits:
- Employee census data (name, date of birth, zip code, dependents)
- Payroll integration data (via Finch)
2.4 Technical Information
We may automatically collect certain technical information, including:
- Browser type and version
- Device type
- IP address
- Pages visited and time spent on pages
- Error logs for troubleshooting
3. How We Use Your Information
We use the information we collect to:
- Identify and track your healthcare spending from credit card transactions
- Match transactions with explanation of benefits reports
- Manage and optimize your HSA investments
- Generate insurance quotes and benefit comparisons (for employers)
- Maintain and improve the Service
- Respond to your inquiries and provide customer support
- Monitor and analyze usage patterns
- Ensure the security of the Service
4. Data Storage and Retention
Gimble is designed with privacy in mind:
- Backend infrastructure: Your data is stored securely using Convex.dev as our backend platform with daily automated backups.
- Temporary session data: Authentication tokens are stored temporarily in encrypted sessions and are deleted when you log out or your session expires.
- Technical logs: We retain technical logs for up to 90 days for security and troubleshooting purposes.
- Financial and healthcare data: We retain transaction, receipt, and prescription data for up to 7 years to support tax compliance and future HSA withdrawals.
- User-initiated deletion: You can delete your data at any time from within the app. Upon deletion, all your records are permanently removed from our systems.
5. Third-Party Integrations
Gimble integrates with the following third-party services to provide our functionality:
- Plaid: We use Plaid to securely access your credit card transaction history. Plaid's use of your data is governed by their privacy policy.
- Flexpa: We use Flexpa to access your explanation of benefits reports from your insurance provider. Flexpa's use of your data is governed by their privacy policy.
- Finch: For employer accounts, we use Finch to sync employee data from payroll systems. Finch's use of your data is governed by their privacy policy.
- HSA Management Partner: We partner with an HSA custodian to manage your health savings account and investments.
- Clerk: We use Clerk for authentication services. Clerk's use of your data is governed by their privacy policy.
6. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share information only in the following circumstances:
- With your consent: When you explicitly authorize us to share information.
- Service providers: With trusted third-party service providers who assist in operating our Service, subject to confidentiality agreements.
- Legal requirements: When required by law, court order, or governmental authority.
- Safety: To protect the rights, property, or safety of Gimble, our users, or others.
7. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- TLS/SSL encryption for all data in transit
- Encryption at rest for stored data
- Secure authentication through OAuth 2.0
- Regular security assessments
- Access controls and authentication requirements
- Secure session management
- Hosting on Vercel with enterprise-grade security
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
8. Your Rights and Choices
You have the following rights regarding your information:
- Access: You can view your financial and healthcare spending information through the Service.
- Disconnect accounts: You can disconnect your linked accounts at any time through the Service settings or through Plaid and Flexpa directly.
- Delete your data: You can delete all your data from within the app at any time.
- Logout: You can end your session at any time, which clears your session data.
- Contact: You can contact us with questions about your data.
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take steps to delete that information.
10. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
Email: privacy@gimble.us
13. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). Please contact us for more information about exercising these rights.