Knot/Privacy
DRAFT — not legal advice. This Privacy Policy is a working draft pending review and ratification by a licensed attorney. It is not yet in force and should not be relied upon. We publish it here for transparency while we prepare for beta.

Privacy Policy

Draft v1 · Last updated: June 2026

Who we are

Knot is a personal finance app operated by Knot Finance, based in Karnataka, India. Knot Finance is currently a sole operator with incorporation pending; it is not yet a registered company. This policy and your use of Knot are governed by the laws of India and the state of Karnataka.

What data we collect

Knot stores the financial data you give us — transactions (amount, currency, category, date, and any note or description you add), budgets, accounts, savings goals, and any bank statements you upload for parsing. Your net worth is calculated as a sum of the account balances you enter or that we derive from your transactions; we do not pull live balances from your bank ourselves for this figure. We also store the basic account profile needed to keep you signed in (email, display name, and a password hashed and managed by Supabase Auth).

If you choose to save bank-portal login credentials for statement retrieval, those credentials are encrypted at rest using AES-256-GCM with a unique initialization vector per record. They are never sent to any AI provider; they are decrypted only momentarily, server-side, to unlock a password-protected statement file you have asked us to parse.

How AI processes your data, and who processes it

Knot uses AI to parse uploaded statements, suggest categories, answer questions in the assistant, and generate insights. To do this, the relevant portion of your financial data is sent to external AI sub-processors. We want to be exact about who that is and what they receive:

  • OpenAI (model gpt-4o-mini, our primary provider) — used for statement extraction, categorization, the chat assistant, and insights. OpenAI processes this data in the United States. Per OpenAI's API terms, data sent through their API is not used to train their models by default; that is OpenAI's representation, not a guarantee we can independently make on their behalf.
  • Google Gemini (model gemini-2.5-flash, our fallback) — used only when OpenAI fails or is rate-limited. Google also processes this data in the United States. Google's terms indicate that some Gemini endpoints may use submitted content to improve their service; we minimize this exposure through our routing, but we cannot eliminate it on Google's behalf.

What we send, and what we don't.Insights and the assistant are designed to send the minimum data necessary — typically a summary of your finances such as category totals, amounts, and dates. Today, the assistant's context still includes the descriptions of your most recent transactions; we are in the process of removing transaction descriptions from what the assistant sends, and we will update this policy when that change is live rather than claim it before it is. We never send AI providers your saved bank-portal credentials.

Because OpenAI and Google process this data in the United States, your data is transferred outside India when AI features run. Indian law (the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025) currently permits such transfers; we disclose it here so your consent is informed.

Sharing with a partner (Couple Mode)

Couple Mode is off by default and only takes effect if you link with a partner and turn sharing on. When you do, your partner sees combined totals only — summed figures such as combined cash flow and combined net worth. Your partner does not see your individual transaction rows. Shared totals are limited to activity from the date you linked accounts onward, and you can mark any individual transaction as private so it is excluded from the combined totals entirely.

How long we keep data, and what we don't keep

  • We keep your account data for as long as your account is active. When you delete your account, your data is deleted, cascading across our data tables.
  • Your conversations with the AI assistant are stored only in your browser's session storage on your device — they are not saved to our servers. Because there is no server-side copy, there is no server retention period or purge schedule for chat; the history clears when your browser session ends.
  • Uploaded statement files are deleted after parsing on a best-effort basis once extraction completes.

What we don't do

  • We do not sell your data to anyone.
  • We do not use your data for cross-context behavioral advertising.
  • We do not use your statement contents to train our own models.
  • We do not share your individual transactions with your partner — Couple Mode shares combined totals only (see above).

Your rights and controls

Depending on where you live, you may have rights under the Digital Personal Data Protection Act, 2023 (India), the California Consumer Privacy Act as amended by the CPRA (United States), PIPEDA and Quebec's Law 25 (Canada), and other applicable laws. These generally include the right to access, correct, and delete your data, and to know who we share it with. In Knot you can:

  • Edit or delete individual transactions, or delete your entire account, at any time from Settings.
  • Choose whether to link a partner, and mark any transaction as private when one is linked.
  • Withdraw consent by deleting your account. (Some rights, such as data export and per-purpose consent toggles, are not yet built and are planned for a future release; we will not claim them until they exist.)

Contact and grievances

Questions, requests, or grievances about your data? Email hello@knot.app. (This contact address will be finalized before this policy is published.)