tinyCFO is an informational financial management tool. Connect your financial accounts once through secure third-party providers and then query your data in plain English. You get organized visibility into your finances plus forecasts and summaries, all on a read-only basis.

Yes. All data is encrypted in transit and at rest using 256-bit AES encryption. We never store your bank login credentials or passwords. Connections are handled through trusted third-party providers and are always read-only. You can revoke access to any account at any time.

Does tinyCFO provide financial advice?

No. tinyCFO is not a registered investment adviser, broker-dealer, or tax professional. The service does not constitute financial, investment, legal, or tax advice. All information is for informational purposes only.

How much does it cost?

tinyCFO has one simple plan at $8.33/month (billed yearly at $100/year) or $12.00/month billed monthly. Cancel anytime with no fees.

Privacy Policy | tinyCFO

1.Introduction

Our Privacy-First Commitment

At tinyCFO, privacy is one of our most important values. We built this platform with privacy-by-design principles because we believe users should never have to choose between powerful financial tools and strong data protection. We limit data collection to what is strictly necessary to deliver, maintain, and improve the Services. Protecting your financial information and query history is fundamental to our mission.

We do not sell your personal information or Financial Data. We never monetize your data through sale or sharing for advertising. As used in this Policy, “sell” has the meaning given under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”) — the disclosure of personal information to a third party for monetary or other valuable consideration. We do not engage in such activity. We also do not share Financial Data, AI interaction logs, or query history with unaffiliated third parties for their own marketing, advertising, or data-monetization purposes.

This Privacy Policy (“Policy”) describes how 7th Street Research, Co., a Delaware corporation doing business as tinyCFO (“Company,” “we,” “us,” or “our”), collects, uses, discloses, and protects your personal information when you access or use our AI-first personal finance application, website, and related services (collectively, the “Services”). This Policy is incorporated into and forms part of our Terms of Service. By using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

We process personal information (including Financial Data) in compliance with all applicable U.S. state privacy laws, including the CCPA/CPRA, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and any other comprehensive state privacy statute in effect. We provide the rights and notices required under those statutes and honor opt-out preference signals, including Global Privacy Control. For state-specific details, see Section 7.

2.Information We Collect

We collect the following categories of information:

2.1 Information You Provide

Identifiers and contact data (name, email address, phone number, username)
Account registration details and profile preferences
Payment information (if you subscribe to paid features)
User Content, including natural-language queries, instructions, feedback, and any other inputs you submit

2.2 Financial Data

Transaction histories, balances, holdings, income/expense categorizations, and other financial information retrieved from your Connected Accounts solely through third-party data providers (such as Plaid or equivalent services). We do not receive, store, or have access to your login credentials, passwords, or security credentials for any external financial institution.

2.3 Automatically Collected Information

Device and usage data (IP address, device type, operating system, browser type, app version, and interaction logs)
Query and AI interaction data (the full content and context of your natural-language queries, the AI Outputs generated in response, timestamps, and metadata about those interactions)
Cookies, pixels, and similar tracking technologies (as described in our Cookie Policy, if published separately)

2.4 Information from Third Parties

We receive Financial Data from third-party data providers you authorize and may receive limited verification or fraud-prevention data from service providers.

2.5 Sensitive Information

We treat financial account information, certain query data that could reveal financial goals or life events, and any inferred sensitive categories as sensitive personal information and apply heightened protections. We limit the use of sensitive personal information to what is strictly necessary to provide the Services, as required by the CCPA/CPRA and similar state laws. We do not collect or infer sensitive characteristics (such as race, religion, or health data) except as strictly necessary for service delivery or legal compliance.

2.6 Third-Party AI Client and MCP Data

When you connect a Third-Party AI Client to your tinyCFO account via OAuth, we collect and store:

OAuth authorization tokens issued to the Third-Party AI Client
MCP tool call metadata (tool name, timestamp, success or error status) for audit logging and abuse prevention
The identity of the authorized Third-Party AI Client and the scopes granted

Financial account connections (via Plaid) are handled separately and are described in Section 2.2 above.

3.How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Services, including account aggregation, natural-language query processing, search, filtering, summaries, and forecasts
Generate and deliver AI Outputs based on your Financial Data and User Content
Operate, debug, and enhance our models (AI or otherwise), your queries and the resulting AI Outputs may be monitored, logged, stored, and used (in de-identified or aggregated form where feasible) to train, fine-tune, and improve our artificial intelligence systems. We limit such use to internal research and product development and do not use it to provide financial, investment, legal, or tax advice
Personalize your experience and respond to your support requests
Detect, prevent, and respond to fraud, security incidents, or misuse
Comply with legal obligations, enforce our Terms of Service, and protect our rights
Conduct internal analytics, research, and product development (including aggregated, de-identified data for industry insights)
Communicate with you about the Services, updates, or marketing (with your ability to opt out of promotional communications)

All uses are consistent with our position as an informational tool only. We never use your data to provide regulated financial advice or to sell to third parties.

4.How We Share Your Information

We share information only in the following limited circumstances:

4.1 Service Providers and Third-Party Data Aggregators

We share Financial Data and necessary identifiers with third-party data providers (e.g., Plaid or equivalent) solely to enable account connections and refreshes. These providers act on your behalf and are contractually required to protect your data. We also share data with other service providers (hosting, analytics, payment processing, AI infrastructure providers such as large-language-model hosts, security, and customer support) who are bound by confidentiality and use restrictions.

4.2 Affiliates

We may share data within our corporate family for operational purposes, but not for independent marketing.

4.3 Legal and Compliance

We may disclose information to comply with law, court orders, regulatory requests, or to protect the safety, rights, or property of the Company, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to continued protection under this Policy.

4.5 With Your Consent

We may share data in other ways if you explicitly consent.

4.6 No Sale of Personal Information

We do not sell your personal information. As defined by the CCPA/CPRA, a “sale” means the disclosure of personal information to a third party for monetary or other valuable consideration. We do not engage in such activity and have not sold personal information in the preceding twelve (12) months.

We do not share your personal information for cross-context behavioral advertising. Under certain state laws, “sharing” for targeted advertising constitutes a regulated activity separate from “selling.” We do not engage in such sharing. We do not share Financial Data, AI interaction logs, or query history with unaffiliated third parties for their own marketing, advertising, or data-monetization purposes. If our practices ever change, we will provide you with prior notice and the ability to opt out before any such sharing occurs.

4.7 MCP Server and Consumer-Directed Data Sharing

When you authorize a Third-Party AI Client via OAuth or API key, your Financial Data is transmitted to that AI client in response to MCP tool calls. This is consumer-directed data sharing: you choose when and which AI client to connect, and you initiate the authorization.

Once Financial Data is delivered to the Third-Party AI Client, it is subject to that provider’s privacy policy and data practices, not ours. We do not control how any Third-Party AI Client processes, stores, or retains data received from MCP tool calls. Your bank connections are handled separately via Plaid.

We log which MCP tools are called and when (for audit trails and abuse prevention) but do not log the full content of responses sent to AI clients
This sharing is consistent with the principles of CFPB Section 1033 and consumer-directed data access rights
Data shared via MCP is provided solely for your personal financial analysis and informational use
You can revoke MCP access at any time by revoking the API key in your tinyCFO account settings, which immediately stops all future tool calls

5.Data Security and Information Security Program

We maintain a comprehensive written information security program with reasonable administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of your personal and financial information. Our program is aligned with industry-standard frameworks, including the AICPA Trust Services Criteria (which underpin the SOC 2 framework), and with applicable state data security requirements.

Our information security program includes:

A designated security coordinator responsible for overseeing the program
Regular risk assessments to identify and address threats to the security, confidentiality, and integrity of personal information
Encryption in transit (TLS 1.2+) and AES-256-GCM field-level encryption for sensitive credentials such as access tokens
Versioned, rotatable encryption keys with support for zero-downtime key rotation
Access controls limiting employee and system access to personal information on a need-to-know basis
Vendor management and due diligence for service providers who handle personal information
Employee security training and awareness programs
Incident response procedures, including notification to affected users as required by applicable law

However, no security system is infallible. You are responsible for safeguarding your Account credentials and promptly notifying us of any suspected breach. In the event of a data incident that requires notification under applicable law, we will notify affected users as required.

6.Your Rights and Choices

Marketing and Promotional Communications. You may opt out of promotional emails or texts by following the unsubscribe instructions or contacting us.

Cookies and Tracking. You may manage cookie preferences through your browser settings; however, disabling certain cookies may limit Service functionality.

Do Not Track / Global Privacy Control. We honor Global Privacy Control (“GPC”) signals and other recognized universal opt-out mechanisms where required by applicable state law. When we detect a GPC signal, we treat it as a valid opt-out of the “sale” and “sharing” of personal information for the associated browser or device.

U.S. State Privacy Rights. Depending on your state of residence, you may have some or all of the following rights under applicable state privacy laws (subject to identity verification and applicable exceptions):

Right to know / access — request the categories and specific pieces of personal information we have collected about you
Right to delete — request deletion of personal information we have collected from you
Right to correct — request correction of inaccurate personal information
Right to opt out — opt out of the "sale" or "sharing" of personal information, or of targeted advertising or profiling that produces legal or similarly significant effects
Right to limit use of sensitive personal information — restrict our processing of sensitive data to what is strictly necessary
Right to data portability — obtain your personal information in a portable, readily usable format
Right to non-discrimination — exercise your rights without receiving discriminatory treatment

To exercise any of these rights, submit a verifiable request by email to support@tinycfo.ai or through any in-app privacy portal we may provide. We will verify your identity before fulfilling requests and will respond within the timeframe required by applicable law (typically 45 days, extendable once by an additional 45 days with notice). You may appeal any denial. Authorized agents must provide written proof of authorization.

For California residents, additional details about categories of data collected, disclosed, and sold/shared in the preceding 12 months are available upon request. See Section 7 for jurisdiction-specific notices.

7.State-Specific Privacy Notices

We comply with all applicable U.S. state privacy and consumer-protection statutes. The following notices supplement the rest of this Policy for residents of states with comprehensive privacy laws:

7.1 California (CCPA/CPRA)

If you are a California resident, you have the rights described in Section 6 above as well as the following additional rights: (i) the right to know the categories of sources from which we collected your personal information, the business or commercial purpose for collecting it, and the categories of third parties with whom we shared it; (ii) the right to opt out of the sale or sharing of personal information; and (iii) the right to limit the use and disclosure of sensitive personal information to purposes necessary to perform the Services. We have not sold or shared (as defined by the CCPA/CPRA) personal information in the preceding twelve (12) months. Categories of personal information collected, disclosed for a business purpose, or sold/shared in the prior 12 months are available upon request by contacting support@tinycfo.ai. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA. Financial incentive programs, if any, will be described separately with their material terms.

7.2 Virginia (VCDPA)

Virginia residents have the right to access, correct, delete, obtain a portable copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not process personal data for any of these prohibited purposes. To exercise your rights or appeal a decision, contact us at support@tinycfo.ai. If your appeal is denied, you may contact the Virginia Attorney General.

7.3 Colorado (CPA)

Colorado residents have similar rights to access, correct, delete, obtain a portable copy of, and opt out of the processing of personal data for targeted advertising, sale, or certain profiling. We honor universal opt-out mechanisms (including GPC) as required by Colorado law. To exercise your rights or appeal a decision, contact us at support@tinycfo.ai. If your appeal is denied, you may contact the Colorado Attorney General.

7.4 Connecticut (CTDPA)

Connecticut residents have the right to access, correct, delete, obtain a portable copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling. We honor universal opt-out mechanisms as required by Connecticut law. To exercise your rights or appeal a decision, contact us at support@tinycfo.ai. If your appeal is denied, you may contact the Connecticut Attorney General.

7.5 Utah (UCPA)

Utah residents have the right to access and delete personal data and to opt out of the processing of personal data for targeted advertising or sale. To exercise your rights, contact us at support@tinycfo.ai.

7.6 Other States

We monitor the enactment and effective dates of comprehensive privacy laws in all U.S. states, including but not limited to the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), and the Montana Consumer Data Privacy Act (MCDPA). As additional state statutes take effect, we will update this section to provide the required notices and will honor all rights and obligations under those laws. If the Company later offers money-transmission, lending, or other regulated services, additional state-specific licensing and consumer-protection disclosures will be added to this Policy and our Terms of Service.

8.Children's Privacy

The Services are not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected such data, we will delete it promptly.

9.Data Retention

We retain your information only as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Financial Data is retained while your Connected Accounts remain linked or as required for service delivery; queries and AI interaction logs are retained in de-identified or aggregated form for model improvement for up to 24 months after account deletion unless longer retention is required by law. You may delete your Account at any time through the Services, after which we will delete or anonymize your personal information subject to legal retention requirements.

10.International Transfers

The Services are hosted in the United States. If you access the Services from outside the United States, your information may be transferred to and processed in the United States. We use appropriate safeguards (such as standard contractual clauses where required) to protect your information during any international transfer.

11.Changes to This Privacy Policy

We may update this Policy from time to time. We will notify you of material changes by posting the revised Policy with a new Effective Date, and, where required by law, by email or in-app notice. Your continued use of the Services after the Effective Date constitutes acceptance of the updated Policy.

12.Contact Information

If you have questions or concerns about this Policy, wish to exercise your rights, or would like to submit a complaint, please contact us at:

tinyCFO (a DBA of 7th Street Research, Co.)
169 Madison Ave STE 15124
New York, NY 10016
Email: support@tinycfo.ai

← Back to home