BackNexWealth
PrivacyEffective April 16, 2026

Privacy Policy

This policy explains what information NexWealth collects, how we use it, and the controls you have over your data. We believe transparency is the foundation of trust.

We never sell your data
Your financial data is yours. We never sell, rent, or trade it to third parties for marketing.
Full AI transparency
We disclose exactly what data is sent to AI models and how it's processed — with complete audit trails.
Delete anytime
Download or permanently delete all your data from Settings at any time — no questions asked.

1. Information We Collect

We collect different categories of information depending on how you interact with NexWealth:

a) Account Data

  • Email address (required for authentication)
  • Display name (optional, provided during registration)
  • Avatar URL (optional)
  • Password hash (bcrypt, never stored in plaintext)
  • Email verification status and verification codes (temporary, expire after 10 minutes)
  • Risk tolerance level (1–10 scale)
  • Onboarding completion status

b) Financial Data

  • Bank account information — institution name, account name, last 4 digits (mask), and balance data retrieved through Plaid
  • Brokerage account data — provider name, account identifier, connection status, and access tokens (encrypted)
  • Portfolio data — total value, cash balance, daily performance, and linked brokerage account references
  • Investment positions — stock symbols, company names, share counts, cost basis, market value, and daily performance
  • Trade orders — buy/sell records, quantities, symbols, fill prices, and order status
  • Tax lots — cost basis tracking, share quantities, and acquisition dates for tax reporting

c) Goal & Planning Data

  • Financial goals (name, type, target amount, current progress, target date, monthly contribution amounts)
  • Deposit schedules (frequency, amount, source bank account, next transfer date, active/paused status)

d) Conversation Data

  • Chat thread metadata (title, creation date)
  • Chat messages (user queries, AI responses, system messages, and tool call results)

e) Security & Audit Data

  • Audit logs recording user actions (sign-in, email verification, data changes) with timestamps, IP addresses, and metadata
  • Session tokens (JWT, signed with HS256 via HMAC)

2. How We Use Your Information

We process your information for the following purposes:

  • Service Delivery. Portfolio aggregation, goal tracking, deposit scheduling, performance analytics, and rebalancing recommendations.
  • AI Advisory. Your portfolio data, goals, and deposit schedules are passed to Anthropic Claude via structured tool calls so the AI can provide contextualized financial insights.
  • Authentication & Security. Email-based OTP verification, session management, and audit trail maintenance for fraud prevention.
  • Communication. Transactional emails (verification codes) and, with your consent, weekly summary emails and milestone notifications.
  • Service Improvement. Aggregated, anonymized usage patterns to improve features, performance, and user experience.

3. AI Processing & Transparency

NexWealth uses Anthropic Claude as its AI engine. We are fully transparent about what data is shared with AI models and how it is processed.
  • What is sent to the AI. When you ask the AI a question, the AI may call structured tools to retrieve your portfolio summary, goal progress, deposit schedules, or run scenario projections. Only the minimum data needed to answer your question is retrieved and shared with the model.
  • What is NOT sent. Your password, session tokens, Plaid access tokens, Alpaca API keys, bank account numbers, and brokerage access credentials are never sent to the AI model.
  • No training on your data. We do not use your personal data or conversations to fine-tune or train AI models. Anthropic's usage policy states that data sent via the API is not used for model training.
  • Audit trail. All significant user actions are recorded in immutable audit logs with timestamps and IP addresses, enabling you to review your account activity history.
  • Advisory only. The AI system is configured in advisory-only mode. It can read your data through approved tool calls but cannot execute trades, transfer funds, or modify your account settings.

4. How We Share Information

We never sell, rent, or trade your personal data for marketing purposes. We share information only in the following limited circumstances:

  • Sub-Processors. With the third-party service providers listed in Section 5 to deliver core Service features.
  • Legal Requirements. If required by law, subpoena, court order, or to protect the rights, property, or safety of GazeFi AI LLC, our users, or the public.
  • Business Transfers. In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity with equivalent privacy protections.
  • With Your Consent. For any other purpose with your explicit consent.

5. Sub-Processors

The following third-party services may process your data as part of NexWealth's operation:

ProviderData Processed
PlaidBank credentials, account metadata, balances, transactions
AlpacaBrokerage positions, orders, account equity
AnthropicConversation content, portfolio summaries, goal data (via tool calls)
ResendEmail address, display name (for verification emails)
NeonAll persistent user data (encrypted at rest)
VercelRequest logs, serverless function execution, edge caching

6. Cookies & Session Management

NexWealth uses a minimal, security-focused approach to cookies:

CookiePurposeDuration
nexwealth_sessionSigned JWT session token for authentication30 days
  • Our session cookie is HttpOnly (inaccessible to client-side JavaScript), Secure in production (transmitted only over HTTPS), and uses SameSite=Lax to prevent CSRF attacks.
  • The JWT payload contains your user ID, email, and expiration timestamp. It is signed with HMAC SHA-256.
  • We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

7. Data Retention

Data CategoryRetention Period
Account dataUntil account deletion + 30-day purge window
Financial dataUntil account deletion (cascade delete with user)
Chat historyUntil account deletion (cascade delete with user)
Session tokens30 days (auto-expiration)
Verification codes10 minutes (auto-expiration, then nullified)
Audit logsRetained for security compliance, anonymized after account deletion

Financial data is cascade-deleted when your user account is removed. Brokerage and bank provider relationships are not affected by deletion.

8. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit. All communications are encrypted via HTTPS/TLS.
  • Encryption at rest. Data stored in Neon PostgreSQL is encrypted at rest using AES-256.
  • Password hashing. Passwords are hashed using bcrypt with a cost factor of 10 and are never stored in plaintext.
  • Session security. JWTs are signed with HMAC SHA-256. Session cookies are HttpOnly, Secure, and SameSite=Lax.
  • Webhook verification. Plaid and Alpaca webhook payloads are verified via HMAC SHA-256 signatures.
  • Input validation. All user inputs are validated server-side using Zod schemas before processing.
  • Audit logging. Security-relevant actions are logged with user ID, action type, resource, IP address, and timestamp.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right to Access
Request a copy of all personal data we hold about you. Available via Settings → Data & Privacy → Download My Data.
Right to Rectification
Update or correct inaccurate personal data through your account Settings or by contacting us.
Right to Deletion
Permanently delete your account and all associated data via Settings → Data & Privacy → Delete Account. This action is irreversible.
Right to Data Portability
Download your data in a machine-readable format via the Download feature in Settings.
Right to Object
Object to specific processing activities. Contact us to exercise this right.
Right to Restrict Processing
Request that we limit how we process your data in certain circumstances.

To exercise any of these rights, email privacy@nexwealth.app or use the self-service features in your account Settings. We respond to all data rights requests within 30 days.

10. Children's Privacy

NexWealth is not designed for or directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a child under 18, we will promptly delete the account and associated data.

11. International Data Transfers

NexWealth is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on standard contractual clauses and equivalent safeguards where applicable to ensure your data is protected in accordance with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days' notice for material changes via email or in-app notification. The “Effective” date at the top of this page will be updated accordingly. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your privacy rights, please contact us:

GazeFi AI LLC — Privacy Team

254 Chapman Rd Ste 208, Newark, DE 19702, USA

Privacy inquiries: privacy@nexwealth.app

General support: support@nexwealth.app

Website: www.nexwealth.app