Privacy Policy

1. Introduction

Lorica is a personal debt management and budgeting web application developed by Automate100, LLC ("we," "us," or "Lorica"). Lorica helps users analyze debt, create payoff plans (e.g., Avalanche method with user overrides), accumulate funds for creditor payments, and optionally automate scheduled ACH debits from their checking account to support accelerated debt payoff according to their selected strategy.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service. It covers integrations with third parties including Plaid (for read-only financial account linking), Stripe (for subscription billing), Synctera (for optional embedded banking and Dedicated Accounts via a sponsor bank), and Spinwheel (for user-directed creditor payments).

We do not sell your personal information for targeted advertising or similar purposes. By using Lorica, you agree to this policy.

If applicable under the Gramm-Leach-Bliley Act (GLBA) and Regulation P, we provide a separate GLBA Privacy Notice detailing our practices for nonpublic personal information (NPI), delivered at account opening and annually thereafter. This Privacy Policy supplements but does not replace any such GLBA notice. You may request a paper copy at no charge by contacting privacy@trylorica.com.

2. Information We Collect

We collect only the information necessary to provide our service:

• Account and Login Information: Email address, password (hashed), and basic profile details provided during signup.
• Financial Data via Plaid (with your explicit consent during linking): Read-only access to account balances, transaction history, masked account and routing numbers, and creditor or payee details. We do not collect, store, or have access to your full bank login credentials, passwords, or sensitive authentication tokens.
• Payment and Subscription Data: Billing information processed securely by Stripe. We do not store full card numbers or sensitive payment information ourselves.
• Dedicated Account Data (optional): If you choose to open a Dedicated Account for pooled funds or creditor payments, you do so directly through Synctera's interface. The sponsor bank handles all identity verification, Customer Identification Program (CIP), and BSA/AML screening — we do not receive or store raw CIP data such as SSN, date of birth, or government-issued ID in identifiable form. We maintain operational logs of user consents, authorizations, and timestamps in our backend (Xano) solely to facilitate the service and meet applicable recordkeeping obligations.
• Usage and Device Data: IP address, browser type, device information, pages visited, and analytics collected via Xano (backend) and WeWeb (frontend).
• Voluntary Information: Debt details, payoff preferences, or responses to suggestions for third-party services that you choose to provide.

Some information we process — including financial account data and debt details — may constitute sensitive personal information under applicable state privacy laws. We use and disclose such information only to provide the services you have requested and as otherwise permitted by law.

3. How We Use Your Information

We use your information to:

• Provide debt analysis, personalized payoff recommendations, budgeting tools, and fund accumulation tracking.
• Facilitate optional automated ACH debits from your linked checking account — only after your explicit authorization, and draws never exceed your available balance or advance funds.
• Process Stripe subscriptions for service access.
• Enable user-directed creditor payments via Spinwheel. We do not communicate directly with creditors or reorder payments without your approval.
• Suggest opt-in referrals to non-profit debt counseling, debt settlement organizations, or legal resources if your situation warrants. We do not receive affiliate compensation that affects your fund flows.
• Improve the service, debug issues, and ensure security.
• Comply with legal obligations, including responding to lawful subpoenas or regulatory requests.

We do not use automated decision-making or profiling in a way that produces legal or similarly significant effects on you without prior notice and, where required, your consent.

4. Sharing Your Information

We share information only as necessary and do not sell it for targeted advertising:

• Service Providers: Plaid (plaid.com/legal), Stripe (stripe.com/privacy), Xano, WeWeb, Synctera and the sponsor bank, and Spinwheel. All providers are bound by strict data protection contracts.
• As Required by Law: To comply with legal processes, protect rights and safety, or prevent fraud.
• Affiliate Referrals (optional, with your consent): If you consent to a referral suggestion, we may share your name, email, and a summary of your debt situation with a recommended third-party organization. You may withdraw this consent at any time by contacting privacy@trylorica.com.

We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA, including for cross-context behavioral advertising. You can manage your Plaid connections at any time via the Plaid Portal at my.plaid.com.

5. Data Security

We use industry-standard security measures including HTTPS/TLS 1.3 encryption in transit, AES-256 encryption at rest via Xano, strict access controls, and multi-factor authentication across all internal systems. We regularly review and update our safeguards in accordance with our Information Security Policy.

No Lorica personnel have signatory authority, unsupervised view-only access, or control over debits or credits outside your pre-authorized schedule. In the event of a security breach involving your personal information, we will notify you and applicable regulators as required by law — including within 30 days to the FTC where required under the GLBA Safeguards Rule.

6. Data Retention

We retain personal information only as long as necessary to provide the service, fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

• Operational logs, consent records, and authorization timestamps are retained for up to 5 years after account closure or last transaction, consistent with Bank Secrecy Act recordkeeping requirements where applicable.
• Plaid-linked financial data is not stored long-term beyond active use for features such as income detection or suitability checks. Historical transaction data is managed per Plaid's data retention policies.
• After account termination or upon a valid deletion request, we delete or anonymize personal information except as required by law. Retention periods may vary based on applicable state and federal requirements.

7. Your Rights

You may at any time:

• Access, correct, or delete your data by contacting privacy@trylorica.com.
• Revoke consents — including unlinking Plaid accounts via the dashboard or Plaid Portal, toggling creditor connections, or canceling automated payments — with immediate effect on future actions.
• Opt out of non-essential processing or affiliate referral suggestions.
• Unsubscribe from waitlist or marketing communications at any time.

Depending on your location, you may have additional rights under U.S. state privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Indiana, and others. These may include rights to:

• Know the categories and sources of personal data collected and shared.
• Opt out of targeted advertising, profiling, or sale or sharing of personal data (we do not engage in these practices).
• Limit use of sensitive personal information.
• Appeal decisions and exercise rights free from discrimination.

We honor Global Privacy Control (GPC) and universal opt-out signals where required by law. Submit requests to privacy@trylorica.com. We verify identity as needed and respond within statutory timelines (generally 45 days, extendable where permitted). You may designate an authorized agent to act on your behalf with written proof of authorization or a power of attorney.

8. Children's Privacy

Our service is not directed to children under 13 (or 16 in some jurisdictions) and we do not knowingly collect personal information from minors. If you believe we may have inadvertently collected information from a child, please contact privacy@trylorica.com and we will delete such information as promptly as practicable.

9. Changes to This Policy

We will notify you of material changes via email or in-app notice at least twenty-one (21) days before the effective date and will post the updated policy with a new effective date. Continued use of the service after the effective date constitutes acceptance of the updated policy. If you do not agree to a change, you may close your account before the change takes effect.

10. Contact Us

For privacy-related questions, requests, or concerns:

If your privacy concerns have not been resolved to your satisfaction, you may contact your state Attorney General or applicable privacy regulator. California residents may contact the California Privacy Protection Agency at cppa.ca.gov. Virginia residents may contact the Virginia Attorney General's Consumer Protection Section.

Version 2.0  |  Prepared by Automate100, LLC d/b/a Lorica  |  Pending counsel review prior to launch.