Privacy Policy

Last updated 2026-05-29

Summary

Owed helps you discover unclaimed money you may be entitled to. To do that we collect financial profile information you provide (income range, employer history, household data) and run scans against public databases and curated rule sets. We do not sell your data. We do not custody any money you recover.

What we collect

  • Account information. Email and password (hashed).
  • Onboarding profile. Legal name, date of birth, state(s) you have lived in, employer history, education, military service, dependents, marital status, income bucket (range, not exact amount), property ownership, subscriptions, and similar fields you enter in Stages 1-5.
  • Family Heritage data (opt-in). If you opt into Family Heritage Scan, the names, dates of death, and states of deceased relatives you provide.
  • Payment information. Stripe collects card details directly; we receive only the transaction ID and amount.
  • Documents you upload. Tax returns, pay stubs, medical bills, and similar artifacts if you choose to upload them (Sprint 4 feature).
  • Scan output. The findings and recommendations our scanners generate from your inputs.
  • Operational data. Server logs, IP address, user agent, error reports (via Sentry), and analytics events (via Vercel Analytics) to keep the service running.

We do not ask for your Social Security Number in the MVP. We do not request bank-account or credit-card login credentials.

How we use it

  • Run our scanners (16 categories) to identify money or benefits you may be entitled to.
  • Generate Recovery Plans and conversational copilot guidance.
  • Process payments and provide customer support.
  • Send transactional emails (account, payment, scan completion).
  • Improve our calibration accuracy (we track which findings users report as true positives — see calibration metrics — to recalibrate baseline confidence per scanner).

AI providers and PII redaction

Some scanners call third-party AI services to structure search results or generate guidance:

  • Anthropic (Claude API). Used by all scanners that need natural-language structuring. We redact direct identifiers (full SSN, exact DOB beyond birth year, full street address) via an internal lib/prompt-redact wrapper before sending prompts. We are working to finalize a Business Associate Agreement and Zero-Retention agreement; until those are in place we limit which inputs are routed through Claude.
  • Perplexity (Sonar API). Used by external-search scanners (Unclaimed Property, Class Actions, 401(k) Esquecido, Estate Search) to query public databases. We pass minimally identifying queries (e.g., full name + state) and rely on the homonym-flagging safeguards built into each scanner.

We do not send health-condition data, government identification numbers, or document images to AI providers in the MVP.

Service providers

  • Supabase — database, authentication, file storage (Postgres with Row-Level Security; PII encrypted at rest).
  • Stripe — payment processing.
  • Anthropic — AI scanner structuring (see above).
  • Perplexity AI — external search scanners (see above).
  • OpenAI — embeddings for semantic matching (Class Actions × purchase history).
  • Resend — transactional email.
  • Vercel — hosting + analytics.
  • Sentry — error monitoring.

All providers are bound by contracts that limit their use of your data to providing services to Owed.

How long we keep it

We retain your account and scan results until you delete your account, plus a short grace period for backup rotation. After deletion, we keep only the records required for legal compliance (tax records, fraud-prevention logs).

Security

Data is encrypted in transit (HTTPS) and at rest (Supabase native encryption). Row-Level Security enforces that each user can only read their own data — verified by our automated audit:rls-coverage check on every commit. We minimize PII collection by design (no SSN in MVP, income as ranges, etc.).

Your rights

You can update or delete your account at any time from Settings. California residents have additional rights described in our CCPA notice. Residents of other states with comparable laws (CO, CT, UT, VA) may exercise equivalent rights by emailing us.

Children

Owed is intended for adults age 18 or older. We do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will delete it promptly.

Changes

We will update this page with a new “Last updated” date if our practices change. For material changes, we will notify account holders by email.

Contact

Privacy questions: privacy@owed.app

This notice does not constitute legal advice. Owed is reviewing this content with US legal counsel prior to public launch.