Last Updated: May 22, 2026
This Privacy Notice applies to the processing of personal information by Gnomi App Corp (GNOMI), including on our mobile application, our website at gnomi.com, and our other online or offline offerings (collectively, the Services).
We may update this Privacy Notice from time to time. If we do, we'll let you know by posting the updated Privacy Notice on our website, and/or we may also send other communications.
We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources.
We may collect personal information from third-party services when you connect GNOMI with social media accounts (Reddit, LinkedIn, Meta, X) or use third-party login services.
We may use your personal information to provide you with marketing messages and offers via email campaigns, as permitted by applicable law.
Important: We use your usage and search activity to help train our and third-party AI models. If you use our Social Connections feature, we also use your social media interaction information to train AI models and provide personalized news recommendations. When shared with third-party AI models, providers may retain this information. Please don't share sensitive information like passwords or financial data.
We may engage in automated decision making, including profiling, to deliver customized content based on your interactions with the Services.
We may disclose information to comply with legal requests, protect rights and safety, enforce policies, or assist with investigations.
Your information may be disclosed in connection with mergers, acquisitions, or other corporate transactions.
You may have the right to:
Personal information may be transferred, processed, and stored anywhere in the world, including countries with different data protection laws. For transfers from the EU/UK, we may use EU Standard Contractual Clauses as safeguards.
We store personal information as long as you use the Services, or as necessary to fulfill purposes, provide Services, resolve disputes, and comply with legal obligations.
This section applies to personal information subject to EU or UK GDPR. In some cases, providing personal information may be required by law or contract. We will inform you of consequences if you choose not to provide required information.
The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe your child has uploaded information in violation of applicable law, please contact us.
GNOMI App Corp. (“Sponsor”) collects and processes personal information submitted by entrants, including name, email address, country or state of residence, and information required to verify eligibility and deliver prizes. This information is used solely to administer the promotion, prevent fraud, verify eligibility, and fulfill prizes.
For entrants located in the European Economic Area or United Kingdom, Sponsor processes personal data based on the performance of a contract (administration of the promotion) and Sponsor’s legitimate interests in operating and securing the promotion. If entrants choose to receive marketing communications, processing is based on consent. Entry into the promotion is not conditioned on providing marketing consent.
Sponsor may use service providers to assist with promotion administration, communications, analytics, and prize fulfillment. Personal data may be transferred to and processed in the United States or other countries where Sponsor or its service providers operate, subject to appropriate legal safeguards where required.
Personal data is retained for up to twelve (12) months after the promotion ends and then deleted or anonymized unless longer retention is required for legal or regulatory purposes. The promotion is open only to individuals who are at least 18 years old or the age of majority in their jurisdiction.
Depending on applicable law, entrants may have the right to request access to, correction or deletion of their personal data, restrict or object to processing, or request data portability. Entrants in the EEA or UK may also lodge a complaint with their local data protection authority. U.S. residents may have additional privacy rights under applicable state laws.
Requests regarding personal data may be submitted to: privacy@gnomi.com
GDPR and Applicable Privacy Law Compliance Documentation
This Data Retention and Disposal Policy defines how GNOMI retains, protects, deletes, anonymizes, and securely disposes of company, customer, user, financial integration, brokerage, banking, portfolio, transaction, technical, operational, and vendor-managed data. The purpose of this policy is to ensure that data is retained only for legitimate business, product, security, contractual, legal, and compliance purposes and is deleted, anonymized, or securely disposed of when no longer required.
GNOMI maintains this defined and enforced Data Retention and Disposal Policy to support compliance with applicable data privacy and data protection laws, including the General Data Protection Regulation (GDPR) where GDPR applies to GNOMI processing activities. This policy is designed to operationalize GDPR-aligned retention and disposal principles, including storage limitation, data minimization, purpose limitation, integrity and confidentiality, accountability, and lawful handling of data subject deletion and restriction requests.
GNOMI’s retention and disposal controls are intended to ensure that personal data is not retained longer than necessary for the purposes for which it is collected or otherwise lawfully processed, unless continued retention is required for legal, regulatory, contractual, security, fraud-prevention, accounting, audit, dispute-resolution, or legitimate business purposes.
Where GNOMI processes user-authorized financial account or portfolio information through Plaid or similar providers, GNOMI applies retention and disposal controls designed to limit retention of financial integration data to the period necessary to provide authorized functionality, maintain security, satisfy contractual obligations, prevent fraud, and comply with applicable law.
This policy applies to all data collected, processed, stored, transmitted, or maintained by GNOMI or by third-party service providers acting on GNOMI’s behalf. This includes production systems, cloud services, application databases, user account systems, financial integration systems, portfolio analytics systems, AI-generated financial intelligence systems, financial analysis systems, Plaid integrations, brokerage account integrations, banking integrations, security logs, analytics environments, customer support tools, vendor platforms, corporate records, backups, and disaster recovery systems.
This policy applies to GNOMI employees, contractors, consultants, service providers, and other authorized personnel who create, access, manage, store, process, transmit, retain, delete, or dispose of data on behalf of GNOMI.
GNOMI retains data only for as long as necessary to provide and improve its services, support authorized user functionality, maintain security, satisfy contractual and legal obligations, conduct business operations, and protect GNOMI, its partners, and its users. When data is no longer required, GNOMI deletes, anonymizes, aggregates, or securely disposes of it using appropriate administrative, technical, and procedural controls.
Retention periods are based on data type, purpose of processing, user relationship, legal basis, business need, contractual obligations, regulatory requirements, and security requirements. GNOMI periodically reviews retention and disposal practices to confirm that they remain appropriate for its business, products, systems, vendors, and applicable privacy obligations.
GNOMI retains user-authorized financial integration data only for as long as necessary to provide the authorized financial intelligence functionality requested by the user, including portfolio analysis, diversification analysis, portfolio sentiment generation, AI-generated financial insights, fraud prevention, and integration support.
GNOMI classifies data based on sensitivity, processing purpose, applicable obligations, and operational use. Retention and disposal controls are applied according to the nature of the data and the systems where it resides.
GNOMI applies retention periods according to the categories below. Specific periods may be adjusted where required by law, contract, security need, technical system requirements, or approved business necessity. Where a specific retention period is not legally required, GNOMI retains data only as long as needed for the applicable purpose and then deletes, anonymizes, or securely disposes of it.
| Data Category | Primary Purpose | Retention Standard | Disposal Method |
|---|---|---|---|
| Account and user profile data | Account operation, authentication, user support, service delivery | Retained while the account is active and for a limited period after closure as needed for security, fraud prevention, legal, audit, or support purposes. | Deletion, anonymization, or secure purge from active systems. |
| User-authorized financial integration data | Providing authorized financial intelligence features, user-requested functionality, integration support, and security | Retained only while the user maintains the authorized financial connection or while necessary to provide authorized financial intelligence functionality, maintain security, prevent fraud, support lawful business operations, comply with contractual obligations, or satisfy legal and regulatory requirements. Revoked, disconnected, expired, or inactive integrations are deleted, deactivated, anonymized, or token-revoked according to operational and legal requirements. | Deletion from active systems, secure token revocation, anonymization, restricted archival retention where legally required, or secure disposal. |
| AI-generated financial insights and portfolio analytics | Portfolio intelligence, diversification analysis, sentiment analysis, AI chat functionality, user-requested analytics | Retained while associated user accounts remain active and functionality remains enabled, subject to deletion requests, security requirements, legal obligations, and operational necessity. | Deletion, anonymization, aggregation, or secure disposal. |
| Support and communications records | Customer support, issue resolution, quality assurance, and compliance | Retained as needed to resolve requests, maintain service records, and support business or legal requirements. | Deletion or secure archive disposal upon expiration. |
| Security, access, and audit logs | Security monitoring, fraud prevention, incident detection, access review, audit, and system integrity | Retained for a period appropriate to the security purpose, system requirements, and legal or contractual obligations. | Scheduled expiration, secure purge, or restricted archive disposal. |
| Billing, tax, corporate, and legal records | Accounting, tax, corporate governance, audit, contract administration, and legal compliance | Retained for the period required by applicable law, audit standards, contract, or corporate governance requirements. | Secure disposal after expiration of legal or business need. |
| Aggregated, anonymized, or de-identified data | Analytics, product improvement, research, reporting, and business intelligence | May be retained for longer periods where the data is not reasonably identifiable and is outside the scope of personal data under applicable law. | Ongoing use, further aggregation, or disposal when no longer needed. |
| Backups and disaster recovery data | Business continuity, security recovery, and system restoration | Retained according to backup lifecycle schedules and overwritten or purged through normal backup rotation unless subject to legal hold. | Scheduled overwrite, expiration, or secure destruction. |
GNOMI enforces data deletion and disposal through administrative, technical, and procedural controls. Disposal methods are selected based on the data type, system, sensitivity, retention requirement, and technical feasibility.
Where GDPR or other applicable privacy law applies, GNOMI processes data subject requests relating to access, correction, deletion, restriction, objection, and portability in accordance with applicable legal requirements and lawful exceptions. GNOMI evaluates requests based on the requester’s identity, the nature of the data, the applicable legal basis, system requirements, and any lawful obligation to retain data.
Upon verified account closure or verified deletion request, GNOMI deletes, anonymizes, or restricts applicable personal data from active systems unless retention is required or permitted for legal, regulatory, contractual, security, fraud-prevention, accounting, audit, dispute-resolution, or legitimate business purposes. Where data cannot be immediately deleted from backups, it is protected from ordinary use and removed through the applicable backup lifecycle.
Where technically feasible and legally permitted, GNOMI processes verified requests to disconnect financial integrations, revoke financial access tokens, delete associated portfolio analytics data, and remove AI-generated financial insights associated with user-authorized financial integrations.
GNOMI may suspend normal retention or deletion schedules when data is subject to a legal hold, dispute, investigation, regulatory request, audit requirement, security incident, contractual obligation, accounting obligation, or other lawful business requirement. Data subject to a legal hold or approved exception is retained only for as long as the exception applies and is then returned to the applicable retention and disposal process. Security, fraud-prevention, anti-abuse, dispute-resolution, audit, regulatory review, or other lawful compliance obligations may require limited continued retention of financial integration records or security-related financial metadata.
When GNOMI uses third-party service providers to store or process data, GNOMI requires appropriate retention and disposal handling through vendor review, contractual obligations where applicable, and operational controls. For providers acting as processors or service providers, GNOMI expects retention, deletion, confidentiality, security, and assistance obligations to be addressed in applicable agreements, data processing terms, or vendor controls.
GNOMI reviews vendor data handling practices as appropriate to the nature of the service, the sensitivity of the data, and applicable privacy and security requirements. Where GNOMI receives a verified deletion request that applies to data held by a vendor or processor, GNOMI takes reasonable steps to communicate or execute the deletion, restriction, or anonymization request through the applicable vendor workflow, subject to lawful exceptions.
GNOMI evaluates Plaid and other financial integration providers for appropriate contractual, privacy, security, retention, deletion, confidentiality, and regulatory compliance controls.
Where required, GNOMI implements appropriate GDPR-compliant data transfer safeguards for cross-border processing involving financial integration data.
Data contained in backups or disaster recovery systems may persist for a limited period after deletion from active production systems. Backup data is protected from unauthorized access and is subject to lifecycle controls, retention schedules, and scheduled overwrite or deletion. GNOMI does not use backup data for ordinary business processing after an applicable deletion request, except where restoration is required for security, disaster recovery, legal, or operational necessity. Financial integration data and AI-generated financial insights retained within backup systems remain subject to access restrictions, encryption controls, lifecycle management, and secure overwrite procedures.
GNOMI management, security, engineering, product, operations, and compliance personnel are responsible for applying this policy within their areas of responsibility. Employees and contractors must follow approved retention, deletion, access control, and disposal procedures. Unauthorized retention, export, copying, or disposal of data outside approved processes is prohibited.
This policy is reviewed at least annually and upon material changes to GNOMI’s products, systems, vendors, data processing activities, legal requirements, contractual obligations, or security posture. Reviews are intended to confirm that retention standards, disposal procedures, GDPR-aligned practices, vendor controls, and operational enforcement remain appropriate and effective. Reviews must consider new financial integration features, AI financial analysis functionality, portfolio analytics systems, changes to Plaid integrations, and evolving privacy or financial-data obligations.
GNOMI maintains this policy as active company documentation for data retention, deletion, and disposal. This policy is designed to support compliance with applicable data privacy laws, including GDPR where applicable, and to provide a defined and enforceable framework for how GNOMI retains, deletes, anonymizes, and disposes of data.
Approved by GNOMI management as an active company policy for Data Retention and Disposal, including GDPR-aligned retention and deletion practices.
Including GDPR and Applicable Privacy Law Controls
The purpose of this Information Security Policy is to define GNOMI’s security governance requirements and operational controls for protecting information assets from unauthorized access, disclosure, alteration, loss, misuse, disruption, or destruction. This policy supports GNOMI’s compliance with applicable information security, privacy, financial data, consumer protection, and data protection obligations, including GDPR requirements where applicable. This policy also governs the protection of user-authorized financial account information, brokerage integrations, banking integrations, portfolio analytics systems, and AI-generated financial insights processed through Plaid or similar financial integration providers.
This policy applies to all GNOMI employees, founders, officers, contractors, consultants, service providers, vendors, systems, applications, cloud environments, databases, source code repositories, production assets, corporate devices, user data, partner data, and any other information assets used to deliver GNOMI products and services.
This policy applies to company, customer, user, financial, technical, operational, authentication, API, and vendor-managed data, including user-authorized brokerage account data, banking relationship data, portfolio holdings, transaction metadata, financial integration tokens, AI-generated portfolio analysis, and financial intelligence outputs, including personal data, sensitive data, and regulated data processed by or on behalf of GNOMI.
GNOMI designs and operates its security program to support compliance with all applicable information security and privacy laws, rules, regulations, and contractual requirements relevant to its operations, including, where applicable:
Where laws, contracts, or partner requirements impose stricter obligations than this policy, the stricter standard applies. GNOMI periodically reviews this policy to ensure it remains aligned with applicable legal, regulatory, partner, and security requirements.
GNOMI applies privacy-by-design and security-by-design principles to systems and processes that involve personal data. Where GDPR applies, GNOMI’s security and privacy controls are designed to support the following principles:
GNOMI supports data subject rights processes, including access, correction, deletion, restriction, portability, and objection where applicable. Requests are evaluated under applicable law and GNOMI’s internal privacy, security, retention, and legal hold requirements.
GNOMI identifies, evaluates, mitigates, and monitors information security risks that may affect confidentiality, integrity, availability, privacy, or legal compliance. Risk review may include system architecture, data flows, vendor dependencies, authentication controls, access privileges, production environments, new product features, third-party integrations, and incident history.
Material risks are escalated to appropriate management for remediation, acceptance, transfer, or additional controls. Risk treatment decisions must consider legal requirements, partner obligations, user impact, security impact, and business continuity.
Risk assessments must consider financial integrations, Plaid dependencies, AI-generated financial analysis functionality, portfolio analytics systems, financial-data access controls, model outputs, and third-party financial data flows.
GNOMI classifies and protects data according to sensitivity, business value, legal obligations, and risk. Data categories may include public, internal, confidential, sensitive, personal, financial, authentication, source code, security, and partner data.
GNOMI enforces access controls designed to limit access to production assets, cloud resources, administrative tools, systems, source code repositories, and sensitive data. Access is granted based on role, business need, least privilege, and approval requirements.
GNOMI uses appropriate technical safeguards to protect sensitive data, credentials, and communications. Encryption must be used for sensitive data in transit and applied to sensitive data at rest where supported and appropriate. Secrets, tokens, certificates, keys, and credentials must be stored in approved secure systems and protected against unauthorized use or disclosure.
Keys and credentials must be rotated, disabled, or revoked when compromised, no longer needed, or when personnel or vendor access changes. Credentials must not be shared between users except where approved service account controls are used.
Plaid API credentials, financial integration tokens, OAuth credentials, webhook secrets, refresh tokens, and related financial integration secrets must be encrypted, securely stored, and protected against unauthorized access.
GNOMI maintains logging and monitoring practices appropriate to its systems and risk profile. Logs may include authentication events, administrative activity, application events, system activity, production changes, access changes, and security-relevant errors or alerts.
GNOMI incorporates security into software development and product delivery. Security requirements are considered during design, development, testing, deployment, and maintenance of GNOMI systems.
GNOMI evaluates third-party vendors, processors, subprocessors, and integration partners based on the type of data processed, services provided, operational dependency, security posture, legal obligations, and contractual requirements.
GNOMI maintains incident response procedures to identify, investigate, contain, remediate, document, and communicate security incidents. Security incidents may include unauthorized access, data exposure, credential compromise, system compromise, data loss, malware, service disruption, or suspected breach of confidentiality, integrity, or availability.
GNOMI retains information only for as long as reasonably necessary for the purpose for which it was collected or processed, including product delivery, user account management, security, fraud prevention, analytics, legal compliance, financial records, contractual obligations, dispute resolution, and legitimate business operations.
GNOMI personnel and contractors with access to company systems, production assets, or sensitive data must follow this policy and applicable security procedures. Personnel are expected to protect credentials, use approved systems, report suspected security incidents, and handle data according to classification and need-to-know requirements.
Security and privacy awareness may be provided through onboarding, role-specific guidance, internal communications, and ongoing updates as GNOMI’s products, risks, and compliance obligations evolve.
Personnel with access to financial integration systems or user-authorized financial data may receive additional guidance regarding financial-data handling, privacy obligations, secure processing, phishing prevention, token security, and incident escalation procedures.
GNOMI maintains reasonable measures to support continuity and availability of critical services. Controls may include cloud resilience, backups, monitoring, incident escalation, vendor dependency review, disaster recovery planning, and operational response procedures based on system criticality and risk. Business continuity planning should consider dependencies on Plaid and other financial integration providers, including availability risks, vendor outages, token failures, and financial integration service disruptions.
Any exception to this policy must be approved by appropriate GNOMI management based on business need, risk, compensating controls, duration, and legal or contractual requirements. Exceptions must be documented where appropriate and reviewed periodically until remediated or formally accepted.
Failure to comply with this policy may result in access revocation, remediation requirements, vendor action, disciplinary action, contract termination, or other measures appropriate to the nature and severity of the violation. GNOMI may investigate suspected violations and take corrective action to protect company systems, users, partners, and data.
GNOMI is the controller of personal information processed under this Privacy Notice.
If you have questions about our privacy practices or want to exercise your rights, please contact us at support@gnomi.com.