OPENWEALTH PRIVACY POLICY

Last Updated: October 25, 2025

INTRODUCTION

ACO TECH SOLUTIONS LLC ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the OpenWealth platform ("Platform"), including our website, mobile applications, and related services.

Please read this Privacy Policy carefully. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree with our policies and practices, do not use the Platform.

1. INFORMATION WE COLLECT

We collect several types of information from and about users of the Platform:

1.1 Information You Provide to Us

Account Registration Information:

  • Full name
  • Email address
  • Password (encrypted)
  • Phone number (optional)
  • Date of birth
  • Country of residence

Profile and Investment Preference Information:

  • Investment goals and objectives
  • Risk tolerance
  • Investment experience level
  • Time horizon
  • Financial situation information (optional)

Communication Information:

  • Messages you send through the Platform
  • Customer support inquiries
  • Feedback and survey responses
  • Communication preferences

1.2 Financial Account Information

When you connect your investment accounts to the Platform, we collect:

  • Account numbers and identifiers
  • Account balances and valuations
  • Holdings and positions (stocks, bonds, ETFs, mutual funds, etc.)
  • Transaction history
  • Performance data and returns
  • Asset allocation and diversification data
  • Dividend and interest income
  • Cost basis and tax lot information

Important: We use third-party service providers to establish read-only connections to your financial accounts. We do not store your brokerage login credentials or passwords. Account connections are secured using industry-standard OAuth authentication protocols and encryption.

1.3 Automatically Collected Information

When you access or use the Platform, we automatically collect:

Device Information:

  • Device type and model
  • Operating system and version
  • Browser type and version
  • Screen resolution
  • Device identifiers (UDID, IDFA, Android ID)

Usage Information:

  • Pages visited and features used
  • Time and date of access
  • Duration of sessions
  • Click patterns and navigation paths
  • Search queries within the Platform
  • Interactions with AI features

Technical Information:

  • IP address
  • Geolocation data (country, region, city)
  • Referring/exit pages
  • Log files and error reports
  • Application performance metrics

1.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar technologies to collect information and improve our services:

  • Essential Cookies: Necessary for Platform operation and security
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how users interact with the Platform
  • Marketing Cookies: Used to deliver relevant advertisements (with your consent)

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of the Platform.

2. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

2.1 Providing and Improving the Platform

  • Creating and managing your account
  • Aggregating and displaying your portfolio data
  • Generating AI-powered portfolio analysis and insights
  • Providing personalized investment research and recommendations
  • Operating, maintaining, and improving Platform features
  • Developing new products, services, and features
  • Understanding user behavior and preferences
  • Troubleshooting and debugging technical issues

2.2 AI Model Training and Improvement

We may use aggregated, anonymized, or de-identified data to:

  • Train and improve our AI and machine learning models
  • Enhance the accuracy of portfolio analysis algorithms
  • Develop better investment insights and recommendations
  • Conduct research and analytics

Important: We do not use your personally identifiable information or specific portfolio holdings to train AI models that would be accessible to other users. All training data is aggregated and anonymized to protect your privacy.

2.3 Communications and Customer Support

  • Responding to your inquiries and support requests
  • Sending service-related notifications and updates
  • Providing customer service and technical assistance
  • Sending educational content and investment insights (with consent)
  • Conducting surveys and gathering feedback

2.4 Security and Fraud Prevention

  • Verifying your identity and preventing fraud
  • Detecting and preventing unauthorized access
  • Monitoring for suspicious activity
  • Protecting against security threats and vulnerabilities
  • Complying with legal obligations and regulatory requirements

2.5 Legal and Compliance

  • Enforcing our Terms of Service and other agreements
  • Complying with legal obligations and court orders
  • Responding to lawful requests from authorities
  • Protecting our rights, property, and safety
  • Resolving disputes and addressing complaints

3. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information to third parties. We may share your information in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Financial data aggregation services (e.g., Plaid, Yodlee)
  • Cloud hosting and storage providers (e.g., AWS, Google Cloud)
  • Authentication services (e.g., Firebase)
  • Analytics and monitoring services
  • Customer support platforms
  • Email and communication services
  • Payment processors (if applicable)

These service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed.

3.2 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, warrants)
  • Government or regulatory requests
  • Law enforcement investigations
  • National security requirements

3.4 Protection of Rights

We may disclose information to:

  • Protect the rights, property, or safety of the Company, users, or others
  • Enforce our Terms of Service
  • Prevent fraud or illegal activities
  • Respond to emergency situations

3.5 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, marketing, analytics, or other purposes.

4. DATA SECURITY

We implement industry-standard security measures to protect your information:

4.1 Technical Safeguards

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Secure authentication protocols (OAuth 2.0, JWTs)
  • Password hashing using industry-standard algorithms (bcrypt)
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems
  • Firewall protection and DDoS mitigation

4.2 Organizational Safeguards

  • Access controls and role-based permissions
  • Employee training on data protection and privacy
  • Confidentiality agreements with employees and contractors
  • Incident response and data breach procedures
  • Regular backups and disaster recovery plans

4.3 Security Limitations

While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the security of your account credentials and for all activities under your account.

5. DATA RETENTION

We retain your information for as long as necessary to:

  • Provide the Platform and fulfill the purposes described in this Privacy Policy
  • Comply with legal, tax, accounting, and regulatory obligations
  • Resolve disputes and enforce our agreements
  • Maintain business records and analytics

When information is no longer necessary, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws. Some information may be retained in backup systems for a limited period.

6. YOUR PRIVACY RIGHTS

Depending on your location, you may have certain rights regarding your personal information:

6.1 General Rights

  • Access: Request access to your personal information
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (subject to legal exceptions)
  • Portability: Request a copy of your information in a structured, machine-readable format
  • Opt-out: Opt out of marketing communications
  • Object: Object to certain processing of your information

6.2 California Residents (CCPA/CPRA Rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request information about the categories and specific pieces of personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit: Limit use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

6.3 European Residents (GDPR Rights)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

  • Right of Access: Obtain confirmation of processing and access to personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of personal data ("right to be forgotten")
  • Right to Restriction: Request restriction of processing
  • Right to Data Portability: Receive personal data in a portable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

6.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@openwealth.ai. We will respond to your request within the timeframes required by applicable law (typically 30-45 days). We may need to verify your identity before processing your request.

7. CHILDREN'S PRIVACY

The Platform is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 18, we will delete that information promptly.

8. INTERNATIONAL DATA TRANSFERS

We are based in the United States, and your information will be processed and stored in the United States. If you are located outside the United States, please note that the United States may not provide the same level of data protection as your jurisdiction.

For transfers from the EEA, UK, or Switzerland, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

By using the Platform, you consent to the transfer of your information to the United States and other countries where we operate.

9. THIRD-PARTY SERVICES AND LINKS

The Platform may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you use.

When you connect your financial accounts through third-party aggregation services (such as Plaid), those services' privacy policies also apply to the information they collect.

10. DO NOT TRACK SIGNALS

Some web browsers have a "Do Not Track" (DNT) feature that signals to the websites you visit that you do not want to be tracked. The Platform currently does not respond to DNT signals. However, you can control cookies and tracking through your browser settings and our cookie preferences tool.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on the Platform with a new "Last Updated" date
  • Sending an email notification to the address associated with your account
  • Displaying a prominent notice on the Platform

Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you should stop using the Platform and close your account.

12. GRAMM-LEACH-BLILEY ACT (GLBA) COMPLIANCE

While we are not currently required to register as a financial institution under the Gramm-Leach-Bliley Act (GLBA), we voluntarily adopt many of its privacy and security standards as best practices:

  • We do not share nonpublic personal information with non-affiliated third parties for marketing purposes
  • We maintain administrative, technical, and physical safeguards to protect customer information
  • We limit access to information to those who need it to provide services
  • We provide clear privacy notices and disclosures

13. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

ACO TECH SOLUTIONS LLC

Privacy Officer

Email: privacy@openwealth.ai

Website: www.openwealth.ai

For California residents exercising CCPA rights:

Email: privacy@openwealth.ai

Subject Line: "California Privacy Rights Request"

For European residents exercising GDPR rights or lodging complaints:

Email: dpo@openwealth.ai

Data Protection Officer

14. CONSENT

BY USING THE OPENWEALTH PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, DISCLOSURE, AND PROCESSING OF YOUR INFORMATION AS DESCRIBED HEREIN.