Effective date: [TO BE SET ON LAUNCH, PLACEHOLDER]. Version: V1 (Friends-and-Family Beta). Status: AI-drafted, pending bar-admitted counsel review before public launch.
Friends-and-family beta. This Privacy Policy governs limited pre-launch use of SharedAnchor. SharedAnchor will publish a counsel-reviewed Privacy Policy before opening signups to the general public.
This Privacy Policy ("Policy") explains how SharedAnchor, Inc. ("SharedAnchor," "we," "our," or "us") collects, uses, discloses, and retains personal information when you use the SharedAnchor web application at app.sharedanchor.com and the SharedAnchor iOS and Android mobile apps (collectively, the "Service").
This Policy applies to individuals who create accounts or use the Service. SharedAnchor is available only to individuals who are at least 18 years of age and reside in the United States.
The current version of SharedAnchor is a limited pre-launch beta available by invitation. This Policy reflects the features and data practices active at the time of writing. Features and data practices may change before general availability; material changes will be communicated as described in Section 14.
SharedAnchor is a co-parenting financial record-keeping platform. SharedAnchor does not hold, transmit, transfer, escrow, settle, or take custody of user funds at any time. SharedAnchor is not a bank, money transmitter, money services business, payment processor, or escrow agent.
For subscription billing, SharedAnchor uses Stripe, Inc. Stripe stores the subscribing co-parent's payment card details. SharedAnchor receives and stores only the card brand (for example, Visa) and last four digits for display purposes. SharedAnchor does not receive or store card numbers, expiration dates, or CVVs.
SharedAnchor does not collect:
SharedAnchor uses the information it collects for the following purposes only:
SharedAnchor does not use your personal information for targeted advertising, behavioral profiling, cross-context behavioral advertising, or to train SharedAnchor's AI models. SharedAnchor's AI subprocessors are engaged on commercial terms that do not use your content to train their models, as further described in Section 6.
SharedAnchor applies the following structural privacy and safety protections to every account, regardless of whether you have enabled additional safety settings:
These same protections are stated in our Terms of Service Section 7.
SharedAnchor uses the following third-party service providers to operate the Service. Each subprocessor handles data under its own terms and privacy policy.
Active at launch:
| Subprocessor | Role | Data sent |
|---|---|---|
| Stripe, Inc. | Subscription billing and payment card storage | Subscriber email, billing address, and payment card details (card data is stored by Stripe; SharedAnchor does not receive or store card numbers) |
| Railway | Application, database (PostgreSQL), and Redis hosting (US) | All application data at rest and in transit, hosted in US regions |
| Cloudflare R2 | Receipt and PDF object storage (encrypted at rest) | Uploaded receipt files and generated PDF exports |
| Resend | Transactional email delivery | Recipient email address and message body for account, billing, and notification emails |
| Sentry | Error tracking (user-identifying content excluded from error payloads) | Stack traces, error metadata, and account UUID. Payment amounts, names, and message content are excluded |
| BetterStack | Logs and uptime monitoring (payment amounts and names excluded from logs) | Request logs and uptime probes |
| Vercel | Static asset hosting | Web app static assets; request metadata for page loads |
| Anthropic (Claude) | AI assistant features, where enabled (messages are not used to train AI models) | Text of your messages to the AI assistant and SharedAnchor's AI responses |
| Google (Gemini) | AI features, where enabled (subject to Google's data-use terms) | Receipt images (photos or PDFs of receipts) submitted for OCR text extraction |

Deferred, not active at launch:
| Subprocessor | Role | Data sent |
|---|---|---|
| Twilio | SMS alerts (activation planned at 100+ co-parent pairs; not active in beta) | Not active in beta. When activated: recipient phone number and short message body |

SharedAnchor will update this list when subprocessors are added or removed. Material changes will be communicated in accordance with Section 14 (Changes to This Privacy Policy).
SharedAnchor does not sell your personal information. SharedAnchor does not share your personal information for cross-context behavioral advertising.
SharedAnchor may disclose your personal information to law enforcement, government agencies, or other third parties when required to do so by law, subpoena, court order, or other legal process, or when SharedAnchor in good faith believes disclosure is necessary to protect SharedAnchor's legal rights, to protect the safety of any person, or to prevent illegal activity. SharedAnchor will attempt to notify you of such requests to the extent permitted by law.
If SharedAnchor is involved in a merger, acquisition, reorganization, sale of assets, or similar transaction, your personal information may be transferred as part of that transaction. SharedAnchor will notify you before your personal information is transferred and becomes subject to a different privacy policy.
SharedAnchor uses two separate third-party AI providers for distinct purposes.
When you use the SharedAnchor AI assistant, the text of your messages and SharedAnchor's responses are sent to Anthropic, our AI subprocessor, so Anthropic can generate replies. Under Anthropic's commercial API terms, these messages are not used to train Anthropic's AI models. SharedAnchor does not send your receipt images, expense records, or custody-calendar data to Anthropic except as text content you choose to include in a message.
AI conversation content is retained only as long as needed to operate the conversation.
Your AI chat history and activity are private to you. SharedAnchor does not share one co-parent's AI conversations or AI activity with the other co-parent, and does not use one co-parent's AI history to personalize the other co-parent's experience.
AI suggestions are generated by software and may be incomplete or inaccurate. The AI assistant does not provide legal, tax, financial, medical, or safety advice, and does not create any professional or advisory relationship between you and SharedAnchor.
When you upload a receipt photo or PDF, SharedAnchor sends the image to Google Gemini, our OCR subprocessor, to extract merchant, date, total, and line-item text. Google's handling of the image is subject to Google's Gemini API terms; SharedAnchor does not control how Google retains or uses the image beyond what those terms permit. The text Gemini extracts is shown to you as a draft pre-fill; SharedAnchor does not write the extracted text to the append-only ledger until you accept the draft.
The receipt image itself continues to be stored in Cloudflare R2, encrypted at rest. If you do not want a particular receipt processed by a third-party AI provider, do not attach that receipt; expenses can be recorded without an attached receipt.
SharedAnchor does not collect, store, or process your bank credentials, bank account or routing numbers, Venmo login credentials, Venmo balances, or Venmo transaction history. When you use "Pay via Venmo," SharedAnchor opens the Venmo app or website with a pre-filled recipient handle, amount, and memo; the payment itself happens entirely inside Venmo under Venmo's own terms and privacy policy. SharedAnchor receives no confirmation back from Venmo. The only payment information SharedAnchor stores is what you and your co-parent type into SharedAnchor: the external payment record (amount, date, memo, recipient handle) and any confirmation or dispute event either of you submits. Subscription billing is separate: Stripe stores the subscribing co-parent's payment card information for the $7/month pair subscription. See Terms of Service Sections 4 and 5 for the full payment-role disclosure.
SharedAnchor's financial and custody records, including expenses, external payment records, custody schedules, day overrides, swap requests, and related events, are stored as append-only records. SharedAnchor does not update or delete these records once created. Corrections and amendments are made by appending new entries that supersede earlier entries; the original entry remains in the ledger.
Each legal-fact record carries a SHA-256 hash of the prior record in its table, forming a continuous hash chain. A daily Merkle root is computed at 00:05 UTC and recorded to provide a tamper-evident snapshot of the ledger at that point in time. SharedAnchor makes no representation that this structure makes records "court-admissible"; admissibility is determined by the rules of evidence applicable in your jurisdiction.
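The structure described above, as an added illustration that is not SharedAnchor's code: an append-only table where each record carries the SHA-256 hash of the prior record, plus a Merkle root over the table, and what each one detects when a record is edited in place. The record layout, canonical-JSON serialization, all-zero genesis value, and odd-node promotion in the tree are assumptions.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumption: prev_hash carried by the first record in a table

def record_hash(rec):
    # Assumption: a record is hashed as canonical JSON (sorted keys, no whitespace).
    data = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(ledger, payload, supersedes=None):
    """Append-only write; a correction is a new entry naming the seq it supersedes."""
    prev = record_hash(ledger[-1]) if ledger else GENESIS
    rec = {"seq": len(ledger), "prev_hash": prev, "supersedes": supersedes, "payload": payload}
    ledger.append(rec)
    return rec

def verify_chain(ledger):
    """Return the seq of the first record whose prev_hash does not match, else None."""
    prev = GENESIS
    for rec in ledger:
        if rec["prev_hash"] != prev:
            return rec["seq"]
        prev = record_hash(rec)
    return None

def merkle_root(ledger):
    """Merkle root over record hashes; an unpaired node is promoted unchanged (assumption)."""
    level = [bytes.fromhex(record_hash(r)) for r in ledger]
    if not level:
        return GENESIS
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        level = [hashlib.sha256(b"".join(p)).digest() if len(p) == 2 else p[0] for p in pairs]
    return level[0].hex()

def demo():
    ledger = []  # constructed sample records
    append(ledger, {"type": "expense", "amount_cents": 4200, "memo": "school supplies"})
    append(ledger, {"type": "expense", "amount_cents": 1500, "memo": "field trip"})
    append(ledger, {"type": "expense", "amount_cents": 4500, "memo": "school supplies"}, supersedes=0)
    root = merkle_root(ledger)                   # snapshot, as a daily root would be
    clean = verify_chain(ledger)
    ledger[2]["payload"]["amount_cents"] = 1     # edit the newest record: no successor links to it
    tail_chain, tail_root_changed = verify_chain(ledger), merkle_root(ledger) != root
    ledger[0]["payload"]["amount_cents"] = 1     # edit an older record: its successor's link breaks
    return clean, tail_chain, tail_root_changed, verify_chain(ledger)
```

The chain alone cannot flag an edit to the most recent record, because nothing links to it yet; the recorded root covers that case.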
For records that are part of SharedAnchor's append-only legal-fact ledger (expenses, external payment records, custody schedules, day overrides, swap requests, and related events), correction is performed by appending a new entry that supersedes the original; the original entry is preserved.
Account-level data (your email address, display name, password hash, and device tokens) is deleted when you request deletion of your account, as described in Section 9.
Append-only legal-fact ledger records may be retained, in a form stripped of direct identifiers to the extent feasible, for up to six years following the date the record was created. Deletion of these records is constrained by the legal-retention exception in California Civil Code §1798.105(d)(1) (transaction completion), §1798.105(d)(3) (security and fraud detection), and §1798.105(d)(5) (legal obligation). This carve-out is required to preserve the integrity of the SHA-256 hash chain and the daily Merkle root. Retained records are stripped of direct identifiers (name, email, and other direct identifiers) to the extent feasible, consistent with the SHA-256 hash-chain integrity requirements described in Terms of Service Section 6.
If you are a California resident, you have the following rights regarding your personal information:
To exercise any of these rights, email privacy@sharedanchor.com. We will respond within 45 days as required by California law. You may also designate an authorized agent to make a request on your behalf; we will require reasonable verification of the agent's authority.
SharedAnchor does not collect sensitive personal information as defined under the California Privacy Rights Act.
SharedAnchor collects only a child's first name and birth year when you add a child to your co-parenting record. SharedAnchor does not collect a child's full date of birth, Social Security number, school name, address, or photograph. Birth year is collected at year granularity only; no more granular date is stored.
SharedAnchor is not directed at children under 13 and does not knowingly collect personal information directly from children under 13. The Service is available only to individuals who are at least 18 years of age. SharedAnchor's data collection practices regarding children's information are structured to remain below the COPPA collection floor.
If you believe SharedAnchor has inadvertently collected personal information from a child under 13, please contact us at privacy@sharedanchor.com and we will delete it promptly.
SharedAnchor takes reasonable technical and organizational measures to protect your personal information, including:
No security measure is perfect or impenetrable. SharedAnchor cannot guarantee that unauthorized third parties will never be able to defeat these measures. In the event of a data security incident, SharedAnchor will notify affected users as required by applicable state law.
SharedAnchor uses session cookies that are strictly necessary for authentication and maintaining your logged-in state. These cookies are not used for advertising.
SharedAnchor does not deploy third-party advertising trackers, social media pixels, or cross-site analytics at launch. Sentry and BetterStack, disclosed in Section 5, receive limited technical metadata (error events and uptime probe results) for service reliability purposes.
SharedAnchor does not use cookies to build behavioral profiles or to serve targeted advertising.
SharedAnchor's services are operated and hosted in the United States. If you access the Service from outside the United States, your personal information will be transferred to, processed, and stored in the United States. By using the Service, you consent to the transfer of your personal information to the United States. SharedAnchor is not currently offered in the European Union or United Kingdom.
SharedAnchor may update this Policy from time to time. When we do, we will post the updated Policy at app.sharedanchor.com/privacy and update the Effective Date at the top of this document. For material changes, we will provide additional notice by email to your registered address.
Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you must stop using the Service and close your account before the effective date.
Privacy and data-rights requests: privacy@sharedanchor.com
Support and account matters: support@sharedanchor.com
SharedAnchor, Inc. Mailing address available upon written request to support@sharedanchor.com.
Last updated: April 2026