Privacy Policy

Effective 2026-07-18 ยท Applies to the Steward iOS app (bundle com.sullyk.steward) and this website.

This is written to be read, not skimmed past. It says plainly what data the app touches, what a third party (Plaid) necessarily sees to link your bank, and what never leaves your phone.

Categorization and chat run on your iPhone. No OpenAI, no Gemini, no third-party AI API โ€” ever. Your questions about your money are never sent anywhere.

The short version

โœ…

No account, no login, no password

Steward has no user accounts and no servers that identify you. There is nothing to breach because there is nothing stored about you off your device.

โœ…

The AI never phones home

Categorization, chat, and your weekly digest all run in an on-device model (Gemma-class, via LiteRT-LM) on your iPhone. We don't operate any AI servers, so there is nowhere for your questions or transactions to go.

โš ๏ธ

Transactions do transit Plaid

Linking a bank means Plaid fetches your transactions and delivers them to your phone โ€” that is how bank linking works industry-wide, and we won't claim otherwise.

โœ…

No analytics, no ad tracking, no tracking SDKs

v1 ships with zero analytics or crash-reporting SDKs. App Tracking Transparency (ATT): none โ€” we don't request tracking permission because we don't track.

โœ…

Nothing is ever sold

Your data is never sold, rented, or used to train any model, ours or anyone else's. Our business model is your subscription, not your data.

What data the app touches, and where it goes

This table mirrors the privacy "nutrition label" Steward declares to Apple. It lists every category of data the app could touch, and states plainly what happens to it.

Data typeWhat we doWhy
Financial info (transactions, balances, account details) Not collected by us Transactions travel bank โ†’ Plaid โ†’ your phone. Our token-exchange backend is stateless: it holds a Plaid access token only for the duration of a single request and stores nothing โ€” no database, no logs of your financial data. Plaid itself processes this data under its own privacy policy as our service provider (see below) โ€” that's the one honest caveat in "not collected."
Bank login / credentials Never touches Steward You authenticate inside Plaid's own secure Link flow. Your bank username and password are never visible to, or transmitted through, our app or backend.
Chat questions / AI content Not collected Inference runs on-device (LiteRT-LM). Your questions about your spending never leave your iPhone, in any build.
Identifiers, usage data, diagnostics, analytics Not collected No analytics SDK and no crash reporter ship in v1. If that ever changes, this policy and the App Store label change with it, first.
Contact info (name, email, phone) Not collected There is no account system. Nothing to sign up for beyond your device passcode.
Purchases / subscription status Handled by Apple Subscriptions run entirely through StoreKit. Apple processes payment and manages your receipt; the app only reads your entitlement status on-device to unlock features.
AI model download No personal data sent A one-time ~2.4 GB model file is fetched from a public model host. The request that fetches it contains no data about you or your finances.

What Plaid does

Plaid is the connector Steward uses to link your bank โ€” the same one used by Venmo, Chime, and most U.S. fintech apps. When you link an account:

This is the one place in Steward's story where "your data never leaves your phone" would be dishonest. Bank linking requires a data path through a connector โ€” Plaid is that path, once, on the way in. Nothing about your transactions goes anywhere else after that.

What "on-device AI" actually means

Steward downloads a compact open-weights language model (Gemma-class, ~2.4 GB) once, over Wi-Fi, and runs it locally using Apple's on-device inference (LiteRT-LM). Concretely:

Data retention and deletion

Your transactions, categories, rules, and chat history are stored in a local database on your iPhone only. You can delete everything โ€” the full local database, back to a blank slate โ€” at any time from Settings. Because we don't hold a copy anywhere else, deleting it on your phone is the entire deletion: there is no server-side copy to separately request removal of.

Tracking & advertising

Steward does not use advertising, does not use an ad network, and does not request App Tracking Transparency permission, because it does not track you across apps or websites. There are no third-party analytics SDKs in v1.

Children's privacy

Steward is not directed at children and is not intended for use by anyone under 17, consistent with its Finance category placement.

Changes to this policy

If Steward's architecture ever changes in a way that affects this policy โ€” for example, adding an analytics SDK or a server-side data store โ€” this page and the App Store privacy label will be updated first, and the change will be described plainly, not buried in a version bump.

Contact

Questions about this policy or your data:

me@sullyk.com