Nuviter Privacy Policy

Effective Date: December 16, 2025

This Privacy Policy explains how Nuviter LLC ("Nuviter," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use the Nuviter mobile application, website, and related services (collectively, the "Services").

1) Information We Collect

1.1 Information You Provide

We may collect information you provide directly, including:

  • Account information (name, email address, login credentials)

  • Profile information (username, preferences)

  • Communications with us (support requests, feedback)

  • User-generated content (group posts, comments)

1.2 Financial & Portfolio Data (via Third Parties)

If you choose to connect a brokerage account, we may receive financial information through third-party providers such as SnapTrade, including:

  • Account identifiers

  • Holdings, balances, and positions

  • Transaction history

  • Portfolio performance data

We do not receive or store your brokerage login credentials.

1.3 Automatically Collected Information

We may automatically collect:

  • Device identifiers

  • App usage data

  • IP address

  • Crash logs and diagnostics

2) How We Use Information

We use information to:

  • Provide and operate the Services

  • Display portfolio analytics and research tools

  • Generate AI-assisted summaries and insights

  • Facilitate community features

  • Improve functionality and user experience

  • Comply with legal obligations

We do not sell your personal information.

3) AI & Automated Processing

We may use automated systems and AI models to analyze data and generate educational content. AI outputs are informational only and may be inaccurate or incomplete. Human review is not guaranteed.

4) Sharing & Disclosure of Information

We may share information:

  • With service providers (e.g., SnapTrade, cloud hosting, analytics)

  • When required by law or legal process

  • To protect rights, safety, or prevent fraud

  • In connection with a merger, acquisition, or asset sale

Third-party providers are authorized to use data only as necessary to provide their services.

5) Data Retention

We retain personal information only as long as necessary to provide the Services, comply with legal obligations, or resolve disputes. You may request deletion of your account subject to legal requirements.

6) Security

We implement reasonable administrative, technical, and organizational safeguards to protect information. However, no system is completely secure and we cannot guarantee absolute security.

7) Your Rights & Choices

Depending on your location, you may have rights to:

  • Access or update your information

  • Request deletion of your data

  • Withdraw consent for data processing

Requests may be made by contacting us.

8) Third-Party Services

The Services integrate with third-party providers (including brokerages). Their use of your data is governed by their own privacy policies and terms. We are not responsible for third-party practices.

9) Children’s Privacy

The Services are not intended for children under 13. We do not knowingly collect personal data from children.

10) Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Services or by email.

11) Contact Us

Nuviter LLC
6910 MS Highway 389
Email: legal@nuviter.com

Important Notice: Nuviter is a technology platform and not a financial institution, broker-dealer, or investment adviser. Portfolio data is provided by third-party services and may be inaccurate or delayed.

Nuviter Privacy Policy

NEW PRIVACY POLICY BECOMING EFFECTIVE WITH NEXT APP UPDATE

Effective Date: 05/18/2026

Last Updated: 05/18/2026

Nuviter, Inc. or Nuviter LLC, as applicable (“Nuviter,” “we,” “us,” or “our”), provides a personal finance application that helps users track accounts, transactions, investments, budgets, goals, forecasts, and related financial insights.

This Privacy Policy explains how we collect, use, disclose, retain, and protect information when you use Nuviter’s website, mobile application, backend services, and related products.

1. Information We Collect

We collect information you provide directly, information generated through your use of Nuviter, and information you authorize us to receive from third-party financial data providers such as Plaid.

Account Information

We may collect:

  • Name

  • Email address

  • Username

  • Profile photo

  • Authentication identifiers

  • Subscription or billing status

  • App preferences and settings

Financial Account Information

If you connect financial accounts through Plaid or another authorized data provider, we may receive read-only financial data, including:

  • Account names, types, subtypes, masks, and balances

  • Transaction history, dates, descriptions, merchants, categories, and amounts

  • Investment account information

  • Investment holdings, securities, quantities, prices, cost basis, and values

  • Investment transactions such as buys, sells, dividends, fees, and transfers

  • Liability information such as credit cards, loans, mortgages, balances, rates, and repayment details

  • Institution names and connection metadata

Nuviter does not receive your bank login credentials from you. Financial account connections are handled through third-party providers such as Plaid.

Usage and Device Information

We may collect:

  • Device type and operating system

  • App version

  • IP address

  • Log data

  • Crash reports

  • Feature usage

  • Performance diagnostics

  • Approximate location derived from IP address

User-Generated Information

You may provide:

  • Budgets

  • Goals

  • Notes

  • Categories

  • Watchlists

  • Portfolio preferences

  • Financial planning assumptions

  • Other information you enter into the app

2. How We Use Information

We use information to:

  • Provide and operate Nuviter

  • Connect and sync read-only financial account data

  • Display balances, holdings, transactions, budgets, and goals

  • Generate financial insights, summaries, forecasts, and analytics

  • Improve categorization and personalization

  • Maintain account security

  • Detect fraud, abuse, bugs, and service issues

  • Provide customer support

  • Manage subscriptions and account status

  • Comply with legal, regulatory, and contractual obligations

  • Improve our products and develop new features

We do not use connected financial account data to initiate payments, move money, trade securities, or transfer assets unless we separately disclose and obtain authorization for such features.

3. Read-Only Financial Access

Nuviter is designed to use connected financial data on a read-only basis.

This means:

  • We use financial data to show your financial picture and provide insights.

  • We do not initiate bank transfers.

  • We do not initiate investment trades.

  • We do not move money between accounts.

  • We do not change your external financial accounts.

If Nuviter later adds any money movement, brokerage transfer, payment, or trading functionality, we will provide additional disclosures and request separate authorization.

4. Plaid and Financial Data Providers

Nuviter may use Plaid or similar providers to let you connect financial accounts. When you connect an account, you authorize the provider to access and share selected financial data with Nuviter.

Your use of Plaid may also be subject to Plaid’s own privacy policy and terms. You can learn more at Plaid’s Privacy Policy.

You may disconnect linked financial accounts through Nuviter or, where supported, through your financial institution or Plaid.

5. How We Share Information

We do not sell your personal financial data.

We may share information with:

  • Service providers that host, secure, analyze, or support Nuviter

  • Financial data providers such as Plaid

  • Authentication and cloud infrastructure providers

  • Payment processors for subscription billing

  • Analytics and diagnostics providers

  • Legal, compliance, or security advisors

  • Government authorities when required by law

  • Successors in a merger, acquisition, financing, or sale of assets

Service providers are only permitted to use information as needed to provide services to us and must protect the information appropriately.

6. No Sale of Personal Financial Data

We do not sell your connected financial account data, transaction history, investment holdings, or liability data to advertisers, data brokers, or unaffiliated third parties.

We do not use your connected financial account data for third-party behavioral advertising.

7. Data Retention

We retain information for as long as reasonably necessary to:

  • Provide Nuviter

  • Maintain your account

  • Sync connected financial data

  • Comply with legal obligations

  • Resolve disputes

  • Enforce agreements

  • Maintain security and audit records

When you disconnect a financial account, we will stop future syncing for that account. We may retain historical app data unless you request deletion or unless deletion is required by law.

When you delete your Nuviter account, we will delete or de-identify personal information unless retention is required for legal, security, fraud prevention, accounting, or compliance purposes.

8. Security

We use administrative, technical, and physical safeguards designed to protect personal information.

These safeguards may include:

  • Encryption in transit

  • Encryption at rest

  • Encryption of financial access tokens

  • Server-side storage of Plaid access tokens

  • Access controls

  • Multi-factor authentication for internal systems

  • Audit logging

  • Least-privilege permissions

  • Vendor security review

  • Monitoring and incident response procedures

No security system is perfect, and we cannot guarantee absolute security.

9. Your Choices and Rights

Depending on where you live, you may have rights to:

  • Access your personal information

  • Correct inaccurate information

  • Delete your information

  • Export certain information

  • Withdraw consent

  • Disconnect linked financial accounts

  • Opt out of certain data sharing

  • Appeal a privacy request decision

To exercise these rights, contact us at:

legal@nuviter.com

We may need to verify your identity before fulfilling your request.

10. Children’s Privacy

Nuviter is not intended for children under 13, and we do not knowingly collect personal information from children under 13.

11. Financial, Investment, and Tax Disclaimer

Nuviter may provide financial insights, budgeting tools, investment analytics, projections, or educational information. Nuviter does not provide legal, tax, investment, accounting, or financial advisory services unless expressly stated in a separate agreement.

Insights and forecasts are informational only and should not be relied upon as personalized financial advice.



12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you as required by law, such as through the app, email, or website notice.

13. Contact Us

Nuviter
6910 MS Highway 389
support@nuviter.com

Nuviter Information Security Policy

Effective Date: 05/18/2026

Owner: Newt Thomas

Review Frequency: At least annually

1. Purpose

This Information Security Policy establishes Nuviter’s security program for protecting user information, financial account data, authentication data, application systems, cloud infrastructure, source code, and business operations.

The purpose of this policy is to reduce the risk of unauthorized access, disclosure, alteration, loss, misuse, or destruction of sensitive information.

2. Scope

This policy applies to:

  • Nuviter employees, contractors, and service providers

  • Nuviter applications, APIs, databases, cloud systems, and source code

  • User personal information

  • Connected financial account data

  • Plaid tokens and financial data provider credentials

  • Logs, analytics, support records, and operational data

3. Security Governance

Nuviter will designate a qualified individual responsible for overseeing the information security program.

Responsibilities include:

  • Maintaining this policy

  • Performing risk assessments

  • Reviewing access controls

  • Managing security incidents

  • Reviewing vendors

  • Coordinating remediation

  • Reporting material risks to leadership

4. Data Classification

Nuviter classifies data as follows:

Restricted Data

  • Plaid access tokens

  • Financial account data

  • Transaction history

  • Investment holdings

  • Liability data

  • Authentication secrets

  • Encryption keys

  • Government identifiers, if collected

Confidential Data

  • User profile information

  • Subscription status

  • Support requests

  • Internal business records

  • Non-public product plans

Internal Data

  • Internal documentation

  • Operational metrics

  • Non-public engineering materials

Public Data

  • Marketing content

  • Public website content

  • Published policies

Restricted Data requires the strongest controls.

5. Encryption

Nuviter will use encryption to protect sensitive information.

Minimum requirements:

  • TLS for data in transit

  • Encryption at rest for databases and storage

  • Encrypted Plaid access tokens

  • Encryption keys managed separately from encrypted data

  • Cloud KMS or equivalent key management for sensitive credentials

  • No financial access tokens stored in plaintext

  • No secrets committed to source code

Plaid access tokens must be decrypted only inside trusted backend services and only for the time needed to call Plaid.

6. Access Control

Nuviter follows least-privilege access.

Requirements:

  • Access granted only when needed for job responsibilities

  • Administrative access limited to authorized personnel

  • Multi-factor authentication required for production systems

  • Shared accounts prohibited where technically feasible

  • Production database access restricted and logged

  • Access reviewed at least quarterly

  • Access removed promptly when no longer needed

7. Plaid Token Handling

Plaid access tokens are highly sensitive and must be handled as Restricted Data.

Rules:

  • Never expose Plaid access tokens to the mobile app

  • Never log Plaid access tokens

  • Never store Plaid access tokens in plaintext

  • Never send Plaid access tokens to analytics tools

  • Store tokens encrypted using KMS-backed encryption

  • Decrypt tokens only server-side

  • Revoke or remove Plaid Items when users disconnect accounts

  • Separate sandbox, development, and production credentials

8. Application Security

Nuviter will maintain secure development practices, including:

  • Code review for security-sensitive changes

  • Dependency updates

  • Secret scanning

  • Input validation

  • Authentication and authorization checks

  • Server-side enforcement of user ownership

  • Secure API design

  • Rate limiting where appropriate

  • Error handling that avoids leaking sensitive data

Client apps must not be trusted to enforce access control. Backend services must verify authorization.

9. Firestore and Database Security

Financial data stored in databases must be user-scoped.

Requirements:

  • Users may only access their own data

  • Client writes to Plaid-synced financial data should be disabled or tightly controlled

  • Backend services perform financial data syncs

  • Security rules reviewed before release

  • Sensitive fields excluded from logs and analytics

  • Production data access audited

10. Logging and Monitoring

Nuviter will maintain logs needed for security, reliability, and compliance.

Logs must not include:

  • Plaid access tokens

  • Bank credentials

  • Full financial account numbers

  • Raw secrets

  • Encryption keys

  • Sensitive personal information unless strictly necessary

Security events may include:

  • Login events

  • Failed authentication attempts

  • Account connection events

  • Account disconnection events

  • Privileged access

  • Token decryption events

  • Administrative actions

  • Suspicious activity

11. Vendor Management

Nuviter will evaluate vendors that access, process, store, or transmit sensitive information.

Vendor review may include:

  • Security documentation

  • Privacy policy

  • Data processing terms

  • Compliance posture

  • Breach notification commitments

  • Access controls

  • Encryption practices

Critical vendors may include:

  • Plaid

  • Firebase / Google Cloud

  • Payment processors

  • Analytics providers

  • Crash reporting providers

  • Email providers

12. Incident Response

Nuviter will maintain an incident response process for suspected or confirmed security incidents.

The process includes:

  • Identification

  • Containment

  • Investigation

  • Eradication

  • Recovery

  • User notification when required

  • Regulatory notification when required

  • Post-incident review

Potential incidents include:

  • Unauthorized access to user data

  • Exposure of Plaid tokens

  • Misconfigured database rules

  • Lost or compromised credentials

  • Malware or account compromise

  • Unauthorized production access

13. Data Retention and Disposal

Nuviter will retain sensitive information only as long as needed for business, legal, security, and compliance purposes.

When data is no longer needed, Nuviter will delete, de-identify, or securely dispose of it.

When a user disconnects a financial account, Nuviter will stop future syncing. When a user deletes their account, Nuviter will delete or de-identify personal data unless retention is legally or operationally required.

14. Employee and Contractor Security

Employees and contractors with access to sensitive systems must:

  • Use strong authentication

  • Protect devices

  • Avoid storing sensitive data locally

  • Report suspected incidents promptly

  • Follow least-privilege practices

  • Protect confidential company and user information

15. Business Continuity

Nuviter will maintain reasonable backup, recovery, and continuity practices for critical systems.

Backups containing sensitive data must be protected with appropriate access controls and encryption.

16. Policy Review

This policy will be reviewed at least annually and after significant changes to:

  • Product functionality

  • Data collected

  • Infrastructure

  • Vendors

  • Legal requirements

  • Security incidents