Privacy

1. Controller; Contact

General Wealth Inc. is the data controller for personal data collected through the Service, unless otherwise agreed in writing. Privacy contact: Legal Department, General Wealth Inc., 228 Park Ave S PMB 933875, New York, NY 10003-1502, USA; legal@monty.tax. If you are a data subject in the EU/UK and require a DPA or have transfer-specific questions, contact the address above.

2. What We Collect

We collect only the data necessary to provide and improve the Service, and to comply with legal obligations. Categories include but are not limited to:

• Account information: name, email, business name, entity type, role/title, billing info.
• Financial data (via integrations): transaction histories, merchant names, amounts, dates, account metadata obtained from third-party connectors such as Teller or Plaid.
• Transaction evidence (via Google integration): calendar metadata (meeting titles, attendees, locations, timestamps) and Gmail headers/metadata (subject lines, sender/recipient headers) to identify receipts and invoices.
• User-provided business data: workspace/home-office square footage, business vehicle usage, and other information you voluntarily provide.
• Usage and diagnostics: logs, device information, IP address, and analytics needed to operate, secure, and improve the Service.

We do not collect or process content of personal emails or non-business calendar entries except where you explicitly grant permission for a specific purpose (for example, support troubleshooting).

3. How We Use Personal Data (Purposes and Legal Bases)

We use personal data only for specified, legitimate purposes:

• To provide the Service: ingesting and organizing transaction and evidence data, automated categorization, receipt matching, and preparing the Tax Package. (Legal basis: performance of contract.)
• Verification and audit substantiation: cross-referencing calendar metadata and email headers with transactions to provide explainable evidence for business expenses. (Legal basis: legitimate interests - to maintain product integrity and help you substantiate business expenses.)
• Product improvement and research: aggregated, pseudonymized or de-identified data for improving Intelligent Grouping algorithms.
• Customer support and troubleshooting: with your consent or as necessary to resolve issues.
• Legal compliance and safety: to meet legal obligations and protect the rights, property or safety of Monty and its users.

If you are in the EU/EEA/UK and believe a different legal basis is required for a particular processing activity, please contact us for the applicable DPA or additional information.

4. Google API Limited Use and Related Promises

When you connect Google via Composio, Monty uses only the data necessary for the Service and complies with Google's API Services User Data Policy, including Limited Use restrictions. We will not use Google data for advertising, remarketing, or profiling for third-party ad targeting. Human access to Gmail content or Calendar content is not permitted except when you explicitly grant access for a narrow troubleshooting purpose. For technical details, please consult Google's developer policy.

5. Sharing and Disclosure

We do not sell personal data. We may share data with:

• Financial Data Providers: Monty uses Plaid Inc. ("Plaid") to gather your data from financial institutions. By using the Service, you grant Monty the right, power, and authority to act on your behalf to access and transmit your personal and financial information from your relevant financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with Plaid's Privacy Policy.
• Your designees: if you export and choose to share your Tax Package with a tax professional, CPA, or other third party, you control that transfer.
• Legal and safety disclosures: where required by law (subpoena, court order), to respond to government requests, or to protect safety and enforce our Terms.
• Corporate transactions: in connection with a merger, acquisition, sale of assets, or financing, but only subject to confidentiality and buyer obligations to honor privacy commitments.

6. International Transfers and Safeguards

Monty is based in the United States and processes data in the U.S. Transfers from the EEA/UK to the U.S. are effectuated under appropriate safeguards (for example, Standard Contractual Clauses or UK IDTA/appropriate agreements when required) or other lawful mechanisms. We review transfer obligations regularly and implement required supplemental measures where applicable. See ICO guidance for international transfers and safeguards.

7. Retention and Deletion

Retention while active: We retain User Data for as long as your account is active so you can access multi-year comparisons and records. Retention periods are documented in our internal retention schedule and justified per data category.

Account deletion: If you request deletion or delete your account, we will purge personal and financial data from our primary production systems within seven (7) days.

Backups: Encrypted backups may retain data for a limited period (typically up to 30 days) after deletion before being overwritten or destroyed according to our lifecycle policy. We will provide reasonable information about retention timelines on request.

We will not retain data longer than necessary and maintain a documented retention schedule for each category of personal data.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Measures include: encryption at rest (AES-256) and in transit (TLS 1.2+; TLS 1.3 where supported), access controls and least-privilege, employee security training, and vendor security assessments (including SOC 2 reviews where available). We perform regular security reviews and penetration testing.

If we determine a security incident has affected your personal data, we will notify you and regulators as required by law without undue delay and in accordance with applicable breach-notification obligations.

9. Your Rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, restriction or objection to processing, data portability, and withdrawal of consent where processing is based on consent.

In California: rights under the CCPA/CPRA (right to know, delete, correct, opt-out of sale/sharing) - Monty does not sell personal information. For California privacy rights and to submit a request, use legal@monty.tax or the web form (if available).

To exercise rights, contact legal@monty.tax. We will respond within applicable legal timeframes (generally 30 days; we may extend once for complex requests with notice). If you are not satisfied, you may lodge a complaint with your supervisory authority (EU/UK) or appropriate state regulator.

10. Minors

The Service is intended for business users and does not knowingly collect information from children under the age of 16 (or higher minimum age required by local law). If we learn that a minor's personal data has been provided without necessary parental/guardian consent, we will delete that data.

11. Third-Party Links and Third-Party Policies

The Service may contain links to third-party sites or services. We are not responsible for third-party privacy practices; please review their policies before sharing personal information.

12. Changes to This Policy

We may update this Policy to reflect changes in law, regulation, or our processing practices. For material changes we will provide notice (for example, email or in-app notice) before the change takes effect. Continued use after such notice constitutes acceptance.

13. Additional Legal and Regulatory Notes

We comply with applicable requirements for international transfers and maintain appropriate contractual safeguards (SCCs/IDTA) where required. See ICO guidance on international transfers for details. Because U.S. state privacy laws are evolving, we continuously monitor legal developments (including new state laws and enforcement trends) and may update our practices accordingly. Recent developments in state privacy law underscore the need for documented minimization and retention practices.

14. Contact and Complaints

For privacy requests, DPA requests, data transfers questions, or complaints: legal@monty.tax or postal mail to the address in Section 1.