Alto (“Alto,” “we,” “our,” or “us”) respects your privacy and is committed to handling personal information responsibly and transparently. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you:
- visit our website at https://myalto.ca
- use Alto’s mobile applications and related services (together, the “Services”)
- communicate with us directly (including support, email, and community channels)
For the purposes of this Privacy Policy, “personal information” means information about an identifiable individual, as defined under applicable Canadian privacy laws. This Privacy Policy does not apply to the privacy practices of third parties you may access through or in connection with Alto (for example, your financial institution, app stores, Discord, Plaid, Stripe, or other third-party platforms), except to the extent that those third parties process personal information on our behalf as our service providers.
If you have any questions, concerns, or requests relating to this Privacy Policy, you can contact us at:
contact@myalto.ca (the “Contact Information”).
1) Quick Answers to Common Questions
Does Alto have access to my money?
No. Alto receives read-only financial data from connected institutions and integrations. Alto cannot move funds or execute transactions on your behalf.
Does Alto see or store my banking login credentials?
No. Alto does not store or retain your banking credentials. When you connect accounts using third-party providers (such as Plaid), your credentials are handled directly by those providers.
Does Alto sell my personal information?
No. We do not sell personal information.
Is my information secure?
We use technical and organizational safeguards consistent with industry standards, including encryption and access controls. No system is perfectly secure, but we design the Services with security in mind and work to protect your information.
2) What Information We Collect
We collect personal information in the following ways:
A. Information you provide directly
When you create an account, subscribe, contact support, or interact with our community, we may collect:
- name and email address
- username and profile information you provide (including community channels such as Discord, if used)
- subscription and billing details (for example, last four digits of a card and billing metadata; payment processing is handled by third-party providers such as Stripe)
- phone number (if you enable multi-factor authentication)
- data you upload or submit through the Services (including transaction files or financial entries you provide)
B. Usage and device information
When you use the Services, we may collect information about how you access and use them, including:
- log-in events and feature usage
- app interactions and settings
- device identifiers, operating system, browser type
- IP address and approximate location (derived from IP)
- diagnostic, crash, performance, and troubleshooting data
- referral/exit URLs and other technical logs
C. Information you provide through interactive features
You may provide information through interactive features we make available. If you use a feature that integrates with a third party (for example, paying for a subscription via Stripe or using community features), information may be shared between Alto and those third parties depending on the integration and your settings.
D. Financial data from third-party sources (connected accounts & wallets)
Alto allows you to connect accounts or import transaction data. Depending on the connection method, we may receive:
- transaction data (amounts, dates, merchant or description, category)
- account metadata (account name/type, balances)
- wallet metadata and holdings (for connected crypto wallets, where applicable)
We do not store banking or crypto wallet passwords. We only request and receive read-only data.
E. Other information from third-party sources
We may receive information about you from other sources, such as service providers you use to access or engage with our Services (for example, Discord or other integrations you choose). This information may include demographic information, contact information, and platform profile information, as well as technical details such as connection type, settings, operating system, browser type, IP address, device identifiers, and crash data.
F. Non-personal / aggregated information
We may generate aggregated or anonymized data that does not identify you (for example, usage metrics). We may use this information to improve Alto, analyze trends, and improve user experience.
3) Children and Age Restrictions
Alto is not intended for individuals under 18 years of age, and we do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us personal information, please contact us and we will take appropriate steps to address the issue.
4) Connected Financial Information (More Details)
Bank transaction data
If you connect financial accounts through Plaid (or another provider), Alto may receive:
- transaction details (amounts, dates, types, descriptions)
- account details (account name, type, and balance)
Crypto wallet data (if applicable)
If you connect wallet data through an API or another integration, Alto may receive:
- your integration token/key (where required to enable read-only access)
- wallet holdings and related metadata (asset types and amounts)
We use this information to provide the Services and display analytics, budgeting insights, and related features.
5) How We Use Personal Information
We use personal information to operate, maintain, and improve the Services, including to:
- create and manage your account
- provide and personalize the Services and features
- provide customer support, troubleshooting, and respond to inquiries
- process subscriptions and payments (through third-party providers)
- send important service communications (for example, security alerts, account changes, policy updates)
- improve and develop products, features, and user experience
- enforce our Terms of Service and protect the integrity of the Services
- comply with legal obligations and respond to lawful requests
- display or repost public testimonials or feedback (where appropriate)
- for any other purpose you consent to, or as otherwise permitted or required by law
6) Marketing Communications and CASL (Canada Anti-Spam Legislation)
Where required by Canada’s Anti-Spam Legislation (CASL) and other applicable laws, Alto will obtain your consent before sending you commercial electronic messages (“CEMs”), such as marketing emails or promotional messages about Alto’s products, services, offers, or updates.
We may send you CEMs in the following situations:
- Express consent: where you actively opt in (for example, by checking a box or subscribing to marketing updates); and/or
- Implied consent: where permitted by CASL (for example, where you have an existing business relationship with Alto, subject to legal time limits and other requirements)
Unsubscribe / Withdrawal of consentYou can withdraw your consent and unsubscribe from marketing communications at any time:
- by using the unsubscribe link included in our marketing emails; or
- by contacting us using the Contact Information.
We will process unsubscribe requests in accordance with CASL requirements (generally within 10 business days). Even if you unsubscribe from marketing messages, we may still send you non-promotional service communications that are necessary to administer your account or provide the Services (for example, security notifications, billing notices, or changes to our Terms or this Privacy Policy).
7) Consent and Your Choices
We generally collect, use, and disclose personal information with your consent, except where permitted or required by law. You may withdraw consent at any time (subject to legal or contractual restrictions) by contacting us using the Contact Information.
If you withdraw consent for certain processing activities, you may not be able to use some or all of the Services.
8) Cookies and Similar Technologies
We use cookies and similar technologies to:
- enable core site/app functionality
- remember preferences
- understand usage patterns
- measure performance and improve the Services
Information collected may include device and browser information, IP address, and activity on our website. Some of these technologies may involve behavioural tracking.
Your choices:
- You can control cookies in your browser settings.
- You can opt out of certain online interest-based advertising by visiting www.youradchoices.ca.
- If you want to opt out of certain tracking specifically related to Alto, contact us using the Contact Information.
Disabling cookies may affect the availability or functionality of parts of the Services.
9) When We Share Personal Information
We may share personal information in the following circumstances:
A. With service providers (processors)
We share information with third-party vendors who support the Services (for example, hosting, infrastructure, analytics, customer support tools, email delivery, payment processors, and financial connectivity providers). These service providers are authorized to use personal information only as needed to provide services to Alto.
B. With your direction or consent
We may disclose information when you request it, authorize it, or use a feature that requires disclosure to a third party.
C. Corporate transactions
If Alto is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to appropriate confidentiality protections.
D. Legal and safety reasons
We may disclose personal information if we believe it is necessary to:
- comply with applicable law, regulation, legal process, or lawful request
- protect the rights, property, or safety of Alto, our users, or others
- investigate fraud or security issues
- enforce our agreements
10) Service Providers and Third-Party Processors (Detailed List)
We use third-party service providers (including processors) to help us operate, deliver, secure, and improve the Services. These vendors may process personal information on Alto’s behalf, under contractual obligations designed to protect confidentiality and security and to limit use to providing services to Alto.
Depending on how you use the Services, personal information may be processed by the following providers:
| Provider | Purpose / Role | Typical Data Processed |
|---|---|---|
| Stripe | Subscription and payment processing | Billing metadata, transaction IDs, partial payment instrument details (e.g., last four digits), payment status |
| Plaid | Secure banking data synchronization (read-only connectivity) | Financial account metadata, balances, transaction details (amount, date, merchant/description), institution identifiers |
| Supabase | Database and file storage infrastructure | Account profile information, app data, user-generated content/files (if applicable), application records |
| Railway | Application hosting / infrastructure | Service logs, IP address, device and diagnostic data, operational metadata |
| Vercel | Website and/or application hosting and delivery | IP address, web request logs, device/browser information, performance metrics |
| Loop.so | Email services and communications delivery | Email address, message delivery events (opens/clicks where enabled), content of communications |
| OpenAI | Large language model services (where enabled within the Services) | Inputs you submit to AI-enabled features, outputs generated, and limited metadata necessary to operate the feature |
| GitHub | Code hosting and collaboration infrastructure (and/or CI/CD pipelines) | Operational metadata, audit logs, and limited technical information used to maintain Alto’s software systems |
Important notes:
- Some providers may process information outside of Canada, including in the United States. See International Transfers below for more details.
- Plaid connectivity is designed to be read-only, meaning Alto cannot move funds or initiate transactions on your behalf.
- Payment details are processed by Stripe. Alto does not store full payment card numbers.
- AI-enabled features (if available) are optional. We do not use AI providers to access your banking credentials.
If you would like additional information about our service providers, including information about cross-border processing and safeguards, you may contact us using the Contact Information.
11) International Transfers
Alto may store or process personal information outside of Canada (for example, in the United States) through our service providers. When personal information is transferred outside Canada, it may be subject to the laws of the destination jurisdiction and accessible to law enforcement or regulatory authorities in accordance with those laws.
We use contractual and other appropriate safeguards to help protect personal information when it is processed by service providers.
If you would like more information about Alto’s international processing and safeguards, contact us.
12) Data Security
We take reasonable measures designed to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. Safeguards may include:
- encryption in transit and at rest (where appropriate)
- access controls and authentication procedures
- vendor due diligence and security reviews
- monitoring and logging for security events
No method of transmission or storage is completely secure. You are responsible for keeping your login credentials confidential and for using appropriate security measures on your devices.
13) Retention and Deletion
We retain personal information only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law (for example, for legal, tax, or accounting reasons).
Examples of retention practices may include:
- If you start a trial and do not subscribe, we may delete or de-identify your data within a reasonable period after the trial ends (typically within 30 days).
- If you cancel a subscription, we may delete or de-identify your data within a reasonable period after cancellation (typically within 30 days), unless we must retain certain information for legal or operational reasons.
- If you request deletion, we will take reasonable steps to delete your personal information, subject to legal and operational constraints.
We may also de-identify information so it no longer identifies you, and we may retain and use de-identified information for analytics and product improvement.
14) Access and Correction Requests
Depending on your province of residence and applicable law, you may have rights to:
- request access to personal information we hold about you
- request correction of inaccurate information
- inquire about how we use or disclose your information
- file a complaint about our privacy practices
We will respond within timelines required by applicable law and may require identity verification. In certain circumstances, access may be limited or refused as permitted by law (for example, where disclosure would reveal personal information about another individual or privileged/confidential information).
To make a request, contact us using the Contact Information.
15) Accountability and Privacy Contact
Alto is responsible for personal information under its control and has designated an individual (or team) responsible for privacy compliance.
To contact Alto’s privacy lead, email: contact@myalto.ca
(Please include “Privacy” in the subject line.)
16) Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post updates on this page and revise the “Last Modified” date. If changes are material, we will provide additional notice as appropriate (for example, via the Services or by email).
Your continued use of the Services after an update means you accept the updated policy.
17) Governing Law and Dispute Resolution (Ontario)
This Privacy Policy is governed by the laws of the Province of Ontario and the applicable laws of Canada. Any dispute, claim, or proceeding arising out of or relating to this Privacy Policy or Alto’s privacy practices will be brought exclusively in the courts located in Ontario, Canada, and you irrevocably attorn to the jurisdiction of those courts.