WalletGrower

Privacy Policy

How we collect, use, share, and protect your personal information.

Last updated: May 6, 2026 · Effective: May 6, 2026

The short version

  • We don't sell your personal information. Ever. (CCPA / CPRA / GDPR all covered.)
  • We share with named third parties to deliver the service — listed individually on our Sub-Processors page.
  • EU / UK / Swiss users: our cross-border transfers are covered by Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), and Swiss FADP equivalents. Full GDPR rights below.
  • Surveys are opt-in. If you choose to take a survey through our Earn marketplace, that's a separate consent step disclosed at the point of participation.
  • You're in control. Email hello@walletgrower.com to access, correct, export, or delete your data.

1. Who we are

Fiat Growth, LLC ("Fiat Growth," "WalletGrower," "we," "us," or "our") operates WalletGrower (the "Site" or "Service"), available at walletgrower.com and app.walletgrower.com. For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA / CPRA"), we are the "controller" (or equivalent) of the personal data we collect about you through the Service.

For privacy-related questions or to exercise your rights, contact us at hello@walletgrower.com or by mail at: Fiat Growth, LLC, [registered business address — to be provided on request]. We do not currently appoint a designated EU/UK representative under Article 27 GDPR / Article 27 UK GDPR; EU/UK users may contact us directly at the email above.

2. What this policy covers

This Privacy Policy applies to personal data processed in connection with: our website (walletgrower.com), our authenticated app (app.walletgrower.com), our Walley AI chatbot, our Earn marketplace (games, surveys, deals, cashback), our financial-product matching (credit cards, loans, mortgages, deposits, insurance), our email newsletter and lifecycle emails, and any related WalletGrower services. It does not apply to third-party websites we link to, third-party offers you visit after leaving our Service, or providers' processing under their own privacy policies (we link to each provider's privacy policy on our Sub-Processors page).

3. Personal data we collect

3.1 Information you provide

When you create an account, subscribe to the newsletter, save a calculator scenario, chat with Walley, contact support, or participate in the Earn marketplace, we collect: name (first / last), email address, hashed password (for password-based accounts), the contents of any messages you send us or to Walley, your inputs to our financial calculators (income, debt, savings goals, etc.) when you save a scenario, and — for surveys you opt into — the responses you provide.

3.2 Information collected automatically

We automatically collect: IP address, approximate location (country, region, city — derived from IP), device identifiers (browser, OS, device type, screen size), referrer URL, pages viewed, time on page, clicks, search terms within our Site, and similar telemetry. This is collected via cookies, server logs, and Vercel's edge-network headers (see Section 7 on cookies).

3.3 Information from third parties

When you sign in with Google (OAuth), we receive your Google account email, profile name, and profile picture URL. When you participate in the Earn marketplace, our partner Besitos Corporation, LLC notifies us of your earning events (offer completions, survey completions, wallet balance changes). When you apply for a financial product through our partner Engine Tech, Inc., we receive a confirmation that the application was submitted (we do not receive your social-security number, full date of birth, or other application-form data unless you also entered it on our side).

4. How we use your data — and our legal basis

For users in the EU, UK, and Switzerland, the GDPR / UK GDPR / FADP require us to identify a legal basis for each processing purpose. The table below sets that out. (Users elsewhere can ignore the legal-basis column; the purposes apply to all users.)

| Purpose | Legal basis (EU / UK / CH) |
|---|---|
| Creating and operating your account; processing your earnings; processing cashout requests | Contract (Art. 6(1)(b) GDPR) |
| Sending the welcome email series, weekly digest, and other lifecycle / newsletter emails | Consent (Art. 6(1)(a) GDPR) — given at signup; you may withdraw at any time via the unsubscribe link in any email |
| Surveys — collecting your responses and sharing them with survey research providers via Besitos | Consent (Art. 6(1)(a) GDPR) — given explicitly at the start of each survey or via a one-time surveys consent gate |
| Walley AI chatbot — generating personalized responses to your finance questions | Legitimate interest (Art. 6(1)(f) GDPR) — providing a useful service to logged-in or anonymous visitors; we never train AI models on your conversations |
| Showing personalized recommendations on hub pages and article inlines | Legitimate interest (Art. 6(1)(f) GDPR) |
| Analytics — understanding which articles and tools are helpful, measuring conversion of partner offers | Consent (Art. 6(1)(a) GDPR) for non-essential analytics cookies (you can accept or reject in our cookie banner); legitimate interest for aggregate-only server-side metrics |
| Fraud detection, bot protection (Cloudflare Turnstile), rate-limiting, security event logging | Legitimate interest (Art. 6(1)(f) GDPR) — keeping the service secure and reliable |
| Compliance with our legal obligations (e.g., responding to valid subpoenas; tax reporting; AML / KYC for high-value cashouts) | Legal obligation (Art. 6(1)(c) GDPR) |

5. Who we share your data with

We do not sell or rent your personal information. We share data with the following categories of recipients, on the legal bases listed above:

5.1 Sub-processors (service providers)

We use a small number of third-party processors to operate the Service: Vercel (hosting), Supabase (database + auth), Anthropic (Walley AI), Besitos Corporation (Earn marketplace + wallet + cashout + surveys), Engine Tech (financial-product matching), Resend (transactional email), Beehiiv (newsletter CRM), Cloudflare (Turnstile bot protection), Google (OAuth + opt-in Analytics), and payout rails like Tango Card / PayPal / Venmo (via Besitos). Each of these acts on our written instructions under a data-processing agreement that limits how your data may be used. The complete and current list, with location and data categories, is on our Sub-Processors page.

5.2 Affiliate / advertising partners

When you click an affiliate link or apply for a financial product we recommend, we share with the partner only what is necessary to attribute the click and (if you complete an application) the confirmation that you came from us. We do not share your name, email, or account contents with affiliate partners purely for tracking. See our Disclosure Policy for how affiliate revenue works.

5.3 Legal and corporate transactions

We may disclose data to law enforcement or regulatory authorities when required by law (subpoena, court order, or comparable EU/UK instrument) and during a corporate transaction such as a merger, acquisition, financing, or sale of assets. In a corporate transaction we will require the receiving party to honor this policy or notify users of any change.

6. International data transfers

WalletGrower is operated from the United States. Most of our sub-processors are also US-based. If you are in the EU, UK, Switzerland, or another jurisdiction with cross-border transfer restrictions, your data is transferred to the US under one of the following mechanisms:

  • EU Standard Contractual Clauses (SCCs) — Module 2 (controller-to-processor) when we transfer data to a US-based sub-processor. We have signed SCCs with each sub-processor that requires them, including Besitos under our Data Processing Addendum (Exhibit C of our partner agreement).
  • UK International Data Transfer Addendum (IDTA) for UK-origin data.
  • Swiss FADP equivalent provisions for Switzerland-origin data, with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the supervisory authority.
  • Adequacy decisions where applicable.

For EU users, the supervisory authority designated under our SCCs is the Irish Data Protection Commission (Clause 17 of the SCCs).

7. Cookies and similar technologies

We use cookies and similar storage (localStorage, sessionStorage) to remember you, keep you logged in, secure your session, understand how the Site is used, and (with your consent) personalize content and measure advertising performance. We classify them as:

  • Strictly necessary (no consent required) — authentication, session, security, fraud prevention, load-balancing. The Service does not work without these.
  • Functional (default on; can be disabled in your browser) — remembering display preferences, saved scenario state.
  • Analytics (consent required in EU/UK/CH) — Google Analytics 4, Vercel Analytics aggregated metrics.
  • Marketing / attribution (consent required in EU/UK/CH) — affiliate click IDs, retargeting pixels (only when we run paid acquisition campaigns).

We display a cookie consent banner on your first visit. You can change your choice at any time via the "Cookie preferences" link in the footer of every page.

8. Artificial intelligence and automated decision-making

8.1 Walley AI chatbot

Walley is an AI-powered chatbot that answers personal-finance questions. When you chat with Walley, your messages are sent to Anthropic (the operator of the Claude model) for response generation. We do not send your account email, name, or earnings data to Anthropic — only the text of the conversation. Conversations are logged in our database to help improve the service. Anthropic does not use your conversations to train its models (per our agreement with them). You can use Walley anonymously; signing in is optional.

8.2 AI-assisted content

Some of our articles and comparison tables are drafted with the help of AI tools, then reviewed and approved by a human editor. Generating article content does not use your personal data. See our Disclosure Policy for details.

8.3 No solely-automated decisions with legal effect

Article 22 GDPR gives you the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. WalletGrower does not make such decisions. Our recommendations (financial products, articles, offers) are informational only — you remain free to apply with any provider, ignore our suggestions, or consult a human adviser. Approval decisions for financial products are made by the issuer / lender / insurer, not by us. For Earn-marketplace fraud screening, automated checks may flag an account for human review; flagged users always have the right to a human review and to appeal — contact hello@walletgrower.com.

9. Earn marketplace, wallet, and surveys

The WalletGrower Earn marketplace (games, surveys, cashback offers, deals) and the user wallet are powered by Besitos Corporation, LLC as our processor. When you participate, the following data is shared with Besitos: your account identifier (Supabase user ID), first/last name, email address, IP address, country, device identifiers, click events on offers, conversion events, and — for surveys you opt into — your survey responses. Besitos uses this data only to provide the service to you (deliver offers, credit your wallet, process cashouts, prevent fraud) and acts under our written DPA.

Surveys are separately consented. Survey responses are shared with research providers who source the survey inventory; some questions may be demographic in nature. You will be asked to give explicit consent at the start of your first survey, and we retain that consent record for the term of your account plus 12 months as required by our partner agreement. You may withdraw survey consent at any time by contacting us; new surveys will not be offered after withdrawal but data already collected may be retained for legal-defense purposes per the retention schedule below.

Cashout requires identity verification at certain thresholds (KYC, anti-money-laundering). Required identity data is collected by Besitos at cashout time per their flow — we do not collect or store SSNs, government IDs, or full dates of birth.

Geographic availability. The Earn marketplace is available in select countries, including some EU/EEA countries. EU/EEA participants' data is transferred to Besitos under EU SCCs (see Section 6).

10. Data retention

We retain personal data only for as long as necessary for the purpose it was collected, plus a reasonable buffer for legal-defense and dispute-resolution purposes. Specifically:

  • Account data — for as long as your account is active. After account deletion: removed from active systems within 30 days; backups expire on a 90-day rolling cycle.
  • Newsletter / email-subscriber records — until you unsubscribe + 30 days, after which we keep only your email hash on a suppression list to honor your unsubscribe.
  • Walley chat logs — 12 months by default; longer if needed for ongoing dispute or legal claim.
  • Earnings / wallet ledger — for as long as required by tax and accounting law (typically 7 years for US tax records).
  • Surveys consent records — term of your account + 12 months (per Exhibit D of our Besitos partner agreement).
  • Server logs / security telemetry — 90 days for raw logs; longer for aggregated metrics.
  • Backups — point-in-time database backups are retained on a 90-day rolling cycle.

11. Your rights (EU / UK / Swiss residents)

Under the GDPR, UK GDPR, and Swiss FADP, you have the following rights with respect to your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal-retention exceptions.
  • Right to restriction of processing — pause our processing while a dispute is resolved.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interest (including direct marketing), and we must stop unless we have compelling grounds.
  • Right to withdraw consent — for any processing based on consent (e.g., the newsletter, surveys, analytics cookies). Withdrawal does not affect lawful processing carried out before withdrawal.
  • Right to lodge a complaint with a supervisory authority — typically your local data-protection authority. For complaints about our SCC-based transfers, the lead authority is the Irish Data Protection Commission (dataprotection.ie).

To exercise any of these rights, email hello@walletgrower.com. We will respond within 30 days (extendable by 60 additional days for complex requests, with notice). Verifying your identity may be required.

12. Your rights (California residents — CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA / CPRA:

  • Right to know what categories of personal information we've collected, the sources, the purposes, and the categories of third parties we've shared it with.
  • Right to delete personal information we've collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell personal information and do not "share" it for cross-context behavioral advertising as defined by the CPRA.
  • Right to limit use of sensitive personal information — we do not use sensitive PI for purposes that would trigger this right (we don't infer characteristics from sensitive PI).
  • Right of non-discrimination — we will not deny you service, charge a different price, or provide a lower quality experience for exercising any of these rights.

Submit requests at hello@walletgrower.com. We will respond within 45 days (extendable by 45 days with notice).

13. Children's privacy

WalletGrower is not directed to and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@walletgrower.com and we will delete it promptly.

14. Security

We use industry-standard administrative, technical, and physical safeguards: encryption in transit (HTTPS / TLS 1.2+), encryption at rest for our databases, role-based access controls, audit logging, regular dependency scanning and security review, and row-level security on user-scoped tables. No system is 100% secure; in the event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authority(ies) consistent with GDPR's 72-hour requirement and equivalent obligations elsewhere.

15. Third-party links

Our Service contains links to third-party websites (financial providers, news sources, partners). We are not responsible for the privacy practices of those sites. Review their privacy policies before submitting personal information.

16. Changes to this policy

We may update this policy. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by email (to subscribers) and/or by a banner on the Site. Continued use after the effective date of a change indicates acceptance.

17. Contact us

For privacy questions, data-subject requests, or to exercise any right described above:

Fiat Growth, LLC operates WalletGrower. This policy is governed by the laws of the State of Delaware (United States) for users outside the EU/UK/Switzerland; EU/UK/Swiss users retain the protections of their local data-protection law. Nothing in this policy is intended to limit any non-waivable rights you have under applicable law.