Privacy Policy
1. Introduction
This privacy policy describes how the Argus Platform ("Platform") collects, uses, stores, and protects your information. The Platform is operated by Argus Technologies Corporation ("Argus," "we," "us," or "our"), a Delaware C Corporation, on behalf of your financial advisor's firm ("your Firm").
Your Firm uses the Platform to manage financial data, aggregate accounts, analyze portfolios, and generate reports on your behalf. Argus provides the technology infrastructure; your Firm determines the scope of services offered to you through the Platform.
This policy applies to all individuals whose personal or financial information is stored in the Platform ("you" or "your"). By using the Platform, you acknowledge that your information will be handled as described in this policy.
2. Information We Collect
We may collect the following categories of information, depending on the services used and features enabled by your Firm.
Information you provide directly
- Account information: email address, display name, and authentication credentials (managed by our identity provider)
Information collected through account linking
When you or your Firm connects a financial account through our account linking feature (powered by Plaid), we receive:
- Account details: financial institution name, account type and subtype, account mask (last four digits)
- Account balances: current, available, and credit limit balances
- Transaction history: transaction descriptions, amounts, dates, and categories
By using the account linking feature, you acknowledge Plaid's End User Privacy Policy, available at plaid.com/legal. Plaid's collection and use of your information is governed by their privacy policy.
Information collected through document upload
When your Firm uploads financial documents (brokerage statements, tax returns, or similar) on your behalf, we extract:
- Financial statement data: portfolio positions, asset and liability balances, account activity, and supporting values
- Document metadata: file name, page count, content fingerprint, and upload date
Uploaded documents are stored in encrypted object storage. The extracted structured data is stored in our database.
Information collected through your Firm
Your Firm may provide:
- Household structure: the relationship between family members, trusts, LLCs, or other entities managed together
- Entity relationships: connections between accounts, holdings, and legal entities
- Cash flow projections: income streams, expense forecasts, and scenario parameters
Sensitive personal information
Depending on the services enabled by your Firm, the Platform may collect:
- Government-issued identifiers: Social Security Number, Tax Identification Number, or Employer Identification Number
- Full financial account numbers
Sensitive personal information is encrypted using envelope encryption with dedicated encryption keys managed in a cloud key management service. It is never stored in plaintext, never included in application logs, and never transmitted to third parties. You have the right to limit the use of your sensitive personal information to what is necessary to provide the services requested by your Firm.
Information collected automatically
When you access the Platform, we automatically collect:
- Authentication events: login timestamps and session activity
- Usage metadata: API request identifiers used for troubleshooting and security monitoring
We do not use tracking cookies, session recording, behavioral profiling, or cross-site advertising technologies. We collect limited, privacy-preserving product telemetry to understand feature adoption, navigation patterns, and error rates. This telemetry consists of explicit named events only (for example, "a document was uploaded" or "an error occurred on a page"). It never includes your name, email address, financial data, account numbers, government identifiers, household identifiers, or any other personal or financial information. Telemetry data is pseudonymized using one-way hashing and stored in memory only — no cookies or local storage are used. You may disable telemetry by contacting your Firm's administrator.
3. Sources of Information
We collect information from three sources:
| Source | Categories collected |
|---|---|
| Directly from you | Account information (email, display name), authentication credentials |
| From third-party services on your behalf | Financial account details, balances, and transaction history (via Plaid) |
| From your Firm | Uploaded financial documents, household structure, entity relationships, cash flow parameters |
4. How We Use Your Information
We use your information for the following purposes:
- Providing services: aggregating financial accounts, extracting data from uploaded documents, building portfolio analytics, generating balance sheets and financial statements, and projecting cash flows — all on behalf of your Firm
- Security and fraud prevention: authenticating your identity, enforcing access controls, monitoring for unauthorized access, and maintaining audit trails
- Service operations: troubleshooting errors, monitoring system performance, and maintaining service availability
- Compliance: satisfying regulatory obligations, responding to lawful requests, and maintaining records required by applicable law
We do not use your information for advertising, marketing to third parties, profiling, or any purpose unrelated to the services provided through your Firm.
5. How We Share Your Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
We share your information only in the following circumstances:
Service providers
We share information with service providers that process data on our behalf under written agreements that restrict their use of the data to the services they provide to us. Our service providers include:
| Provider | Purpose | Data shared |
|---|---|---|
| Google Cloud Platform | Infrastructure (compute, database, storage, encryption) | All Platform data (encrypted at rest with customer-managed keys) |
| Plaid | Financial account linking and data aggregation | Account credentials (encrypted), account details, balances, transactions |
| Firebase (Google Identity Platform) | User authentication | Email address, authentication events |
| Doppler | Application configuration and secrets management | No consumer data (application secrets only) |
| Sentry | Error tracking and diagnostics | Error traces with personal information redacted before transmission |
| Datadog | Application performance monitoring | System metrics and traces with no consumer financial data |
| PostHog | Privacy-preserving product telemetry | Anonymized feature adoption events, navigation patterns, and error rates — no personal information, no financial data, no household-scoped data |
Market data providers (for stock prices, fundamentals, and economic indicators) receive no consumer data. We pull public market information from them; no information flows in the other direction.
Your Firm
Your Firm's authorized personnel (administrators, advisors) can access your data within the Platform according to the role-based access controls described in our Access Control Policy. Your Firm determines which of its personnel can view your household.
Legal requirements
We may disclose your information if required by law, regulation, legal process, or enforceable governmental request. We will notify your Firm before disclosure unless prohibited by law.
Business transfers
If Argus is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify affected Firms before any transfer and provide the opportunity to delete data before the transfer occurs.
6. Data Security
We protect your information using multiple layers of security controls:
- Encryption at rest: all financial data is encrypted using customer-managed encryption keys. Sensitive personal information (credentials, government identifiers, full account numbers) receives additional envelope encryption with per-record keys.
- Encryption in transit: all data transmitted between your browser and the Platform, between Platform services, and between the Platform and third-party services uses TLS 1.2 or higher.
- Tenant isolation: every database query is filtered by row-level security policies enforced at the database layer. Your Firm's data is isolated from every other Firm's data at the database level, not just the application level. The isolation mechanism is fail-closed — if the access control system cannot determine your permissions, zero data is returned.
- Audit trail: all data creation, modification, and deletion events are recorded in an append-only audit log that cannot be altered or deleted by application code. Audit records are retained for seven years.
- Access control: access to your data is governed by a role-based model where your Firm's administrator determines who within the Firm can see your household. Argus personnel do not have broad standing browsing access to your data. When necessary to operate the service on behalf of Firms, limited Argus personnel may execute explicit, audited administrative workflows. Emergency access remains separately controlled, requires multi-factor authentication, is scoped to one Firm, and is subject to mandatory review within 24 hours.
- Log redaction: application logs and error reports never contain your financial data, account numbers, credentials, or government identifiers. Personal information is redacted before it leaves the Platform.
7. Data Retention
We retain your information for as long as your household account is active on the Platform. Specific retention practices:
- Financial data (ledger entries, account balances, portfolio positions, entity relationships, uploaded documents): retained for the lifetime of your household account
- Account linking credentials (Plaid access tokens): encrypted and retained for the lifetime of the connection; immediately and irreversibly destroyed when the connection is revoked
- Audit records: retained for seven years after the event, regardless of account status
- Application logs: retained for 90 days, then automatically deleted
When your household account is deleted (whether by your Firm, at your request, or by automated policy), your data follows a phased deletion process:
- Immediate access revocation: all access to your data is revoked. No user can view or modify your data through the Platform.
- 30-day recovery window: your data remains in the database but is inaccessible. An authorized administrator may restore the account during this window.
- Permanent deletion: after the recovery window, all data associated with your household is permanently and irreversibly deleted, including financial records, uploaded documents, and entity relationships. The audit trail recording that the deletion occurred is retained (without your financial data) for seven years.
The full retention schedule and deletion procedures are documented in our Data Retention and Disposal Policy, available on request.
8. Your Privacy Rights
Rights available to all users
Regardless of your location, you have the right to:
- Access: request a copy of the personal information we hold about you
- Deletion: request that we delete your personal information, subject to the retention requirements and deletion lifecycle described in §7
- Correction: request that we correct inaccurate personal information
- Data portability: receive your data in a structured, commonly used format (JSON or CSV)
Additional rights for California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following additional rights:
- Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it
- Right to delete: you may request deletion of your personal information, subject to certain exceptions (legal obligations, ongoing service provision, exercising legal claims)
- Right to non-discrimination: we will not deny you services, charge different prices, or provide a different quality of service because you exercised your privacy rights
- Right to limit use of sensitive personal information: you may direct us to limit the use of your sensitive personal information (government identifiers, full account numbers) to what is necessary to provide the services requested by your Firm. We use sensitive personal information only for this purpose by default.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not sell or share your information, there is no need to opt out.
We honor Global Privacy Control (GPC) signals transmitted by your browser as a valid opt-out request under CCPA.
9. How to Exercise Your Rights
You may exercise your privacy rights through any of the following channels:
- In-app: use the account management or data deletion feature in the Platform (the fastest method)
- Email: send a request to
dev@getargus.techwith "Privacy Request" in the subject line - Web form: submit a request at the privacy request form on our website
For in-app requests, your authenticated session is sufficient to verify your identity. For email or web form requests, we will verify your identity by confirming at least two pieces of information associated with your account (for example, your email address and the name of your Firm).
We will acknowledge your request within 10 business days and complete processing within 30 calendar days. If we need additional time due to the complexity of your request, we will notify you with a revised timeline not exceeding 45 calendar days.
You may also authorize an agent to submit a request on your behalf. Authorized agents must provide written authorization from you and verify their own identity.
10. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not
knowingly collect personal information from children. If we learn that we have
collected personal information from a child under 18, we will delete it
promptly. If you believe a child's information has been submitted to the
Platform, contact us at dev@getargus.tech.
11. Third-Party Services
The Platform integrates with third-party services to provide account linking, authentication, and infrastructure. Each third-party service has its own privacy policy governing its collection and use of your information:
- Plaid: plaid.com/legal — governs the collection of your financial account data during the account linking process
- Google (Firebase Auth): policies.google.com/privacy — governs authentication and identity services
We require all third-party service providers to maintain security standards consistent with our Information Security Policy and to process your data only for the purposes specified in our agreements with them.
12. Changes to This Policy
We may update this policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the effective date at the top of this document
- Notify affected Firms, who are responsible for communicating changes to their clients
- For changes that materially expand how we use or share your information, provide at least 30 days' notice before the changes take effect
We review this policy at least annually and update it as needed.
13. Contact Information
If you have questions about this privacy policy or our data practices, contact us at:
Argus Technologies Corporation
Email: dev@getargus.tech
Subject line: "Privacy Inquiry"
If you are not satisfied with our response, you have the right to lodge a complaint with the appropriate regulatory authority, including the California Attorney General's office for CCPA-related concerns.
Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-03-08 | Aman Timalsina | Initial policy |
| 1.1 | 2026-03-11 | Aman Timalsina | Clarified limited Argus-operated administrative workflows versus emergency access in the access-control summary (§6) |
| 1.2 | 2026-03-16 | Aman Timalsina | Added privacy-preserving product telemetry language (§2), PostHog as service provider (§5) |