← Back to CREAM

Privacy Policy

Effective March 18, 2026

Overview

CREAM (“we,” “our,” or “us”) is a personal net worth tracker that helps you view your financial holdings in one place. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

CREAM is a read-only application. We never initiate transactions, trades, or transfers on your behalf. We only view your data to display it back to you.

Information We Collect

Account Information

  • Email address and password (for authentication)
  • Display name (optional, provided during signup)

Financial Data via Plaid

  • Brokerage investment holdings (positions, quantities, values)
  • Bank account balances and transaction history
  • We store Plaid access tokens to maintain your connections
  • We do not store your bank login credentials — Plaid handles all authentication directly with your financial institution

Crypto Wallet Data

  • Wallet addresses you choose to enter
  • On-chain balances fetched from public blockchain networks (Ethereum, Solana)
  • We only read publicly available blockchain data — we never have access to your private keys

Crypto Exchange Data

  • Exchange API keys you provide for read-only portfolio access
  • Portfolio balances from connected exchanges
  • We strongly recommend providing read-only API keys — we never initiate trades or withdrawals

Portfolio Data

  • Asset valuations, price history, and net worth calculations
  • Alternative asset data (sneakers, watches, trading cards, luxury items) you add to your portfolio

How We Use Your Information

We use your data solely to:

  • Display your portfolio holdings and net worth
  • Fetch current market prices for your assets
  • Maintain your connected account sessions
  • Authenticate your identity and protect your account

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

Third-Party Services

CREAM uses the following third-party services to operate:

  • Plaid — securely connects your bank and brokerage accounts
  • Supabase — database, authentication, and data storage
  • Vercel — application hosting
  • CoinGecko — cryptocurrency price data
  • Finnhub — stock market data and company logos
  • StockX / KicksDB — sneaker and alternative asset pricing
  • Various pricing APIs — for watches, trading cards, and fashion items

Each third-party service is governed by its own privacy policy. We encourage you to review their policies, particularly Plaid's End User Privacy Policy.

Data Security

  • All data is encrypted in transit using TLS 1.3 (enforced by Vercel)
  • All data is encrypted at rest using AES-256 (provided by Supabase / AWS)
  • Row Level Security ensures each user can only access their own data
  • API secrets and credentials are stored as environment variables, never in source code

Your Rights

You have the right to:

  • Access your data — view all connected accounts and stored data within the app
  • Disconnect any linked account at any time, which removes stored tokens and imported data
  • Delete your account entirely by contacting us at the email below
  • Export your data upon request

Cookies

We use essential cookies solely for authentication (Supabase session cookies). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

Children's Privacy

CREAM is not intended for users under the age of 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it.

Data Retention

We retain your data for as long as your account is active. If you delete your account, we will retain your data for up to 90 days to allow for account recovery, after which all personal data is permanently deleted. Anonymized, aggregated data that cannot identify you may be retained indefinitely for service improvement.

International Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis — we process your data based on your consent (when you connect accounts) and our legitimate interest in providing the service
  • Right to access — request a copy of all personal data we hold about you
  • Right to rectification — correct any inaccurate personal data
  • Right to erasure — request deletion of your personal data
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent at any time by disconnecting accounts or deleting your profile

Your data is stored on servers in the United States via Supabase (AWS infrastructure). By using CREAM, you consent to the transfer of your data to the United States. We rely on industry-standard security measures to protect your data during international transfers.

To exercise any of these rights, contact us at the email below. We will respond within 30 days.

California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of your information. We do not sell personal information. To exercise your rights, contact us at the email below.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app or by email. Continued use of CREAM after changes constitutes acceptance of the updated policy.

Contact Us

For privacy questions, data requests, or concerns, contact us at: privacy@getcream.xyz