Privacy Policy
Last updated: July 3, 2026
Mullet (“we”, “us”, or “our”) operates the Mullet personal finance application available at getmullet.com. This policy explains what information we collect, how we use it, and your rights regarding that information.
Information We Collect
- Account information: name and email address when you register.
- Financial data: bank account and transaction data retrieved via Plaid when you connect your accounts. We do not store raw credentials.
- Uploaded documents: when you use the Document Vault feature, you may upload bank statements, bills, or other financial documents. The text content of these documents is processed by our AI provider to extract structured data. Raw document text is not retained after extraction is complete.
- Phone number: if you opt in to SMS or iMessage notifications, we store your phone number solely to send those messages.
- Usage data: pages visited, actions taken within the app, and device/browser type for analytics and debugging.
- Cookies and local storage: we use browser cookies and local storage to maintain your authentication session (managed by Supabase) and to remember in-app preferences such as your last viewed screen. We do not use third-party advertising cookies. You can clear cookies at any time through your browser settings, which will sign you out of the app.
How We Use Your Information
- To provide and improve the Mullet app and its features.
- To send you account notifications, spending alerts, and card recommendations you have opted into.
- To send one-time passcodes (OTP) for phone number verification.
- To respond to support requests.
SMS and Text Messaging
If you provide your phone number and opt in to text messaging within the app, you consent to receive SMS or iMessage communications from Mullet, including verification codes and account notifications.
- Message frequency varies based on your notification settings.
- Message and data rates may apply.
- Reply STOP at any time to unsubscribe. Reply HELP for support.
- Your mobile phone number will never be shared with third parties.
Third-Party Service Providers
We do not sell, trade, or rent your personal information. We share data only with service providers who process it on our behalf, under contractual obligations that prohibit them from using it for any other purpose. Our current service providers are:
- Plaid — receives your bank login credentials to establish read-only connections to your financial accounts. Plaid does not store your credentials and is subject to its own privacy policy.
- OpenAI — when you enable the Document Upload & Processing feature, the text extracted from your uploaded documents (which may include account numbers, transaction details, and other financial information) is sent to OpenAI's API for structured data extraction. OpenAI's API does not use API inputs to train its models. Raw document text is not stored by Mullet after extraction is complete. See OpenAI's enterprise privacy page for details.
- Supabase — manages user authentication, including email/password login and session tokens.
- Twilio — sends SMS verification codes and optional notifications to users who opt in.
- Railway — hosts Mullet's backend servers. Encrypted application data passes through Railway's infrastructure.
- Neon — hosts Mullet's database, which stores your account information, transaction history, and document metadata.
AI and Automated Processing
Mullet uses artificial intelligence to help you understand your finances. This processing is always optional and controlled by your privacy settings.
- Document processing: when you upload a bank statement, bill, or other financial document, the document text is sent to OpenAI's API to extract structured data (transaction amounts, due dates, account details). This requires your explicit consent, which you can grant or revoke at any time in Settings → AI & Privacy. You will be shown a specific disclosure before consenting. Raw document text is discarded after extraction — Mullet stores only the structured output.
- Transaction categorization and insights: Mullet analyzes your transaction history within our systems to identify subscriptions, spending patterns, and financial trends. This analysis does not leave our servers.
- AI assistant: questions you ask the Mullet AI assistant are processed by our AI provider. Do not paste account numbers, passwords, or other sensitive information directly into the chat.
You can review which AI features you have enabled and revoke consent for any of them at any time in Settings → AI & Privacy.
Data Retention
Your account data and transaction history are retained while your account is active. Uploaded documents and their extracted data are automatically and permanently deleted after 24 months from the upload date. You can delete individual documents at any time from the Document Vault.
You can delete your entire account from Settings → Account, which schedules permanent deletion of all your data after a 30-day grace period (giving you time to change your mind). Once the grace period expires, deletion is irreversible.
Security
Mullet protects your data using the following measures:
- All data is transmitted over encrypted connections (TLS 1.2 or higher).
- Sensitive financial fields, including bank account number fragments extracted from documents, are encrypted at rest using AES-256-GCM.
- Authentication is managed by Supabase, which handles password hashing and session security.
- Access to production systems and databases is restricted to authorized personnel.
No security measure is perfect. If you believe your account has been compromised, contact us immediately at support@getmullet.com.
In the event of a data breach that affects your personal information, we will notify affected users by email within the timeframe required by applicable law, and no later than 72 hours after we become aware of the breach.
Children's Privacy
Mullet is not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@getmullet.com and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. When we make material changes — such as collecting new categories of data or sharing with new third parties — we will notify you by email and display a notice in the app at least 14 days before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision. Continued use of Mullet after the effective date constitutes acceptance of the updated policy.
California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you the following rights regarding your personal information:
Right to Know. You may request a copy of the personal information Mullet has collected about you, including the categories of data, the sources it came from, and any third parties it has been shared with. We will respond within 45 days.
Right to Delete. You may request deletion of your personal information. You can do this directly in the app at Settings → Account → Delete Account, or by contacting us at the address below. Certain information may be retained as required by law or to complete pending transactions.
Right to Correct. You may request correction of inaccurate personal information Mullet holds about you.
Right to Opt-Out of Sale or Sharing. Mullet does not sell your personal information and does not share it for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information. Mullet collects financial data, which is classified as sensitive personal information under California law. We use it only to provide the services you have requested. You can limit AI processing of your financial documents at any time in Settings → AI & Privacy.
Right to Non-Discrimination. Exercising any of these rights will not affect your access to Mullet's services.
How to Submit a Request. Email privacy@getmullet.com (or support@getmullet.com) with the subject line “California Privacy Request” and describe what you are requesting. We will verify your identity before responding and will respond within 45 days. For complex requests, we may extend this by an additional 45 days with notice.
Contact
Questions about this policy? Email us at support@getmullet.com.