Privacy Policy

Effective: May 7, 2026

1. Introduction

MST Technologies LLC, d/b/a VividTimeline (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and protect information when you use the VividTimeline application, website, and related services (collectively, the “Service”).

We understand that the financial and life event data you entrust to us is highly sensitive. We have designed our practices, architecture, and policies with your privacy as a foundational priority.

By using the Service, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please discontinue use of the Service.

VividTimeline is a financial planning simulator for educational and informational purposes only. We are not a registered investment advisor, broker-dealer, tax advisor, accountant, or law firm. Nothing in the Service is financial, investment, tax, or legal advice. See our Terms of Use for additional disclaimers.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when using the Service:

  • Account Information: Your name, email address, date of birth, and account credentials when you register for an account.
  • Financial Data: Income details, employment information, assets, debts, savings, investment account details, retirement account balances, insurance policies, Social Security estimates, and other financial information you enter into your timeline. We do not collect bank login credentials, full bank account numbers, routing numbers, or full payment card numbers.
  • Life Event Data: Career milestones (job changes, promotions, retirement dates), family events (marriage, children, dependents), housing events (purchases, sales, rentals, mortgages), vehicle acquisitions, health-related planning events (insurance changes, long-term care), and other life events you add to your timeline.
  • Profile and Preference Data: Avatar selections, timeline customization preferences, notification settings, and feature preferences.
  • Payment Information: When you subscribe to a Premium Plan or purchase a Lifetime Plan, payment details are collected and processed by our third-party payment processors (Stripe, Apple App Store, Google Play Store, or bank or ACH providers). We receive only limited payment information such as the last four digits of your card, billing address, plan, status, and renewal dates. We do not store full payment card numbers, CVV codes, or bank credentials on our servers.
  • Communications: Information you provide when contacting our support team, submitting feedback, or corresponding with us.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical information:

  • Device Information: Device type, operating system, browser type and version, screen resolution, and unique device identifiers.
  • Usage Data: Pages and features accessed, actions taken within the Service, time spent on various features, click patterns, session duration, and frequency of use.
  • Log Data: IP address, access times, referring URLs, error logs, and crash reports.
  • Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain your session, remember preferences, and analyze usage. See Section 9 (Cookies and Tracking Technologies) for details.

2.3 Information from Third Parties

We may receive information from third-party sources, including authentication providers if you choose to sign in via third-party services (e.g., Google or Apple sign-in) and payment processors to confirm transaction status.

2.4 Local-First Data

VividTimeline uses a local-first architecture. Before you create an account, certain data you enter (such as timeline events and financial information from the onboarding wizard) is stored locally on your device. This data is synchronized to our servers only when you create an account and opt into synchronization. Data stored solely on your device is not accessible to us until synchronization occurs.

2.5 Sensitive Personal Information

Some of the information you provide (such as financial account balances, income, retirement projections, and health-related planning inputs) is treated as “sensitive personal information” under the California Privacy Rights Act and similar state laws. We use sensitive personal information only to operate the Service for you, including running the simulations you request. We do not use it to infer characteristics about you, do not use it for advertising, and do not sell or share it. See Section 12 for your right to limit our use of sensitive personal information.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To create and manage your account, display your timeline, process life events, generate financial projections (for Premium and Lifetime users), and enable scenario comparisons.
  • Payment Processing: To process subscription payments, manage billing cycles, handle refunds, and prevent payment fraud.
  • Service Improvement: To analyze usage patterns, identify bugs, improve features, optimize performance, and develop new functionality.
  • Personalization: To customize your experience, tailor content and recommendations, and adapt the Service to your preferences and usage patterns.
  • Communications: To send you transactional messages (account confirmations, billing receipts, security alerts), service updates, and, with your consent, promotional communications.
  • Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, fraud, abuse, and other harmful activities.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, and to defend against legal claims.
  • Aggregated Analytics: To create anonymized, aggregated data sets for research, analytics, and business intelligence purposes. Aggregated data cannot be used to identify you.

4. How We Share Your Information

4.1 We Do Not Sell or Share Your Data

We do not sell, rent, or trade your personal information or financial data to third parties for their marketing or commercial purposes. We do not “share” your personal information for cross-context behavioral advertising as that term is defined under the California Privacy Rights Act. This is a core commitment of VividTimeline.

4.2 Service Providers

We share information with the following categories of third-party service providers, who process information only on our instructions and under contractual confidentiality and data protection obligations:

  • Payment Processors: Stripe, Inc., Apple Inc. (App Store), Google LLC (Google Play), and bank or ACH payment providers process your subscription and lifetime payments. They receive the information necessary to complete transactions and are bound by their own privacy policies and PCI DSS compliance obligations. See stripe.com/privacy for Stripe’s policy.
  • Cloud Infrastructure and Hosting: Vercel Inc. and our cloud database and email providers store and process your data and serve the Service. These providers are contractually obligated to protect your information and process it only as we direct.
  • Analytics Provider (Mixpanel): Mixpanel, Inc. processes product analytics events and identifiers on our behalf. Mixpanel is engaged as a service provider under the CCPA/CPRA and is contractually prohibited from using the data for its own purposes. See Section 5 for full details and Mixpanel’s privacy policy at mixpanel.com/legal/privacy-policy.
  • Authentication Providers: If you sign in using Google, Apple, or another federated provider, that provider receives information about the sign-in event under its own privacy policy.
  • Customer Support Tools: If you contact our support team, your communication may be processed through third-party support platforms.

All service providers are bound by contractual obligations to maintain the confidentiality and security of your information and to use it solely for the purposes of providing services to us.

4.3 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation or government request, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Service, protect the personal safety of users or the public, or protect against legal liability.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the Service before your information becomes subject to a different privacy policy.

4.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Mixpanel Analytics

We use Mixpanel to understand how the Service is used and to improve it. This section discloses the specific data Mixpanel processes on our behalf so you can make informed choices.

  • Events. Programmatic event names that describe actions you take in the Service (such as page views, simulation runs, plan changes, paywall views, and clicks). Event names do not contain free-text input from you.
  • Anonymous identifier cookie. We set a cookie named analytics_anonymous_id on your first visit to stitch sessions together. It is a random identifier and does not contain your name or contact information.
  • Authenticated identifier. After you sign in, your account ID is associated with the prior anonymous ID so we can attribute pre-signup activity to your account. This linkage is performed once per (anonymous, account) pair.
  • Profile properties. We send Mixpanel limited profile properties about your account, such as plan tier (basic, subscription, lifetime) and authentication status. We do not send your name, email body content, password, full Planning Data, account balances, or income figures to Mixpanel as event properties.
  • Bucketed amounts. Where dollar values are relevant for analytics (for example, paywall context), we bucket them into ranges before sending so the underlying value is not transmitted.
  • IP address and device data. Automatically collected by Mixpanel as part of its service.

Mixpanel acts as our service provider under the CCPA/CPRA. You can opt out of analytics by enabling a Global Privacy Control (GPC) signal in your browser, blocking cookies and local storage in your browser settings, or contacting us using the address in Section 16.

6. Data Retention

6.1 Active Accounts

We retain your personal information and financial data for as long as your account is active or as needed to provide the Service to you.

6.2 Account Deletion

When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention, financial record-keeping, or resolving disputes). Certain data may be retained in encrypted backup systems for up to 90 days before permanent deletion.

6.3 Billing and Tax Records

Billing records and tax-related information are retained for up to seven (7) years to comply with applicable tax, accounting, and recordkeeping obligations.

6.4 Analytics Data

Analytics data processed by Mixpanel is retained according to Mixpanel’s configured retention period (currently up to five (5) years) in pseudonymous form. We may further aggregate or anonymize data after that period.

6.5 Aggregated Data

Aggregated, anonymized data derived from your usage may be retained indefinitely, as it cannot be used to identify you.

6.6 Local Data

Data stored locally on your device through our local-first architecture is under your control. Clearing the application’s local storage or uninstalling the application will remove locally stored data. We cannot remotely delete data stored only on your device.

7. Data Security

7.1 Security Measures

We implement industry-standard technical, administrative, and organizational security measures to protect your information, including encryption of data in transit (TLS/SSL) and at rest, secure authentication mechanisms and password hashing, role-based access controls limiting employee access to your data on a need-to-know basis, regular security assessments and vulnerability testing, monitoring for unauthorized access and suspicious activity, and secure development practices in our software development lifecycle.

7.2 Payment Security

All payment processing is handled by PCI DSS-compliant third-party processors. We never store, process, or transmit full payment card numbers on our systems.

7.3 Your Role in Security

While we strive to protect your data, no method of transmission or storage is completely secure. You are responsible for maintaining the security of your account credentials, using strong and unique passwords, enabling multi-factor authentication where available, and notifying us promptly of any unauthorized access.

7.4 Breach Notification

In the event of a security incident that compromises your personal information, we will notify you and any applicable regulatory authorities in accordance with applicable law.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 Access and Portability

You may request a copy of the personal information we hold about you in a structured, commonly used, machine-readable format.

8.2 Correction

You may request correction of inaccurate or incomplete personal information. You can update most information directly through your account settings and timeline.

8.3 Deletion

You may request deletion of your personal information, subject to legal exceptions. You can initiate account deletion through your account settings or by contacting us.

8.4 Restriction and Objection

You may request that we restrict certain processing of your personal information, or you may object to it, including processing for direct marketing.

8.5 Withdraw Consent

Where we rely on your consent to process your information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

8.6 Communications Preferences

You can opt out of promotional emails at any time by clicking the “unsubscribe” link in any promotional email or adjusting your notification settings. You will continue to receive transactional and service-related communications.

8.7 Authorized Agent

You may use an authorized agent to submit a privacy request on your behalf. We may require the agent to provide written proof of authorization and may verify your identity directly.

8.8 Exercising Your Rights

To exercise any of these rights, contact us at contact@vividtimeline.com. We will acknowledge requests promptly and respond within forty-five (45) days, or longer where extension is permitted by law. We may need to verify your identity before processing your request. We will not discriminate against you for exercising any of these rights.

9. Cookies and Tracking Technologies

9.1 Categories

  • Strictly Necessary Cookies: Required for the Service to function, including authentication, session management, CSRF protection, and security. These cannot be disabled without breaking the Service.
  • Functional Cookies and Local Storage: Remember your preferences, settings, and customizations (such as Guide Mode and timeline view state) to enhance your experience.
  • Analytics Cookies and Local Storage: Used by Mixpanel as described in Section 5, including the analytics_anonymous_id cookie. We do not use advertising cookies or behavioral advertising cookies.

9.2 Your Cookie Choices

You can manage cookies through your browser settings, including blocking or deleting cookies and disabling third-party cookies. Most browsers also let you set per-site preferences. Disabling strictly necessary cookies will prevent you from signing in.

9.3 Global Privacy Control and Do Not Track

Where required by law, we treat a Global Privacy Control (GPC) signal sent from your browser as a valid request to opt out of any “sale” or “sharing” of personal information as those terms are defined under applicable state privacy laws. We also disable non-essential analytics when we detect a Do Not Track signal.

10. Children’s Privacy

VividTimeline is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at contact@vividtimeline.com.

11. International Data Transfers and Legal Bases

11.1 Transfers to the United States

The Service is operated from the United States. If you access it from outside the United States, your information will be transferred to, and processed in, the United States and other countries where our service providers operate. Where required, we use Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

11.2 Legal Bases (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR or UK GDPR:

  • Performance of a contract for account creation, simulations, billing, and providing the Service.
  • Legitimate interests for product analytics, security, fraud prevention, and improving the Service, balanced against your rights.
  • Consent for optional marketing communications and for cookies that require consent in your jurisdiction.
  • Legal obligation for tax, accounting, and compliance.

12. State-Specific Privacy Rights

12.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: The categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties to whom we disclose information.
  • Right to Delete: Deletion of your personal information, subject to legal exceptions.
  • Right to Correct: Correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. We honor GPC signals as a valid opt-out.
  • Right to Limit Use of Sensitive Personal Information: You may direct us to limit our use of sensitive personal information to providing the Service. Because we already use sensitive personal information only to provide the Service, no additional action is required from us in response to such a request.
  • Right to Non-Discrimination for exercising your privacy rights.

To exercise these rights, contact us at contact@vividtimeline.com. We will verify your identity before processing your request.

California “Shine the Light.” California residents may request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures.

12.2 Other U.S. State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, Tennessee, and others) may have similar rights regarding access, deletion, correction, portability, and opt-out. Please contact us to exercise any applicable rights.

13. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through or in connection with VividTimeline.

14. Automated Decision-Making

We do not use Planning Data or other personal information to make any decision that has a legal or similarly significant effect on you. The Service generates simulations and projections at your request based on inputs you provide. Outputs are illustrative and are not decisions about you.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated to you via email or in-app notification at least 30 days before they take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

MST Technologies LLC, d/b/a VividTimeline
Email: contact@vividtimeline.com