Legal
Privacy Policy
Last updated · July 7, 2026
This Privacy Policy ("Privacy Policy" or "Policy") describes the practices of Kikoff Inc. and its affiliates ("Plutonus," "we," "us," or "our") with respect to the collection and use of personal information we collect about you through the Plutonus website at plutonus.app and the Plutonus service (the "Service"), and describes rights you may have with respect to that information.
Notice at Collection: Personal Information We Collect
We collect the following categories of personal information:
- Personal identifiers: Your name, email address, and/or mobile phone number, collected during registration and used to create and authenticate your account.
- Authentication credentials: Information used to verify your identity and secure your account, and the scoped access tokens Plutonus issues to you and to AI assistants you connect.
- Financial data (via Plaid): Account names, types, and balances; transaction history (payees, amounts, dates, categories); and account holder name if available from your financial institution. This data is accessed on a read-only basis.
- Connection metadata: Records of which financial accounts and which AI assistants (MCP clients) you have connected, and logs of when connected assistants access your data through the Service.
- Internet or other electronic activity information: Device identifiers, browser and operating system, and app version; in-product interactions and features used; and diagnostic and product analytics data.
- Inferences drawn from personal information we collect.
Notice at Collection: Purposes for Collection of Personal Information
We collect your personal information to:
- Authenticate your identity and provide access to the Service;
- Connect to and retrieve data from your linked financial accounts via Plaid;
- Fulfill read-only queries from the AI assistants you connect to the Service over the Model Context Protocol (MCP), at your direction;
- Power any Plutonus-native AI and dashboard features;
- Send account-related communications;
- Monitor and improve the reliability and performance of the Service;
- Prevent fraud, activities that violate our Terms of Service or other contracts, or that are illegal; and/or
- Comply with legal obligations and protect our rights and those of our users.
Notice at Collection: Retention Periods
We retain the categories of personal information we collect for as long as necessary to provide the Service and to comply with legal obligations or protect our legal rights. When you delete your account, we immediately terminate your access, revoke the access tokens issued to you and to connected AI assistants, and free your phone number and email for future registration. Your account is recoverable for 30 days — contact us at hello@plutonus.app to restore it (see also “U.S. State Data Privacy Rights” below). After that window, we automatically and permanently delete the personal and financial data associated with your account across our systems and service providers, including disconnecting your linked accounts at Plaid. We retain limited anonymized security and audit records for up to 90 days to meet legal and compliance obligations, and residual copies may persist in backups for a limited period.
Notice at Collection: Categories of Personal Information We Sell or Share
We do not sellyour personal information, and we do not share your personal information for cross-context behavioral advertising or targeted advertising. We do, however, disclose certain categories of personal information to service providers for a business purpose, and we transmit financial data to the AI assistants you connect at your direction. The categories disclosed for a business purpose are: personal identifiers; financial data; connection metadata; internet or other electronic activity information; and inferences. See “How We Share Your Information” below for the recipients of each.
Sources From Which We Collect Personal Information
We collect personal information from you when you register and use the Service, from Plaid Inc. when you connect your financial accounts, and through your use of the Service.
Artificial Intelligence and Your Data
AI Assistants You Connect
The core purpose of Plutonus is to let you connect third-party AI assistants — such as Claude and ChatGPT — to your financial data over MCP. When a connected assistant requests data, we transmit the requested read-only financial data to that assistant according to your directions. Those assistants are provided by independent third parties and are governed by their own terms and privacy policies. The assistant may transmit your data to its own model providers and infrastructure to generate responses, according to those third-party terms and privacy policies. You can revoke their access at any time through the Service.
Plutonus-Native AI Features and Model Providers
Where the Service itself uses large language model (LLM) technology, relevant financial data may be included in the context sent to our LLM providers in order to generate responses. We do not use your personal financial data, chat messages, or transaction history to train, fine-tune, or improve any AI or machine learning models. Your financial data is processed transiently to generate responses and is not retained by our own infrastructure for model-training purposes. Our third-party LLM providers are governed by their own terms and privacy policies, which may permit use of inputs for model improvement in certain circumstances; where available, we configure those services to opt out of training on your data.
execute_sql Query Logging
When you or a connected assistant run a query through our execute_sql tool, we log the query text and the number of rows it returns for safety, abuse prevention, and debugging. We do not log the query results or the financial-data values they contain. These logs are retained for up to 90 days, after which they are automatically and permanently deleted. If you delete your account before they expire, they are anonymized for the remainder of the 90-day window.
How We Share Your Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising or targeted advertising. We share your information only in the following limited circumstances:
- AI Assistants You Connect: At your direction, we transmit requested read-only financial data to the third-party AI assistants you choose to connect via MCP, as described above.
- Service Providers: We share data with third-party vendors who help us operate the Service (e.g., Plaid for account connectivity, our LLM/AI infrastructure providers, cloud hosting, product analytics such as PostHog, and email/SMS delivery).
- Legal Requirements: We may disclose your information as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property, or safety of others, including to law enforcement agencies and judicial and regulatory authorities. We may also disclose your information to third parties to help detect and protect against fraud or data security vulnerabilities.
- Business Transfers: We may disclose or transfer your personal information to a third party in the event of an actual or potential sale, merger, acquisition, or other restructuring of our entity. We will notify you before your information becomes subject to a different privacy policy.
Third-Party Links and Services
The Service may reference or link to third-party services, including the AI assistants you connect. This Policy does not govern how those third parties collect or use your information. We do not endorse or have control over their practices. We encourage you to review the privacy policies of any third-party services you use in connection with Plutonus.
Securing Your Personal Data
We implement and maintain reasonable security appropriate to the nature of the personal information that we collect, use, retain, transfer, or otherwise process, including encryption in transit (TLS) and at rest. However, there is no perfect security, and reasonable security is a process that involves risk management rather than risk elimination. While we are committed to maintaining a reasonable information security program, no such program can be perfect; all risk cannot reasonably be eliminated. Data security incidents and breaches can occur due to factors that cannot reasonably be prevented. Accordingly, it cannot be assumed that the occurrence of any given incident or breach results from our failure to implement and maintain reasonable security. If you believe your account has been compromised, contact us immediately at hello@plutonus.app.
Personal Information of Minors
Plutonus is not directed to minors and is intended only for adults. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hello@plutonus.app and we will delete it.
Changes to This Policy
We will review and update this Policy from time to time. If changes are made, we will update the Privacy Policy and reflect the date of such modification in the date above. If the changes are material, you will be notified.
Accessibility
To make accessibility-related requests or report barriers, please contact us at hello@plutonus.app.
U.S. State Data Privacy Rights
Consumer Rights Under Comprehensive U.S. State Data Privacy Laws
We provide residents of the following states with rights with respect to the personal information we may collect about them under their state's data privacy law: California, Connecticut, Minnesota, Montana, and Oregon.
Right to Know: The right to know whether we are processing your personal information. California residents may also request categories of personal information collected, categories of sources, business or commercial purposes for collection, categories of personal information disclosed for a business purpose, and categories of third parties to whom personal information was disclosed.
Right to Access / Copy: The right to access or request a copy of your personal information, subject to certain exceptions.
Right to Delete: The right to request deletion of your personal information that we have collected from or about you, subject to certain exceptions.
Right to Correct: The right to request that we correct inaccuracies in your personal information.
Right to Know Third Party Recipients: The right to know the identities of third parties to which a business has disclosed personal information. This right is provided under Oregon and Minnesota privacy laws.
Rights to Opt Out: We do not sell personal information or use it for targeted advertising, so these opt-out rights are not applicable to Plutonus.
Exercising Your Rights
To exercise applicable rights to know, access/copy, delete, correct, or know third parties to which personal information is disclosed, submit a request by contacting us at hello@plutonus.app. We will provide a substantive response within the period required by applicable law (generally 45 days), plus any extension that law permits, to the extent your state law applies. If we require additional information or time to process your request, we will contact you.
Opt-Out Preference Signals and Do Not Track
An opt-out preference signal, such as the Global Privacy Control (GPC), communicates a consumer's choice to opt out of the sale and sharing of personal information for cross-context behavioral advertising. Because we do not sell or share personal information for cross-context behavioral advertising, there is no such processing for an opt-out preference signal to apply to. We do not respond to the DNT or “Do Not Track” signal.
Exercising Your Rights Using Authorized Agents
Agents may submit requests on behalf of individuals. The agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. You will also be required to verify your identity directly with us or confirm that you provided the agent with permission to submit the request. Agents can submit requests by emailing hello@plutonus.app.
Verification of Requests
When you exercise rights other than opt-out rights, we will take steps to verify your identity. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request, and we will notify you to explain the basis of the denial.
When We Do Not Act on a Request
In some cases, we may not act on your requests (e.g., if we cannot do so under other laws that apply). When this is the case, we will explain our reasons for not providing you with the information or taking the action you requested. Residents of states other than California have the right to appeal our decision by contacting us at the same method used to submit requests within 30 days after your receipt of our decision.
Non-Discrimination
If you exercise any of the rights explained in this Privacy Policy, we will continue to treat you fairly.
Contact Us
If you have questions about this Policy, wish to exercise your privacy rights, or would like to request this Privacy Policy in an accessible format (for example, large print or a screen-reader-friendly version), please contact us at hello@plutonus.app, or by mail at Kikoff Inc., Attn: Plutonus, 633 Folsom St., Suite 300, San Francisco, CA 94107.
