Privacy Policy.
This policy explains what information Trussdee collects, how we use it, who can access it, and the rights you have regarding your data.
1. Introduction
Trussdee, Inc. ("we," "us," or "our") operates Trussdee (the "App"), a financial performance tracking and consolidation platform designed for family offices and the families they serve. We are committed to protecting the privacy and security of the financial and personal information entrusted to us.
This Privacy Policy explains what information we collect, how we use it, who can access it, and the rights you have regarding your data. By accessing or using the App, you agree to the practices described in this policy.
2. Who This Policy Covers
This policy applies to two categories of individuals:
- Family Office Users — Authorized staff, advisors, and administrators at a family office who use the App to manage, consolidate, and report on financial information on behalf of a family.
- Family Members — Individual members of a family whose financial information is managed or viewed within the App. Family members may have their own login credentials, or their data may be entered and managed by family office staff on their behalf.
Both categories are referred to collectively as "you" or "users" throughout this policy.
3. Information We Collect
We collect information necessary to provide a comprehensive financial consolidation and performance tracking experience. The categories of information we collect include:
3.1 Financial Account Data
Bank and Brokerage Accounts: Account balances, transaction histories, holdings, positions, and performance data from checking, savings, investment, and brokerage accounts.
Real Estate and Alternative Assets: Property valuations, acquisition costs, ownership details, and performance data for real property (sourced via our partner House Canary), private equity interests, hedge fund holdings, venture investments, collectibles, and other alternative or illiquid assets.
3.2 Information You Provide Directly
Family office staff and family members may enter data manually into the App, including asset descriptions, valuations, cost basis information, notes, entity structures, and other financial details that cannot be obtained through automated feeds.
3.3 Information from Third-Party Data Partners
Where you authorize it, Trussdee connects to your financial institutions through a chain of licensed data partners to automatically import account and transaction data. Here is how that data flows to us:
Finicity (a Mastercard company), MX Technologies, Inc., and Plaid connect to your financial institutions to retrieve account balances and transaction data. That data is passed to Quiltt, Inc., which serves as our primary data aggregation layer and delivers consolidated financial data to Trussdee through its API.
Additionally, transaction data is routed through FinGoal, a service used by Quiltt to categorize and enrich your transactions (for example, identifying a charge as "groceries" or "utilities"). FinGoal processes transaction data only for this classification purpose.
By connecting a financial account in Trussdee, you authorize this data flow. Each partner operates under its own privacy policy: Finicity · MX · Plaid · Quiltt · FinGoal.
3.4 Account and Identity Information
To create and maintain your account, we collect your name, email address, role (e.g., family office administrator, family member), and the credentials used to authenticate to Trussdee.
3.5 Technical and Usage Data
We automatically collect certain technical information when you use the App, including your IP address, device type, operating system, browser type, session timestamps, and pages or features accessed.
3.6 Categories of Personal Information — CCPA/CPRA Reference
The following table maps the information we collect to the statutory categories defined by the California Consumer Privacy Act and California Privacy Rights Act:
| CCPA/CPRA Statutory Category | Examples in Trussdee | Collected | Sensitive PI? |
|---|---|---|---|
| Identifiers | Name, email address, IP address, account login credentials | Yes | No |
| Financial Information | Bank account balances, brokerage holdings, transaction histories, real estate valuations, alternative asset data | Yes | Yes — SPI |
| Internet or Electronic Network Activity | Pages visited in the App, session duration, device and browser type | Yes | No |
| Professional / Role Information | User role (family office administrator, staff, or family member) | Yes | No |
| Inferences from Personal Information | Transaction categories (e.g., "groceries," "utilities") enriched via FinGoal | Yes | No |
| Geolocation Data | — | No | N/A |
| Biometric Information | — | No | N/A |
| Government Identifiers (SSN, passport, etc.) | — | No | N/A |
| Health or Medical Information | — | No | N/A |
4. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and operate Trussdee — Consolidating, organizing, and displaying financial data across accounts and asset classes for authorized users.
- To generate reports and performance analytics — Producing financial summaries, portfolio performance views, and other reports used by family office staff and family members.
- To authenticate users and maintain account security — Verifying identities, managing access controls, and protecting against unauthorized access.
- To connect to financial institutions — Facilitating secure data flows through Quiltt, Finicity, MX, Plaid, and FinGoal to retrieve and categorize your financial data.
- To improve the App — Analyzing usage patterns and technical data (in aggregate and de-identified form where possible) to diagnose issues and enhance features.
- To communicate with you — Sending account-related notifications, security alerts, and important policy updates, including the annual GLBA privacy notice.
- To comply with legal obligations — Retaining records and responding to lawful requests where required by applicable law.
We do not use your financial data to serve you advertising, and we do not sell your personal information to any third party.
5. Who Has Access to Your Information
Access to your information within Trussdee is governed by role-based access controls as described below.
| Role | Access Level |
|---|---|
| Family Office Administrators | Full access to all data within the App for the families they manage, authorized by the family office's engagement agreement with Trussdee, Inc. |
| Family Office Staff | Access to some or all family financial data, depending on permissions configured by an administrator. |
| Family Members | Access to their own financial information and any data the family office has configured them to view. Family members do not have access to other family members' individually identifiable data unless explicitly granted by an administrator. |
| Trussdee, Inc. Personnel | Access only as needed to provide technical support, investigate security incidents, or fulfill legal obligations. All such access is logged and subject to confidentiality obligations. |
7. Data Security
We take the security of your financial information seriously and employ industry-standard safeguards, including:
- Encryption of data in transit using TLS (Transport Layer Security)
- Encryption of data at rest using AES-256 or equivalent standards
- Role-based access controls limiting data access to authorized personnel
- Multi-factor authentication (MFA) for user accounts
- Regular security assessments and monitoring
GLBA Safeguards Rule: Trussdee maintains a written Information Security Program in compliance with the FTC Safeguards Rule (16 C.F.R. Part 314), as updated in 2023. A designated Qualified Individual oversees this program, which includes formal risk assessments, technical and organizational controls, employee training, ongoing service provider oversight, and a documented incident response plan. The program is reviewed at least annually and reported to senior leadership.
Despite these measures, no system is completely immune from security risks. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorized access to your account. Please see Section 14 for information on how we respond to security incidents.
8. Data Retention
We retain your financial and account data for as long as your account is active or as necessary to provide you with Trussdee's services. Upon account termination, we retain data for a period necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, after which it will be securely deleted or anonymized.
You may request deletion of your data at any time by contacting us as described in Section 15. Please note that we may be required to retain certain records under applicable financial laws and regulations, including the GLBA and any applicable state requirements.
9. Children's Privacy
Trussdee is not designed for direct use by individuals under the age of 18. We do not knowingly collect personal information directly from minors.
In the family office context, data about minor children who are beneficiaries or family members may be entered into Trussdee by authorized family office staff or parents/guardians acting on the family's behalf — not by the minor children themselves. This indirect entry is distinct from direct collection covered by the Children's Online Privacy Protection Act (COPPA), which applies to the direct online collection of personal information from children under 13.
If you believe personal information about a child under 13 has been entered into Trussdee directly (i.e., not by an authorized adult), please contact us immediately using the privacy email link and we will take prompt steps to remove it.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you through the App or by email at least 30 days before the changes take effect.
Your continued use of Trussdee after the effective date of an updated policy constitutes your acceptance of the revised terms. We encourage you to review this policy periodically.
11. California Residents — CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. This section describes those rights and how to exercise them.
Note on sensitive personal information: Financial account data — including bank balances, transaction history, and investment holdings — constitutes sensitive personal information under the CPRA. Trussdee uses this data solely to provide the services you have requested and does not use it for inferring characteristics about you or for any secondary purpose.
Your Rights Under the CCPA/CPRA
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose, and the categories of third parties with whom we share it. See Section 3.6 for our statutory category disclosures.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions — for example, where retention is required by law or necessary to complete a service you requested.
- Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.
- Right to Limit Use of Sensitive Personal Information: You have the right to direct us to limit our use of your sensitive personal information (including financial account data) to what is necessary to provide Trussdee's services. We do not use sensitive personal information beyond this scope.
- Right to Opt Out of Sale or Sharing: We do not sell your personal information, and we do not share it for cross-context behavioral advertising. You therefore have no need to opt out, but we will honor any such request if submitted.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights — including denying services, charging different prices, or providing a different level of service.
How to Submit a Request
To submit a verifiable consumer request, contact our Privacy Officer using the information in Section 15. We will acknowledge your request within 10 business days and respond substantively within 45 calendar days. If we need additional time, we will notify you and may extend the response period by up to an additional 45 days.
We will verify your identity before processing your request. You may designate an authorized agent to submit requests on your behalf; we will require the agent to provide proof of authorization and may contact you directly to verify.
We do not charge a fee to process a verifiable consumer request unless it is manifestly unfounded or excessive. If a fee is warranted, we will tell you why and provide a cost estimate before processing.
12. Federal Financial Privacy Notice (GLBA)
Trussdee, Inc. is subject to the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain their information-sharing practices and protect customers' nonpublic personal information (NPI). This section serves as our GLBA-required privacy notice.
What is Nonpublic Personal Information (NPI)?
NPI is personal financial information that is not publicly available. It includes the financial account data, transaction histories, asset details, and contact information we collect in connection with providing Trussdee's services.
Categories of NPI We Collect
| Category | Examples |
|---|---|
| Information you provide | Name, email address, login credentials, manually entered asset values, cost basis, entity structures |
| Financial account information | Bank and brokerage balances, transaction histories, investment holdings and performance data — obtained via Quiltt, Finicity, MX, and Plaid |
| Real estate and alternative assets | Property valuations, ownership details, private equity interests, alternative investment data |
| Transaction enrichment data | Categorized transaction labels (e.g., "dining," "utilities") processed through FinGoal on behalf of Quiltt |
| Technical information | IP address, device type, session data used to maintain security and improve the App |
How We Share NPI and With Whom
We share NPI only with service providers who process data on our behalf under written contracts that restrict their use of your information to the specific service purpose. These service providers are:
- Quiltt, Inc. — API data aggregation layer
- Finicity (Mastercard) — financial account data retrieval
- MX Technologies, Inc. — financial account data retrieval
- Plaid — financial account data retrieval
- FinGoal — transaction categorization and enrichment
- Cloud infrastructure providers — secure hosting and database services
We do not share NPI with non-affiliated third parties for their own marketing or business purposes, and we do not sell NPI.
Your Right to Opt Out
Federal law gives you the right to opt out of having your NPI shared with non-affiliated third parties for their independent use. Because we share NPI only with our service providers (as described above) — and not with non-affiliated third parties for independent purposes — there is currently no sharing that requires an opt-out. If our sharing practices change in a way that triggers this right, we will notify you and provide a clear opt-out mechanism before any such sharing begins.
Annual Privacy Notice
We will provide you with an updated version of this privacy notice at least annually, delivered through the Trussdee App or by email to your registered address. Your continued use of Trussdee after receipt of an updated annual notice constitutes acknowledgment of its terms.
Information Security (GLBA Safeguards Rule)
Trussdee maintains a written Information Security Program designed to protect the security, confidentiality, and integrity of NPI, in compliance with the FTC Safeguards Rule (16 C.F.R. Part 314), as updated effective June 9, 2023. A designated Qualified Individual oversees the program, which includes risk assessments, technical safeguards, employee training, service provider oversight, and a documented incident response plan reviewed and updated at least annually.
13. Utah Residents — Utah Consumer Privacy Act (UCPA)
If you are a Utah resident, the Utah Consumer Privacy Act (Utah Code §13-61-101 et seq.), effective December 31, 2023, provides you with the following rights regarding your personal data.
Note: The UCPA provides somewhat different rights than California's CCPA/CPRA. Notably, the UCPA does not include a right to correct personal data or a right to limit use of sensitive personal information. If you are both a Utah and California resident, Section 11 describes the broader set of CCPA/CPRA rights available to you.
Your Rights Under the UCPA
- Right to Access — You may request confirmation of whether Trussdee is processing your personal data and request access to that data.
- Right to Delete — You may request deletion of personal data that you provided to us, subject to exceptions where retention is required by law or necessary to complete a service you requested.
- Right to Data Portability — You may request a copy of your personal data in a portable, readily usable format, to the extent technically feasible.
- Right to Opt Out of Sale — You may opt out of the sale of your personal data. Trussdee does not sell personal data, so this right is not currently triggered — but we will honor any opt-out request you submit.
- Right to Opt Out of Targeted Advertising — You may opt out of the processing of your personal data for targeted advertising. Trussdee does not process personal data for targeted advertising purposes.
How to Submit a UCPA Request
To submit a request, contact our Privacy Officer using the information in Section 15. We will respond within 45 calendar days of receipt. If additional time is needed, we will notify you and may extend the response period by an additional 45 days.
We will not discriminate against you for exercising your UCPA rights. We may deny requests that we cannot verify or that fall within a statutory exception; if we deny a request, we will explain the basis for the denial.
14. Security Incidents & Breach Notification
Despite our safeguards, no system is completely risk-free. In the event of a security incident that results in unauthorized access to or acquisition of your personal information, Trussdee will respond as follows:
Our Response Process
- Detect & Contain: Identify and contain the incident, preserving evidence for investigation and preventing further unauthorized access.
- Assess: Determine the nature and scope of the breach — what information was affected, whose information, and the likely impact.
- Notify Affected Individuals: Notify affected users as required by applicable law (see timelines below). Notices will describe: the nature of the breach, the categories of information involved, steps Trussdee is taking in response, and steps you can take to protect yourself.
- Notify Regulators and Partners: Report to relevant regulatory authorities and data partners (Quiltt, Finicity, MX, Plaid, FinGoal) as required by law and contract.
- Remediate & Review: Address the root cause of the incident and update our security program to reduce the risk of recurrence.
State Breach Notification Timelines
| Jurisdiction | Notification Timeline | Regulatory Reporting |
|---|---|---|
| Utah (Utah Code §13-44-202) | Within 30 calendar days of discovery of the breach | Notify the Utah Attorney General if 500 or more Utah residents are affected |
| California (Cal. Civ. Code §1798.82) | Without unreasonable delay and in the most expedient time possible | Notify the California AG if more than 500 California residents are affected |
| Other states | In accordance with each state's applicable breach notification law | As required by applicable state law |
If you suspect your Trussdee account has been compromised, please contact us immediately using the privacy email link. Prompt reporting helps us respond quickly and minimize potential harm.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information — including exercising any rights described in Sections 11, 12, or 13 — please reach out to our Privacy Officer: