What we know about you.

Most fintech companies hide their data practices in a fifty-page privacy policy nobody reads. This is the opposite: a one-screen audit of every data type WealthSpan touches, where it lives, who can read it, and how long it stays. If anything below isn't true of how we operate, the page is a bug — please tell us.

We never move money. Schwab integration uses OAuth read-only scope. We can see balances and positions; we cannot trade, transfer, or initiate any transaction. The scope is enforced by Schwab, not by us.

We never sell your data. No third-party advertisers, no data brokers, no analytics-as-business-model. The only entities that see your data are you, your advisor (if you're an RIA client), and Cloudflare (our infrastructure provider).

You can take your data and leave. Email us and we'll send you an export of everything we hold on you, in JSON, within 7 days. We'll also delete the originals if you ask us to.

Refresh tokens auto-expire. If you stop using WealthSpan for 7 days, the Schwab access we have to your accounts expires automatically. We can't restore it without you authorizing again.

What we store

Household profile

Cloudflare D1 · users + households tables

Names, birthdates, family relationships, retirement target age, annual income and spending — the same information you'd give a CFP at a first meeting. Entered by you, edited by you, never auto-populated.

Schwab tokens

Cloudflare KV · encrypted at rest · 7-day TTL

A refresh token Schwab issues us. Lets us pull balances on your behalf. Stored encrypted, separate per household member, automatically deleted on disconnect or 7-day inactivity.

Live Schwab balances

Cloudflare KV · 60-second cache

When you load the dashboard, we fetch your current Schwab balances and cache them for one minute so refreshes are fast. Positions, account values, and cash. Not persisted long-term — the cache rolls over.

Net worth snapshots

Cloudflare D1 · net_worth_snapshots table

A timestamped row written once per day (and on dashboard reloads, debounced to 6h) so the "what changed since last week" feature works. Sum totals only — no transaction-level data.

Insurance, real estate, other assets

Cloudflare D1 · insurance_policies, real_estate, other_assets tables

What you've entered about your insurance policies, real estate, and other assets (sport horse, 529s, etc.) — used by the rules engine to detect coverage gaps, ARM resets, and concentration risks.

Goals and life events

Cloudflare D1 · goals, life_events tables

Your stated goals (Coast FI, college funding) and significant life events you've logged. Goals drive the trajectory math; life events drive the followup rule.

Last-visit state

Cloudflare KV · 60-day TTL

When you last loaded the dashboard and what your net worth was at that moment — so the "Since you last looked" banner can show what changed. Auto-expires.

What we never store

Your Schwab username or password (we use OAuth — Schwab handles auth)
Your SSN, tax ID, or driver's license number
Your trading history, transaction-level data, or individual trades
Your account routing or bank account numbers (only last-4 of brokerage accounts, for display)
Any biometric data
Your location, device fingerprint, or browser metadata beyond what's needed to serve the request
Anything we don't have a specific reason to store and surface back to you

How it's protected

Everything runs on Cloudflare Workers — code executes at the edge, data lives in D1 (SQLite at edge, encrypted at rest) and KV (encrypted at rest with 60-day rolling rotation). No third-party databases, no shared infrastructure with other companies.

Connections are HTTPS-only with HSTS preload. We send a Content-Security-Policy header on every response so the browser refuses to load scripts or styles from anywhere we haven't allow-listed. X-Frame-Options: DENY prevents anyone from embedding the dashboard in their own page.

Access requires the demo password (signed cookie, 24-hour expiry) or an API key (server-to-server only). Real email-link authentication is the next milestone — single-use tokens delivered to your inbox, no passwords to remember or lose.

Schwab refresh tokens follow the OAuth 2.0 standard: 7-day expiry with no activity, rotation on every use. If your token is ever revoked at Schwab's end, our access dies with it — Schwab is the ultimate authority on what we can see.

Your rights

Export. Email hello@wealthspanhq.com with the subject "Data export request" and we'll send you a JSON file of everything we hold on you within 7 days. No questions asked.

Delete. Same address, subject "Delete my data." We'll permanently remove your D1 rows, all KV entries, and disconnect Schwab. Confirmation within 24 hours.

Audit. If you suspect we have something we shouldn't, ask. We'll either remove it or explain why it's necessary for the product to work.