Privacy Policy

The data controller responsible for your personal data is Liam Agent, operating the LIAM platform at liamagent.com. For all data protection enquiries, contact us at contact@liamagent.com.

Account information.When you sign up, we collect your name, email address, and a hashed password. If you sign in with Google, we receive your name and email from Google's OAuth service. We never receive your Google password.

Consent records. At registration, we record your acceptance of these policies including the policy version, timestamp, and IP address. This is a legal obligation under GDPR Article 7. See Section 9 for full details.

Financial documents. You may upload bank statements, credit reports, pay stubs, and other financial documents in PDF, CSV, or image format. These are stored securely and used only to provide you with AI-generated analysis.

Bank connection data (optional). If you connect a bank account via Plaid, we receive read-only account balances, transaction history, and institution name. We store Plaid access tokens server-side only — they are never exposed to the browser. We cannot initiate transactions or transfers on your behalf.

Identity verification outcome (optional). If you use our identity verification feature, Stripe Identity collects and processes your government-issued ID and selfie. We receive only the verification outcome (verified / rejected / pending) and a high-level reason code if rejected. We do not receive or store copies of your documents or biometric images. See Section 6 for full details.

Conversation data. Messages you send to LIAM and AI responses are stored to provide conversation history and context for follow-up queries. Conversation content may include financial details you share voluntarily.

Usage data. We collect standard server logs including IP address, browser type, pages visited, and timestamps for security monitoring and service improvement.

Payment information. Subscription payments are processed exclusively by Stripe. We do not store card numbers or full payment details. Stripe provides us with a subscription status and billing email only.

Voice data. If you use voice features, audio is processed in real-time by ElevenLabs for speech synthesis. We do not store audio recordings.

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with equivalent data protection law, we process your personal data under the following legal bases:

Where we rely on consentas the legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. Withdraw marketing consent from Settings → Privacy & Consent.

We use the information we collect to:

• Provide, operate, and improve the LIAM platform
• Generate AI-powered financial analysis, recommendations, and insights
• Maintain your conversation history and personalised financial profile
• Process subscription payments through Stripe
• Send important account notifications (confirmations, billing alerts, security updates)
• Send marketing communications where you have consented
• Detect and prevent fraud, abuse, or unauthorised access
• Fulfil our legal and regulatory obligations
• Record and manage consent as required by GDPR Article 7

We do not sell, rent, or share your personal or financial data with third parties for advertising, profiling, or marketing purposes.

LIAM integrates several third-party services ("sub-processors") that receive personal data in order to operate. All sub-processors are contractually bound to protect your data and use it only as directed by us.

Anthropic.Your chat messages — including any financial data you share — are sent to Anthropic's API for AI processing. We do not send your documents, account numbers, or identity information to Anthropic unless you explicitly paste them into a message.

Tavily. When LIAM performs an AI-driven web search to provide financial context or market data, your search query (generated by our AI, not your raw text) is sent to Tavily. We do not send personally identifiable information to Tavily.

We do not use your financial data to train any AI model without your explicit, separately obtained consent.

Identity verification is provided by Stripe Identity. When you choose to verify your identity:

• You are redirected to a Stripe-hosted verification flow
• Stripe collects and processes your government-issued ID document and a selfie
• Stripe performs biometric liveness detection and document authenticity checks
• Stripe's processing is governed by Stripe's Privacy Policy and their Identity End User Privacy Notice
• Liam Agent never receives, stores, or processes copies of your ID documents or selfie
• Liam Agent receives only: verification outcome, timestamp, and a high-level rejection reason if applicable

The verification outcome (e.g. verified) is stored in your account metadata to unlock features. If you request account deletion, this status field is deleted. Stripe retains its own verification records subject to their retention policy.

Identity verification is entirely optional unless explicitly required for a feature you have chosen to access.

Your data is stored using Supabase, a secure cloud database platform with AES-256 encryption at rest and TLS encryption in transit. File access requires authenticated session tokens.

We implement the following security measures:

• TLS 1.2+ encryption for all data in transit
• AES-256 encrypted database storage at rest
• Row-Level Security (RLS) policies — each user can only access their own data
• Session-based authentication — API routes verify every request server-side
• Server-side API key management — no credentials exposed to the browser
• Webhook signature verification for all third-party event sources
• API rate limiting to prevent abuse

Plaid access tokens and Stripe secret keys are stored and used exclusively server-side and are never returned to or accessible from the browser.

While we take strong precautions, no system is completely immune to security risks. We encourage you to use a strong, unique password. Report suspected security issues to contact@liamagent.com.

When you delete your account from Settings → Data & Account, our system immediately (1) revokes all connected bank account access via Plaid, (2) cancels your active subscription, and (3) permanently deletes your account and all linked data via cascading database deletion. Certain financial records may be retained in a secure archive for up to 7 years as required by GLBA and other applicable financial regulations. Consent records are retained for 7 years as required by GDPR Article 7. All retained records are subject to the same security controls and are not used for any commercial purpose.

At account registration, we collect and store a record of your consent to these policies. This is required by GDPR Article 7, which obliges us to demonstrate that consent was freely given, specific, informed, and unambiguous.

What we record. For each consent decision, we store:

• The type of consent (Terms of Service, Privacy Policy, Marketing)
• The policy version you agreed to
• The date and time of consent
• Your IP address at the time of consent
• The method by which consent was captured (signup form, Google OAuth, settings update)

Where to view your records. You can review your complete consent history at any time from Settings → Privacy & Consent.

Updating consent. You can withdraw or update optional consent (marketing communications) from your Settings page at any time. Required consents (Terms and Privacy Policy) cannot be withdrawn while your account remains active, as they form the legal basis for providing the Service. You may delete your account to end all processing.

Policy updates. When we make material changes to our policies, we will increment the version number and require you to re-consent before continuing to use the Service. You will receive an email notification of material changes.

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete data
• Deletion (Right to Erasure) — Delete your account and all associated data instantly via Settings → Data & Account → Delete my account. This triggers immediate revocation of bank connections, subscription cancellation, and cascading database deletion. Alternatively, submit a written request to contact@liamagent.com and we will process it within 30 days. Legal retention obligations (GLBA, GDPR Art. 7) apply to certain records as described in Section 8.
• Portability — Export your data in machine-readable JSON format from Settings → Export
• Objection — Object to processing based on legitimate interest
• Restriction — Request restriction of processing in certain circumstances
• Withdraw consent — Withdraw optional consents (marketing) at any time from Settings → Privacy & Consent
• Lodge a complaint — File a complaint with your national data protection authority

To exercise any of these rights, contact contact@liamagent.com. We will respond within 30 days (or within the timeframe required by applicable law).

LIAM uses strictly necessary cookies to maintain your authenticated session. These cookies are required for the Service to function and cannot be opted out of while using an authenticated account.

We do not use advertising cookies, third-party tracking cookies, or cross-site tracking pixels. We do not participate in advertising networks or behavioural profiling programmes.

LIAM is not directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us at contact@liamagent.com and we will promptly delete the account.

Liam Agent operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States. These countries may have different data protection standards than your home country.

Where we transfer EEA personal data to third countries, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with our sub-processors. For details on the safeguards applicable to any specific transfer, contact contact@liamagent.com.

We may update this Privacy Policy periodically. When we do, we will update the "Last updated" date at the top of this page and increment the version number.

Material changes — changes that significantly affect your rights, the types of data we collect, or with whom we share it — will be notified to you by email at least 14 days in advance and will require re-consent before you can continue using the Service.

Minor changes (corrections, clarifications, new sub-processors performing equivalent functions) will be reflected in the policy with an updated version date. We will notify you of these changes via the Settings → Privacy & Consent page.

For privacy-related questions, rights requests, or complaints, contact us at:

EEA users who are unsatisfied with our response have the right to lodge a complaint with their local supervisory authority. A list of EU data protection authorities is available at the European Data Protection Board website.