myMoneyBot
Working on it
Search
Learn
How It Works About Us Cities FAQ Contact Us
Account
Log In Sign Up Free

Privacy Policy

Version 1.0-draft  ·  Effective date: TBD \u2014 upon attorney approval and PATCH-229 production deployment

DRAFT \u2014 NOT YET EFFECTIVE

This Privacy Policy is a working draft held here for transparency during build. It is not yet in force. Do not rely on it as a legally binding published policy. The three conditions below must all be met before publication:

  • Attorney review and sign-off on the full document
  • Attorney confirmation of the retention period for the claim-filing documents bucket (placeholder below reads TBD)
  • PATCH-229 live in production \u2014 identity-document sections are only accurate once the R2 upload integration is shipped

1. Who We Are

myMoneyCA LLC is a California limited liability company operating a California unclaimed property search and claims filing service at mymoneyca.com. We are a registered California State Controller's Office (SCO) Investigator, licensed to file unclaimed property claims on behalf of clients under California law.

myMoneyCA is independent and is not affiliated with, endorsed by, or operated by the California State Controller's Office.

Privacy contact:
Christopher Lo, Founder & CEO
Email: clo@mymoneyca.com
Mail: 703 Red Barn Pl, Lathrop, CA 95330

2. What Data We Collect and Why

We collect only the information we need to operate your account, search for your unclaimed property, and file your claim with the SCO. Each category below lists what we collect, where it is stored, how we use it, and how long we keep it.

2.1 Account Registration Data

  • What: first name, last name, email address, phone number, password (hashed using Werkzeug \u2014 never stored in plaintext).
  • Collected at: signup.
  • Stored in: our PostgreSQL account database, hosted by Render in the United States.
  • Purpose: account creation, authentication, account recovery.
  • Retention: life of your account plus 30 days after a deletion request.

2.2 Search Data

  • What: names searched, addresses searched, ZIP codes, and timestamps.
  • Stored in: PostgreSQL on Render.
  • Purpose: returning search results and supporting the Search Again feature on your dashboard.
  • Retention: the last 10 searches per user. Older searches are auto-purged. You may delete any saved search at any time from your dashboard.

2.3 Claim Data

  • What: property details, claim status, timestamps, your myMoneyCA claim number, date of birth, current mailing address on file, and audit trail for your electronic signature on the myMoneyCA Fee Agreement (IP address and browser user-agent at the moment of signing, per the federal ESIGN Act and California Uniform Electronic Transactions Act).
  • Stored in: PostgreSQL on Render.
  • Purpose: managing the filing of your claim with the SCO and maintaining the audit trail required of a registered SCO Investigator.
  • Retention: [ATTORNEY TO CONFIRM \u2014 placeholder: 7 years after claim reaches Complete status.]

2.4 Identity Verification Documents

These items are collected only at Stage 2 of the claim flow. They are never stored in our application database.

  • What: your Social Security Number (SSN), government-issued photo ID, proof of SSN, proof of address, and your signed SCO Claim Affirmation Form.
  • Transmitted: server-side from our Flask application to Cloudflare R2. We never issue direct-to-browser upload URLs. Your browser sends the file to our server; our server sends the file to R2.
  • Stored in: Cloudflare R2, Western North America (WNAM) region, in a private bucket (mymoneyca-claims-pii). Contents are encrypted at rest by Cloudflare and are never publicly accessible. Our staff retrieves these files only via short-lived (1 hour max) signed URLs generated server-side, with every generation logged in our internal audit trail.
  • Purpose: required by the SCO to process your unclaimed property claim. Submitted to the SCO on your behalf as your authorized investigator.
  • Retention: automatically destroyed 90 days after your claim reaches Complete status. Governed by Cloudflare's Data Processing Addendum (Version 6.4, dated April 3, 2026) at cloudflare.com/cloudflare-customer-dpa.

2.5 Claim Filing Documents

  • What: generated claim filing PDFs, the SCO Investigator Agreement, filing packets we produce on your behalf, and SCO correspondence we receive on your claim.
  • Stored in: Cloudflare R2, WNAM, in a private bucket (mymoneyca-claims-docs). Same access controls as 2.4.
  • Purpose: SCO Investigator compliance recordkeeping and dispute resolution.
  • Retention: [ATTORNEY TO CONFIRM \u2014 DO NOT PUBLISH until confirmed.]

2.6 Payment Data

  • We do not charge you upfront. When post-recovery proceeds are processed, Stripe is our payment processor. myMoneyCA does not store card numbers or payment credentials. Stripe's handling of payment data is governed by stripe.com/privacy.

2.7 Communications Data

  • What: email inquiries you send us.
  • Purpose: responding to your inquiries.
  • Retention: 2 years after the last message in the thread.

2.8 Technical Data

  • What: IP address, browser type, pages visited, session data.
  • Purpose: security, fraud prevention, service operation.
  • Retention: 90 days in server logs.

3. Third-Party Data Processors

We use the following service providers to operate myMoneyCA. Each processes data only for the purposes stated and under contractual obligations to protect your information.

  1. Render \u2014 application hosting and PostgreSQL database. United States.
  2. Cloudflare R2 \u2014 document storage for identity verification documents (mymoneyca-claims-pii) and generated claim filings (mymoneyca-claims-docs). United States (WNAM region). Governed by the Cloudflare Data Processing Addendum Version 6.4, April 3, 2026.
  3. Stripe \u2014 payment processing for post-recovery proceeds. stripe.com/privacy.
  4. Google (Places API) \u2014 address autocomplete suggestions. When you type an address, the partial text is forwarded to Google's Places API to return suggestions. Subject to Google's Privacy Policy.
  5. Google (reCAPTCHA) \u2014 automated-abuse prevention on login, signup, and password-reset pages. May collect hardware and software information from your device. Subject to Google's Privacy Policy and Terms of Service.
  6. Anthropic \u2014 powers our MoneyBot AI assistant via the Claude API. If you use MoneyBot, the text of your message is sent to Anthropic. Do not include sensitive personal information (SSN, government ID numbers, date of birth) in chat messages. Anthropic's Commercial Terms prohibit using customer inputs to train their models.
  7. Gmail / Google SMTP \u2014 transactional email delivery (account creation, password reset, claim status updates).

We do not sell, rent, or trade your personal information. We do not share your information with advertisers, data brokers, or marketing partners.

4. Data Security

  • All traffic between your browser and our servers, and between our servers and Cloudflare R2, is encrypted in transit with TLS.
  • Documents stored in Cloudflare R2 are encrypted at rest by Cloudflare. Buckets are private and never publicly accessible.
  • Passwords are hashed with Werkzeug before storage. We never store or log plaintext passwords.
  • Sensitive credentials (database password, R2 access keys, API keys) live only in environment variables on our hosting provider and are never committed to source control or included in log output.
  • Your Social Security Number is never written to our PostgreSQL database, never written to any application log, never displayed in the administrative interface, never included in a URL, and never passed to our AI assistant. Its only location in our infrastructure is inside the supporting documents you upload to R2.
  • Administrative document access uses short-lived signed URLs (1 hour maximum). Every signed URL generated is logged with the admin's identity, timestamp, claim ID, document type, and object key.
  • Cross-site request forgery (CSRF) protection is enforced on every state-changing form in the application.
  • Access to user data is restricted to authorized myMoneyCA personnel only, using account-level access controls on both Render and Cloudflare.

Incident response. We maintain a written incident-response playbook with step-by-step procedures for detection, containment, notification, and post-incident review. In the event we identify unauthorized access to your personal information, we will investigate promptly, contain the issue, and notify affected California residents and the California Attorney General in accordance with California Civil Code §1798.82. Where the breach involves your Social Security Number or government identification, we will notify within the 72-hour window that section §1798.82 imposes for those identifiers.

No method of transmission or storage is 100% secure. While we use reasonable industry-standard measures to protect your information, we cannot guarantee absolute security.

5. Cookies and Local Storage

myMoneyCA uses only session cookies required for you to stay logged in. We do not use advertising cookies, third-party analytics cookies, or tracking cookies.

We use browser localStorage to save your dark/light mode preference. This preference stays on your device and is never transmitted to our servers.

Google reCAPTCHA (on login, signup, and password-reset pages) may set its own cookies to verify that you are not a bot. Those cookies are managed by Google under Google's Privacy Policy.

6. Children's Privacy

myMoneyCA is not directed at individuals under 18 years of age. Our service requires entering into a fee agreement, which requires the user to be an adult capable of entering a contract under California law. We do not knowingly collect personal information from anyone under 13 (as defined by the Children's Online Privacy Protection Act). If you believe we have collected information from a child under 13, please contact us immediately at clo@mymoneyca.com and we will delete it.

7. California Residents \u2014 Your CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the following rights regarding your personal information:

  • Right to Know. You may request a report of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we have shared it.
  • Right to Delete. You may request deletion of the personal information we have collected from you, subject to exceptions (for example, information we must retain to complete an active SCO filing or to meet our investigator recordkeeping obligations).
  • Right to Correct. You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing. We do not sell or share your personal information for cross-context behavioral advertising. This right is already honored by default; there is nothing for you to opt out of.
  • Right to Limit the Use and Disclosure of Sensitive Personal Information. Under CPRA, SSN and government identification are categories of Sensitive Personal Information. We use these categories only for the purpose of filing your unclaimed property claim with the SCO \u2014 never for advertising, profiling, or any secondary purpose. This limitation is built into our practices; no separate request is needed.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

How to submit a privacy request. You may submit a request by either of the two methods below:

  • Email clo@mymoneyca.com with the subject line "Privacy Request" and a description of the request.
  • Mail a written request to myMoneyCA LLC, 703 Red Barn Pl, Lathrop, CA 95330.

We may require you to verify your identity before fulfilling the request so we can protect your information from unauthorized access. We will respond within 45 days; if we need more time, we will let you know and explain why.

If you authorize an agent to make a request on your behalf, we may require written proof of the authorization and verification of the agent's identity.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or by posting a notice at the top of this page for at least 30 days. Your continued use of myMoneyCA after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We will always keep the prior version accessible on request.

9. Contact Us

For privacy-related questions, requests, or concerns:

myMoneyCA LLC
703 Red Barn Pl, Lathrop, CA 95330
Email: clo@mymoneyca.com
Website: mymoneyca.com

Hi! I'm myMoneyBot — ask me anything about your unclaimed property!