Privacy Policy
Effective Date: June 2025 · Last Reviewed: June 2026
1. Introduction
Retire All Over (“we,” “us,” or “our”) operates this website and the Nomad Tools application at app.retireallover.com. This Privacy Policy explains what personal information we collect, how we use and protect it, your rights regarding your data, and how to contact us with questions.
This policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other applicable US state and international privacy regulations.
2. Information We Collect
Information You Provide
- Account information — email address and identity verified through Clerk, our authentication provider
- Financial data — account balances, transaction records, and subscription details you enter manually or import
- Linked institution data — account metadata and balances retrieved through Plaid when you choose to connect a bank or brokerage
- Travel data — trip itineraries, border crossing dates, and location information you enter
- Documents — files you upload to the Vault (insurance cards, vaccine records, passport scans, etc.)
Information Collected Automatically
- Usage data — pages visited and features used within the application
- Authentication data — session tokens issued by Clerk to verify your identity
- Log data — server-side request logs retained for security and operational purposes
Health-related information. Some features process health data you choose to enter — medications and prescription details, vaccination records, and related country legality/requirement lookups. We process this only to provide the feature you request; where applicable we rely on your explicit consent, and you can delete it at any time.
We do not knowingly collect personal information from children under 13. We do not use advertising trackers, third-party analytics SDKs, or sell data to any party.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the application and its features | Performance of contract |
| Authentication and account security | Legitimate interests / contract |
| Storing and retrieving your financial and travel data | Performance of contract |
| Security monitoring and abuse prevention | Legitimate interests / legal obligation |
| Compliance with legal obligations | Legal obligation |
We do not sell personal information. We do not use your data for advertising or share it with third parties for their marketing purposes.
4. Sharing of Information
Within your household: Nomad Tools is built for households, not single logins. Information you add is shared with the other members of your household, who can view and (depending on the feature) edit it. The household owner manages membership. Your household’s data is never visible to other households.
We share personal information with third parties only in the following circumstances:
- Infrastructure providers — We use Cloudflare (Pages, D1, R2) to operate the application and Clerk to authenticate users and manage sessions. Both process data as service providers under appropriate data processing agreements.
- Financial data providers — If you connect a bank or brokerage, Plaid processes the connection and returns account information needed for balance sync. We store Plaid access tokens encrypted and use them only to sync accounts you connected.
- AI providers — When you use an AI feature (document and statement scanning, trip / visa / medication / vaccine lookups, advisories, and brief or narrative generation), the content needed for that request is sent to Anthropic (Claude) and, as a fallback, OpenAI. They process it only to return your result and, under their API terms, do not use it to train their models or retain it beyond processing. You may supply your own AI key to route and bill AI usage to your own account.
- Email — Resend delivers transactional email (alerts, invites, reminders) and receives the recipient address and message content; forwarded trip and receipt emails are processed to create crossings and expenses.
- Maps — Google Maps powers the neighborhood map and location-history import; your map interactions and any imported location data are processed by Google.
- Loyalty programs — if you connect AwardWallet, it returns your airline / hotel / credit-card loyalty balances for the Rewards tracker.
- Visa requirements — visa lookups send a passport country and destination country to a third-party visa-requirements service (via RapidAPI); no personal identifiers are sent.
- Payments — if and when paid plans launch, a payment processor (such as Stripe) will process your billing details; we never store full card numbers. This policy will be updated before paid billing begins.
- Legal requirements — We disclose information when required by law, court order, or regulatory authority, or to protect the rights and safety of users.
- Business transfers — In the event of a merger or acquisition, affected users will be notified before data becomes subject to a different privacy policy.
5. International Data Transfers
Your data is stored and processed on Cloudflare’s global infrastructure. Where data is transferred outside the European Economic Area (EEA) or United Kingdom, appropriate safeguards including Standard Contractual Clauses are in place. Details of Cloudflare’s data transfer mechanisms are available at cloudflare.com/trust-hub/gdpr.
6. Data Retention
Your data is retained for as long as your account is active and for up to 7 years following account closure to meet legal and tax obligations. Uploaded documents are retained until you delete them or close your account. Server logs are retained for up to 12 months. When data is no longer needed it is securely deleted.
7. Your Privacy Rights
All Users
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
EU / UK Residents (GDPR / UK GDPR)
All rights above apply. You may also restrict processing while a dispute is resolved, withdraw consent at any time where processing is consent-based, and lodge a complaint with your national data protection authority.
California Residents (CCPA/CPRA)
You have the right to know what personal information is collected, delete it, correct inaccuracies, and opt out of its sale (we do not sell personal information). You will not be discriminated against for exercising these rights.
To exercise any of these rights, contact us at privacy@retireallover.com. We will respond within the timeframes required by applicable law (generally 30–45 days).
8. Security
We implement technical and organizational measures to protect personal information, including encryption in transit (TLS 1.2+) and at rest, access controls, and regular security reviews. In the event of a data breach affecting your rights and freedoms, we will notify you and applicable regulators as required by law.
9. Cookies and Tracking
Nomad Tools uses cookies only for authentication and security (session tokens issued by Clerk). We do not use tracking cookies or advertising cookies. No cookie consent banner is required for essential authentication cookies.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or prominent notice within the application at least 30 days before taking effect. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
11. Contact
For questions, requests, or complaints regarding this policy or our data practices:
Email: privacy@retireallover.com
Website: retireallover.com