Privacy Policy (Draft)

WealthMRI Privacy Policy

Last updated: October 2025

WealthMRI helps advisors streamline intake and assessment workflows. This draft policy explains how we collect, use, share, and retain personal information about advisors, their prospects, and their clients. We will update this notice before launch and welcome legal review to ensure it satisfies all applicable requirements.

1. Information We Collect

We collect information that advisors, prospects, and clients provide directly to the platform as well as data generated through system use. This includes:

  • Intake questionnaire responses covering demographics, household details, dependent ages (including information about minors when supplied by a parent or guardian), employment, insurance coverage, assets, liabilities, goals, and other financial details.
  • Session metadata such as advisor discount codes, intake progress status, draft identifiers, resume tokens, friendly access codes, unknown-answer flags, IP address, user-agent, and timestamps.
  • Advisor onboarding data including name, business information, email, chosen advisor code, subscription plan, billing preferences, and verification details captured during enrollment or customer support interactions.
  • Purchase records consisting of contact details, normalized emails, advisor codes, plan selections, pricing, discounts, Stripe identifiers, opt-in preferences, and follow-up status.
  • Communication history such as assessment share events, connect requests, delivery status, and notifications handled through our email service.

2. How We Use Information

We process collected information to deliver and improve the WealthMRI service. Typical uses include:

  • Creating, updating, and maintaining intake assessments and advisor dashboards.
  • Facilitating advisor onboarding, subscription billing, and plan management.
  • Generating financial assessment summaries and sharing them with authorized recipients at the request of advisors or their clients.
  • Sending transactional communications, login links, and notifications about assessment status or payment activity.
  • Monitoring for fraud, troubleshooting technical issues, and securing the platform.
  • Complying with legal obligations, responding to lawful requests, and enforcing our terms of service.

3. Cookies, Tokens, and Similar Technologies

We rely on functional cookies and short-lived tokens to protect and stabilize sessions. We do not use marketing or analytics cookies.

  • Advisor logins use NextAuth sessions, backed by JSON Web Tokens (JWTs). JWTs are stored in HTTP-only cookies and may also be cached in local storage for hardened environments. Tokens are rotated regularly and can be replayed via authorization headers for API access.
  • Client intake flows employ hashed resume tokens that rotate approximately every 10 minutes and have a default 24-hour time-to-live. Tokens are mirrored to local storage to provide continuity if a browser tab is closed.
  • We log IP addresses and user-agents to detect abuse, enforce rate limits, and support security investigations.

4. Payments and Purchases

WealthMRI uses Stripe to manage all card processing and subscription billing. We never store or handle raw card details on our servers.

  • When you create a purchase or subscription, we transmit advisor identifiers, assessment IDs, plan selections, and discount information to Stripe.
  • Stripe webhooks notify us of payment success, failure, or disputes. We update purchase status, advisor entitlements, and follow-up tasks accordingly.
  • Advisor onboarding creates Stripe customers, payment intents, and subscription records tied to your account for ongoing billing and receipts.

5. Advisor Accounts and Authentication

Advisors access WealthMRI through passwordless email links backed by JWT sessions.

  • Verification links remain valid until first use so that spam or security scanners do not invalidate them.
  • Account metadata can include follow-up status, subscription history, invoice details, and active share requests.
  • Access is role-based. Advisors should avoid forwarding login or resume links to unauthorized individuals.

6. Result Sharing and Communications

We send assessment summaries, connect requests, and related notifications on behalf of advisors and their clients.

  • Emails are delivered through our communications provider and may include assessment highlights, follow-up prompts, and secure access codes.
  • We store metadata about delivery status, provider response IDs, share history, and contact preferences to manage outreach and troubleshoot issues.
  • Clients control when their assessment is shared, and advisors must obtain appropriate consent before forwarding client information.

7. Identifiers, Metadata, and Logging

We generate unique identifiers and maintain logs to ensure service integrity.

  • Friendly codes, resume tokens, and share links help connect advisors with assessments while minimizing exposure of direct personal data.
  • Structured logs capture JSON events, timestamps, IP addresses, advisor codes, payment IDs, and error details for debugging and incident response.
  • Logging data is restricted to authorized team members and retained only as long as necessary to investigate issues and improve security.

8. Data Retention and Deletion

WealthMRI stores assessment drafts, finished results, share tokens, and communications for as long as they are needed to deliver services and support advisors. We are developing automated retention schedules with the following commitments:

  • Draft assessments, intake sessions, and share tokens will be purged once expired or no longer required for advisor workflows.
  • Advisors may request deletion of completed assessments and related communications; we will facilitate removals as tooling becomes available.
  • We will document retention windows for each data category and publish updates when schedules are finalized.

9. Third-Party Service Providers

We share information with service providers that help us operate the platform. Each processor is bound by contractual obligations to safeguard data and use it only for specified purposes.

  • Stripe – payment processing, subscription billing, and advisor onboarding.
  • Resend – transactional email delivery for login links, assessment notifications, and client communications.
  • Hosting and database providers – managed infrastructure for application and database services (e.g., managed Postgres and CDN resources).

We maintain Data Processing Agreements (DPAs) with our vendors and will update this list as additional processors are engaged.

10. Security

We implement administrative, technical, and physical controls to protect personal information. Current safeguards include:

  • Hashed intake tokens, rotating JWT sessions, and HTTP-only cookies to reduce credential exposure.
  • Role-based access controls for advisor portals and internal tooling; least-privilege access is enforced for team members.
  • Logging and monitoring for suspicious activity, with incident response procedures under development.
  • Dependence on Stripe for card handling, so financial data never touches WealthMRI infrastructure.

We are expanding our security program to include regular audits, encryption reviews, and an incident response runbook.

11. Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, or export your personal information, and to withdraw consent. Our self-service tooling is in development; in the interim, please contact us to submit requests. We will respond within a reasonable timeframe and may need to verify your identity before fulfilling a request.

12. Contact Us

For questions about this policy or our privacy practices, or to exercise your rights, email contact@wealthmri.com. We currently process privacy requests manually and will confirm receipt within a reasonable period.

13. Changes to This Policy

We may update this policy as our services evolve or to reflect legal requirements. We will post the effective date at the top of the page and, when changes are material, provide additional notice to advisors through the portal or email.