Legal Documents

For the purposes of this Data Processing Agreement ("DPA"): "Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data. When you use 1Plan, you are the Controller of your Personal Data. "Processor" means 1Plan, LLC, which processes Personal Data on behalf of the Controller. "Personal Data" means any information relating to an identified or identifiable natural person, including names, email addresses, financial information, and any data entered into the Service. "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, and destruction. "Sub-processor" means a third-party service provider engaged by 1Plan to process Personal Data on behalf of the Controller. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates. "Applicable Data Protection Law" means all applicable laws relating to data protection, including the General Data Protection Regulation (EU 2016/679) ("GDPR"), the California Consumer Privacy Act ("CCPA"), and any other applicable data protection legislation.

This DPA applies to all Personal Data processed by 1Plan on behalf of users in the course of providing the Service. Categories of data processed: • Identity data: name, email address, phone number • Account data: password hashes, authentication tokens, session data • Financial data: entity costs, provider names, renewal dates, policy numbers entered by the user • Document data: files uploaded by the user (policies, bills, contracts) • Usage data: interaction logs, feature usage, AI assistant conversations • Household data: names and email addresses of household members added by the user Purpose of processing: • Providing the core Service functionality (entity tracking, dashboard, reporting) • Powering the AI assistant with user context • Sending transactional communications (password resets, alerts) • Generating personalized insights and recommendations • Service improvement through anonymized, aggregate analysis Duration: Processing continues for the duration of the user's account. Upon account deletion, all Personal Data is deleted within 30 days (with backups purged within an additional 30 days).

1Plan acts as a Data Processor when processing Personal Data on behalf of users (Controllers). 1Plan processes data only as necessary to provide the Service and in accordance with the Controller's instructions (as expressed through their use of the Service). 1Plan acts as a Data Controller for: • Account registration and authentication data • Billing and payment information • Usage analytics (anonymized) • Communications related to the Service (support, updates) Controller obligations: You are responsible for ensuring that you have a lawful basis for providing Personal Data to 1Plan, and that any Personal Data you enter (including data about household members or third parties) has been collected in accordance with Applicable Data Protection Law. Processor obligations: 1Plan shall: • Process Personal Data only on documented instructions from the Controller • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations • Implement appropriate technical and organizational security measures • Assist the Controller in responding to Data Subject requests • Delete or return all Personal Data upon termination of the Service relationship • Make available all information necessary to demonstrate compliance

1Plan engages the following sub-processors to provide the Service: • Neon (Neon, Inc.) — Database hosting and management. Location: United States. Data processed: all user data stored in the Service. • Vercel (Vercel, Inc.) — Application hosting and edge delivery. Location: United States. Data processed: application requests, session tokens. • Stripe (Stripe, Inc.) — Payment processing. Location: United States. Data processed: billing information, subscription status. • Postmark (ActiveCampaign, LLC) — Transactional email delivery. Location: United States. Data processed: email addresses, email content. • Anthropic (Anthropic, PBC) — AI assistant services. Location: United States. Data processed: AI conversation content, user context for query processing. Data is processed per-query and not retained by Anthropic for training. • Plaid (Plaid, Inc.) — Financial account connectivity. Location: United States. Data processed: bank account connections, balance and transaction data (when authorized by user). • PostHog (PostHog, Inc.) — Product analytics and event tracking. Location: United States. Data processed: page views, feature usage, session data (when user consents to analytics cookies). Sub-processor requirements: All sub-processors are bound by data processing agreements that require them to: • Process data only as instructed by 1Plan • Implement appropriate security measures • Notify 1Plan of any data breach • Delete data upon termination of the engagement We will provide at least 30 days' notice before adding new sub-processors. You may object to a new sub-processor by contacting privacy@1plan.com.

1Plan will assist Controllers in fulfilling Data Subject rights requests under Applicable Data Protection Law: • Right of Access: Data Subjects may request a copy of their Personal Data. 1Plan provides this through the data export feature in account settings. • Right to Rectification: Data Subjects may update or correct their data directly through the Service. • Right to Erasure: Data Subjects may delete their account and all associated data. 1Plan will complete erasure within 30 days. • Right to Restriction: Data Subjects may request that processing be limited. 1Plan will accommodate such requests where technically feasible. • Right to Portability: Data Subjects may export their data in machine-readable format (JSON, CSV). • Right to Object: Data Subjects may object to processing. If the objection is valid under Applicable Data Protection Law, 1Plan will cease processing. Response timeline: 1Plan will respond to Data Subject requests within 30 days. If a request is complex, we may extend this period by an additional 60 days with notice. Notification: 1Plan will promptly notify the Controller if it receives a Data Subject request directly, unless prohibited by law.

1Plan implements the following technical and organizational measures to protect Personal Data: Technical measures: • Encryption in transit: TLS 1.3 for all data transmission • Encryption at rest: AES-256 encryption for stored data (provided by infrastructure) • Password security: bcrypt hashing with cost factor 12 (plaintext passwords are never stored) • Authentication: JWT-based session management with secure token generation • Access control: role-based access within household sharing; ownership verification on all data access • Input validation: schema-based validation on all API endpoints • File security: upload type and size restrictions, isolated user-scoped storage • Token expiry: password reset tokens expire after 1 hour and are single-use Organizational measures: • Access to production systems is restricted to authorized personnel • All personnel with data access are bound by confidentiality agreements • Regular security assessments and code reviews • Incident response procedures with defined escalation paths • Secure development practices including dependency auditing Monitoring and response: • Authentication events are logged and monitored • Automated backups with point-in-time recovery • Breach notification to Controllers within 72 hours of confirmed breach • Annual security posture review

1Plan is headquartered in the United States. All primary data processing occurs within the United States. For users in the European Economic Area (EEA), United Kingdom, or Switzerland: • Data transfers to the United States are conducted in compliance with applicable transfer mechanisms • We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers to sub-processors • We conduct transfer impact assessments for new sub-processors Sub-processor locations: All current sub-processors are located in the United States and maintain appropriate data protection certifications and agreements. If additional transfer safeguards are required under your jurisdiction, please contact legal@1plan.com to discuss supplementary measures.

Controllers have the right to audit 1Plan's compliance with this DPA: • Upon reasonable written request (no more than once per year), 1Plan will provide information demonstrating compliance with our data processing obligations • 1Plan will make available relevant audit reports, certifications, and assessment results • On-site audits may be conducted by the Controller or an independent auditor, subject to reasonable advance notice (at least 30 days), confidentiality obligations, and scheduling during business hours • The cost of audits initiated by the Controller shall be borne by the Controller, unless the audit reveals a material breach by 1Plan 1Plan will cooperate with regulatory authorities in the exercise of their powers of investigation, where required by Applicable Data Protection Law.

This DPA remains in effect for the duration of 1Plan's processing of Personal Data on behalf of the Controller. Upon termination of the Service agreement or upon request: • 1Plan will cease processing Personal Data within 30 days • 1Plan will delete all Personal Data from active systems within 30 days • 1Plan will delete Personal Data from backup systems within an additional 30 days • 1Plan will provide written confirmation of deletion upon request Exceptions: 1Plan may retain limited data beyond the deletion period only where required by applicable law (e.g., tax and financial reporting obligations), and will process such data only for the legally required purpose. Survival: Sections 5 (Data Subject Rights), 6 (Security Measures), and 8 (Audit Rights) survive termination of this DPA. Contact: For questions about this DPA, contact legal@1plan.com or privacy@1plan.com.