TurtlewayHelp Center

Privacy Policy

Last updated June 1, 2026

Turtleway LLC, a Hawaii limited liability company (“Turtleway,” “we,” “us,” or “our”), is building a platform for long-term investors. This Privacy Policy explains what information we collect, how we use it, how we share it, and the choices and rights you have. It applies to turtleway.io, the Turtleway mobile application, and any related services we offer (together, the “Service”).

1. Information we collect

We collect information you provide directly, information collected automatically when you use the Service, and information from third parties that help us operate.

  • Information you provide. When you join the waitlist, create an account, or contact us, we collect your email address, name, and any other details you choose to share (for example, messages, feedback, or notes you save in the Service).
  • Google account information. If you sign in with Google, we receive basic profile information (such as your name, email address, and profile picture) and any additional scopes you explicitly authorize. We only request the minimum scopes needed to provide the feature you are using.
  • Financial account information (via Plaid). If you choose to connect a financial account, we use Plaid Inc. (“Plaid”) to securely link that account and, with your authorization, receive financial data such as your investment holdings, transactions, account balances, and account and institution details (for example, account type, masked account number, and the name of your financial institution). We use this information to display and help you track your portfolio. You enter your account credentials directly with Plaid; we do not receive or store your financial institution login credentials. See Section 5 for details, including how to disconnect an account.
  • Usage information. We log pages visited, features used, referring URLs, timestamps, and similar activity data to understand how the Service is used and to keep it reliable.
  • Device information. When you use our mobile application or website, we automatically collect device and technical data such as device type, operating system and version, app version, browser type, language settings, approximate location (derived from IP address), and unique identifiers associated with your device.
  • Crash and diagnostic data. We collect crash logs, error reports, and performance data to diagnose issues and improve reliability. Crash logs are automatically purged after 30 days.
  • Cookies and similar technologies. We use a limited set of cookies, local storage, and SDKs to keep you signed in, remember preferences, and measure basic traffic. See Section 9 for more.

For users in California, the categories of personal information we collect correspond to the following categories under the California Consumer Privacy Act (“CCPA”): identifiers; customer records information; commercial information (limited to account activity); financial information (the Plaid-sourced account data described above, where you connect an account); internet or other network activity; geolocation data (approximate, derived from IP); and inferences drawn from the above to the extent we generate them.

2. Sources of information

We collect personal information from you directly, automatically from your device or browser, and from third parties such as Google (when you sign in), Plaid (when you connect a financial account), analytics and infrastructure providers we use to operate the Service, and, where applicable, public sources.

3. How we use information

We use the information we collect to:

  • Provide, maintain, and improve the Service;
  • Authenticate you and keep your account secure;
  • Send you waitlist updates, product announcements, and transactional emails;
  • Respond to your questions and support requests;
  • Analyze how the Service is used so we can fix bugs and prioritize improvements;
  • Detect, investigate, and prevent fraud, abuse, and security incidents;
  • Comply with legal obligations and enforce our Terms of Service.

Legal bases (EEA, UK, Switzerland). Where the General Data Protection Regulation (“GDPR”) or UK GDPR applies, we rely on the following legal bases: performance of a contract with you (to provide the Service); our legitimate interests (to secure, improve, and promote the Service, provided these are not overridden by your rights); your consent (for example, for certain marketing communications); and compliance with legal obligations.

4. Use of Google user data

Turtleway’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide or improve user-facing features of the Service. We do not transfer it to others unless doing so is necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users. We do not use Google user data for serving ads, and we do not allow humans to read it unless we have your explicit consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and used for internal operations in line with Google’s policy.

5. Connecting financial accounts with Plaid

Turtleway lets you connect your investment and financial accounts so you can view and track your portfolio in one place. To do this securely, we use Plaid Inc. (“Plaid”), a third-party financial-data provider. When you connect an account, Plaid presents its own secure flow (“Plaid Link”) in which you enter your financial institution credentials directly with Plaid. Turtleway never sees or stores those credentials.

With your authorization, Plaid retrieves data from your financial institution and shares it with Turtleway so we can provide the Service. This data may include:

  • investment holdings and securities (such as positions, quantities, and cost basis);
  • transactions and transaction history;
  • account balances and account values;
  • account and institution details, such as account type, a masked account number, account owner name, and the name of your financial institution.

We use this information only to provide and improve the portfolio-tracking features you ask for, such as displaying your holdings, calculating performance, and keeping your data current. We do not sell it. Plaid’s own collection and use of your information is governed by Plaid’s end-user privacy policy, available at plaid.com/legal. We encourage you to review it before connecting an account.

Disconnecting an account. You can disconnect a financial account at any time from within the Turtleway app, which stops the ongoing retrieval of new data for that account. You can also review and revoke the connections you have made through Plaid using Plaid’s portal at my.plaid.com. When you disconnect an account or delete your Turtleway account, we delete the associated Plaid-sourced financial data as described in Section 8 (Data retention), except where we must retain limited information to meet legal obligations.

6. How we share information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only in these limited circumstances:

  • Service providers. With vendors who help us run the Service (for example, cloud hosting, email delivery, authentication, analytics, error-monitoring providers, and Plaid for financial account connectivity), under contracts that require them to protect your information and use it only to perform services for us.
  • Other users. If you post to community features of the Service, the content and any profile information you choose to display will be visible to other users.
  • Legal and safety. When we believe disclosure is required to comply with law, legal process, or a governmental request; to enforce our Terms; or to protect the rights, property, or safety of Turtleway, our users, or others.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, with notice to affected users.
  • With your consent. For any other purpose disclosed to you at the time we collect the information.

7. No sale or sharing of personal information

We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA and similar U.S. state privacy laws. We have not done so in the preceding 12 months and do not knowingly do so with respect to consumers under 16 years of age.

8. Data retention

We retain personal information for as long as necessary to provide the Service and for legitimate business or legal purposes, including compliance with legal obligations, dispute resolution, and enforcement of our agreements. Typical retention periods:

  • Account and profile information: for the life of your account;
  • User Content (such as notes or posts): for the life of your account, unless you delete it sooner;
  • Plaid-sourced financial data (holdings, transactions, balances): for as long as the account connection is active and your account is open; deleted within 30 days after you disconnect the account or delete your Turtleway account;
  • Crash logs and diagnostic data: 30 days;
  • Security, fraud, and audit logs: typically up to 24 months, longer if legally required;
  • Waitlist emails (if you do not create an account): until you unsubscribe or for up to 24 months, whichever is sooner.

When information is no longer needed, we delete or anonymize it.

9. Cookies and tracking technologies

We use a limited set of cookies, local storage, and mobile SDKs to operate the Service. These include strictly necessary technologies (to keep you signed in and remember preferences), and basic analytics technologies (to understand aggregate usage and diagnose issues). We do not use third-party advertising cookies. You can control cookies through your browser settings, and you can limit mobile ad identifiers through your device’s privacy settings.

10. Do Not Track and Global Privacy Control

Our systems do not currently respond to browser “Do Not Track” signals in a uniform way, because there is no common industry standard. Where required by law, we treat a Global Privacy Control (“GPC”) signal from your browser as a valid request to opt out of the sale or sharing of personal information for users in states that grant that right.

11. Security

We use reasonable administrative, technical, and physical safeguards designed to protect your information, including encryption in transit, access controls, and logging. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security. If a data breach affecting your personal information occurs, we will notify you and relevant authorities as required by applicable law, including Hawaii’s breach notification law (HRS Chapter 487N).

12. Your choices and rights

You can unsubscribe from marketing emails using the link in the email; transactional messages related to your account will still be sent. Depending on where you live, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise these rights, contact us at privacy@turtleway.io. We will verify your request using information associated with your account and respond within the time required by applicable law. You can also revoke Google’s access to your account at any time through your Google Account permissions page.

You will not be discriminated against for exercising your privacy rights. You may designate an authorized agent to make a request on your behalf, subject to verification.

13. Account deletion

You can delete your Turtleway account and all associated data at any time using the “Delete account” option inside the app, or by emailing support@turtleway.io with the subject “Delete my account”. We will process the request within 7 business days and permanently delete your account, saved notes, activity history, and any financial data retrieved through your connected Plaid accounts. Crash logs are automatically purged after 30 days. We may retain limited information if required to meet legal, tax, or security obligations, or in de-identified or aggregated form.

14. U.S. state privacy rights

Depending on your state of residence, you may have additional rights under state privacy laws, including the California Consumer Privacy Act as amended by the CPRA (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), and the Oregon Consumer Privacy Act (“OCPA”). These rights generally include:

  • The right to know or access the personal information we hold about you;
  • The right to correct inaccurate personal information;
  • The right to delete personal information we hold about you;
  • The right to a portable copy of your personal information in a commonly used format;
  • The right to opt out of the sale or sharing of personal information and targeted advertising (as noted, we do not sell or share for those purposes);
  • The right to limit use and disclosure of sensitive personal information (we use sensitive information only as reasonably necessary to provide the Service);
  • The right to non-discrimination for exercising these rights;
  • The right to appeal a denied request, where state law provides one.

To exercise any of these rights, email privacy@turtleway.io. California residents may also make a request under California Civil Code §1798.83 (“Shine the Light”) regarding disclosures of personal information to third parties for their direct marketing purposes; we do not currently make such disclosures.

15. EEA, UK, and Switzerland users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, Turtleway is the controller of your personal information. In addition to the rights described above, you have the right to:

  • Access your personal information and obtain a copy;
  • Rectify inaccurate personal information;
  • Have your personal information erased in certain circumstances (right to be forgotten);
  • Restrict or object to certain processing;
  • Data portability;
  • Withdraw consent at any time, where we rely on consent;
  • Lodge a complaint with your local data protection supervisory authority.

Because Turtleway operates from the United States, your personal information will be transferred to, stored in, and processed in the United States or other countries where our service providers operate. Where required, we rely on appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms. You can request a copy of the safeguards that apply to your information by emailing privacy@turtleway.io.

16. Canada (PIPEDA)

If you are located in Canada, we handle your personal information in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy laws. We collect, use, and disclose personal information only for the purposes described in this policy, and we obtain your consent to connect a financial account through Plaid before any financial data is accessed. You may:

  • request access to the personal information we hold about you;
  • ask us to correct inaccurate or incomplete information;
  • withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent (for example, by disconnecting a Plaid-linked account) may limit or prevent our ability to provide some features of the Service.

To exercise these rights, email privacy@turtleway.io. Because Turtleway operates from the United States, your personal information will be transferred to and processed in the United States or other countries where our service providers operate, and may be accessible to courts, law enforcement, and authorities there. If you are not satisfied with how we handle your information, you may contact the Office of the Privacy Commissioner of Canada.

17. Children’s privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from them in violation of the Children’s Online Privacy Protection Act (“COPPA”). The Service is intended for users 18 and older. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

18. International users

Turtleway operates from the United States. If you use the Service from outside the United States, your information will be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws different from those of your country of residence.

19. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Last updated” date and, where appropriate, by email or through the Service.

20. Contact us

If you have any questions about this Privacy Policy or our practices, please email privacy@turtleway.io, or write to us at:

Turtleway LLC
438 Hobron Ln, PH1
Honolulu, HI 96815, USA