Privacy Policy

How CashTalks collects, uses, shares, and protects your personal information.

Last updated: May 13, 2026

This Privacy Policy explains how CashTalks (“CashTalks,” “we,” “us,” or “our”), operated by Praxion, collects, uses, shares, and protects personal information in connection with the CashTalks website and conversational service (the “Service”). If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, the European Economic Area (EEA), or the United Kingdom, please also review the region-specific sections below.

1. Information We Collect

1.1 Information you provide directly

  • Conversation content. The questions you ask Penny, your answers to follow-up questions, and any related context (for example, “I owe about $14,000 across three cards”).
  • Contact information. If you elect to be connected with a Partner, the email address, phone number, and (optionally) full name you submit through the lead-capture form.
  • Free-text inputs. Anything you type in the chat composer, in feedback forms, or in privacy-request forms.

1.2 Information collected automatically

  • Session and device data. An opaque session identifier stored in a first-party cookie (ct_sid), a hashed representation of your IP address, a hashed representation of your user-agent string, and basic telemetry (timestamps, rate- limit counters, error events).
  • Cookies and similar technologies. See our Cookie Policy for details on what we set and why.
  • Marketing attribution. If you arrive at the Service through a marketing link, we may capture UTM-style parameters (e.g. utm_source, utm_campaign).

1.3 Information from third parties

If you reach the Service through a Partner or referral source, we may receive limited information about that referral (such as the referring URL or a partner identifier). We may also receive callback information from Partners we share leads with, such as whether your lead was accepted, scored, or rejected.

2. Sensitive Personal Information

Depending on the conversation you have with Penny, you may disclose information that some laws classify as sensitive personal information (for example, precise financial circumstances, debt status, or hardship details). We do not require you to disclose this information. We will use sensitive personal information only as necessary to provide the Service you requested and as further described in this Policy, and we will honor any “limit the use of my sensitive personal information” requests we are required to honor. We do not knowingly request, and we ask you not to provide, government identifiers (e.g. Social Security numbers), payment-card numbers, or full bank account numbers through the Service.

3. How We Use Information

We use information for the following purposes:

  • to provide, maintain, and improve the Service, including to run Penny’s conversation logic, route you to the most relevant track, and produce educational responses;
  • to perform safety, abuse, and fraud-prevention checks, including rate limiting and budget controls on anonymous use;
  • to evaluate and improve our prompts, models, and conversation flows (including building datasets of de-identified or pseudonymized conversations for evaluation);
  • to connect you, at your direction, with a Partner you have asked to be matched with, and to fulfill the Partner’s subsequent inquiries about that lead;
  • to comply with legal obligations, respond to lawful requests, and enforce our Terms;
  • to communicate with you about the Service, including service announcements and responses to questions you send us; and
  • with appropriate disclosure and where permitted, for marketing and product analytics — never including the content of regulated financial advice from licensed professionals, because we do not provide such advice.

4. How We Share Information

4.1 With Partners, at your direction

We share the contact information and conversation summary shown to you at the consent step with the Partner(s) you elect to be matched with. This happens only after you check the affirmative consent control. The exact text of the consent you accepted, the version identifier, and a hashed record of the request are stored for compliance purposes.

4.2 With service providers

We share information with vendors that process information on our behalf, including cloud hosting, database, model-inference (e.g. large-language-model providers), observability, email delivery, and analytics providers. These vendors are contractually limited to using the information only to provide services to us.

4.3 For legal, safety, and compliance reasons

We may disclose information to comply with law, valid legal process, or government requests; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of CashTalks, our users, or others.

4.4 In a business transaction

If CashTalks is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections.

4.5 “Sale” and “sharing” for advertising

Some U.S. state privacy laws define “sale” and “sharing” broadly. CashTalks does not sell personal information for money. Depending on how a regulator interprets these terms, our transmissions to Partners (which may include compensation to CashTalks) and certain analytics or advertising cookies may be considered a “sale” or “sharing.” You may opt out at any time using our Do Not Sell or Share My Personal Information form. We honor recognized opt-out preference signals (such as Global Privacy Control) where required by applicable law.

5. Data Retention

We retain personal information only for as long as needed to provide the Service and for legitimate business or legal purposes. Indicative retention periods:

  • Anonymous conversation transcripts: up to 13 months for service improvement, then deleted or de-identified.
  • Lead-event records and consent records: up to 5 years from the date of the lead event, to satisfy TCPA, fair-lending, and audit obligations.
  • Privacy-request records: for the period required by applicable law (generally 2–3 years).
  • Audit and security logs: up to 13 months, then deleted or aggregated.

We may retain information for longer where required by law or to resolve disputes.

6. Security

We use industry-standard administrative, technical, and physical safeguards designed to protect personal information. Contact identifiers we store are encrypted at rest using authenticated encryption (an envelope-encryption scheme with key rotation) and, where appropriate, also stored as a one-way hash for deduplication and opt-out lookup. No system can be guaranteed 100% secure, and we cannot guarantee the security of information you send to us.

7. Children

The Service is intended for users aged 18 and older. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us personal information, please contact us at privacy@cashtalks.org and we will take appropriate steps to delete it.

8. Your Choices and Rights

Depending on where you live, you may have rights to:

  • know what personal information we collect, use, disclose, and sell or share;
  • access a copy of your personal information;
  • delete your personal information, subject to legal exceptions;
  • correct inaccurate personal information;
  • request portability of your personal information;
  • opt out of “sale” or “sharing” of your personal information;
  • limit the use of sensitive personal information beyond what is necessary to provide the Service; and
  • not be discriminated against for exercising any of these rights.

To submit a request, use the Data Request form or email privacy@cashtalks.org. To opt out of “sale” or “sharing,” use the Do Not Sell or Share form. We will verify your request as required by applicable law (typically by confirming the email address associated with the request) and respond within the timeframes required by law (generally 45 days for U.S. state laws, with a possible one-time 45-day extension). Authorized agents may submit requests on your behalf with appropriate proof of authorization.

9. California Notice at Collection (CCPA / CPRA)

In the preceding 12 months we have collected the following categories of personal information about California residents: identifiers (e.g. session ID, hashed IP, email and phone when submitted); commercial information (e.g. financial-product interest you express in conversation); internet or other electronic network activity (e.g. timestamps, basic device signals); geolocation (coarse, derived from IP, where applicable); inferences drawn from the above (e.g. likely track); and sensitive personal information (financial-status details you choose to disclose in conversation). We collect this information for the purposes described in Section 3 above, and we share it with the categories of recipients described in Section 4 above. We do not knowingly sell or share the personal information of consumers under 16. California residents may exercise their CCPA/CPRA rights using the forms linked in Section 8.

10. EEA / UK Notice (GDPR / UK GDPR)

If you are located in the EEA or the UK, our legal bases for processing your personal information are: (a) performance of a contract with you (to provide the Service you request); (b) our legitimate interests in operating, securing, and improving the Service, where not overridden by your rights; (c) your consent (for example, when you elect to be connected with a Partner or to receive marketing); and (d) compliance with legal obligations.

You have rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent (without affecting the lawfulness of prior processing). You also have the right to lodge a complaint with your local supervisory authority. To exercise your rights, use the Data Request form or email privacy@cashtalks.org.

Where we transfer personal information outside the EEA or UK to a country that does not have an adequacy decision, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses).

11. Automated Decision-Making

The Service uses AI to generate conversational responses and to score lead quality. These outputs are not used to produce legal or similarly significant decisions about you on a fully automated basis. A human reviews lead-quality decisions before they affect Partner routing. If you have questions about how an AI-generated output was produced or want to provide feedback, contact privacy@cashtalks.org.

12. Changes to This Policy

We may update this Policy from time to time. We will update the “Last updated” date and, where the change is material, provide additional notice (such as an in-product banner). Your continued use of the Service after the effective date constitutes acceptance of the changes.

13. Contact

Privacy questions and rights requests: privacy@cashtalks.org. Postal address available on request. EEA/UK data-protection representative information will be added here when designated.