
Privacy Policy

Sockdrawer
Operated by The El Leche Co LLC (DBA Sockdrawer)
Effective Date: April 7, 2026
Last Updated: April 7, 2026


1. Introduction

The El Leche Co LLC, doing business as Sockdrawer ("Sockdrawer," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains what information we collect when you use Sockdrawer at app.sockdrawer.io (the "Service"), how we use and protect that information, and what choices you have.

By creating an account or using the Service, you agree to the collection and use of your information as described in this Privacy Policy. This Policy is incorporated by reference into our Terms of Use.

This Service is intended for use by United States residents only. By using the Service, you represent that you are a resident of the United States. Data collected through the Service is stored and processed in the United States.

If you have questions or concerns about this Policy, please contact us at help@sockdrawer.io.


2. Information We Collect

We collect only the information necessary to provide and operate the Service. Below is a precise description of the categories of information we collect.

2.1 Account Information

When you create and maintain an account, we collect:

  • Your name and email address
  • Your hashed password (we never store your password in plaintext)
  • Email verification status
  • Account role (user or administrator) and account status (active or disabled)
  • Last login timestamp
  • Temporary data associated with password reset requests and pending email changes (retained only until the request is completed or expires)

2.2 Security and Authentication Data

To support account security features, we collect:

  • An encrypted two-factor authentication (2FA) secret, if you enable 2FA
  • Trusted device tokens associated with 2FA "remember me" functionality
  • Temporary password reset tokens (discarded immediately upon use or expiration)

2.3 Notification and Communication Preferences

  • Your notification preferences, including which alert types are enabled and your preferred delivery schedule
  • Browser push notification subscription data (the push endpoint provided by your browser), if you opt in to push notifications

2.4 Credit Card Portfolio Data

The core function of the Service is to help you track your credit card portfolio. For each card you add, we store only the information you provide, which may include:

  • Card name (a label you choose, such as "Sapphire Reserve")
  • Card issuer (e.g., Chase, American Express)
  • Card network (Visa, Mastercard, American Express, Discover)
  • Last four digits of the card number
  • Account type (personal or business)
  • Billing type (credit or charge card)
  • Credit limit
  • Card expiration date (month and year)
  • Signup date and annual fee amount and due date
  • Card status (active or cancelled) and close date if applicable
  • Last charge date and last credit limit increase request date
  • Credit bureau(s) pulled at time of application
  • Signup bonus target amount, deadline, completion status, and completion date
  • Dormancy snooze date
  • Business entity association (if applicable)
  • Flags indicating which data fields were populated by AI enrichment

2.5 What We Do NOT Collect

We want to be explicit about sensitive financial data we do not collect:

  • Full card numbers (only the last four digits)
  • Card CVV or security codes
  • Social Security Numbers or Tax Identification Numbers
  • Credit scores or credit reports
  • Points, miles, or rewards balances
  • Transaction history or individual purchase amounts
  • Bank login credentials or online banking passwords
  • Financial account access tokens (we do not integrate with Plaid or similar services)

2.6 Supporting Operational Data

To operate the Service's features, we also collect:

  • Monthly payment records (whether each card was marked paid or unpaid for a given month)
  • Business entity names, if you use the business card tracking feature
  • Records of completed action items (the task type and completion timestamp)
  • Notification delivery records retained for deduplication purposes (to avoid sending duplicate alerts)

2.7 Usage and Analytics Data

We use analytics tools — currently including Google Analytics and Vercel Analytics — to understand how the Service is used, identify errors, and improve performance. These tools may collect information such as pages visited, time spent on the Service, general geographic region, browser type, and device type. We may use additional or substitute analytics services over time; this Policy governs how we handle such data regardless of which tools we use.

Analytics data is collected in aggregated and/or anonymized form and is not linked to your individual account by us. Third-party analytics providers operate under their own privacy policies; we encourage you to review Google's and Vercel's privacy policies for details on how they handle data independently.

2.8 Technical Data

Our servers automatically collect standard technical log data when you access the Service, including your IP address, browser type, operating system, referring URLs, and timestamps of requests. This data is used for security monitoring, debugging, and maintaining service reliability, and is not used for marketing purposes.


3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide and operate the Service: Including displaying your card portfolio, generating action items, calculating 5/24 status, tracking signup bonuses, and processing monthly payment checklists.
  • To send you account and transactional notifications: Including action item alerts, payment reminders, annual fee alerts, and dormancy warnings — based on your notification preferences. We send only transactional and account-related communications; we do not send marketing emails.
  • To authenticate you and secure your account: Including verifying your identity at login, supporting two-factor authentication, and managing trusted devices.
  • To process payments: We use your subscription and billing information to manage your Pro subscription through Stripe.
  • To improve the Service: Analytics data helps us understand how users interact with the Service and identify areas for improvement.
  • To enforce our Terms of Use: Including detecting and addressing violations, fraud, and abuse.
  • To respond to your requests: Including support inquiries submitted to help@sockdrawer.io.
  • To comply with legal obligations: Including responding to lawful legal process.

4. AI-Powered Card Enrichment

When you use the card enrichment feature, the card name or identifier you enter is transmitted to a third-party AI provider to retrieve or infer card metadata (such as the card network, annual fee, and other attributes). This transmission includes only the card name or identifier you enter — it does not include your account credentials, email address, name, or any other information that identifies you personally.

We do not use your data to train or fine-tune any AI model. All use of AI within the Service is limited to inference at the time of your request.

AI-enriched data is marked as such within the Service. We make no guarantee as to the accuracy or completeness of AI-enriched data, and you are solely responsible for verifying it.


5. How We Share Your Information

We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.

We share your information only in the following limited circumstances:

5.1 Service Providers

We engage a small number of third-party vendors to help us operate the Service. These vendors process your data only on our behalf and subject to our instructions:

  • Stripe, Inc.: Processes subscription payments. Stripe stores your payment card data subject to their own privacy policy and PCI-DSS compliance standards. We do not store your full payment card information.
  • Supabase: Provides our database and backend infrastructure. Your card and account data is stored on Supabase-hosted servers.
  • Resend: Delivers transactional emails on our behalf.
  • Cloudflare: Provides bot protection and security services, including Turnstile verification.
  • Third-party AI provider: Receives card name inputs for metadata enrichment as described in Section 4.
  • Analytics providers: As described in Section 2.7.

5.2 Legal Requirements

We may disclose your information if we believe in good faith that disclosure is necessary to: comply with applicable law, regulation, legal process, or a lawful government request; protect the rights, property, or safety of Sockdrawer, our users, or the public; or detect, prevent, or address fraud, security, or technical issues.

5.3 Business Transfers

If Sockdrawer is involved in a merger, acquisition, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a materially different privacy policy.


6. Data Retention

We retain your account and card data for as long as your account remains active. When you delete your account, your personal data — including all card records, payment records, action item history, notification preferences, and authentication data — is deleted immediately and permanently. We do not maintain post-deletion backups of individual user data.

We may retain certain limited records for a period following account deletion if required by applicable law, or as necessary to resolve an existing legal dispute, enforce our Terms of Use, or prevent fraud. In such cases, we retain only the minimum information necessary for that specific purpose.


7. Data Security

We implement industry-standard security measures to protect your information, including:

  • Passwords are stored using one-way cryptographic hashing and are never stored or transmitted in plaintext.
  • Two-factor authentication secrets are stored in encrypted form.
  • Data is transmitted over encrypted connections (HTTPS/TLS).
  • Trusted device tokens are used to support secure session management.

No method of transmission over the internet or electronic storage is completely secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at help@sockdrawer.io.


8. Cookies and Tracking Technologies

The Service uses cookies and similar technologies for authentication (to keep you logged in), security (to support trusted device management and CSRF protection), and functionality (to remember your preferences). These are necessary for the Service to operate and cannot be disabled without disrupting your ability to use the Service.

Analytics tools used by the Service may set their own cookies or use similar tracking technologies to collect aggregated usage data as described in Section 2.7. You may be able to opt out of certain analytics tracking through your browser settings or through opt-out tools provided by those services directly.

We do not use cookies or tracking technologies for advertising purposes.


9. Your Choices and Rights

9.1 Notification Preferences

You may update your notification preferences — including which alerts you receive, how they are delivered, and when — at any time through the Settings section of the Service.

9.2 Push Notifications

You may opt in and opt out of browser push notifications through your account Settings or through your browser's notification permission controls.

9.3 Account Deletion

You may delete your account at any time. Upon deletion, your personal data is immediately and permanently removed as described in Section 6.

9.4 Updating Your Information

You may update your name, email address, password, and notification preferences through your account Settings at any time.

9.5 Data Access Requests

If you have questions about the data we hold about your account, please contact us at help@sockdrawer.io and we will respond to reasonable requests.


10. Children's Privacy

The Service is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under the age of 18. If we learn that we have inadvertently collected information from a minor, we will delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at help@sockdrawer.io.


11. Third-Party Links and Services

The Service may contain links to third-party websites or services, including card issuer websites. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third parties, and we encourage you to review the privacy policies of any third-party services you access.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by sending an email to your registered address and/or displaying a prominent notice within the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the new Policy.

We will update the "Last Updated" date at the top of this Policy whenever changes are made. We encourage you to review this Policy periodically.


13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

The El Leche Co LLC (DBA Sockdrawer)
502 W 7th Street, Suite 100
Erie, PA 16502
help@sockdrawer.io


This Privacy Policy was last updated on April 7, 2026.

© 2026 Sockdrawer