Last updated: June 30, 2026
This Privacy Policy describes how MyDiscretionary ("we", "us", "the platform") collects, uses, and protects your information when you use the MyDiscretionary mobile or web application (the "Service"). By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
1. Who We Are
MyDiscretionary is operated by MyDiscretionary LLC, an Ohio limited liability company.
Contact:
- Email: privacy@mydiscretionary.com
- Postal: 403 Wayne Street, Sandusky, Ohio 44870
2. What Data We Collect
2.1 Information you provide
When you use the Service, depending on your role:
As a beneficiary or trustee creating an account:
- Name, email address, phone number
- Mailing address
- Date of birth
- Government-issued tax identification number (SSN, EIN, or jurisdiction equivalent)
- Bank account routing and account numbers (for distribution destinations)
- Multi-factor authentication credentials (TOTP secret or SMS-enabled phone number)
When using the platform:
- Distribution request descriptions and supporting documents (tax returns, invoices, statements, contracts, etc.)
- Messages exchanged between trustees and beneficiaries
- Profile preferences
2.2 Information collected automatically
- Authentication session tokens
- IP address and device identifiers (used for session integrity and audit logging — not for tracking across apps)
- Operating system and app version
- Crash logs and diagnostic events (if crash reporting is enabled)
- A complete audit log of every state-changing action you take in the Service
2.3 Information from third parties
If your account is provisioned via Auth0 federation (single sign-on), we receive your name and email from the upstream identity provider.
If your firm enables SMS-based two-factor authentication, your phone number is shared with Twilio (our SMS provider) at the moment a code is sent. Twilio's privacy policy governs that interaction.
3. How We Use Your Data
We process your data only for the following purposes:
- Service provision — running your account, processing distribution requests, generating Monte Carlo analyses, executing payments, maintaining the audit log
- Communication — sending you notifications about requests, approvals, payments, and account security events
- Security — multi-factor authentication, fraud detection, session management, lockout on repeated failed login attempts
- Compliance — meeting fiduciary record-keeping obligations, responding to lawful requests from regulators, supporting any audit of your trust administration firm
- Service improvement — diagnosing bugs from crash reports and aggregate usage patterns (never linked to identifiable individuals in outputs)
We do not:
- Sell your data to anyone, ever
- Use your data to train AI models
- Track you across other apps or websites
- Show you advertising
4. How We Share Your Data
We share data only with the following parties, and only the minimum necessary:
- Your trust administration firm — trustees at your firm see your account information and the requests you submit. This is the core purpose of the platform.
- The beneficiaries of trusts you administer — if you are a trustee, beneficiaries see communications you send them and decisions you make on their requests.
- Our infrastructure providers — Railway (application hosting), our database provider, Twilio (SMS), our email provider. These are processors acting under our instructions; they do not have an independent right to use your data.
- Authorities — when required by valid legal process, court order, or to protect against fraud or harm.
- In a merger or acquisition — if MyDiscretionary is sold or merged, your data may transfer to the acquirer, subject to this Policy.
5. Security
We protect your data with:
- TLS 1.2+ encryption for all data in transit
- AES-256-GCM encryption at rest for sensitive financial fields (bank account numbers)
- Bcrypt-hashed passwords (passwords are never stored or transmitted in clear)
- Mandatory two-factor authentication for trustee accounts
- A complete audit log of every state-changing action
- Role-based access controls scoped to your firm and the trusts you are authorized to view
No security system is perfect. If we detect a breach affecting your data, we will notify you and applicable regulators as required by law.
6. Data Retention
We retain your data while your account is active. After account closure:
- Audit log entries are retained for at least 7 years to meet fiduciary record-keeping standards. Where local law mandates longer retention, we follow that.
- Personal information not required for the audit log is deleted within 90 days of account closure.
- Bank account numbers are deleted within 30 days of account closure, except where an active distribution to that account is pending.
7. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to the audit-log retention requirement above)
- Port your data to another service
- Object to certain processing
- Withdraw consent where processing is based on consent
To exercise any of these rights, email privacy@mydiscretionary.com. We will respond within 30 days. If your request cannot be fulfilled (typically because the data is required for fiduciary record-keeping), we will tell you why and how long we are required to retain it.
California residents (CCPA / CPRA)
You also have the right to know whether we sell or share your data. We do not sell or share your data in the senses defined by these statutes.
EEA / UK residents (GDPR / UK-GDPR)
The legal basis for our processing is:
- Contract performance for Service provision
- Legitimate interest for security and service improvement
- Legal obligation for compliance and audit retention
- Consent for any optional features that ask for it
You have the right to lodge a complaint with your local supervisory authority.
8. Children
MyDiscretionary is not directed to anyone under 18. Where a beneficiary under 18 is named in a trust, their guardian or trustee acts on their behalf and is the platform user. We do not knowingly collect data directly from children.
9. International Transfers
MyDiscretionary is operated from Ohio, United States. If you are accessing the Service from another country, your data will be transferred to and processed in Ohio, United States and any region where our infrastructure providers operate. We rely on Standard Contractual Clauses or equivalent safeguards where required.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced in-app and by email at least 30 days before they take effect. The "Last updated" date at the top of this document reflects the current version.
11. Contact
Questions, requests, or complaints:
- Email: privacy@mydiscretionary.com
- Postal: 403 Wayne Street, Sandusky, Ohio 44870
- Support: support@mydiscretionary.com