Privacy Policy
Pathway Tech ("we", "us", or "our") operates PathPlanner and Sanctum (together, "the Apps"). This Privacy Policy explains what information we collect, how we use it, and the rights you have over it.
We built Pathway Tech on a foundational principle: your financial data belongs to you, it stays on your device, and we never see it. This policy reflects that architecture honestly — including its limitations.
1. The Core Architecture: Local-First, By Design
Both PathPlanner and Sanctum use a local-first data architecture. This means:
- All financial data you enter — debts, transactions, budgets, vault contents — is stored exclusively in your browser's localStorage or IndexedDB on your device.
- Financial data is encrypted on your device using AES-256-GCM before it is written to storage. Encryption keys are derived using PBKDF2-SHA256 with 310,000 iterations, salted per-user.
- No financial data is transmitted to our servers, to any third-party cloud, or to us at any time — not during normal use, not during backup, not during licensing.
- We do not have the technical capability to access, read, decrypt, or recover your financial data. There is no server-side copy.
2. What We Do Collect
2.1 Licence and Account Data
To verify your licence and prevent fraud, we process:
- Email address — used to deliver your licence key and provide support.
- Licence key — a cryptographically generated token stored on our server to validate your purchase.
- Activation timestamp and device count — to enforce licence terms (maximum 3 simultaneous activations).
- Payment confirmation from Stripe — we receive a transaction reference and payment status only. We do not store your card number, expiry, CVV, or any raw payment data. Stripe is the data controller for payment processing; see stripe.com/privacy.
2.2 Licence Validation Requests
When you activate or revalidate your licence, the Apps send a minimal request to our validation server containing: your licence key (hashed), a product identifier, and an activation timestamp. This request does not contain your financial data, your PIN, your passphrase, or any personally identifiable information beyond the licence key.
2.3 Website Analytics (pathwaytech.co only)
Our marketing website may collect anonymised analytics including page views, referral source, and browser type. No third-party tracking pixels operate on the App domains (app.pathwaytech.co). Analytics data is not linked to individual users.
2.4 Support Communications
If you contact us at support@pathwaytech.co, we retain the contents of that correspondence for up to 3 years to assist with ongoing support and licence disputes.
2.5 What We Explicitly Do Not Collect
3. Legal Bases for Processing (GDPR / UK GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we process personal data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): processing your email address and licence key is necessary to deliver the software you purchased.
- Legitimate interests (Article 6(1)(f) GDPR): fraud prevention, licence enforcement, and security monitoring of our licensing API.
- Legal obligation (Article 6(1)(c) GDPR): retaining transaction records as required by applicable tax and financial regulations.
We do not rely on consent as a legal basis for any essential processing.
4. California Consumer Privacy Act (CCPA) Disclosure
California residents have the following rights under the CCPA and CPRA:
- Right to Know: request disclosure of personal information we have collected.
- Right to Delete: request deletion of your personal information, subject to certain exceptions.
- Right to Correct: request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: we do not sell or share personal information for cross-context behavioural advertising.
- Right to Non-Discrimination: we will not discriminate against you for exercising CCPA rights.
To submit a CCPA request, email privacy@pathwaytech.co with subject "CCPA Request". We will respond within 45 days.
5. International Data Transfers
Our licensing server is hosted in the United States (Render.com). If you are in the EEA or UK, licence data is transferred to the US under:
- EEA users: Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.
- UK users: the International Data Transfer Agreement (IDTA) as approved by the UK ICO.
Financial data is never transferred internationally because it never leaves your device.
6. Data Retention
- Licence records: retained for the life of the licence plus 7 years for tax and legal compliance.
- Email address: retained until you request deletion, plus 12 months.
- Support correspondence: retained for 3 years from the date of last correspondence.
- Payment reference (Stripe transaction ID only): retained for 7 years as required by tax law.
- Anonymised analytics: retained for 24 months in aggregated form.
7. Your Rights (GDPR / UK GDPR)
If you are in the EEA or UK, you have the following rights. We will respond within 30 days.
- Right of access (Article 15): receive a copy of your personal data we hold.
- Right to rectification (Article 16): correct inaccurate data.
- Right to erasure (Article 17): request deletion where no overriding legal basis exists.
- Right to restriction (Article 18): restrict processing in certain circumstances.
- Right to data portability (Article 20): receive your data in a structured, machine-readable format.
- Right to object (Article 21): object to processing based on legitimate interests.
Submit requests to: privacy@pathwaytech.co. EEA users may also lodge a complaint with your national supervisory authority. UK users may contact the Information Commissioner's Office.
8. Data Security
- Financial data: AES-256-GCM on-device encryption, PBKDF2-SHA256 key derivation (310,000 iterations, random salt). Keys never transmitted or stored in plaintext.
- Licence API: TLS 1.2 minimum for all client-server communications.
- Licence server: access-controlled backend, principle of least privilege, token-based authentication.
9. Local Storage: Risks and User Responsibilities
Because your financial data exists only on your device:
- Clearing browser cache, browser history, or "application data" will permanently delete your financial data.
- Resetting your device to factory settings will permanently delete your financial data.
- Uninstalling the browser in which you use the Apps will permanently delete your financial data.
- Switching to a new device without first exporting an encrypted backup means your data will not be available on the new device.
- We cannot restore, recover, or regenerate your data.
We strongly recommend: (a) exporting an encrypted backup at least monthly; (b) storing backups in at least two separate locations; (c) keeping your backup passphrase in a secure password manager.
10. Third-Party Services
- Stripe (stripe.com/privacy): payment processing. Stripe is an independent data controller.
- Render.com: hosting for our licence validation API. Server logs may include IP addresses.
- Google Fonts (pathwaytech.co marketing site only): a connection to Google's servers is made when you visit our website. No connection is made from within the Apps.
We do not use advertising networks, social media trackers, or data brokers in connection with the Apps.
11. Children's Privacy
The Apps are not directed at children under 16 (under 13 in the United States). We do not knowingly collect personal information from children. Contact privacy@pathwaytech.co if you believe we have done so.
12. Changes to This Policy
We will notify you of material changes by email at least 30 days before changes take effect. The updated policy will be posted at pathwaytech.co/legal#privacy with the revision date clearly marked.
13. Contact
Pathway Tech (trading name of Graham Capital Holdings)
Privacy enquiries: privacy@pathwaytech.co
Support: support@pathwaytech.co
Terms of Service
These Terms of Service ("Terms") govern your access to and use of PathPlanner and Sanctum (the "Apps"), operated by Pathway Tech, a trading name of Graham Capital Holdings. By purchasing a licence or using the Apps, you agree to these Terms.
1. The Licence
1.1 What you are purchasing
A personal, non-exclusive, non-transferable, perpetual licence granting:
- Unlimited use of the covered App(s) on up to 3 devices simultaneously.
- All feature updates released during the active maintenance period (committed through at minimum December 2028).
- Security patches and bug fixes for the duration of the maintenance period.
- The right to continue using the App(s) indefinitely after the maintenance period ends, without additional payment. The software will not be remotely disabled.
1.2 Licence types
- PathPlanner Licence ($49): PathPlanner only.
- Sanctum Licence ($89): Sanctum only.
- Bundle Licence ($119): Both apps. One licence key. One payment.
- Capsule Licence ($499 Founder Launch / $799 standard): Capsule — Business Financial OS. One licence key. One payment.
All prices in USD. One-time payment. No subscription. No renewal fee.
1.3 What you are not permitted to do
- Redistribute, resell, sublicense, or share your licence key outside your household.
- Reverse engineer, decompile, or disassemble the Apps.
- Use the Apps commercially on behalf of third-party clients without a separate commercial licence.
- Remove or obscure any copyright or proprietary notices.
2. Account and Licence Activation
No account registration is required for trial mode. To activate a full licence: purchase at pathwaytech.co, enter your key in the App, and the App will make a one-time connection to our validation server. Once activated, the App operates fully offline. Periodic background revalidation occurs approximately every 30 days.
3. Your Data
3.2 Local-first architecture
Your financial data is stored locally on your device, encrypted using AES-256-GCM. We do not hold a server-side copy. See Section 4 and the Privacy Policy for full details.
3.3 Backup responsibility
You are solely responsible for backing up your data using the App's built-in Export function. Pathway Tech is not liable for data loss arising from browser storage deletion, device loss, factory reset, or failure to create backups.
4. Local Storage: Risk Disclosure
Use of the Apps constitutes acknowledgement that you understand and accept these data persistence limitations.
5. Fees, Payment, and Pricing
All prices are in USD. Payment is processed by Stripe. By purchasing, you agree to Stripe's Terms of Service. Your purchase is a one-time payment for a perpetual licence. There are no recurring charges and no automatic renewals.
6. Refunds
See the Refund Policy incorporated into these Terms by reference. A 14-day unconditional money-back guarantee applies to all purchases.
7. Trial Mode
- PathPlanner trial: up to 3 debts. All analysis and export features fully functional.
- Sanctum trial: up to 3 transactions. Monthly Close accessible.
8. Maintenance, Updates, and End of Life
- Critical security patches released promptly during the maintenance period.
- Maintenance period committed through at minimum December 2028, with at least 12 months' advance notice before any change.
- After the maintenance period, your licence remains valid, the Apps continue to function, and no further updates are guaranteed. No remote disabling.
9. Acceptable Use
The Apps are for lawful personal financial management only. You may not use them for unlawful purposes, attempt to circumvent licence enforcement, or use automated tools to probe our API.
10. Intellectual Property
The Apps and all associated intellectual property are owned by Pathway Tech (Graham Capital Holdings). These Terms grant a licence to use the Apps; no intellectual property is transferred to you. The .pathplan file format is proprietary; files may be used freely for personal backup and portability.
11. Disclaimer of Warranties
THE APPS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. TO THE FULLEST EXTENT PERMITTED BY LAW, PATHWAY TECH DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND UNINTERRUPTED OR ERROR-FREE OPERATION.
The Apps are financial analysis tools — they are not a substitute for professional financial advice.
12. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PATHWAY TECH'S TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT YOU PAID FOR YOUR LICENCE IN THE 12 MONTHS PRECEDING THE CLAIM.
IN NO EVENT SHALL PATHWAY TECH BE LIABLE FOR: LOSS OF DATA; LOSS OF PROFITS OR REVENUE; INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES; OR FINANCIAL LOSS ARISING FROM RELIANCE ON THE APPS' CALCULATIONS.
13. Indemnification
You agree to indemnify Pathway Tech from claims arising from your use of the Apps in violation of these Terms or applicable law.
14. Termination
Pathway Tech may suspend or terminate your licence for material breach with 14 days' notice to cure. Upon termination, your locally stored data remains on your device — we have no technical means to delete it remotely.
15. Governing Law and Dispute Resolution
These Terms are governed by the laws of England and Wales. EU consumers retain their rights under applicable consumer protection law in their country of residence.
For US users: disputes shall be resolved by binding arbitration (AAA rules), individually (no class actions), except where either party seeks injunctive relief.
Contact support@pathwaytech.co before initiating any formal dispute process.
16. Changes to These Terms
We will provide at least 30 days' notice of material changes, delivered to the email address associated with your licence.
17. Miscellaneous
- Entire agreement: these Terms, together with the Privacy Policy and Refund Policy, constitute the complete agreement between you and Pathway Tech.
- Severability: if any provision is unenforceable, the remaining provisions continue in full force.
- No waiver: failure to enforce any provision does not waive future enforcement rights.
- Force majeure: neither party is liable for delays caused by circumstances beyond their reasonable control.
Refund Policy
1. The 14-Day Money-Back Guarantee
If you are not satisfied for any reason within 14 calendar days of your purchase, you will receive a full refund. You do not need to:
- Provide a reason.
- Demonstrate a technical fault.
- Meet any usage threshold or condition.
- Return or delete the software.
The guarantee period begins at the timestamp of your Stripe payment confirmation and ends at 23:59 UTC on the 14th calendar day thereafter.
2. How to Request a Refund
- Email support@pathwaytech.co with the subject line "Refund Request".
- Include the email address used at purchase and your order reference number (from your Stripe receipt email).
- We will acknowledge within 1 business day and process the refund within 5 business days.
Refunds are returned to the original payment method. Stripe typically processes the credit within 5–10 business days depending on your card issuer.
3. After the 14-Day Window
After the guarantee period, refunds are evaluated case-by-case and are available only where the App does not function as described and the issue is verifiable and reproducible, and has not been resolved within 14 business days of your initial support report.
4. Licence Status After Refund
- Your licence key will be revoked within 48 hours of refund confirmation.
- Licensed features will be discontinued when revocation takes effect.
- Your locally stored data remains on your device — you may export a backup before revocation.
5. Partial Refunds
- Upgrade: purchase the Bundle, then request a refund for your original single-App licence within its 14-day window.
- There are no partial refunds for unused time as all licences are perpetual.
6. Statutory Rights
European Union and United Kingdom
Nothing in these Terms limits your statutory rights under the EU Consumer Rights Directive (2011/83/EU) or the UK Consumer Rights Act 2015. Our 14-day unconditional guarantee meets or exceeds these statutory minimums.
United States
Our 14-day guarantee applies to all US customers. State-specific consumer protection laws may provide additional rights.
7. Chargebacks and Payment Disputes
Please contact support@pathwaytech.co before initiating a chargeback. We resolve requests quickly and a direct resolution is faster for you. Unjustified chargebacks after receiving a functioning product may result in licence revocation.
8. Contact
Refunds and billing: support@pathwaytech.co
Response time: within 1 business day.
Processing time: within 5 business days of approval.
Security Architecture
Encryption
- Algorithm: AES-256-GCM (authenticated encryption — provides both confidentiality and integrity verification).
- Key derivation: PBKDF2-SHA256, 310,000 iterations, unique random salt per user. This iteration count meets and exceeds NIST SP 800-132 (2023) recommendations.
- Key storage: Derived keys exist only in memory during an active session. They are never written to disk, never transmitted, and never held by Pathway Tech.
- Backup encryption: Exported backup files are encrypted with AES-256-GCM using a key derived from your backup passphrase. Pathway Tech cannot decrypt backup files.
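The scheme listed above, sketched with the browser WebCrypto API as an added example (not Pathway Tech's code). It shows that a wrong passphrase or a single flipped ciphertext bit makes AES-GCM decryption fail instead of returning altered data. The function names, the 16-byte salt, the 12-byte IV, the fresh salt per export and the blob layout are assumptions; only the algorithms and the iteration count come from this page.

```javascript
// Added example: WebCrypto in the browser, or Node.js via the fallback below.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 310000;             // iteration count stated on this page
const enc = new TextEncoder();

// Derive a non-extractable AES-256-GCM key from a passphrase and a salt.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 },
    false,                             // not extractable: raw key bytes cannot be exported
    ['encrypt', 'decrypt']);
}

// Encrypt a record. Salt and IV are not secret and are stored with the ciphertext.
async function seal(passphrase, record) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // assumed salt size
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh 96-bit IV per write
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(record))));
  return { salt, iv, ct };
}

// Decrypt a sealed blob; returns null when the GCM tag does not verify.
async function unseal(passphrase, { salt, iv, ct }) {
  const key = await deriveKey(passphrase, salt);
  try {
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null;                       // wrong passphrase or modified data
  }
}

// Constructed sample data, not taken from the Apps.
async function demo() {
  const blob = await seal('correct horse', { debt: 'card', balance: 1200 });
  const ok = await unseal('correct horse', blob);
  const wrongPass = await unseal('wrong horse', blob);
  const tampered = { ...blob, ct: Uint8Array.from(blob.ct) };
  tampered.ct[0] ^= 0x01;              // flip one ciphertext bit
  const afterTamper = await unseal('correct horse', tampered);
  return { ok, wrongPass, afterTamper };
}
```

Because the key is derived only from the passphrase and the stored salt, a lost passphrase leaves the blob unrecoverable, which is the property the backup bullet describes.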
Network Security
- No financial data transmitted: The Apps make no network requests containing financial data. Financial data never leaves your device.
- Licence validation: A minimal request (licence key hash, product identifier, activation timestamp) is sent to our server approximately every 30 days. TLS 1.2 minimum.
- Content Security Policy: Both Apps implement a strict CSP preventing execution of inline scripts, loading of external resources, or form submission to third parties.
Local Storage
- Data is stored in browser localStorage / IndexedDB, always in encrypted form.
- The Apps do not use cookies for financial data.
- Safari and Firefox may clear localStorage under storage pressure or after periods of inactivity. We recommend regular encrypted backups.
Reporting a Vulnerability
If you discover a security vulnerability in PathPlanner or Sanctum, please report it responsibly to security@pathwaytech.co. We aim to acknowledge reports within 48 hours and resolve critical issues within 14 days. We do not currently operate a formal bug bounty programme but will recognise responsible disclosures.