Legal · Updated May 17, 2026
Privacy Policy
Dip is an AI agent that helps you lower recurring bills, built and operated by Quintin Tech LLC, a Pennsylvania limited liability company. This policy describes what we collect, what we never collect, where it lives, who we share it with, and what you can do about it. Plain language; no boilerplate.
Version 1.1 — effective May 17, 2026.
What we collect
- Email. Either via Sign in with Apple or an email magic link on Android / web. We use it to authenticate you and to send transactional messages (call summaries, approvals, receipts).
- Bill metadata you enter or upload. Provider name, your current rate, the service address (when needed — trash, internet, electric). Nothing more than what we need to negotiate.
- Voice recordings of calls Dip places on your behalf. Our calling partner Vapi retains recordings for 90 days and then deletes them. We keep the resulting transcript on our side so you have a record of what was agreed to.
- Plaid transaction data. Only if you opt in to bank linking. We use it to spot bills and rate changes. We never sell or share the data, and we use Plaid only in read mode — we do not initiate transfers or modify your bank account.
- Subscription state via Stripe. Plan, period dates, customer ID. We do not store your card number; Stripe does.
What we don't collect
- Your phone number — Dip doesn't call you back.
- Your full legal name, unless you explicitly share it on a call (some providers ask).
- Cross-app or cross-site tracking. We don't use ad SDKs.
- Advertising identifiers (IDFA / AAID).
- Contacts, photos, calendars, location.
How we share data with providers during negotiation
When Dip calls a provider on your behalf, the provider's representative will typically ask for information to authenticate you and to discuss your account. Dip discloses only what's necessary, which usually includes:
- Your name and the name on the account.
- The account number and the service address on file.
- Identity-verification answers (last 4 of SSN, date of birth, security-question answers) when the provider requires them. We never disclose your full SSN.
We do not share your email, phone number, bank or card details, or any data from Plaid with the provider. The Letter of Authorization you sign before adding a bill is the consent basis for this disclosure.
How we use Plaid
If you link a bank account, we use Plaid to receive transaction data so we can identify recurring bills and detect rate changes. Plaid is a processor that connects to your bank on your behalf; their use of the data is governed by Plaid's End User Privacy Policy. You can review the accounts you've connected and revoke Plaid's access at any time through the Plaid Portal or from inside the Dip app. Revoking access in Plaid Portal immediately stops Plaid from sharing new data with us; data we've already received is retained per the retention windows below until you delete your Dip account.
Where it lives, and how long
- Supabase (Postgres). Encrypted at rest. Hosted in the US. Account data, bill metadata, and call transcripts. Retained while your account is active and deleted within 30 days of account deletion, except where we're legally required to retain longer (typically tax and dispute-resolution records, up to 7 years).
- Vapi. Call audio and live audio. 90-day retention, then deletion. Transcripts move to our Supabase storage and follow the Supabase retention window.
- Stripe. Subscription state. Retained per Stripe's policies and as required for tax and accounting (typically 7 years). No card details stored by us.
- Anthropic (Claude). LLM inference for the agent. Per Anthropic's API policy, your data is not used to train their models. Anthropic does not retain inputs/outputs beyond the inference window for API customers.
- Plaid. Bank transaction data is pulled by Plaid from your bank, passed to us, and stored in Supabase under the same retention window as your other account data. Revoking Plaid access in Plaid Portal stops new data from flowing.
Subprocessors
The vendors named above are our subprocessors. We will update this policy and notify users by email at least 30 days before any new subprocessor begins receiving user data, so you can object or delete your account before that happens.
Financial-data safeguards (GLBA)
Because Dip handles nonpublic personal information from financial accounts (via Plaid) and assists you in financial decisions, the Gramm-Leach-Bliley Act's Safeguards Rule applies to us. We maintain a written information-security program with administrative, technical, and physical safeguards designed to protect your data, including encryption at rest and in transit, access controls, vendor due diligence on each subprocessor named above, and an incident response plan.
AI disclosure and call recording
When Dip calls a provider on your behalf, the agent identifies itself at the start of the call as an AI assistant acting on your behalf, and discloses that the call is being recorded. We do not secretly impersonate humans. The recording is made with your consent (granted in the Letter of Authorization you sign before adding a bill) and with the provider representative's consent (requested at the start of every call). If the representative declines to be recorded, Dip will stop recording or end the call.
A number of US states have all-party (sometimes called “two-party”) consent requirements for recording phone conversations, and may include criminal as well as civil liability for violations. Our practice is to disclose recording and request consent at the start of every call, in every state, so we don't rely on the user's location to determine which standard applies.
Your rights
- Delete your account. Email us or use the in-app option. All data is purged within 30 days, including call recordings and transcripts on our side, except records we're legally required to keep (typically tax and dispute records).
- Export your data. Email us. We'll send a machine-readable archive within 30 days.
- Revoke negotiation authority. Removing a bill in the app revokes Dip's Letter of Authorization for that account. Deleting your account revokes it for all accounts.
- California residents (CCPA / CPRA): You have the right to know the categories of personal information we collect (listed above under “What we collect”), the sources (you, Plaid, Stripe, providers), the purposes (operating the service, negotiating on your behalf, billing, security), and the third parties we share it with (listed above under “Subprocessors”). You have the right to request deletion and to opt out of sale or sharing of personal information. We do not sell your data and we do not share it for cross-context behavioral advertising. To exercise any CCPA right, email privacy@dip.bot.
- GDPR / EU: Dip is currently US-only. If we expand, we'll update this section before accepting EU signups.
Children
Dip is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, email privacy@dip.bot and we will delete it.
Contact
Privacy questions, deletion requests, exports — all go to privacy@dip.bot. A real person reads that inbox.
Changes to this policy
If we make a meaningful change (new data type, new vendor, new retention window), we'll notify you by email and update the “Updated” date and version at the top of this page. Cosmetic edits don't bump the version.