Privacy Policy

Last updated 2026-04-29.

This is the privacy policy for EarlyBird (“EarlyBird,” “we,” “us”), operator of investearlybird.com. It explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.

EarlyBird is pre-launch. Today the only services we provide are this marketing site, the email waitlist, and an authenticated dashboard. The EarlyBird Card and the rewards-allocation investing service have not launched. When they launch, this policy will be updated and you will be notified by email before the new practices take effect. Until then, this policy describes only the data we actually collect today, with forward-references to what will change at launch.

Not legal advice. This document is provided for transparency. It is not legal advice, and reading it does not create an attorney–client relationship. Before relying on it for any decision, consult your own counsel.

At a glance

• We collect your email and, if you create an account, the limited profile data Clerk passes us (display name, email, phone if you add it).
• We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
• We use vendors (listed below) to run the site, send transactional email, monitor errors, and measure product analytics. PII is stripped from error and analytics streams.
• When the EarlyBird Card and investing service launch, we will collect more (investment objectives, risk tolerance, bank link tokens via Plaid), and identity-verification data will be collected by our regulated partners on their own systems — not held by EarlyBird.
• You have rights to access, correct, delete, and port your data, plus state-specific rights described below. Email privacy@investearlybird.com to exercise them.

Who we are

EarlyBird is a Delaware company building a credit card whose interchange rewards are automatically allocated by a registered investment adviser into curated early-stage offerings exempt under Regulation Crowdfunding (Reg CF) and other exemptions. EarlyBird Advisors is registered as an investment adviser under the Investment Advisers Act of 1940 (a federally covered, Series 65–led RIA) and is currently in pre-launch.

If you have questions about this policy:

• Email privacy@investearlybird.com.
• A mailing address will be added before the EarlyBird Card and investing service launch.

Information we collect today

We only collect what we actually need to run the waitlist and the authenticated dashboard.

What you give us directly

• Waitlist signup. Email address.
• Account creation (Clerk). Email address, display name, and — if you choose to add it — phone number. If you sign in with Google, we receive your Google profile email and name from Clerk; we do not receive your Google password.
• Investor profile (forward-looking). When the investing service launches, we will collect the information required to give you suitable advice under FINRA Rule 2111 and our fiduciary duty as a federally covered RIA — investment objectives, risk tolerance, time horizon, financial situation as you describe it, and similar suitability data. We will retain it as part of our Form ADV and books-and-records obligations.

What gets collected automatically

• Server and product analytics. PostHog records anonymous funnel events (page views, button clicks, signup conversions). We have configured PostHog to block IP capture and to create profiles only for users who are already identified by Clerk. We do not record sessions.
• Error monitoring. Sentry receives stack traces and error metadata when something breaks. We have set sendDefaultPii: false, which means IP addresses, request bodies, cookies, and headers are not sent to Sentry.
• Cookies and similar technologies. See “Cookies and tracking technologies” below.

What we do not hold

So you know what is and is not in our systems:

• No Social Security numbers. SSNs are collected by our regulated partners (currently planned: North Capital for KYC/AML/OFAC, Nxtmoves for card issuance) and held on their systems. EarlyBird never stores your SSN.
• No government ID images. Identity-verification photos are uploaded directly to our KYC partner.
• No raw bank account or routing numbers. When we add bank linking, we will use Plaid; EarlyBird stores only the Plaid item or access token, not the underlying account numbers.
• No card PAN, CVV, or full card data. Card credentials are tokenized by Nxtmoves under PCI DSS; EarlyBird sees only a token and the last four digits for display.
• No credit-pull data, income, or net-worth verification. Where these are collected (for example, to confirm Reg CF investment limits), they are collected by our regulated partners and reported back to EarlyBird only at the granularity needed to make allocations.

What changes at launch

When the EarlyBird Card and the investing service launch, additional categories will apply:

• KYC/AML data (collected by North Capital): legal name, date of birth, residential address, SSN, government ID. Held by North Capital subject to its own privacy notice. EarlyBird receives only a verification status and a customer ID.
• Bank account link (via Plaid): an institution identifier and a Plaid access token used to initiate ACH transfers. Plaid’s end-user privacy policy is at plaid.com/legal/#end-user-privacy-policy.
• Card and transaction data (collected by Nxtmoves and the issuing bank): full PAN, CVV, transaction stream. EarlyBird receives a tokenized reference, transaction-category data, and the rewards amount earned.
• Investment activity (collected by EarlyBird and recorded by North Capital as our books-and-records partner): allocations, holdings, statements, tax reporting data.

When this happens, we will publish an updated version of this policy and a separate Financial Privacy Notice under the Gramm–Leach–Bliley Act (GLBA) using the regulator-mandated “FACTS” format. We will email you before the change takes effect.

How we use your information

We use personal information for these purposes:

• To run the waitlist and the authenticated dashboard.
• To send you transactional email about your account (sign-in, security, and product updates from EarlyBird itself). We use Resend as our email vendor.
• To send you launch updates about EarlyBird if you have asked to be on the waitlist. You can unsubscribe at any time using the link in any email.
• To detect, prevent, and respond to fraud, abuse, and security incidents.
• To comply with legal obligations, including, after launch, recordkeeping under the Investment Advisers Act, FINRA rules applicable to our partners, the Bank Secrecy Act, the CARD Act, the Truth in Lending Act, the Electronic Fund Transfer Act (Regulation E), the ESIGN Act, and applicable state law.
• To improve the product through aggregated, de-identified analytics.
• For business transactions, including evaluating, negotiating, or completing a corporate financing, merger, acquisition, or sale of assets, with appropriate confidentiality protections.

We do not use your information for cross-context behavioral advertising, and we do not sell your personal information for money or other valuable consideration.

How we share your information

We share personal information only in the following circumstances.

Service providers acting on our behalf

Vendors that process data only under our instructions and under written contract. Today this includes:

• Clerk — authentication and identity. clerk.com/legal/privacy-policy
• Resend — transactional email delivery. resend.com/legal/privacy-policy
• PostHog — product analytics, with IP capture disabled and identified-only profiles. posthog.com/privacy
• Sentry — error monitoring, with sendDefaultPii: false. sentry.io/privacy
• Vercel — web hosting and CDN. vercel.com/legal/privacy-policy
• Railway — API hosting. railway.com/legal/privacy
• Neon — managed Postgres database. neon.com/privacy-policy
• Cloudflare — DNS and edge caching. cloudflare.com/privacypolicy

Regulated partners (after launch)

When the EarlyBird Card and investing service launch, we will share account, identity, and transaction data with North Capital (KYC/AML, money movement, books-and-records) and Nxtmoves (card issuance and processing) so they can perform their regulated functions. Plaid will receive bank-link information that you affirmatively initiate. The post-launch GLBA Financial Privacy Notice will describe these flows in the regulator’s “FACTS” format.

Issuers and offerings (after launch)

If you direct allocations into a Reg CF or other exempt offering, the issuer and the offering’s funding portal or broker-dealer will receive the information they need to record your investment and meet their own disclosure obligations.

Legal, safety, and compliance

We may disclose information when required by law (subpoena, court order, regulator request), to comply with a legal obligation, to investigate fraud or security incidents, to protect the rights or safety of EarlyBird or others, or to defend legal claims.

Corporate transactions

In connection with a financing, merger, acquisition, sale of assets, or bankruptcy, in which case the recipient must honor commitments materially consistent with this policy.

With your consent

Any other sharing only with your consent.

We do not have a public sub-processor registry today; the list above is the full set of vendors we use that touch personal information. After launch, we will maintain a sub-processor list available on request.

Cookies and tracking technologies

We use a small number of cookies and similar technologies:

• Strictly necessary — session cookies set by Clerk to keep you signed in.
• Functional — preferences such as your selected theme.
• Analytics — PostHog uses a cookie to attribute repeat events to a single anonymous visitor, configured to ignore IP addresses.

We do not use advertising cookies or third-party retargeting pixels today. Our PostHog deployment is reverse-proxied through /ingest on our own domain so that ad-blockers do not double as analytics-blockers; you can still opt out using your browser, your operating system’s ad-tracking controls, or by sending a Global Privacy Control signal.

Do Not Track and Global Privacy Control

Browsers vary in how they signal user preferences.

• Do Not Track (DNT). There is no industry consensus on how to interpret DNT, so we do not respond to DNT headers.
• Global Privacy Control (GPC). When our site receives a GPC signal in a state that recognizes GPC as a valid opt-out (currently California, Colorado, Connecticut, and, beginning in 2026, Oregon), we treat it as a request to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising for that browser. We do not sell or share data for advertising in any state, so the practical effect today is that GPC is recorded but no advertising opt-out is needed.

Your privacy rights

We honor data-subject rights for everyone who interacts with EarlyBird, regardless of where you live, with state-specific additions where applicable.

Rights everyone has

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct inaccurate or incomplete information.
• Deletion — ask us to delete your information, subject to legal hold and recordkeeping carve-outs (for example, after launch we are required by SEC and FINRA rules to retain advisory and brokerage records for several years even if you ask us to delete).
• Portability — receive a structured copy of the information you have provided to us.
• Withdraw consent — where we rely on consent, withdraw it at any time.
• Non-discrimination — we will not deny services, charge different prices, or provide a different level of service because you exercised a right.

To exercise any right, email privacy@investearlybird.com from the email associated with your account, or use the “Delete account” control in the dashboard once it is available. We may need to verify your identity before acting; we will not require more information than is necessary to do so.

You also have the right to lodge a complaint with your state attorney general or, where applicable, the Consumer Financial Protection Bureau, the SEC, or the FTC.

State-specific rights

We currently process the personal information of residents in all 50 U.S. states. The following states have comprehensive consumer privacy laws as of 2026; the rights described above apply to residents of each, with the additional notes below.

• California (CCPA / CPRA). California residents have the rights described above plus the right to limit the use and disclosure of “sensitive personal information,” the right to know the categories and sources of personal information we collect, and the right to opt out of any “sale” or “sharing.” We do not sell or share personal information as those terms are defined under the CCPA. We have not knowingly sold the personal information of consumers under 16. To exercise California rights, email privacy@investearlybird.com. An authorized agent may submit a request on your behalf with your written authorization.
• Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA). You have the rights described above. You may also opt out of profiling that produces legal or similarly significant effects; the rewards-allocation engine, when it launches, will not produce such effects without your express direction.
• Oregon (OCPA), Texas (TDPSA), Montana (MTCDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire, Kentucky, Maryland (MODPA), Minnesota (MNCDPA), Rhode Island, Nebraska (NDPA). You have the rights described above to the extent the applicable state law grants them. Effective dates vary; we honor each state’s rights from its effective date.
• Vermont. Under the GLBA Financial Privacy Notice that will apply after launch, we will not share your nonpublic personal information with non-affiliates for marketing purposes without your authorization.
• Nevada. You may opt out of the sale of certain personal information for monetary consideration. We do not sell personal information.

If your state recognizes a Global Privacy Control or Universal Opt-Out Mechanism as a valid opt-out signal, we honor it as described under “Do Not Track and Global Privacy Control.”

If we deny a rights request, you may appeal by replying to our denial email; in states with a statutory appeal right (Colorado, Connecticut, Virginia, and others), we will respond within the period required by that state’s law.

Children

EarlyBird is not directed to children under 18, and you must be at least 18 (and the age of majority in your state) to create an account or join the waitlist. We do not knowingly collect personal information from anyone under 18. If you believe a child under 18 has provided us information, email privacy@investearlybird.com and we will delete it.

Data retention

We retain personal information for as long as we need it to provide the services, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.

• Waitlist email addresses are retained until you ask us to delete them or for the period needed to demonstrate consent.
• Authenticated account data is retained while your account is active and for a reasonable period afterward.
• After launch, advisory and brokerage records will be retained for the period required by SEC and FINRA rules (generally five to seven years), even if you delete your account.
• Error logs and aggregated analytics are retained for shorter, vendor-defined periods.

Security

We use commercially reasonable administrative, technical, and physical safeguards: TLS in transit, encrypted databases at rest, access controls and least-privilege roles, audit logs, vendor risk review, and continuous error monitoring. No system is perfectly secure, and we cannot guarantee that information will never be accessed by an unauthorized party. If we discover a security incident affecting your information, we will notify you and the appropriate regulators as required by applicable law.

International users

EarlyBird is intended for U.S. residents. We do not target or knowingly accept users outside the United States. If you access the site from outside the United States, your information will be transferred to and processed in the United States.

Changes to this policy

We will update this policy when our practices change. The “Last updated” date at the top reflects the most recent change. For material changes — including the changes that will accompany the launch of the EarlyBird Card and the investing service — we will email registered users in advance and will not apply the new practices retroactively to data already collected.

Contact

• Email privacy@investearlybird.com.
• Web investearlybird.com.
• After launch, the postal address of EarlyBird’s registered office and the name of our Chief Compliance Officer (Comrie Flinn) will be listed here.

If you cannot resolve a concern with us directly, you may contact your state attorney general or, where applicable, the Consumer Financial Protection Bureau (consumerfinance.gov), the Securities and Exchange Commission (sec.gov), or the Federal Trade Commission (ftc.gov).