Ungerboeck Families

Privacy Notice

Effective Date[set on merge]Last Updated[set on merge]

About this Notice

Ungerboeck Families (“UFam,” “we,” “us”) is a private application operated by Cedar Forest Group, LLC (“CFG”), a privately-held family investment office. UFam is used by the Members of CFG and a small number of authorized professional service providers to view, organize, and report on the Members’ financial activity.

This Notice describes how we collect, use, share, and retain personal and financial information in connection with UFam. Because UFam is a private family-office application — not a consumer service — this Notice is intentionally scoped to the small population of authorized users it serves.

1. Who this Notice applies to

This Notice applies to:

  • Members of Cedar Forest Group, LLC who use UFam
  • Authorized professional service providers (for example, the firm’s accountants) granted limited access for defined purposes

UFam is not offered to the general public. There is no public sign-up, no marketing, and no consumer enrollment.

2. Information we collect

We collect the following categories of information:

  • Identity information. Name, email address, and authentication credentials for accessing UFam.
  • Financial account information.Account names, account types, custodian or institution names, the last four digits of account numbers (“masks”), entity ownership relationships, and similar account-identifying information.
  • Position and balance information. Holdings, securities, quantities, prices, market values, cost basis, and account balances as of specific points in time.
  • Transaction and cash-flow information. Investment transactions (dividends, interest, contributions, distributions, fees, capital gains, transfers), manually-entered cash flows, and associated metadata.
  • Document and note content. Any documents, notes, or annotations that authorized users add to UFam.
  • Audit and access logs. Records of authentication events, administrative actions, and changes to records, used to support security monitoring and incident response.

We do not collect biometric information, precise geolocation, social-graph information, or any information from cookies or trackers beyond what is necessary to authenticate users and operate the application.

3. How we collect information

We collect information in three ways:

  • Direct entry by authorized users — when a Member or service provider types information into UFam (for example, manual cash-flow entries, notes, account labels).
  • Authorized integrations with third-party financial data providers — when a Member explicitly connects an external financial account through a data aggregator (currently Plaid Inc.). Connection requires the Member’s affirmative action and presentation of a step-up authentication.
  • Automated logs— generated by UFam’s underlying platforms in the course of operating the application securely.

We do not purchase, license, or otherwise acquire personal information from data brokers.

4. Why we use the information

We use the information described in §2 only for the following purposes:

  • Providing the Member-facing UFam application (portfolio reporting, cash-flow tracking, document storage, family-office workflows).
  • Supporting the Members’ tax, legal, and family-office advisors with information they need to perform engagements on the Members’ behalf.
  • Maintaining the security of UFam — including detecting and responding to unauthorized access or suspicious activity.
  • Complying with applicable law, including tax and regulatory recordkeeping obligations.

We do not use this information for marketing, advertising, behavioral profiling, automated decision-making with legal effect, or sale to any third party. UFam does not engage in advertising of any kind.

5. Who we share information with

We share information only with:

  • Cedar Forest Group, LLC and its Members. The Members are the primary users of UFam and have read access to consolidated family-office data.
  • Authorized professional service providers— for example, the firm’s accountants — for defined purposes, on a need-to-know basis, and subject to written confidentiality obligations.
  • Sub-processors that operate UFam’s infrastructure — Vercel, Inc. (application hosting) and Supabase, Inc. (database hosting). These providers process data only on CFG’s instructions and are subject to their own security and privacy obligations.
  • Plaid Inc. (financial data aggregator)— Plaid retrieves account and transaction information from financial institutions on the Members’ behalf, at the Members’ direction. Plaid’s handling of this data is governed by Plaid’s own end-user privacy policy, which Plaid presents to each Member during the connection flow.
  • Government authorities — when required by law (for example, in response to a valid subpoena or court order).

We do not sell, rent, or lease personal information to any third party. We do not share information for any third party’s marketing purposes.

6. Third-party connections initiated by Members

When a Member connects an external financial account through Plaid:

  • The Member completes Plaid’s authentication flow directly with the financial institution. UFam does not see or store the Member’s institution credentials.
  • Plaid returns to UFam a set of account-level identifiers, security identifiers, holdings, and transactions for the accounts the Member chose to connect.
  • The data flow continues until the Member disconnects the account.
  • A Member may disconnect a connected account at any time from within UFam. Disconnection revokes UFam’s access token at Plaid, immediately destroys the encrypted access token in our database, and ceases further data retrieval. The Member may also revoke access independently through Plaid’s portal at https://my.plaid.com.

7. How long we keep information

We retain information for the periods set out in CFG’s Information Security Policy, §6.2 (Data Retention and Disposal). In summary:

  • Portfolio holdings snapshots: retained indefinitely for long-term performance reporting
  • Cash-flow event records: 7 years after the transaction date
  • Tax and accounting source records: 7 years after the close of the relevant tax year
  • Raw payloads from data aggregators (for example, Plaid webhook bodies): 90 days
  • Authentication and access logs: 12 months
  • Administrative action logs: 24 months
  • Incident response records: 7 years after incident close
  • User consent records: for the duration of the user relationship plus 7 years
  • Disconnected data-aggregator Items: 90 days after disconnection (the encrypted access token is destroyed immediately on disconnection)

A copy of the full retention schedule is available from the Information Security Officer on request.

8. How we protect information

UFam is operated in accordance with CFG’s Information Security Policy and Procedures. Material controls include:

  • Multi-factor authentication for all users
  • Step-up authentication for sensitive operations (such as connecting external accounts)
  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or stronger)
  • Application-layer encryption of long-lived third-party access tokens
  • Row-level security in the underlying database
  • Continuous vulnerability scanning of application dependencies
  • Logging and monitoring of authentication events and administrative actions
  • Quarterly access reviews

A full description of CFG’s security program is available from the Information Security Officer on request.

9. Your rights and choices

As an authorized user of UFam, you may:

  • Accessthe information UFam holds about you and your connected accounts (which is the application’s primary purpose).
  • Correct information that is inaccurate or out of date.
  • Withdraw consent to any third-party data-aggregator connection you previously authorized, at any time, by initiating the disconnect flow within UFam.
  • Request deletion of your personal information, subject to retention obligations imposed by law (for example, tax recordkeeping). Where retention is required, we will restrict further use of the information beyond what the law requires.
  • Request a record of the information UFam holds about you and the third parties with whom it has been shared.

To exercise any of these rights, contact the Information Security Officer at the address in §11.

10. Children

UFam is not directed to, and is not designed for, individuals under the age of 18. We do not knowingly collect information from children. If a Member adds information regarding a family member who is a minor (for example, in the context of trust or beneficiary records), that information is treated as Restricted under the Information Security Policy and is accessible only to authorized Members and their service providers.

11. Contact

Information Security Officer
Cedar Forest Group, LLC
Daren Ungerboeck
privacy@ungerboeckfamilies.com

12. Changes to this Notice

We may update this Notice from time to time to reflect changes in our practices or in applicable law. The “Last Updated” date at the top of this Notice indicates when it was most recently revised. Material changes will be communicated to authorized users in advance of taking effect, including by an in-application notice on next sign-in.

Return to Ungerboeck Families