Privacy

Everything you enter into Budget Tracker: salary, balances, expenses, BNPL plans, payment history, savings goals, category budgets, and your display preferences.

We do not collect analytics, behavioural tracking, ad identifiers, or anything beyond what you type into the app. There is no third-party tracking script.

On your device.A copy of your budget is mirrored in your browser's local storage so the app loads instantly and works offline.

On a managed Postgres database (Supabase). If you sign in, your budget is stored there so it syncs across devices. The database is encrypted at rest and all traffic between your browser and the server is encrypted in transit (TLS).

You. The database enforces row-level security: when you query for your data, the database only returns rows owned by your account. No other signed-in user can ever read your budget — that isolation is enforced at the database, not by the app.

The operator (me). I have administrative access to the database in principle, in the same way the owner of a server has access to anything stored on it. I do not query user data and have no analytics on your activity. If you would prefer a zero-trust setup, you can self-host the project from source and the operator becomes you.

Supabase. The hosting provider holds the database. Their privacy and security commitments apply on top of mine.

Export. Settings → Data → Export JSON downloads everything we hold for your account.

Delete budget data. Settings → Danger zone → Delete budget data wipes your synced data and clears local storage. You can keep using the app, just empty.

Delete account & data. Same place — wipes the data and signs you out. The auth account record itself can be removed by request; contact support to fully erase the login record.

Your data is encrypted at rest by Supabase and in transit by TLS, but it is not end-to-end encrypted. That means an operator with database access can technically read it. If true zero-trust storage matters to you, the right answer is self-hosting from the open-source code rather than relying on a hosted instance.

We considered shipping opt-in client-side encryption and may add it later. The trade-off is harsh: forget the passphrase and the data is permanently unreadable. Most users prefer the current model where forgetting your password just means resetting it.