Privacy Policy

Last updated: May 3, 2026

Introduction

Welcome to BudgetLabs ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our budgeting application and related services.

Important Notice: BudgetLabs is not designed to store highly sensitive personal information such as financial account numbers, credit card details, or login credentials for banks or other institutions. Please do not enter such information into the application.

Information We Collect

Account Information

When you create an account, we may collect:

  • Email address
  • Name (optional)
  • Account credentials (securely hashed)

Financial Data

To provide budgeting and tracking features, we collect user-entered data such as:

  • Budget categories and amounts
  • Transaction descriptions, dates, and amounts
  • Income and expense information
  • Savings goals and targets
  • Asset and debt account balances, including optional recurring contribution amounts and employer-match amounts you choose to record
  • Optional gross annual salary you choose to enter in Profile, used only to auto-convert between contribution percent and dollar amount in the savings modal — encrypted at rest, never shared with third parties
  • Receipts and source artifacts you choose to attach to a transaction — receipt photos, dropped emails (raw .eml, HTML body, or plain text), or uploaded statement PDFs / images. Stored in your private receipts bucket on Supabase Storage, scoped to your account by row-level security, served only via short-lived signed URLs you request, never shared with third parties. You can remove a receipt at any time by clearing it from the transaction.

Note: We do not collect, store, or process actual bank account numbers, credit card numbers, or login credentials for financial institutions.

Usage and Device Data

We may collect limited usage data (e.g., device type, browser, IP address) and use cookies or similar technologies for analytics and performance. You can manage cookie preferences through your browser settings.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our budgeting services
  • Track budgets, process transactions you enter, and show your progress
  • Send service-related notifications and account updates
  • Respond to your requests and provide customer support
  • Detect, prevent, and investigate fraud or abuse
  • Analyze usage to enhance features and performance

Data Storage and Security

We implement commercially reasonable technical, administrative, and physical safeguards to protect your information, including:

  • Encryption in transit: All connections to BudgetLabs use HTTPS/TLS.
  • Encryption at rest: Sensitive financial fields are encrypted with AES-256 at the application layer before being written to the database. Encryption keys are stored in a managed secrets vault, not in application code.
  • Row-level security: Every record is access-scoped to its owning user at the database layer; users cannot read or modify other users’ data even by direct database query.
  • Optional two-factor authentication (TOTP): You can enable 2FA in Settings → Security to require a 6-digit code on each sign-in.
  • Trusted-device tokens: If you opt to trust a device for 30 days, we store a one-way hash of a per-device token (not the token itself), the device’s user-agent string, and the IP address used at the time of opt-in, so you can review and revoke trust later.

Important: No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

You are responsible for keeping your account credentials confidential and for all activities that occur under your account.

AI Features and Third-Party Processing

BudgetLabs includes optional AI-assisted features (collectively, "Hank" — the in-app chat assistant, AI-powered transaction import, AI-powered receipt scanning, AI-powered bill scanning (for upcoming-bill scheduling), and an MCP server for connecting external AI agents). When you use these features, certain inputs and the relevant context required to answer your question are sent to third-party AI providers for processing.

Specifically:

  • The in-app chat assistant routes your messages, plus a limited slice of your budget data needed to answer them (for example: requested category names, transaction details, or spending summaries), to xAI (Grok) via the Vercel AI SDK.
  • AI-powered import (pasted text, CSV / spreadsheet, uploaded bank-statement PDFs, and uploaded statement images), receipt scanning, and bill scanning send the file contents, email body, or image you submit to xAI for parsing into structured transaction or bill fields. Bill scanning covers photos of upcoming-bill invoices, PDF bills, or emails / pasted text dropped into the “Add bill” modal, and is used to extract vendor / amount / due-date / supporting notes. Uploaded files are processed in memory and are not retained by BudgetLabs after parsing.
  • If you connect an external AI agent (Claude, ChatGPT, etc.) to BudgetLabs via our MCP server, the queries you make through that agent and the responses we return travel through that third-party agent’s provider; their privacy policy governs their handling of those exchanges.

We do not use your data to train third-party AI models. We do not share AI inputs or outputs with advertisers.

These AI features are optional. You can avoid sending data to xAI by not using the chat assistant, AI import, receipt scanning, or bill scanning. You can revoke external MCP integrations at any time from Settings → API & Integrations.

Data Sharing and Disclosure

We do not sell your personal information. We may share information in these limited circumstances:

  • Service Providers (subprocessors): With trusted third parties who help us run the Service, including:
    • Microsoft Azure — application hosting (Azure Web App) and transactional email (Azure Communication Services).
    • Supabase — managed Postgres database, authentication, and file storage.
    • xAI (via the Vercel AI SDK) — large-language-model processing for the in-app chat assistant, AI-powered import (pasted text, CSV / spreadsheet, PDF, and image uploads), receipt scanning, and bill scanning. See "AI Features and Third-Party Processing" above.
    • Stripe — payment processing for web subscriptions. We do not store full payment-card numbers.
    • RevenueCat, in conjunction with the Apple App Store and Google Play — in-app purchase processing on mobile. Payment-card and billing details are handled by Apple or Google directly under their privacy policies.
    • Google Analytics — aggregate usage analytics on the marketing site.
  • Legal Requirements: When required by law, subpoena, or government request
  • Protection of Rights: To protect our rights, safety, or property, or that of our users
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

Sharing Your Data with Family Members

If you turn on Family Sharing and invite another person to join your budget, that person — once they accept — can see and modify the transactions, categories, monthly plans, debts, savings goals, and other budget data in the budget you share with them. Family Sharing is opt-in per invite; nothing is shared until you send an invite and the recipient accepts it.

You can revoke a pending invite at any time before it's accepted, and you can remove a member after they've joined. A member can also leave on their own. When someone leaves or is removed, any transactions they entered into the shared budget remain part of the budget's history so your accounting record stays intact; their personal authentication link to those records is removed.

We do not share your data with the family member's employer, advertisers, or any third party as a consequence of Family Sharing. The other party is a fellow BudgetLabs user whom you have authorized to see this budget.

Your Rights and Choices

Depending on where you live, you may have the right to:

  • Right to know / access: request a copy of the personal information we hold about you and how we use it.
  • Right to correct: update or correct your personal information.
  • Right to delete: delete your account and associated personal information.
  • Right to portability: receive an export of your data in a machine-readable format.
  • Right to opt out of sale or sharing: we do not sell your personal information and do not share it for cross-context behavioral advertising. You may still exercise this right at any time.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
  • Right to opt out of promotional communications: use the unsubscribe link in any marketing email or contact us directly.

California residents (CCPA / CPRA): you may also designate an authorized agent to make a request on your behalf, and you may appeal a denied request by contacting us at the address below.

EEA / UK / Swiss residents (GDPR / UK GDPR): our legal basis for processing your personal data is (a) the performance of our contract with you, (b) our legitimate interests in operating and improving the Service, and (c) your consent where required (for example, for optional analytics). You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at contact@budgetlabs.io. We will respond within the timeframes required by applicable law (45 days under CCPA; 30 days under GDPR, extendable by an additional 60 days for complex requests).

Data Retention

We retain your account information (e.g., email, name) for as long as your account remains active. Financial data you enter is retained for the life of your account plus up to 90 days after deletion for backup and recovery purposes.

After account deletion, we will delete or irreversibly anonymize your personal data within a reasonable period, unless we are required to retain it for legal, compliance, or security reasons.

Children’s Privacy

BudgetLabs is not directed to or intended for use by children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent, in accordance with the U.S. Children’s Online Privacy Protection Act (COPPA).

If you are a parent or guardian and believe your child under 13 has provided us with personal information without your consent, please contact us immediately at contact@budgetlabs.io. We will promptly delete such information from our records.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the revised policy here and update the "Last updated" date. For material changes, we will also notify you via email or in-app notice at least 30 days in advance where required by law. Your continued use of BudgetLabs after the effective date constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, please contact us:

Hollow Holdings, LLC

Email: contact@budgetlabs.io

Website: www.budgetlabs.io