Budget Spotlight
Last Updated: January 1, 2026
Effective Date: March 1, 2026
Introduction
Budget Spotlight App ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our family budget management web application (the "Service").
Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
Account Information:
- Email address
- Full name
- Password (hashed and encrypted)
- Profile settings and preferences
- Timezone
- Avatar selection
Financial Information:
- Bank account names and types
- Account balances
- Transaction data (amounts, dates, descriptions, merchants)
- Budget categories and allocations ("Piggies")
- Debt information (balances, interest rates)
- Savings goals
- Income information
Household Information:
- Household name
- Member names and email addresses
- Member roles and permissions
Communications:
- Support requests and correspondence
- Feedback and suggestions
1.2 Information Collected Automatically
Usage Data:
- Features used and frequency
- Pages visited within the Service
- Time spent on pages
- Errors encountered
Device Information:
- Device type and model
- Operating system and version
- Browser type and version
- Screen resolution
Connection Information:
- IP address
- Approximate location (country/region)
- Internet service provider
- Referring website
Session Information:
- Login timestamps
- Session duration
- Authentication events
- Device fingerprint (for security)
1.3 Information from Third Parties
Authentication Providers:
When you sign in with Google or Apple, we receive:
- Your name
- Email address
- Profile picture URL (if available)
- Unique identifier from the provider
We do NOT receive your Google or Apple passwords.
Bank Connection Services:
If you connect bank accounts through SimpleFIN or Plaid, we receive:
- Account names and types
- Account balances
- Transaction history
- Account identifiers
We do NOT receive:
- Your bank login credentials
- Account numbers
- Routing numbers
1.4 Information We Do NOT Collect
We do NOT collect:
- Full credit card numbers (handled by Stripe)
- Bank login passwords
- Social Security numbers
- Government ID numbers
- Biometric data
2. How We Use Your Information
2.1 Provide the Service
- Create and manage your account
- Process and display your financial data
- Calculate budgets, balances, and insights
- Enable household sharing and collaboration
- Provide customer support
2.2 Improve the Service
- Analyze usage patterns to improve features
- Identify and fix bugs and errors
- Develop new features
- Optimize performance
2.3 Security and Fraud Prevention
- Detect and prevent unauthorized access
- Monitor for suspicious activity
- Verify user identity
- Comply with legal requirements
2.4 Communications
- Send service-related notifications (password resets, security alerts)
- Respond to support requests
- Send billing notifications
- Send optional product updates (with consent)
2.5 Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests
- Enforce our Terms of Service
- Protect our rights and property
3. How We Share Your Information
3.1 We Do NOT Sell Your Data
We do NOT sell, rent, or trade your personal information to third parties.
3.2 Household Members
When you join a household, other members can see:
- Your name and profile information
- Transactions you create
- Budget allocations you make
- Account balances (based on permissions)
Household owners control what members can access.
3.3 Service Providers
We share data with trusted service providers who assist in operating the Service. See the Third-Party Services section for a full table with privacy policy links.
3.4 Legal Requirements
We may disclose your information if required by law or if we believe disclosure is necessary to:
- Comply with a legal obligation
- Protect our rights or property
- Prevent fraud or security threats
- Protect the safety of users or the public
3.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is subject to a different privacy policy.
3.6 Aggregated and Anonymized Data
We may share aggregated, anonymized data that cannot be used to identify you. This data may be used for:
- Industry benchmarks
- Research and analysis
- Marketing materials
4. Data Retention
4.1 Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion | Service operation |
| Transaction data | 7 years | Tax record requirements |
| Security logs | 3 years | SOC 2 compliance, fraud investigation |
| Audit logs | 3 years | Compliance requirements |
| Support communications | 3 years | Service quality |
| Billing records | 7 years | Tax and legal requirements |
4.2 After Account Deletion
When you delete your account:
- Profile data is deleted within 30 days
- Financial data is deleted within 30 days
- Backup copies are purged within 90 days
- Aggregated/anonymized data may be retained indefinitely
- Data required for legal compliance is retained as required
4.3 Inactive Accounts
Accounts with no activity for 24 months may be:
- Notified of pending deletion
- Deleted after an additional 30 days if no response
5. Data Security
5.1 Security Measures
We implement industry-standard security measures:
Encryption:
- All data encrypted in transit (TLS 1.3)
- Financial data encrypted at rest (AES-256)
- Passwords hashed with bcrypt
Access Control:
- Row-Level Security (RLS) ensures data isolation
- Role-based access control
- Multi-factor authentication available
- Regular access reviews
Infrastructure:
- Hosted on SOC 2 compliant infrastructure
- Regular security assessments
- DDoS protection
- Automated backups
Monitoring:
- 24/7 system monitoring
- Intrusion detection
- Failed login attempt monitoring
- Audit logging for security events
5.2 Security Incidents
In the event of a data breach affecting your personal information:
- We will notify you within 72 hours (as required by GDPR)
- We will describe the nature of the breach
- We will explain what data was affected
- We will describe steps we are taking
6. Your Privacy Rights
6.1 Rights for All Users
Regardless of your location, you have the right to:
Access Your Data:
- View what data we have about you
- Export your data in a portable format (JSON) — go to Settings → Account → Export Data
Correct Your Data:
- Update inaccurate information
- Complete incomplete information
Delete Your Data:
- Delete your account and all associated data — go to Settings → Account → Danger Zone
- Request deletion of specific data
Withdraw Consent:
- Opt out of optional data processing
- Withdraw consent for marketing communications
6.2 GDPR Rights (European Economic Area)
If you are in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
Right to Access: Request a copy of your personal data.
Right to Rectification: Request correction of inaccurate data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data.
Right to Data Portability: Receive your data in a machine-readable format.
Right to Restrict Processing: Request we limit how we use your data.
Right to Object: Object to processing based on legitimate interests.
Rights Related to Automated Decision-Making: We do not make automated decisions with legal effects about you.
Legal Basis for Processing:
- Contract performance (providing the Service)
- Legitimate interests (security, service improvement)
- Legal obligations (compliance requirements)
- Consent (optional communications)
6.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: What personal information we collect, use, disclose, and sell.
Right to Delete: Request deletion of your personal information.
Right to Correct: Request correction of inaccurate personal information (CPRA).
Right to Opt-Out of Sale: We do NOT sell personal information.
Right to Limit Use of Sensitive Data: Limit how we use sensitive personal information (CPRA).
Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
Categories of Information Collected:
- Identifiers (name, email, IP address)
- Financial information (account balances, transactions)
- Internet activity (usage data)
- Geolocation (approximate)
Categories of Sources:
- You (directly provided)
- Automatic collection (usage data)
- Third parties (OAuth providers, bank connections)
Business Purposes:
- Providing the Service
- Security and fraud prevention
- Customer support
- Service improvement
6.4 Exercising Your Rights
To exercise your privacy rights:
Through the App:
By Email:
- Send requests to privacy@budgetspotlightapp.com
- Include your registered email address
- We will verify your identity before processing
Response Times:
- We respond to requests within 30 days
- Complex requests may take up to 45 days (with notice)
6.5 Appeals
If you disagree with our response to your privacy request:
- Contact us at privacy@budgetspotlightapp.com
- You may file a complaint with your local data protection authority
EEA Supervisory Authority: You can find your local authority at ec.europa.eu/justice/data-protection/bodies/authorities
7. International Data Transfers
7.1 Data Location
Our Service is hosted in the United States using Supabase (AWS infrastructure).
7.2 Transfer Mechanisms
If you are located outside the United States, your data is transferred internationally. We ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements with service providers
- Privacy Shield successor frameworks (where applicable)
7.3 EEA Data Transfers
For data transferred from the EEA, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions (for transfers to approved countries)
8. Children's Privacy
8.1 Age Requirement
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.
8.2 Household Members
While children may be beneficiaries of household budgets, children should not create their own accounts. If you believe a child has created an account, contact us at privacy@budgetspotlightapp.com.
9. Third-Party Services
9.1 Third-Party Integrations
The Service integrates with third-party services that have their own privacy policies:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google | OAuth sign-in | policies.google.com/privacy |
| Apple | OAuth sign-in | apple.com/legal/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| SimpleFIN | Bank synchronization | beta-bridge.simplefin.org/info/privacy |
| Plaid | Bank connections | plaid.com/legal |
| Supabase | Backend infrastructure | supabase.com/privacy |
| Vercel | Web hosting | vercel.com/legal/privacy-policy |
| Sentry | Error monitoring | sentry.io/privacy |
9.2 Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of external sites. Review their privacy policies before providing personal information.
10. Cookies and Tracking
10.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-* | Essential | Supabase authentication | Session |
| theme | Functional | Dark/light mode preference | 1 year |
| sidebar-collapsed | Functional | UI state | 1 year |
10.2 Essential Cookies
Essential cookies are required for the Service to function. They cannot be disabled. These include:
- Authentication tokens
- Session identifiers
- Security tokens (CSRF protection)
10.3 Functional Cookies
Functional cookies remember your preferences:
- Theme (light/dark mode)
- UI state (sidebar collapsed)
- Language preference
You can disable functional cookies in your browser settings, but some features may not work correctly.
10.4 Analytics
We may use privacy-focused analytics to understand how the Service is used. We:
- Do NOT use Google Analytics
- Do NOT use third-party advertising trackers
- Do NOT track users across websites
10.5 Do Not Track
We honor "Do Not Track" browser signals. When detected:
- We disable any optional analytics
- We do not change essential functionality
11. Changes to This Policy
11.1 Updates
We may update this Privacy Policy periodically. When we make material changes, we will:
- Update the "Last Updated" date
- Notify you by email
- Display a notice within the Service
11.2 Review
We encourage you to review this Privacy Policy periodically to stay informed about our data practices.
11.3 Previous Versions
Previous versions of this Privacy Policy are available upon request.
12. Contact Us
Privacy Questions
For privacy-related questions or to exercise your rights:
Email: privacy@budgetspotlightapp.com
Response Time: Within 30 days
General Support
For general questions about the Service:
Email: support@budgetspotlightapp.com
Website: https://www.budgetspotlightapp.com
Privacy at a Glance
| Question | Answer |
|---|---|
| Do you sell my data? | No, never. |
| Who can see my data? | You, your household members (based on role), and our service providers. |
| How is my data protected? | Encrypted at rest (AES-256) and in transit (TLS 1.3). |
| Can I export my data? | Yes, in JSON format from Settings → Account. |
| Can I delete my data? | Yes, from Settings → Account → Delete Account. |
| How long do you keep data? | Active data while your account exists; 30 days after deletion. |
| Do you use cookies? | Essential and functional cookies only. No advertising trackers. |
| Who do you share data with? | Service providers (Supabase, Stripe, etc.) for operating the Service only. |
BY USING BUDGET SPOTLIGHT, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.