Privacy Policy

Last updated: 29 April 2026

Effective: 29 April 2026

This Privacy Policy explains what personal data Budgero collects, how it's used and shared, and the rights you have under applicable privacy laws — primarily the EU/UK General Data Protection Regulation (GDPR / UK GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA).

It's written in plain English. Where a section matters legally — like lawful bases or your rights — the legal terms are preserved so you can compare it against the regulations. If anything is unclear, email [email protected].


1. Who we are

Budgero is the “data controller” for the personal data processed through the service for the purposes of GDPR.

Privacy contact: [email protected]
General contact: [email protected]

At Budgero's current scale (small user base, no special-category data, no large-scale monitoring), the exemption in GDPR Art. 27(2)(a) from the EU-representative requirement applies: processing is occasional, not large-scale, and unlikely to result in a risk to individuals. If the project grows past that threshold, an EU representative will be appointed and this policy updated. The same applies to a UK representative under UK GDPR Art. 27.


2. The short version

  • Your financial data is end-to-end encrypted. Transactions, budgets, balances, categories, and notes are encrypted on your device with a key derived from your password. Nobody without your password can read them: not Budgero, not its providers, not an attacker who obtains the stored ciphertext, not a government. This is the part of Budgero called zero-knowledge. The flip side, covered in §9, is that the vault cannot be recovered without the password.
  • The rest is normal SaaS data. Running the service still requires an email and password (handled by an auth provider), billing details (handled by a payments provider), product analytics (handled by an EU analytics provider), and email logs (handled by an email provider). For shared workspaces, the display name you give a workspace and the email addresses of people you invite are also stored in plaintext so that collaboration can work — see §3.2 for the precise carve-out. The full list is in §6 below.
  • Personal data is never sold. Budgero doesn't share data with advertisers in any way that GDPR or the CCPA defines as a “sale” or “share.” The only third-party advertising tag, Google Ads, loads only after you accept it via the cookie banner.
  • You have full rights under GDPR / UK GDPR / CCPA, including the right to access, correct, delete, and export your data, and to complain to your local data-protection authority. See §10.
  • Marketing cookies and trackers require your consent, and product analytics can be switched off. The “Manage cookies” link in the footer of every page lets you change your choice at any time.

3. What personal data is collected

3.1 Account data

  • Email address
  • Password — never stored in plain text; hashed and salted by the authentication provider (Clerk)
  • Account preferences and settings
  • A unique account identifier (Clerk user ID)

3.2 Encrypted vault data (zero-knowledge — unreadable by Budgero)

  • Transactions, budgets, balances, categories, notes, spending data
  • Encrypted on your device with AES-256 using a key derived from your password
  • Only the resulting ciphertext is stored on the server

What zero-knowledge does not cover. To make shared workspaces and real-time sync work, Budgero stores a small amount of collaboration metadata on the server in plaintext: the display name you give to a workspace, the email addresses of people you've invited to it, membership roles, and sync version numbers. Push-notification payloads themselves are encrypted; only the account and workspace identifiers needed to route them are stored in plaintext. This metadata never includes any of the financial content listed above — your transactions, balances, and categories remain unreadable by Budgero.

3.3 Billing and subscription data

  • Plan, price, currency, subscription status, renewal date, country (for tax)
  • Order ID, last four digits of payment method (where provided to us)
  • Full payment-instrument data (card number, etc.) is collected and held by the payments provider (LemonSqueezy), not by Budgero

3.4 Service-email metadata

  • Send/open/bounce events for transactional emails (welcome, trial-ended, inactivity, password reset, billing receipts)

3.5 Product analytics (pseudonymous)

  • Page URLs, screen size, browser, operating system, referrer
  • IP address — used at request time for coarse geolocation and abuse-prevention, then discarded server-side. It is not retained alongside the analytics events.
  • Event names — for example Checkout Started, Purchase, Subscription Canceled, Trial Started
  • Event properties for commercial events only — plan, amount, currency, the cancellation reason you provide
  • A pseudonymous user identifier (your Clerk user ID), so events from the same account can be correlated across sessions
  • No session recording, autocapture, heatmaps, or surveys

3.6 Marketing analytics — consent-gated

  • If — and only if — you accept the “Marketing” category in the cookie banner: a Google Ads click identifier (gclid), a conversion event, and the request data Google's tag (gtag) collects (IP address, browser, page URL)
  • If you decline or ignore the banner, none of this is collected

3.7 Server / security logs

  • Request logs from the hosting provider — IP address, timestamp, request path, response status, user agent — used for service operation, security, and abuse-prevention

Not collected: financial-account credentials (Budgero doesn't connect to banks), location data beyond IP-based country, contacts, photos, microphone, or any of the special categories of personal data listed in GDPR Art. 9.


4. Why it's used, and on what lawful basis

For users in the EU/UK, Budgero identifies a lawful basis for each processing purpose under GDPR Art. 6:

Purpose | Categories of data | Lawful basis (GDPR Art. 6)
Provide the Budgero service (account creation, login, sync, vault storage) | Account data, encrypted vault data | Performance of a contract — Art. 6(1)(b)
Take payment and manage your subscription | Billing & subscription data | Performance of a contract — Art. 6(1)(b)
Send service emails (welcome, trial-ended, inactivity, security, billing receipts) | Email + send/open/bounce metadata | Performance of a contract — Art. 6(1)(b); legitimate interest in keeping you informed about your account — Art. 6(1)(f)
Comply with tax, accounting, and other statutory obligations | Billing & subscription data | Legal obligation — Art. 6(1)(c)
Detect, investigate, and prevent abuse, fraud, and security incidents | Server logs, IP, account data | Legitimate interest in protecting the service and its users — Art. 6(1)(f)
Product analytics (understanding what features get used and where users drop off) | Pseudonymous analytics events (§3.5) | Legitimate interest in improving the product — Art. 6(1)(f). You can object at any time (see §10).
Marketing analytics (measuring the effectiveness of paid acquisition campaigns) | Google Ads click ID, conversion event, gtag request data | Consent — Art. 6(1)(a). Collected only after you accept the “Marketing” category in the cookie banner. You can withdraw consent at any time via “Manage cookies.”

Where Budgero relies on legitimate interest, the balance between that interest and your rights has been considered. If you'd like to talk through the reasoning for any specific case, email [email protected].


5. How long it's kept

Category | Retention
Account data (email, account ID, preferences) | For the life of your account, plus up to 30 days after deletion to allow for recovery and to flush backups
Encrypted vault data | For the life of your account; deleted within 30 days of account deletion (Budgero cannot read it at any point)
Billing records (orders, invoices) | Retained as required by applicable tax and accounting law (typically 5–10 years); after that, deleted
Service-email send/open/bounce metadata | Up to 90 days in the email provider, then deleted
Product-analytics events (pseudonymous) | Up to 6 months in the analytics provider
Product-analytics person profiles | Up to 12 months of inactivity, then deleted
Marketing-analytics data (Google Ads) | Per Google Ads' default retention; you can request earlier deletion via the rights described in §10
Server / security logs | Up to 30 days for routine operations; up to 1 year for entries flagged as security-relevant

When you delete your account, the data above is deleted or anonymized on the schedules listed, except where Budgero is legally required to retain it (e.g. tax records).


6. Who it's shared with (Sub-processors)

Personal data is never sold or rented. Limited personal data is shared with the service providers listed below, who act on Budgero's instructions under written contracts (Data Processing Agreements where the provider offers them). Each provider's standard contractual terms are reviewed before they are added.

Provider | Role | Personal data shared | Region
Clerk | Authentication and account management | Email, password (hashed), account ID | EU residency configured
PostHog Cloud EU | Product analytics | Pseudonymous events (§3.5), IP (at request time only, see §3.5), account ID | EU
LemonSqueezy | Payments and subscription billing | Email, billing address, plan, payment-instrument data | US (with SCCs)
Resend | Transactional email delivery | Email address, message content of service emails | EU / US (with SCCs)
Google Ads (gtag) (consent-gated) | Marketing-analytics conversion tracking | Click ID, conversion event, IP, browser | US (with SCCs)
Hosting provider | Application hosting and server logs | All data above transits or is logged here at the network level; vault data transits only as ciphertext | EU

Budgero may also disclose personal data to:

  • Professional advisers (lawyers, accountants) under duties of confidentiality, when required;
  • Law-enforcement or regulators where compelled by valid legal process — in which case, where lawful, you'll be notified.

7. International transfers

Some of the providers in §6 process personal data outside the European Economic Area — primarily in the United States.

For provider transfers outside the EEA (e.g. LemonSqueezy, Resend US region, Google Ads), Budgero relies on the provider's European Commission Standard Contractual Clauses (SCCs, 2021 version) and equivalent UK addenda where applicable. Vault data remains end-to-end encrypted across all providers and is unreadable by anyone other than you.


8. Cookies and tracking

No marketing cookies or third-party advertising scripts (including Google Ads) load until you accept them via the consent banner; product analytics is handled as described under “Analytics” below. The categories are:

  • Strictly necessary — required to log you in and keep the site working. Always on; cannot be disabled.
  • Analytics — pseudonymous product-usage analytics (PostHog Cloud EU). Treated as legitimate interest in the EU/UK; you can opt out via “Manage cookies” or via Settings → Security & Privacy in the app.
  • Marketing — Google Ads conversion tag. Off by default. Loaded only after you click Accept on the relevant banner category.

You can change your choice at any time via the Manage cookies link in the footer of every page on https://budgero.app.


9. How data is secured

  • End-to-end encryption for vault data — AES-256 with a key derived from your password on your device. The key never leaves your device, Budgero never sees plaintext vault data, and the stored ciphertext cannot be decrypted without your password.
  • TLS 1.2+ for all data in transit.
  • Encryption at rest at the database and storage layers.
  • Single-operator access controls. Only the operator has administrative access; that access is used solely to run the service.
  • Vendor due diligence when choosing each provider in §6.
  • Breach response — if a personal-data breach occurs that's likely to result in risk to your rights, the relevant supervisory authority will be notified within 72 hours of becoming aware (GDPR Art. 33), and affected users notified without undue delay where the risk is high (Art. 34).

Important caveat: zero-knowledge means your vault cannot be recovered if you forget your password. Store it somewhere safe — a password manager is the standard answer.


10. Your rights

Wherever you live, you can:

  • Access the personal data Budgero holds about you — request a copy
  • Correct inaccurate personal data (rectification)
  • Delete your account and associated personal data (“right to erasure”) — subject to legal-retention exceptions
  • Export your data in a portable, machine-readable format (data portability)
  • Restrict processing while a dispute is resolved
  • Object to processing based on legitimate interest, including analytics
  • Withdraw consent at any time for anything processed on the basis of consent (e.g. marketing analytics) — withdrawal does not affect the lawfulness of processing before the withdrawal
  • Not be subject to automated decisions that produce legal or similarly significant effects — Budgero does not perform such automated decision-making

To exercise any of these, email [email protected]. Requests will be answered as fast as possible, and within one month as required by GDPR Art. 12(3) (extendable by up to two further months for complex or numerous requests, with notice).

You can also lodge a complaint with a supervisory authority:

  • EU/EEA residents: with the data-protection authority of your habitual residence, place of work, or place of the alleged infringement. A list is published by the EDPB at https://edpb.europa.eu.
  • UK residents: the Information Commissioner's Office at https://ico.org.uk.

11. California residents (CCPA / CPRA notice)

If you're a California resident, this section gives you additional disclosures required by the California Consumer Privacy Act, as amended.

Categories of personal information collected, mapped to the CCPA categories: identifiers (email, account ID, IP), commercial information (subscription plan), internet/network activity (analytics events, server logs), inferences (none). These are collected for the business purposes described in §4.

Sources: directly from you, from your device, and from service providers.

Disclosure for a business purpose: only to the service providers in §6.

Sale or sharing of personal information: Personal information is not sold or shared as those terms are defined in the CCPA. Budgero does not engage in cross-context behavioural advertising. The Google Ads conversion tag described in §3.6 fires only on consent and sends the conversion event and the Google click identifier (gclid), not your Budgero account identifier, for measurement of campaigns Budgero runs.

Because nothing is sold or shared, no “Do Not Sell or Share My Personal Information” link is provided. You can still exercise the rights to know, correct, delete, and limit the use of sensitive PI by contacting [email protected].

Sensitive personal information is not used or disclosed for purposes other than those identified in the CCPA regulations (11 CCR §7027(m)).

You will not be discriminated against for exercising your rights.


12. Children's privacy

Budgero is not directed to and may not be used by individuals under the age of 16, or under the local digital-consent age where it is higher. Personal data is not knowingly collected from children. If you believe a child has provided personal data, email [email protected] and it will be deleted.


13. Changes to this policy

This policy may be updated as the service or the law changes. The “Last updated” date at the top of this page will reflect the latest revision. For material changes affecting how personal data is used, you'll be notified by email before the change takes effect.


14. Contact