Budgeter Privacy Policy
Version: v1 (effective 2026-05-15) Last updated: 2026-05-17
The source-of-truth Markdown for this page lives in the public repository at docs/legal/privacy-policy.md. Past versions are preserved in git history.
1. Who we are
Budgeter is an iOS-first personal-finance and budgeting application operated by Drew Scheidt as a solo founder, pre-revenue. We are based in the United States.
- Owner: Drew Scheidt
- Security & privacy contact: security@trystackapp.com
2. Plain-English summary
We help you understand and manage your money. To do that we connect to your bank or brokerage on your behalf (with your explicit consent), pull your balances and transactions, and use them to build budgets and a chat-based money coach. We do not sell your data, we do not share it with advertisers, and we never see or store your bank password — Plaid and SnapTrade hold those credentials, never us.
If you delete your account inside the app, we delete your data immediately — no soft-delete grace window, no recoverable archive.
3. Information we collect
We collect only what we need to run the service.
3.1 Identity and account information
- Email address (used as your login identifier).
- A Supabase auth identity (Supabase Auth stores a hashed password if you sign up with email/password). We never see the plaintext password.
- An optional second factor (TOTP) if you enroll multi-factor authentication. The shared secret lives in Supabase Auth; we don’t see it.
3.2 Profile and preferences
What you tell us during onboarding or in settings:
- Display name (optional).
- Age range (optional, bucketed — e.g., 25–34).
- Location cost tier (low / medium / high — not a precise location).
- Household size.
- Money-personality preference.
- Timezone and quiet-hours window.
- Notification preferences.
3.3 Connected-account data (from Plaid and SnapTrade, with your consent)
When you connect a bank or brokerage:
- Account metadata: institution name, account type, currency, last-four mask.
- Balances: current and available balances.
- Transactions: posted and pending transactions — amount, merchant name, date, type.
- Account / routing identifiers (for ACH-eligible accounts) — stored masked.
- The provider access token Plaid or SnapTrade issues us, wrapped in authenticated symmetric encryption before it reaches our database (see §10).
We never see, store, or transmit your bank login password. Plaid’s End User Privacy Policy describes their data practices: https://plaid.com/legal/#end-user-privacy-policy.
3.4 Derived data
What Budgeter computes from the above:
- Categories assigned to transactions (some derived by Claude, see §6.3).
- Budgets and budget lines you create.
- Savings goals you create.
- Onboarding answers you submit.
3.5 Conversation history
If you use the chat coach:
- Messages between you and the assistant.
- Tool-call records when the assistant takes an action on your behalf (with your explicit confirmation at the time).
3.6 Audio (if you use voice)
When you tap the voice button:
- Audio bytes are streamed to Deepgram for speech-to-text, transcribed, and immediately discarded — we do not store raw audio.
- The transcribed text is treated as a chat message under §3.5.
3.7 Notifications
- Push tokens issued by Apple (APNs via Expo Push) so we can send notifications.
- Notification delivery records (sent at, opened at).
3.8 Operational telemetry
- Server logs — request method, path, status, timing, redacted user identifier. No request bodies. No authorization headers (redacted by Pino at the log layer).
- Error reports sent to Sentry when something throws.
- Audit log of security-relevant events (sign-ins, deletions, consent changes).
We do not use third-party analytics SDKs (no Google Analytics, no Segment, no Mixpanel).
4. What we do not collect
We want to be explicit about this:
- We do not track your location (no GPS, no Wi-Fi triangulation).
- We do not access your contacts, photos, calendar, or microphone except when you tap voice and only for the duration of that recording.
- We do not embed advertising SDKs, fingerprinting libraries, or session-replay tooling.
- We do not buy or enrich your data from third-party data brokers.
5. How we use your data
We use the data above to:
- Provide the service: show you your balances, categorize transactions, build budgets, run the chat coach.
- Notify you when budgets are exceeded, goals are nudged, or weekly recaps are due — only the kinds you’ve opted into.
- Diagnose issues when something breaks (Sentry error reports).
- Comply with legal obligations (e.g., responding to a valid subpoena targeted at a specific user).
We do not:
- Sell your data.
- Share your data with advertisers or data brokers.
- Use your data to train AI models, ours or anyone else’s. The only LLM we call is Anthropic’s Claude API, whose API data is not used for training (see §6.3).
- Combine your data with other Budgeter users’ data to build aggregate products.
6. Third-party processors
We share the minimum data necessary with these processors so they can perform a specific service for us. Each has its own privacy policy; we link below.
| Processor | Role | Data shared | Region |
|---|---|---|---|
| Plaid | Bank-account linking + transactions | Provider access token; we receive (not send) balances + transactions + account metadata. See https://plaid.com/legal/#end-user-privacy-policy. | US |
| SnapTrade | Brokerage linking | Provider access token; we receive holdings + transactions. https://snaptrade.com/privacy | US |
| Supabase | Authentication + JWT | Email, hashed password, optional MFA factor secret. https://supabase.com/privacy | US |
| Neon | Postgres database (production) | Everything in §3 except raw audio. Encrypted at rest (AES-256). https://neon.tech/privacy-policy | US |
| Anthropic | Claude LLM for chat + categorization | Your chat messages and a windowed transaction context. Anthropic’s API policy disables training on API data. https://www.anthropic.com/legal/privacy | US |
| ElevenLabs | Text-to-speech (assistant voice) | The text response only — no user data. https://elevenlabs.io/privacy | US |
| Deepgram | Speech-to-text (voice input) | Audio bytes for the duration of the request only — discarded after transcription. https://deepgram.com/privacy | US |
| Expo Push | iOS/Android push delivery | Push token + notification payload (title + body). https://expo.dev/privacy | US |
| Apple APNs | iOS push transport (via Expo) | Push token + notification payload. https://www.apple.com/legal/privacy/ | Global |
| Fly.io | API hosting + TLS termination | All request/response traffic in transit; nothing persisted by Fly beyond runtime logs. https://fly.io/legal/privacy-policy/ | US |
| Sentry | Error monitoring | Stack traces and error context. We do not send authorization headers, access tokens, or message bodies. https://sentry.io/privacy/ | US |
| Upstash Redis | BullMQ job queue | Job payloads (notification scheduling, categorization). No raw financial data — references by user ID. https://upstash.com/trust/privacy | US |
6.1 Data residency
Where region selection is available, processors are configured to US regions. We do not currently store consumer financial data outside the United States.
6.2 Plaid
Plaid acts as a regulated financial-data aggregator. When you connect a bank via Plaid Link inside Budgeter, Plaid takes you through their own consent flow first; Plaid’s End User Privacy Policy describes what they collect and how they use it. We use Plaid’s transactions, accounts, and auth products.
6.3 Anthropic and LLM data handling
We send your chat messages and a windowed slice of your transaction history (only what’s needed to answer the question) to Anthropic’s Claude API. Anthropic’s API terms state that API data is not used to train models and is retained only for the duration needed to deliver the response and run their abuse-monitoring. We do not enable Anthropic’s optional training opt-in.
7. Your rights
You can exercise any of these directly inside the app. If something isn’t working, email security@trystackapp.com and we will help.
- Access — view your profile, accounts, transactions, budgets, goals, and chat history from inside the app at any time.
- Correction — edit your profile, recategorize transactions, edit budgets and goals inside the app.
- Deletion — Settings → Delete my account. This calls `DELETE /me/account` and removes your data immediately and irreversibly: profile, accounts, transactions, budgets, goals, chat history, push tokens, and the provider access tokens we hold. Your Supabase authentication identity is removed as well. A small audit-log tombstone (`account_deleted` with `user_id = null`) is retained for 24 months as proof the deletion happened — it contains no identifying data.
- Revoke consent — Settings → Connected accounts disconnects an institution, which clears the corresponding provider access token. You can also revoke a specific consent record via the API (`DELETE /consents/:id`).
- Export — on request to security@trystackapp.com. We will deliver your data as JSON within 30 days. Self-service export is a tracked follow-up.
- California residents (CCPA/CPRA) — you have the same rights above and the right to opt out of “sale” or “sharing” of your personal information. We do not sell or share your personal information.
- EEA / UK residents — we do not currently serve EEA or UK users. If we begin to, this policy will be amended with the GDPR-required disclosures.
8. Data retention
| Data | Retention |
|---|---|
| Authentication identity (email, hashed password) | Lifetime of account; immediately removed on user-initiated deletion |
| Provider access tokens | Lifetime of the connected account; immediately removed on account deletion |
| Financial transactions | Rolling 24 months from posting date |
| Account snapshots (balances, masks) | Lifetime of the connected account |
| Chat history | Rolling 12 months |
| Budgets and goals | Lifetime of account |
| Notifications | 12 months |
| Audit log entries | 24 months (survives user deletion as a user_id = null tombstone — no PII) |
| Server request logs | Fly.io retention (currently 30 days) |
| Error telemetry | Sentry retention (currently 90 days) |
9. Children
Budgeter is intended for users 18 and older. We do not knowingly collect data from children under 13 (US COPPA) or, where applicable, minors under 18. If you believe a minor has signed up, email security@trystackapp.com and we will delete the account.
10. Security
- In transit: TLS 1.2 or 1.3 only, enforced at the Fly.io edge, plus a 2-year HSTS header with `includeSubDomains`.
- At rest: Neon Postgres encrypts everything at the storage layer (AES-256). Provider access tokens are additionally wrapped at the application layer with ChaCha20-Poly1305 authenticated encryption, so a database compromise alone (without the application-layer key) does not yield live banking access.
- Authentication: Every authenticated API endpoint is gated by Supabase JWT verification. Plaid Link is gated behind both your own multi-factor authentication enrollment (§3.1) and an explicit per-user consent record.
- Dependencies: Every pull request fails CI on a `high` or higher vulnerability in production dependencies. Dependabot files security advisories continuously.
- Incident response: Detection, notification, and post-mortem procedures are defined. Confirmed breaches that affect users trigger email notice to the affected users within 72 hours.
Full security evidence (TLS, at-rest, vulnerability management, incident response) is published in the public repository under docs/security/.
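The at-rest bullet above says provider access tokens are wrapped with ChaCha20-Poly1305 at the application layer before they reach the database. The following is an added illustration of that technique, written for this page with Node’s built-in `crypto` module; it is not Budgeter’s own code and is not taken from docs/security/. It goes one step further than the bullet states and binds each ciphertext to the owning user and provider through the AEAD’s associated data, so a ciphertext copied into another user’s row, or attached to the wrong provider, fails authentication. The storage layout (version byte, 12-byte nonce, ciphertext, 16-byte tag), the `user:provider` binding, and the demo key are assumptions of this example, not documented Budgeter behaviour.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed storage layout (not Budgeter's documented format):
//   base64( VERSION(1) || nonce(12) || ciphertext || tag(16) )
const VERSION = 1;
const NONCE_LEN = 12; // ChaCha20-Poly1305 IETF nonce size
const TAG_LEN = 16;   // Poly1305 tag size

// Associated data ties the blob to one user and one provider. It is
// authenticated but not encrypted, so the row it belongs to cannot be
// swapped without the tag check failing.
function aadFor(userId: string, provider: string): Buffer {
  return Buffer.from(`${provider}:${userId}`, "utf8");
}

// Wrap a provider access token for storage. The 32-byte key must live
// outside the database (env var, KMS, secret store); it is what keeps a
// database dump from yielding live tokens.
export function wrapToken(key: Buffer, userId: string, provider: string, token: string): string {
  if (key.length !== 32) throw new Error("key must be 32 bytes");
  const nonce = randomBytes(NONCE_LEN); // fresh per wrap; never reuse under one key
  const plaintext = Buffer.from(token, "utf8");
  const cipher = createCipheriv("chacha20-poly1305", key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(aadFor(userId, provider), { plaintextLength: plaintext.length });
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([Buffer.from([VERSION]), nonce, ct, tag]).toString("base64");
}

// Unwrap a stored blob. Returns null on any failure (wrong key, wrong
// user/provider binding, bit flip, truncation, unknown version) so the
// caller never sees a partially decrypted token.
export function unwrapToken(key: Buffer, userId: string, provider: string, blob: string): string | null {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < 1 + NONCE_LEN + TAG_LEN || buf[0] !== VERSION) return null;
  const nonce = buf.subarray(1, 1 + NONCE_LEN);
  const tag = buf.subarray(buf.length - TAG_LEN);
  const ct = buf.subarray(1 + NONCE_LEN, buf.length - TAG_LEN);
  const decipher = createDecipheriv("chacha20-poly1305", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(aadFor(userId, provider), { plaintextLength: ct.length });
  decipher.setAuthTag(tag); // must be set before update() for this mode
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed; do not leak why
  }
}

// Constructed demo key and token; a real deployment loads the key from
// a secret store and receives the token from Plaid/SnapTrade.
export const demoKey = randomBytes(32);
export const demoToken = "access-sandbox-constructed-0000";

// Exercise the success path and the four failure modes a practitioner
// cares about: row swap, provider mismatch, tampering, wrong key.
export function demo() {
  const blob = wrapToken(demoKey, "user-a", "plaid", demoToken);
  const roundTrip = unwrapToken(demoKey, "user-a", "plaid", blob);
  const rowSwap = unwrapToken(demoKey, "user-b", "plaid", blob);
  const wrongProvider = unwrapToken(demoKey, "user-a", "snaptrade", blob);
  const raw = Buffer.from(blob, "base64");
  raw[1 + NONCE_LEN] ^= 0x01; // flip one bit of the first ciphertext byte
  const tampered = unwrapToken(demoKey, "user-a", "plaid", raw.toString("base64"));
  const wrongKey = unwrapToken(randomBytes(32), "user-a", "plaid", blob);
  const second = wrapToken(demoKey, "user-a", "plaid", demoToken);
  return { roundTrip, rowSwap, wrongProvider, tampered, wrongKey, distinctBlobs: blob !== second };
}

console.log(JSON.stringify(demo()));
```

Two details carry the security argument: the nonce is random per wrap, so the same token stored twice yields different blobs and nothing about it can be correlated across rows, and every failure collapses to `null` rather than a distinguishable error. Rotating the key means re-wrapping every stored blob; the leading version byte is what lets old and new formats coexist during that migration.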
11. International data transfers
Our processors operate in the United States. Users accessing Budgeter from outside the US should be aware that their data is processed in the US. We do not currently serve users in jurisdictions whose laws restrict such transfers (EEA / UK / certain other regions); this policy will be amended before we begin to.
12. Changes to this policy
When we change this policy in a way that materially affects how we collect, use, or share your data, we will:
- Increment the `Version` header at the top of this document.
- Increment `PRIVACY_POLICY_VERSION` in `apps/mobile/src/consent/PlaidConsentScreen.tsx`. The next time you open Budgeter and reach the Plaid consent gate, the mobile client will detect the new version and prompt you to re-consent.
- Post the new version to https://privacy.trystackapp.com/ immediately.
Non-material changes (typos, clarifications, broken links) are made in place without a version bump and are reflected by the Last updated date at the top.
Past versions are preserved in this repository’s git history at the path docs/legal/privacy-policy.md.
13. Contact
- Email: security@trystackapp.com
- Purpose: privacy inquiries, data-deletion or export requests beyond the in-app flow, security disclosures, breach notifications.
Acknowledgement within 3 business days. Substantive response within 30 days.