Privacy Policy
Last updated: February 22, 2026
BudgetKit is an app operated by Gavyn Stanley ("I", "me", or "my"). I am committed to protecting your privacy. This policy explains what information BudgetKit collects, how it is used, and your rights.
Summary
BudgetKit is a personal finance application operated by Gavyn Stanley. Your financial data is stored on self-hosted servers so it can sync across your devices. I never sell your data or share it with third-party advertisers. All data is encrypted in transit and at rest.
Information I Collect
Account information
- Sign in with Apple — when you create an account using Apple, I receive your Apple ID user identifier and, if you choose to share them, your name and email address. Apple may provide a private relay email address instead of your real email.
- Sign in with Google — when you sign in with Google, I receive your Google account identifier, name, and email address from Google's OAuth service. Please review Google's Privacy Policy for details on how Google handles your information.
- Username and password — if you sign in with a username and password, I store your username and a securely hashed version of your password. Passwords are never stored in plain text.
- Passkeys — once your account is created, you may register a passkey (WebAuthn) as an additional sign-in method. I store the public key credential associated with your account. Your private key never leaves your device.
Financial data
- Transactions, accounts, and budgets — the financial data you enter or import is stored on my servers to enable syncing across your devices and to power features like notifications and widgets.
- SimpleFIN — if you connect bank accounts via SimpleFIN, your access token is used to fetch transactions from SimpleFIN's servers. Please review SimpleFIN's privacy policy for details on how they handle your data.
Analytics
BudgetKit uses Aptabase, a privacy-first, open-source analytics platform, to collect anonymous usage events. Aptabase does not use cookies, does not store IP addresses, and does not track users across sessions or applications. The events collected include things like sign-in method (e.g. Apple, Google, or password) and do not include personally identifiable information, financial data, or device identifiers. You can learn more at aptabase.com.
Beyond Aptabase, I do not use crash-reporting services or any third-party advertising trackers. I do not collect location data or usage telemetry beyond what Aptabase captures.
How I Use Information
I use the information collected to:
- Authenticate your account and provide access to the app
- Store and sync your financial data across your devices
- Import transactions from connected bank accounts via SimpleFIN
- Understand aggregate usage patterns to improve the app (via Aptabase)
- Respond to support requests if you contact me
I do not use your data for advertising, profiling, or any purpose beyond providing the BudgetKit service.
Data Sharing
I do not sell, rent, or share your personal or financial data with third parties, except:
- SimpleFIN — only if you choose to connect bank accounts, and only to import your transactions.
- Google — only if you choose to sign in with Google. Google receives an authentication request; I receive only your basic profile information in return.
- Aptabase — anonymous, non-identifiable usage events as described above.
- Resend — I use Resend to deliver transactional emails (such as account deletion confirmations and data breach notifications). Resend receives your email address solely for the purpose of sending these emails.
- Cloudflare — I use Cloudflare as a reverse proxy, CDN, and hosting provider for my API servers and marketing website. All network traffic between your device and my servers passes through Cloudflare's network. Cloudflare may process IP addresses and request metadata for security and performance purposes.
- Legal requirements — if required by law, regulation, or legal process.
Third-Party Services
Apple App Store & TestFlight
BudgetKit is distributed through Apple's App Store. Apple may collect information as part of the download and installation process. Please review Apple's Privacy Policy for details.
Google Sign-In
If you choose to sign in with Google, authentication is handled via Google's OAuth service. Please review Google's Privacy Policy for details on how Google processes your information during sign-in.
Aptabase Analytics
Aptabase is used for privacy-respecting analytics. Aptabase does not collect personally identifiable information and is GDPR compliant. See the Analytics section above for details.
Resend
I use Resend to deliver transactional emails. Resend receives your email address solely to send emails on my behalf and does not use it for any other purpose. Please review Resend's Privacy Policy for details.
Cloudflare
My API servers and marketing website are protected and served through Cloudflare, which acts as a reverse proxy and CDN. All traffic between your device and my servers passes through Cloudflare's network. Cloudflare may process IP addresses and request metadata as part of providing DDoS protection, performance optimization, and security services. Please review Cloudflare's Privacy Policy for details.
Data Security
All communication between the app and my servers uses HTTPS encryption. Data stored on my servers is encrypted at rest. Sensitive credentials like authentication tokens are stored in the system Keychain on your device. I recommend using a device passcode or biometrics to further protect access to the app.
Data Breach Notification
In the event of a data breach that compromises your personally identifiable information, I will notify affected users without unreasonable delay, as required by the Georgia Identity Theft Protection Act (O.C.G.A. § 10-1-910 et seq.) and any other applicable law. Notification will be provided by email to the address associated with your account, where permitted by law, and will describe the nature of the breach, the information involved, and steps you can take to protect yourself.
Data Retention & Deletion
Your data is retained as long as your account is active.
In-app deletion: You can request account deletion at any time from within the App by navigating to Settings → Delete Account. After confirming, a deletion request is submitted and your account and all associated data will be permanently deleted after a minimum 24-hour grace period. You may cancel the request within that window by contacting me at support@budget-kit.com.
You may also request deletion by emailing support@budget-kit.com if you are unable to access the App. I will process your request and confirm once deletion is complete.
Children's Privacy
BudgetKit is not directed to children under the age of 13 and I do not knowingly collect information from children.
Changes to This Policy
I may update this Privacy Policy from time to time. The updated policy will be posted at this URL with a revised "last updated" date.
Contact
If you have questions about this Privacy Policy, please contact me at:
support@budget-kit.com