Privacy Policy

Plain English — no legalese. Last updated May 2026.

GFinTrack is a personal finance app built to help you and your household track spending, investments, and taxes. Your financial data is sensitive — this policy explains exactly what we collect, how we use it, who can access it, and what your rights are under applicable privacy laws including GDPR and CCPA/CPRA.

Data Controller: GFinTrack (gfintrack.com) | Contact: privacy@gfintrack.com

Plain English Summary

Before the legal detail: here is exactly what this policy means in plain English.

  • Your financial data (transactions, balances, investments) lives in your own Google Sheet or OneDrive Excel file — not on our servers. We read it to show you insights, but we never copy it into our database.
  • We store only what's needed to run your account: your email, name, feature settings, hashed password, and session tokens to keep you logged in.
  • We do not sell your data, share it with advertisers, or use it to train AI models. Period.
  • Your data is encrypted at rest (AES-256) and in transit (HTTPS/TLS). Passwords are hashed with bcrypt — never stored in plaintext.
  • You can delete your account and all your data at any time — no waiting, no hoops. Settings → Account → Delete Account.
  • If there is ever a security breach affecting your data, we will tell you within 72 hours.

Want the full technical details? Visit our Trust & Security Center →

What Data We Collect

When you use GFinTrack, the following information is stored in our database (Supabase — PostgreSQL hosted on AWS):

  • Account info — email address, name, household name, and sign-in method (Google, Microsoft, or email/password)
  • Financial transactions — dates, payees, categories, amounts, and any notes you add
  • Budgets, goals, and rules — your budget categories, savings goals, and auto-categorization rules
  • Investment data — stock holdings, transactions, and performance history you enter
  • Tax data — deduction tags on transactions, retirement contributions, mileage logs, and donation records
  • Settings & preferences — filing status, state, feature preferences

We do not store your actual bank credentials, credit card numbers, or brokerage login information. GFinTrack has no connection to your bank — you import data manually via CSV or enter it directly.

We do not use cookies for tracking, advertising, or analytics. We use a single functional session cookie and a lightweight preference cookie (theme). No third-party tracking pixels or analytics SDKs are present in this app.

Legal Basis for Processing (GDPR — EU/EEA Users)

If you are located in the European Union or European Economic Area, we process your personal data on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): Processing your account data, financial transactions, budgets, and goals is necessary to provide the GFinTrack service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): Maintaining security logs, preventing fraud, and operating reliable infrastructure — balanced against your privacy interests.
  • Compliance with legal obligations (Art. 6(1)(c)): Where applicable law requires us to retain certain records.

We do not rely on consent as a legal basis for processing your financial data, because that processing is inherent to the service you requested.

Receipts & Documents — Stored in Your Cloud

Receipt images and tax documents (W-2s, 1099s, PDFs) that you upload are stored directly in your own Google Drive or OneDrive account — not in our database. We never see or store these files on our servers.

  • Files are uploaded to a folder you control in your personal cloud storage
  • Only you (and anyone you choose to share that Drive/OneDrive folder with) can access them
  • Our database stores only the file URL/ID, so we can display a link back to your file
  • Deleting your account removes the URL reference from our database, but does not delete the file from your Drive/OneDrive — you stay in control

This design means your most sensitive documents — tax forms, pay stubs, receipts — never touch our infrastructure. They live in your personal cloud storage account.

Who Can Access Your Data

You. When you sign in, you can only see data associated with your account. No other user can access your transactions, budgets, or any other data.

The service operator / admin. As the person who built and runs this app, access to the underlying database infrastructure is technically possible through the Supabase admin dashboard. This is no different from any hosted web service. We do not access, read, or share your data except to operate the service for you.

Nobody else. Your data is not sold, shared, or used for advertising. There are no third-party analytics SDKs or trackers in this app.

All database access from the app runs server-side only — the database credentials never reach your browser. Row-Level Security (RLS) is enabled on all tables, blocking any direct API access with public credentials.

Data Retention

We retain your personal and financial data for as long as your account is active. Specific retention periods:

Data Type | Retention Period
Account profile & preferences | Until account deletion
Financial transactions, budgets, goals | Until account deletion
Email verification tokens | 24 hours from issuance
Password reset tokens | 15 minutes from issuance
Server / security logs | 90 days
Deleted account data | Permanently deleted immediately upon request

When you delete your account, all personal data associated with your account is permanently and immediately removed from our active database. No backups containing your personal data are retained beyond 30 days after deletion.

How Your Data Is Protected

Encrypted at rest
All database data is encrypted at rest using AES-256 by Supabase on AWS infrastructure.

Encrypted in transit
All communication between your browser and our servers uses HTTPS/TLS encryption. Your data is never sent over an unencrypted connection.

Row-Level Security
Every database table has Row-Level Security enabled. Even if someone obtained a public database key, they could not query your data.

Passwords hashed
If you use email/password sign-in, your password is hashed with bcrypt (cost factor 12) before storage. We cannot read your password — ever.

Session isolation
Your session is a short-lived JWT token. You can invalidate all active sessions instantly from Settings → Account → Sign Out All Devices.

OAuth — no password stored
If you sign in with Google or Microsoft, we never receive your password. Authentication is handled entirely by Google/Microsoft on their servers.

Your Rights Under GDPR (EU/EEA Residents)

If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation. To exercise any of these rights, contact us at privacy@gfintrack.com or use the self-service tools in Settings. We will respond within 30 days.

Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. Use Settings → Account → Download My Data for an immediate self-service export.

Right to Rectification (Art. 16)
If any data we hold about you is inaccurate or incomplete, you can correct it directly in the app at any time, or contact us to update it.

Right to Erasure / Right to Be Forgotten (Art. 17)
You can permanently delete your account and all associated personal data from Settings → Account → Delete Account. Deletion is immediate and irreversible. Your uploaded receipts in Google Drive / OneDrive are not affected — they remain in your personal cloud storage.

Right to Data Portability (Art. 20)
You can export all your financial data as an Excel workbook at any time from Settings. The export includes all transactions, budgets, goals, and investment data in a machine-readable format.

Right to Restriction of Processing (Art. 18)
You may request that we restrict processing of your data in specific circumstances (e.g., while we resolve a dispute about its accuracy). Contact us at privacy@gfintrack.com.

Right to Object (Art. 21)
You may object to processing based on legitimate interests. Because our processing is primarily for performance of a contract (providing the service), this right is most relevant to any future processing based on legitimate interests.

Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of national data protection authorities is available at edpb.europa.eu.

Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific privacy rights.

Right to Know
You have the right to know what personal information we collect, use, disclose, and sell. This Privacy Policy describes our practices in full. You may also submit a verifiable request for specific information by emailing privacy@gfintrack.com.

Right to Delete
You have the right to request deletion of your personal information. Use Settings → Account → Delete Account for immediate self-service deletion.

Right to Correct
You have the right to request correction of inaccurate personal information. All data can be edited directly in the app.

Right to Data Portability
You have the right to receive your personal information in a portable format. Use Settings → Account → Download My Data.

Right to Opt Out of Sale or Sharing
GFinTrack does not sell or share your personal information with third parties for cross-context behavioral advertising. There is nothing to opt out of.

Right to Limit Use of Sensitive Personal Information
GFinTrack uses sensitive personal information (financial data) solely to provide the service you requested. We do not use it for any secondary purpose.

Non-Discrimination
We will not discriminate against you for exercising any CCPA/CPRA rights.

To submit a verifiable consumer request, email us at privacy@gfintrack.com from the email address associated with your account. We will respond within 45 days as required by law.

Third-Party Services We Use

Service | Purpose | Data Shared
Supabase (AWS) | Database & storage | Your financial data (encrypted at rest)
Vercel | App hosting / CDN | Request logs only (no financial data)
Resend | Transactional email | Your email address, one-time verification links
Google OAuth | Sign-in (if used) | Email address and display name only
Microsoft OAuth | Sign-in (if used) | Email address and display name only
Google Drive | Receipt storage (if connected) | Only files you explicitly upload
OneDrive | Receipt storage (if connected) | Only files you explicitly upload

No advertising platforms, analytics trackers, or data brokers are used.

International Data Transfers

GFinTrack is hosted on infrastructure operated by Supabase (AWS us-east-1) and Vercel (global CDN). If you are located in the EU/EEA, your data may be transferred to and processed in the United States. These transfers are governed by the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, and by Supabase's Data Processing Agreement which is available at supabase.com/legal/privacy.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of GFinTrack after changes become effective constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, want to exercise a data subject right, or have a concern about how your data is handled, please contact us:

GFinTrack — Privacy Team
Email: privacy@gfintrack.com
Website: gfintrack.com
Response time: within 30 days (GDPR) / 45 days (CCPA)