Privacy Policy
Effective date: March 3, 2026 · Last updated: March 3, 2026
This Privacy Policy describes how PennyTracker (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use our service. By using PennyTracker, you agree to the practices described in this policy.
1. Information We Collect
We collect the following information when you use PennyTracker:
- Account information: Your email address and a securely hashed version of your password. We never store or log your plaintext password.
- Financial data: Expense records (amounts, descriptions, merchants, dates), categories, and budget settings that you voluntarily enter into the app.
- Profile information: An optional display name if you choose to provide one.
- Session tokens: A secure, HTTP-only cookie used to keep you signed in.
- Technical data: Basic request metadata (IP address, browser type, device type) may be processed automatically by our hosting provider, Vercel, as part of normal web infrastructure operation.
2. How We Use Your Information
We use the information we collect solely to provide and improve the PennyTracker service:
- To authenticate your account and maintain your session.
- To store, display, and process your financial data on your behalf.
- To send password reset emails if you request them.
- To respond to support requests you submit.
We do not sell, rent, share, or disclose your personal data to third parties for marketing, advertising, or any purpose unrelated to providing the service.
3. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on Supabase, and the application is served via Vercel’s global infrastructure. Both providers implement industry-standard security controls.
Security measures we apply include:
- Passwords hashed with bcrypt (12 rounds) — never stored in plaintext.
- All data transmitted over HTTPS (TLS encryption in transit).
- HTTP-only, Secure, SameSite session cookies to prevent XSS and CSRF attacks.
- Row-level data isolation — your data is only accessible with your credentials.
While we implement reasonable security measures, no system is completely secure. We cannot guarantee absolute security of your data.
4. Third-Party Services
PennyTracker relies on the following third-party providers to operate. These providers may process your data as part of providing their services to us:
- Supabase — database hosting and infrastructure. Your data is stored in Supabase-managed PostgreSQL databases.
- Vercel — application hosting, serverless functions, and global content delivery.
We do not use any advertising networks, analytics platforms, or tracking services.
5. Cookies and Session Tokens
We use a single authentication cookie to keep you signed in. This cookie is:
- HTTP-only (not accessible to JavaScript).
- Marked Secure (only sent over HTTPS in production).
- Set to expire after 30 days of inactivity.
We do not use advertising cookies, tracking pixels, or any third-party cookies. You can clear cookies at any time via your browser settings, which will sign you out.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account through the Settings page, all associated data — including your profile, expenses, categories, budgets, and support tickets — is permanently and irreversibly deleted from our database.
Backups maintained by our infrastructure providers (Supabase) may retain data for a short additional period per their own retention policies.
7. Your Rights
Depending on your location, you may have rights over your personal data under applicable privacy laws (including GDPR, CCPA, and similar regulations). These rights may include:
- Access: View all your data within the app at any time.
- Correction: Update your profile information and financial records via the app.
- Deletion: Delete your account and all associated data via Settings → Danger Zone.
- Export: Download a CSV of all your expenses via Settings → Export data.
- Objection / Restriction: Contact us if you wish to object to or restrict any processing not covered by the above in-app options.
To exercise any rights not available in the app, contact us at the address below.
8. International Data Transfers
PennyTracker is a global service. Your data may be stored and processed in countries other than your own, including the United States and the European Union, where Supabase and Vercel maintain infrastructure. By using the service, you consent to this transfer.
We rely on standard contractual clauses and the data processing agreements provided by Supabase and Vercel to safeguard international transfers.
9. Children's Privacy
PennyTracker is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Continued use of PennyTracker after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:
- Email: support@pennytrackerapp.com