Privacy policy
Last updated: 9 June 2026
TL;DR. Inside the Budjo app, nothing is tracked. Before you sign in, your data stays in your browser. Once you sign in — on any plan, free or paid — your data syncs to Supabase (Asia Pacific servers, Mumbai region) under strict per-user access control. It is not end-to-end encrypted. Payments are handled by Stripe (USA); transactional email by Resend (USA). The marketing site uses Google Analytics, but only if you accept cookies. We don't sell your data, ever.
Budjo is built to keep budgeting simple and private. This page explains, in plain language, what data we collect, what we can see, what we can't, and how to contact us.
Who we are
Budjo is operated by Fabio Zanchi Mancuso trading as Budjo (ABN 46 596 098 326), based in Queensland, Australia. We're the data controller for personal data processed via Budjo. For privacy questions, email support@budjo.app (we read every email).
What we store
Before you sign in (no account)
Every transaction, account, bill, and preference lives in localStorage on your device. We can't see any of it.
When you're signed in
Once you sign in — on any plan, free or paid — your data syncs to Supabase (hosted in Asia Pacific, Mumbai region) under row-level-security (RLS) policies that tie every row to your user ID. No user outside your household (see "Households share data" below) can read your rows. We store:
- Your email address (for login and account recovery)
- Your transactions, accounts, categories, bills, goals, and preferences
- Free-text notes you write (treat these as you would any private note)
- Receipt images you attach to transactions, kept in Supabase Storage (paid plans)
- Stripe customer ID and subscription status (no card details)
- Authentication metadata (last login, OAuth provider if used), plus an export log if you email an accountant export (see below)
What we never store
- Card numbers, CVVs, or expiry dates (Stripe handles those)
- Your bank login credentials (we don't connect to your bank)
- Any data from inside the app for analytics
Receipts you upload
If you attach a receipt, the image is stored in Supabase Storage and is visible to everyone in your household. Receipts are meant for images of your own records. We don't scan, moderate, or virus-check uploads, and images can carry metadata (such as location) — you're responsible for what you upload. Removing a receipt deletes the image.
Households share data
If you're in a household, the other members can see the financial data, notes, and receipts in that household. Don't enter anything you don't want them to see.
Accountant export
You can choose to email a CSV of your transactions to a recipient you pick (for example, your accountant). When you do, you're sending your own data to a third party of your choosing, and we store that recipient's email address in an export log. We're not responsible for what the recipient does with it.
Why we process your data (legal basis)
Under GDPR Article 6, we process data for these reasons:
| What we do | Why we're allowed to | Legal basis |
|---|---|---|
| Run your account, sync your data, deliver features | To provide the service you signed up for | Contract. Art. 6(1)(b) |
| Process payments via Stripe | To bill you for your subscription | Contract. Art. 6(1)(b) |
| Log edge-function errors (rate of 500s, webhook failures) | To fix bugs and keep the service running | Legitimate interest. Art. 6(1)(f) |
| Marketing-site analytics (Google Analytics) | Only if you accept cookies | Consent. Art. 6(1)(a) |
| Retain Stripe transaction records | Tax and audit obligations | Legal obligation. Art. 6(1)(c) |
For Australian users, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
What we track
Inside the Budjo app: nothing.
Your transactions, accounts, and preferences are never sent to an analytics tool. Period.
On the marketing site (budjo.app)
We use Google Analytics 4 to understand which pages get traffic and where visitors come from, but only if you accept analytics cookies via the consent banner. If you reject them, GA never loads. We use Google Consent Mode v2 to honour your choice in real time. IP addresses are anonymised, and data retention is set to 14 months in GA4 admin. GA never sees anything you do inside the app itself.
You can change your cookie choice anytime via the Cookie settings link in the footer of budjo.app.
Error logs
Error events on our edge functions (rate of 500s, webhook failures) are logged for bug-fixing. Those logs don't contain your financial data.
Sub-processors
We use these third parties to run Budjo. Each is bound by data-processing terms.
| Sub-processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage (receipts), edge functions | Asia Pacific (Mumbai, India) | supabase.com/privacy |
| Stripe, Inc. | Payment processing | USA (DPF-certified, EU SCCs in place) | stripe.com/privacy |
| Resend (Plus Five Five, Inc.) | Transactional email — sign-in links, codes, household invites, accountant exports | USA | resend.com/legal/privacy-policy |
| Google LLC | Sign-in (OAuth) and marketing-site analytics (consent-based only) | USA (DPF-certified) | policies.google.com/privacy |
| Hostinger International Ltd | Static marketing-site hosting | Asia Pacific (Australian region) | hostinger.com/privacy-policy |
We'll update this list before adding any new sub-processor that handles personal data.
International data transfers
- Supabase stores your synced data on Asia Pacific servers (Mumbai, India). Transfer to/from the EU, UK, USA and other regions is protected by Standard Contractual Clauses (SCCs) included in Supabase's data-processing agreement.
- Stripe processes payments in the USA. Transfer is protected by Standard Contractual Clauses (SCCs) and Stripe's certification under the EU-US Data Privacy Framework (DPF).
- Resend sends transactional email from the USA, protected by Standard Contractual Clauses (SCCs).
- Google Analytics transfers analytics data (only if you consent) to the USA under the DPF and with IP anonymisation enabled.
- Hostinger stores the marketing-site files in their Asia Pacific region.
Sync and encryption
When you're signed in, your data is serialised and sent over HTTPS (TLS) to Supabase. Supabase encrypts all data at rest using AES-256. Access is controlled by per-user Row-Level Security policies: no user outside your household, and no part of our system outside the relevant edge functions, can read your rows.
Budjo does not currently use end-to-end encryption on the sync layer. Supabase, as the database host, can see the stored rows, and our edge functions (which run with a service-role key that is not subject to RLS) can read them; RLS restricts what each signed-in user can read through the API. We're working on an optional E2E layer so that we can't read your rows even with database access.
Security
- TLS in transit. Every request encrypted via HTTPS.
- Encryption at rest. AES-256 on the database (Supabase default).
- Row-Level Security. Every row tied to your user ID; users outside your household can't read your data.
- Authentication. Handled by Supabase Auth (Google OAuth + email/password). Passwords are stored only as hashes inside Supabase Auth; Budjo's own code never stores them.
- PCI compliance. Card data never touches Budjo servers; checkout runs on Stripe's hosted pages (Stripe is a PCI DSS Level 1 service provider).
- Access controls. The service-role key, which bypasses RLS, is used only inside edge functions; browser-side access uses your own user session, which is bound by RLS.
- Audit logs. Supabase records auth events; Stripe records all payment events.
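To make the RLS and access-control claims in "Sync and encryption" and "Security" concrete, here is an added illustration of what per-user and per-household row policies look like on a Supabase Postgres database. This is example code, not Budjo's schema or policies: the table and column names are hypothetical, and it assumes Supabase's standard `authenticated`/`anon` roles and the `auth.uid()` helper, which returns the calling user's UUID from the request JWT.

```sql
-- Added illustration, not Budjo's schema or policies. Assumes Supabase Postgres:
-- the authenticated/anon roles and auth.uid() (the calling user's UUID, read from
-- the request JWT) exist; table and column names here are hypothetical.
create table public.transactions (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null default auth.uid() references auth.users (id) on delete cascade,
  household_id uuid,                       -- null when the row is not shared
  amount_cents bigint not null,
  note         text
);

create table public.household_members (
  household_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  primary key (household_id, user_id)
);

-- 1. Without these lines every policy below is ignored and any authenticated
--    user can read the whole table through the API.
alter table public.transactions enable row level security;
alter table public.household_members enable row level security;

-- 2. Read: the owner, or anyone who is a member of the row's household.
create policy "owner or household member can read"
  on public.transactions for select
  to authenticated
  using (
    user_id = auth.uid()
    or exists (
      select 1 from public.household_members hm
      where hm.household_id = transactions.household_id
        and hm.user_id = auth.uid()
    )
  );

-- 3. Write: USING alone is not enough. A policy with only USING would let a
--    caller insert a row stamped with someone else's user_id; WITH CHECK
--    validates the row being written.
create policy "owner can insert"
  on public.transactions for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "owner can update"
  on public.transactions for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "owner can delete"
  on public.transactions for delete
  to authenticated
  using (user_id = auth.uid());

-- The subquery in the read policy above runs under RLS too, so members need
-- to be able to see their own membership rows.
create policy "member can see own memberships"
  on public.household_members for select
  to authenticated
  using (user_id = auth.uid());

-- No policy is granted to anon, so unauthenticated requests see nothing.
-- The service_role key bypasses RLS entirely, which is why it belongs only in
-- server-side code (edge functions) and never in the browser bundle.

-- 4. Self-check from the SQL editor: impersonate a user and confirm that a
--    cross-user read comes back empty and a cross-user insert is rejected.
set role authenticated;
set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from public.transactions
  where user_id <> auth.uid();                            -- cross-user read: RLS filters these rows out
insert into public.transactions (user_id, amount_cents)
  values ('00000000-0000-0000-0000-000000000002', 100);   -- cross-user insert: RLS rejects this
reset role;
reset request.jwt.claims;
```

The self-check at the end is the part worth keeping around: run it after every schema change, because a new table created without `enable row level security`, or a write policy that has `using` but no `with check`, is exactly the kind of gap that silently turns "no other user can read your rows" into a false statement.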
Payments
Budjo uses Stripe for all payments. Card details are entered on Stripe's hosted checkout (Stripe, Inc., 510 Townsend Street, San Francisco, CA, USA) and never touch Budjo servers. Stripe acts as a separate data controller for payment data. See their privacy policy. We only receive your Stripe customer ID and subscription status. Never your card number, CVV, or expiry.
How long we keep your data
| Data | Retention |
|---|---|
| Synced personal data (transactions, accounts, etc.) | Deleted within 30 days of account-deletion request |
| Stripe transaction records | 7 years (Australian Taxation Office requires 5 years; we use 7 as a safety margin) |
| Database backups | 7-day rolling retention via Supabase; backups containing deleted data are purged within this window |
| Edge-function error logs | 7 days rolling retention via Supabase |
| Marketing-site analytics (GA4) | 14 months (set in GA4 admin) |
Your rights
You have the following rights over your data:
- Access. Get a copy of what we hold (export to CSV from Settings → Data)
- Rectification. Fix incorrect data (edit anytime in the app)
- Erasure. Delete your account and all synced data (Settings → Account → Delete account)
- Restriction. Pause processing
- Portability. Get your data in machine-readable form (CSV export)
- Objection. Object to legitimate-interest processing
- Withdrawal of consent. Where consent is the legal basis (e.g. analytics cookies)
California residents: you have the additional rights under CCPA/CPRA to know, to delete, and to correct. We do not sell or share your personal information for cross-context behavioural advertising. Ever.
To exercise any right, email support@budjo.app. We'll respond within 30 days. Complex requests may be extended by up to 60 days, with notice.
Right to lodge a complaint
You can lodge a complaint with a data-protection authority:
- Australia: Office of the Australian Information Commissioner, oaic.gov.au
- UK: Information Commissioner's Office, ico.org.uk
- EU: your national DPA (e.g. CNIL in France, BfDI in Germany, Garante in Italy)
- USA: your state Attorney General
Data breaches
If we discover a breach affecting your personal data, we'll notify the relevant authority (the OAIC under Australia's Notifiable Data Breaches scheme, or the relevant EU DPA under GDPR Article 33) within 72 hours of becoming aware of it. If the breach is likely to result in serious harm, we'll also notify affected users directly via the email address associated with the account.
Children
Budjo is not intended for users under 16. We don't knowingly collect data from anyone younger. If you believe a child has signed up, email support@budjo.app and we'll delete the account.
Changes to this policy
We'll notify you of material changes at least 30 days before they take effect, by email or via a banner in the app. The "Last updated" date at the top always reflects the current version.
Contact
support@budjo.app. We answer every email.