Privacy Policy for BudgetBit

Last Updated: March 24, 2026

This Privacy Policy describes how BudgetBit ("we," "us," or "our"), a personal project built and operated solely by Dawid Bartczak — an individual developer, not a company or legal entity — collects, uses, and protects your personal data when you use our web application for tracking transactions, loans, and budgets (the "Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Dawid Bartczak (individual, operating as BudgetBit)
Email: contact@budgetbit.com
Location: European Union

BudgetBit is an independent, individually owned and operated project hosted within the European Union. There is no company, organisation, or legal entity behind it — just one person. If you have any questions or concerns about how your data is handled, please reach out directly at the email address above.

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Account & Identity Data

  • Email address — collected when you create an account or sign in with Google, used to identify your account and communicate with you.
  • Authentication credentials — passwords (stored as a secure hash, never in plain text) or OAuth tokens when you sign in with Google.
  • User ID — a unique identifier assigned to your account.

2.2 Financial Data You Provide

  • Transaction records (amounts, categories, dates, descriptions) that you manually enter into the Service.
  • Loan records and related financial details you enter.
  • Any other financial data you choose to input.

This data is stored and processed solely to provide you with the Service's functionality. We do not analyse this data for any purpose other than displaying it back to you.

2.3 Usage & Analytics Data

  • Pages visited and features used within the Service.
  • Actions taken (e.g., exporting transactions or loans).
  • Device type, browser type and version, operating system.
  • IP address and approximate geographic location (country/city level).
  • Session duration and interaction patterns.

2.4 Technical Data

  • Authentication session tokens.
  • Cookie consent preferences.
  • Error and exception logs (when technical errors occur).

3. Legal Basis for Processing

Under the GDPR, we process your personal data on the following legal bases:

Processing Activity | Legal Basis
Creating and managing your account | Performance of a contract (Art. 6(1)(b) GDPR)
Storing and displaying your financial data | Performance of a contract (Art. 6(1)(b) GDPR)
Authenticating sessions (essential cookies) | Performance of a contract (Art. 6(1)(b) GDPR)
Analytics and usage tracking (PostHog) | Consent (Art. 6(1)(a) GDPR) — only when you accept cookies
Infrastructure security and performance (Cloudflare) | Legitimate interests (Art. 6(1)(f) GDPR) — to protect and operate the Service
Responding to your requests or complaints | Legitimate interests (Art. 6(1)(f) GDPR)
Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR)

4. Third-Party Services & Data Processors

We use the following third-party services to operate the Service. Each acts as a data processor on our behalf or as an independent data controller for their own purposes:

Supabase (Authentication & Database)

We use Supabase to manage user authentication and store your account and financial data. Supabase processes your email address, authentication credentials, and all data you store in the Service. Supabase provides EU data residency options and is compliant with GDPR.

Supabase Privacy Policy

Google (OAuth Sign-In)

If you choose to sign in with Google, Google will authenticate your identity and share your email address with us via the OAuth 2.0 protocol. We do not receive your Google password. Google processes your data according to their own privacy policy.

Google Privacy Policy

PostHog (Analytics)

We use PostHog to understand how users interact with our Service. PostHog collects usage events, page views, and device/browser information. Your email address is used to associate analytics events with your account (user identification). PostHog processes data on EU servers (eu.i.posthog.com), meaning your data stays within the EU.

PostHog analytics are only activated if you consent to analytics cookies. You may withdraw consent at any time via the cookie settings.

PostHog Privacy Policy

Cloudflare (CDN & Security)

We use Cloudflare as our content delivery network and security provider. Cloudflare processes IP addresses and HTTP request metadata to protect the Service against attacks, improve performance, and ensure availability. Cloudflare acts as an independent data controller for some of this processing.

Cloudflare Privacy Policy

5. Data Retention

We retain your personal data for the following periods:

  • Account data (email, credentials): Retained for as long as your account is active. Deleted promptly upon account deletion request.
  • Financial data (transactions, loans): Retained for as long as your account is active. Deleted when you delete individual records or your account.
  • Analytics data (PostHog): Retained according to PostHog's default retention policy (typically 1 year). Deleting your account does not automatically delete PostHog analytics data — contact us if you wish this data to be erased.
  • Session tokens: Expire upon logout or after a period of inactivity.
  • Cookie consent preference: Stored for 365 days, after which you will be asked for consent again.

6. International Data Transfers

BudgetBit is hosted and operated within the European Union. We have specifically chosen EU-region infrastructure to minimise data transfers outside the EEA:

  • PostHog: Data processed exclusively on EU servers (eu.i.posthog.com).
  • Supabase: Configured to use EU data residency.
  • Cloudflare: Operates a global CDN; some request metadata may be processed outside the EEA as part of DDoS protection and routing. Cloudflare relies on Standard Contractual Clauses (SCCs) for such transfers.
  • Google OAuth: If you use Google sign-in, Google may process your authentication data outside the EEA. Google relies on SCCs and other GDPR-compliant transfer mechanisms.

7. Data Sharing

We do not sell, rent, or trade your personal data to any third party. We share data only:

  • With the third-party processors listed in Section 4, strictly to provide the Service.
  • When required by law, court order, or competent authority.
  • To protect the rights, property, or safety of BudgetBit, our users, or others.

We do not share your financial data or email address with marketing or advertising partners.

8. Your Data Protection Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may correct inaccurate personal data. You can update your email and password directly in the account settings.
  • Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"). You can delete your account directly from the settings page, which removes your account and financial data.
  • Right to restriction of processing (Art. 18): You may request that we restrict how we use your data in certain circumstances.
  • Right to data portability (Art. 20): You may request your data in a structured, machine-readable format. The Service supports CSV export of your transactions and loans.
  • Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22): We do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, contact us at contact@budgetbit.com. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with your national supervisory authority. If you are based in the EU, you can find your local authority at edpb.europa.eu.

9. Cookies and Tracking Technologies

We and our third-party providers use cookies and similar technologies. For a detailed breakdown of all cookies used, please see our Cookie Policy.

Essential cookies (required for authentication and session management) are placed on the basis of contractual necessity. Analytics cookies (PostHog) are only placed with your explicit consent, which you can grant or withdraw via the cookie consent banner.

10. Data Security

As an individual developer, I take reasonable steps to protect your personal data, including:

  • HTTPS encryption for all data in transit.
  • Password hashing (never stored in plain text).
  • Bearer token-based API authentication.
  • Cloudflare DDoS protection and firewall.
  • Supabase's built-in security controls for data at rest.

No method of transmission over the internet is 100% secure, and as a solo developer I cannot guarantee absolute security. If you become aware of a security issue, please contact me immediately at contact@budgetbit.com.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make significant changes, we will update the "Last Updated" date at the top of this page. For material changes that affect your rights, we will make reasonable efforts to notify you (e.g., via a notice in the Service). We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or wish to exercise your data protection rights, please contact us:

Email: contact@budgetbit.com
Operator: Dawid Bartczak
Location: European Union

We aim to respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.