The short version
Budgie can't read your financial data. Your transactions are encrypted on your device with keys only you hold. Our servers store sealed boxes we can't open.
We don't sell your data. We don't show you ads. We don't share your data with advertisers, data brokers, or affiliate partners.
Bank connections are read-only. Budgie can see your transactions but cannot move your money.
You can delete everything, any time. Deletion really means deletion.
1. Who we are
Budgie is a personal budgeting application for iOS and web, operated by an independent developer in the United States. In this policy, "Budgie," "we," "us," or "our" refers to the operator. You can contact us at support@trybudgie.app.
2. What data we collect
2.1 Data you give us directly
- Account information. Your email address and a device-registered encryption key when you create an account.
- Categories, rules, budgets, and notes you create inside the app.
- Corrections you make to categorizations, which Budgie uses to improve its suggestions for you.
2.2 Data we receive from Plaid on your behalf
When you connect a bank account through Plaid, Plaid shares with Budgie:
- Transaction data (merchant, amount, date, category, location where available)
- Account names, types, and balances
- A Plaid access token that allows Budgie to fetch future transactions on your behalf
Budgie does not receive your bank login credentials. Those are handled by Plaid. You can review Plaid's own privacy practices at plaid.com/legal.
2.3 Data we collect automatically
- Minimal operational logs from our servers (hashed IP address, request path, timestamp, error codes). We do not log transaction content.
- Crash reports if you opt in, to help us fix bugs.
3. How we protect your data
Budgie is built on a zero-knowledge architecture. The short version: our servers store your data in a form we cannot read.
- End-to-end encryption. Your transactions, categories, rules, and budgets are encrypted on your device using XChaCha20-Poly1305 with keys derived from a master key that never leaves your devices unencrypted. Our sync server stores only ciphertext.
- Key custody. On iOS, your device key is held in the Secure Enclave, unlocked by Face ID or Touch ID. On the web, it is protected by a passkey. You receive a 24-word recovery phrase at setup; we do not keep a copy.
- Isolation. Plaid access tokens are held in a separate backend service that is walled off from your identity, budgets, and other user data. A compromise of our sync infrastructure would not expose your Plaid tokens, and vice versa.
- Transport security. All network traffic uses TLS 1.3.
- Encryption at rest. All Budgie-held data, including operational logs, is encrypted at rest.
A comprehensive security review is conducted before public launch and annually thereafter.
4. How we use your data
We use your data only to operate Budgie on your behalf. Specifically:
- To fetch and display your transactions, balances, and categories.
- To categorize transactions using a combination of your rules, your history, and AI assistance (see §5).
- To compute budgets, forecasts, and analytics on your device, not on our servers.
- To send you occasional product emails (only with your consent and only about Budgie itself).
- To respond to your support requests.
- To detect fraud and abuse of our service.
- To comply with our legal obligations.
We do not sell your data. We do not share it with advertisers, data brokers, or for any marketing purpose. We do not use your data to train general-purpose AI models.
5. AI-assisted categorization
Budgie uses a cascading categorization engine: your rules first, then patterns learned from your corrections, then AI assistance for transactions we can't confidently categorize otherwise. When AI assistance is used:
- The input is stripped. Only the merchant name, amount, and date are sent to our AI provider (Anthropic). No account numbers, no user ID, no balances, no identifiers that could link a transaction back to you.
- Zero data retention. Our AI provider operates under a Zero Data Retention contract. Your data is not used to train models and is not retained after the request completes.
- You can turn it off. At any time, in Settings, you can disable AI-assisted categorization. Budgie will fall back to rules and manual categorization.
6. Who we share data with
We share data only with service providers who help us operate Budgie. Each is contractually bound to handle your data consistent with this policy.
| Provider | Purpose | What they see |
|---|---|---|
| Plaid | Bank account connections | Your bank login, account details, transactions |
| Cloudflare | Hosting and networking | Encrypted blobs, IP-hashed request logs |
| Anthropic | AI categorization (optional) | Stripped merchant strings and amounts only, with Zero Data Retention |
| Apple | iOS distribution and push notifications | Device tokens, App Store transaction IDs |
We may also share data when legally required (subpoena, court order) or to protect the safety of Budgie or its users. Because of our zero-knowledge design, the data we could produce in response to a subpoena is limited to what our servers hold in plaintext: your email, your encrypted blobs (which we cannot decrypt), and our operational logs.
7. How long we keep your data
| Data | Retention |
|---|---|
| Your transactions and budgets (on-device) | As long as your account is active; you control this |
| Encrypted blobs (on our servers) | As long as your account is active; deleted within 30 days of account deletion |
| Plaid access tokens | Deleted within 1 hour of you revoking a bank connection |
| Operational logs | 30 days |
| Security audit logs | 1 year |
| Consent records | Life of account plus 3 years, for audit defensibility |
| Backups | 30-day rolling window; deleted user data is purged from backups within 30 days of account deletion |
8. Your rights
You have the following rights over your Budgie data:
- Access. You can view everything Budgie has about you directly in the app.
- Export. You can export all your data as an encrypted archive at any time, from Settings.
- Correct. You can edit any categorization, rule, budget, or note.
- Delete. You can delete your account at any time. When you do, we wipe your local data, tombstone your encrypted blobs (deleted within 30 days), revoke all Plaid items, and purge your profile from our integration service. We send a confirmation email when deletion completes.
- Withdraw consent. You can disable AI-assisted categorization, disconnect individual bank accounts, or revoke any device that has access to your account.
If you are a California resident, you have additional rights under the CCPA, including the right not to be discriminated against for exercising these rights. If you are in the EEA or UK, you have rights under GDPR. To exercise any of these rights, email support@trybudgie.app.
9. Children
Budgie is not directed at children under 13, and we do not knowingly collect data from them. If you believe a child has created a Budgie account, email us and we will delete the account.
10. International transfers
Budgie operates in the United States. If you are accessing Budgie from outside the United States, your data will be transferred to and processed in the United States. We use standard contractual clauses and technical safeguards to protect this data.
11. Changes to this policy
We will notify you by email of any material change to this policy at least 30 days before it takes effect. The version and effective date at the top of this page always reflect the current policy.
12. Contact
Questions about this policy, or about your data: support@trybudgie.app.