Zero-Knowledge Encrypted

Privacy Policy

Last updated March 5, 2026

Budget iT is operated by Satwinder Singh Panaich (“we”, “us”, “our”). This policy explains how we collect, use, protect, and dispose of your information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA Compliant | AES-256 Encryption | Zero-Knowledge | PBKDF2 600K Iterations | Mandatory MFA

Your password (input) → PBKDF2 (600K iterations) → AES-256 encryption → Encrypted vault (stored safely)

1. Our Promise

Your financial data is encrypted on your device before it reaches our servers. We operate on a true zero-knowledge architecture — we cannot read your data, even if we wanted to.

We do not sell, rent, or trade your data to advertisers, banks, or data brokers. We never will.

2. Who We Are

Budget iT is a Canadian personal finance application operated by Satwinder Singh Panaich, accessible at budgetit.ca.

Contact: support@budgetit.ca

3. Information We Collect

3.1 Account Information

  • Email address — For login, account recovery, and essential notifications. This is the only plaintext personal data we store.
  • Display name — Optional, user-provided.
  • Password hash — Your password is hashed using bcrypt for login authentication only. We never store your plaintext password, and this hash is separate from the PBKDF2-derived encryption key described in Section 5.

3.2 Encrypted Financial Data (Zero-Knowledge)

  • All financial data — Budgets, transactions, invoices, shifts, goals, expenses, accounts, tax records, and 23 other vault categories are stored as encrypted blobs we cannot read.
  • Encryption metadata — Salt values, wrapped keys, and IVs needed to reconstruct your keys at login. Without your password (or your recovery key) they cannot be used to recover your data encryption key.

3.3 Bank Connection Data (Plaid)

  • If you connect a bank account via Plaid, we receive transaction data, account balances, and institution information from Plaid.
  • This data is immediately encrypted client-side using your personal encryption key before being stored.
  • Plaid access tokens are encrypted and stored within your zero-knowledge vault.
  • We cannot read your bank data, even with full database access.
  • You can disconnect your bank at any time, which revokes the Plaid token and deletes all associated data.
  • Plaid's own privacy practices are governed by Plaid's End User Privacy Policy.

3.4 Usage Data

  • We use Google Analytics to collect anonymous, aggregated usage data such as page views, session duration, device type, and approximate geographic region. This helps us understand how visitors use Budget iT and improve the experience.
  • Google Analytics uses cookies to distinguish unique users. No financial data, personal identifiers, or encrypted vault contents are ever sent to Google Analytics.
  • Google Analytics data is governed by Google's Privacy Policy. We have IP anonymization enabled, so your full IP address is never stored by Google.
  • We do not use advertising cookies, remarketing, or cross-site tracking of any kind.
  • Basic server logs (IP address, request timestamps) are retained for 90 days for security and abuse prevention, then automatically deleted.

3.5 Cookies & Local Storage

  • Authentication cookies — Supabase session cookies for maintaining your login. Essential only.
  • Analytics cookies — Google Analytics cookies (_ga, _ga_*) for anonymous usage tracking. These contain no personal or financial data.
  • Theme preference — Stored in localStorage (dark/light mode). No tracking.
  • Session encryption key — Your DEK is stored in sessionStorage and cleared when you close the tab, sign out, or after 1 hour of inactivity.
  • We use no advertising cookies and no remarketing or cross-site tracking cookies.

4. How We Use Your Information

We use your information only to:

  • Provide the service — Authenticate you, sync your encrypted vaults, and deliver the app.
  • Send essential communications — Password resets, security alerts, and critical service updates via Resend.
  • Maintain security — Detect abuse, enforce rate limits, and block malicious IP addresses.
  • Comply with law — Respond to valid legal requests. Because vault contents are ciphertext, the only plaintext we could produce is the account information and server logs described in Section 3.

We never use your data for advertising, profiling, or selling to third parties.

5. How Your Data Is Protected

All financial data uses AES-GCM 256-bit encryption, the same standard used by governments and financial institutions.

  • Password-Derived Keys — Your password goes through PBKDF2 with 600,000 iterations to create your encryption key. This makes every password guess expensive; combined with a strong, unique password, brute force is computationally infeasible.
  • DEK/KEK Hierarchy — A random Data Encryption Key encrypts your data. It is itself encrypted by your password-derived key. We never store your password or raw keys.
  • Recovery Key — Generated once during setup. The only way to recover your vault if you forget your password. We do not store it.
  • Mandatory Two-Factor Authentication — All users are required to enable TOTP-based MFA (Google Authenticator, Authy, etc.) for account access.
  • Row-Level Security — Database isolation ensures users can only access their own data, even at the PostgreSQL level.
  • Zero Server Access — Servers store only ciphertext. Each vault is encrypted independently with authenticated encryption that detects tampering.
  • TLS 1.2+ — All data in transit uses transport-layer security.
  • Session Security — Your decryption key is held in sessionStorage and cleared when you close the tab, sign out, or after 1 hour of inactivity.

6. Feature-Specific Data Handling

  • Receipt OCR — Image processing occurs client-side in your browser. Extracted text is encrypted before storage.
  • Google Drive Integration — If connected, grants a limited OAuth token scoped only to file upload. We do not access existing files. Revocable at any time.
  • Business Dashboard & Analytics — Revenue trends, expense charts, and profit/loss calculations are computed entirely in your browser. None of these figures are sent to our servers or to Google Analytics.
  • Tax Calculations — Federal/provincial tax estimates, CPP, EI, and HST/GST are calculated client-side using publicly available CRA data.
  • Investment Portfolio — Holdings, dividends, and performance data from Plaid are encrypted client-side before storage. Portfolio calculations occur in your browser.
  • Financial Planning Tools — Goal tracking, debt payoff plans, and projections are all processed locally in your browser.

7. Third-Party Services

We use the following third-party services. None of them can read your financial data due to our zero-knowledge architecture.

  • Supabase — Database and authentication hosting (SOC 2 Type II certified). Stores encrypted vaults and auth records. Cannot decrypt your data.
  • Plaid — Bank account connection and transaction retrieval (SOC 2 Type II, ISO 27001 certified). Data received from Plaid is immediately encrypted client-side before storage. Plaid Privacy Policy.
  • Resend — Transactional email delivery (password resets, notifications). Only receives your email address. No financial data is ever included in emails.
  • Google Analytics — Anonymous website usage analytics (page views, session duration, device type). IP anonymization is enabled. No financial data is shared. Google Privacy Policy.
  • Coolify — Self-hosted application hosting. Full infrastructure control. Financial data is encrypted and unreadable at the server level.

We do not share your data with any other third parties, advertisers, or data brokers.

8. Legal Basis (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), we process your information based on:

  • Consent — You provide informed consent when you create an account and agree to this policy.
  • Contractual necessity — Processing is necessary to provide you with the Budget iT service.
  • Exceptions to consent — PIPEDA permits limited processing without separate consent; we rely on this only for security monitoring and abuse prevention (server logs, rate limiting) that protects all users.

You may withdraw consent at any time by deleting your account (see Section 9).

9. Data Retention & Deletion

  • Account data — Retained while your account is active, plus 30 days after deletion request.
  • Encrypted financial data — Deleted immediately upon account deletion. Due to zero-knowledge encryption, deleted data is permanently irrecoverable.
  • Bank connection tokens — Plaid tokens are revoked and deleted when you disconnect a bank or delete your account.
  • Session data — Cleared when you close the tab, sign out, or after 1 hour of inactivity.
  • Server logs — Automatically deleted after 90 days.
  • Transactional emails — Retained by Resend for 30 days.
  • Inactive accounts — Accounts inactive for 24 months receive warning emails, then are suspended and eventually deleted after a 90-day grace period.

How to Delete Your Account

You can delete your account at any time via Settings → Account → Delete Account, or by emailing support@budgetit.ca. Deletion is permanent and irrecoverable due to our zero-knowledge architecture.

10. Your Rights

Under PIPEDA, you have the right to:

  • Access — View all your data through the dashboard at any time.
  • Correction — Edit any entry instantly within the app.
  • Deletion — Permanently delete your account and all associated data.
  • Portability — Export your data in CSV or PDF format at any time.
  • Withdraw consent — Delete your account to withdraw consent for all data processing.
  • Complain — File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.

To exercise any of these rights, contact us at support@budgetit.ca.

11. Breach Notification

In the unlikely event of a data breach, we will notify affected users within 72 hours via email and in-app notification. We will also report to the Office of the Privacy Commissioner of Canada as required by PIPEDA.

Due to our zero-knowledge encryption architecture, compromised data would consist of unreadable ciphertext that cannot be decrypted without each individual user's password. Because the stored salts and wrapped keys would be exposed alongside it, an attacker could still attempt offline password guessing; the 600,000-iteration PBKDF2 derivation slows each guess, and a strong, unique password is what keeps such guessing infeasible.

12. Children's Privacy

Budget iT is not intended for children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has created an account, please contact us at support@budgetit.ca and we will delete the account promptly.

13. International Data Transfers

Your encrypted data may be stored on servers located outside of Canada (Supabase infrastructure). However, due to our zero-knowledge architecture, any data stored outside Canada is encrypted ciphertext that cannot be read without your password by any party, including the hosting provider, foreign governments, or Budget iT itself.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and/or in-app notification at least 30 days before taking effect. The “last updated” date at the top of this page reflects the most recent revision.

Continued use of Budget iT after changes take effect constitutes acceptance of the revised policy.

15. Contact

For privacy questions, data requests, or concerns, email support@budgetit.ca.

If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.