BitBudget Privacy Policy

BitBudget uses client-side and public-key encryption for sensitive transaction text. We store ciphertext for the following data at rest:

• Transaction payee names and transaction notes are encrypted before storage.
• Recurring transaction payee names and notes are encrypted before storage.
• Backend-created transaction payee names and notes from connected services are encrypted with your public key so only your client can decrypt them.
• Your privacy key is stored on our servers only as a wrapped encrypted blob. For password or PIN users, the wrapping key is derived client-side. For Nostr users, browser extension encryption is used where available.

We do not store your raw Nostr secret key. If you use a Nostr browser extension, signing and NIP-04 encryption happen through the extension. If you use the nsec fallback, the key is encrypted locally before it is saved in browser storage.

Some data must remain available to BitBudget servers so the app can authenticate you, sync your budget, run integrations, and render summaries. This data is protected by our application, database, and hosting security controls, but it is not encrypted in a way that prevents BitBudget servers from reading it:

• Account identity data such as email address, Nostr public key, OAuth provider identifiers, profile name, and profile image.
• Budget structure and settings such as monthly income, pay cadence, envelope names, envelope colors, icons, tags, archive state, display preferences, subscription tier, onboarding state, and reminder settings.
• Transaction metadata such as amount, date, type, envelope assignment, tags, source, created and updated timestamps, recurring rule cadence, and optional Bitcoin/sats opportunity-cost fields when enabled.
• Integration data needed to operate optional features, including Plaid item/account metadata and access tokens, connected email account tokens, receipt inbox tokens, push notification subscriptions, and imported transaction IDs used for deduplication.
• Operational records such as sessions, email sign-in codes, referral records, survey responses, admin audit logs, and cached BTC price data.

Low-friction capture features may also store non-encrypted processing metadata, such as confidence scores, suggested envelope IDs, and limited raw integration context. Examples include Plaid category metadata or a short receipt/email snippet used to help you review a pending transaction.

• Provide the budgeting app, authentication, sync, reminders, referrals, optional integrations, support, and account administration.
• Protect the service from abuse, debug production issues, and maintain security and reliability.
• Improve BitBudget using privacy-preserving, aggregate analytics. We do not use ad-tech, cross-site tracking, or sell budgeting data.

We do not sell your personal information or budgeting data. We do not use ad-tech or cross-site tracking. Vercel Analytics is used only for basic aggregate usage and performance telemetry.

We may reach out by email or Nostr to ask for feedback, understand how BitBudget is working for you, announce important service changes, or help with support. You can opt out of non-essential feedback or product outreach at any time by replying to the message or using any unsubscribe or opt-out instructions we provide.

We may still send transactional or security-related messages when needed to provide the service, such as sign-in codes, account notices, or important security updates.

BitBudget relies on service providers for hosting, authentication, email delivery, optional financial account connectivity, optional email scanning, push notifications, and aggregate analytics. These providers may process the data needed to perform their services for BitBudget.

You control whether to use optional features such as Plaid connections, connected email scanning, receipt forwarding, reminders, push notifications, referrals, surveys, and opportunity-cost tracking. You can sign out to clear local session data, and you can contact us if you need help with account data or feedback opt-outs.