Privacy Policy

What data we collect

• Your account email. Your email address is your account identifier — it is how we recognize you when you sign in and where we send essential account messages.
• Your password. We never store your password in plain text. It is hashed with argon2id, a modern, memory-hard password-hashing algorithm, before it is saved.
• Your budget data. The financial information you enter — budgets, spending, and related details — so the app can do its job.
• Your IP address (transiently). When you use the sign-in and account endpoints, we apply a per-IP rate limit (20 requests per minute) to protect against abuse and brute-force attempts. This processes your IP address for that security purpose; we do not use it to track or profile you.

How we use your data

• To create and secure your account and authenticate you when you sign in.
• To send essential transactional email — account verification, password resets, and account-related notices. These are sent from noreply@steadybudget.app.
• To provide the budgeting features you use the app for.

We do not use your data for advertising, profiling, or any purpose unrelated to running Steady Budget, and we do not sell it.

How your data is stored and secured

• Your budget data is stored in a managed PostgreSQL database. We will disclose the specific hosting provider and region on this page once production hosting is provisioned.
• Passwords are never stored in plain text — only their argon2id hashes are kept.
• The Steady Budget app at money.steadybudget.app sets two strictly-necessary cookies, scoped to that subdomain: a session cookie to keep you signed in and a security (anti-forgery) cookie that protects you against cross-site request forgery. This marketing site sets no cookies at all.

Cookies and tracking

This marketing site (steadybudget.app) is cookie-free: it sets no cookies and runs no analytics or third-party trackers. The only cookies Steady Budget uses anywhere are the two strictly-necessary cookies set by the app at money.steadybudget.app — a session cookie that keeps you signed in and a security (anti-forgery) cookie that guards against cross-site request forgery. Both are scoped to that subdomain, serve no tracking purpose, and are essential to operate the app.

Third parties

We keep third-party involvement to a minimum. We use Amazon Web Services (AWS) Simple Email Service (SES) to deliver our transactional email (verification, password-reset, and account-related messages). When we send you one of these messages, your email address is processed by AWS SES for the sole purpose of delivering it. We do not share your data with advertisers or data brokers.

Data retention

When you close your account, we deactivate it — your account is marked inactive so you can no longer sign in, but your account email and budget data are retained in our database rather than being erased immediately. Because deactivation is a soft action, that data is retained indefinitely until it is erased. If you want your personal data fully erased, contact us at the address below: until self-serve account deletion ships, we handle full erasure manually on request.

Contact

For any privacy question — including a request to access or delete your data — email support@steadybudget.app. See also our Terms of Service.