Privacy & Security

• Name and email address — used for account sign-in and to send you important updates and notifications
• No phone numbers, location data, or personal identifiers are collected
• No data is collected in the background or without your knowledge

We only collect what is necessary to provide the service — nothing more.

• Passwords are hashed using industry-standard bcrypt encryption — they are never stored in plain text
• All connections are encrypted with HTTPS/TLS, so your data is protected in transit
• Session tokens use secure, HTTP-only cookies that cannot be accessed by JavaScript
• Passkey/biometric authentication is supported for phishing-resistant sign-in
• Your data is encrypted at rest and isolated to your account — no one else can access it

• Only you can see your financial data — no one else has access, not even us
• Your data is never sold, rented, or shared with any third party
• No analytics trackers, no third-party scripts, no ads — ever
• All data is encrypted and stored securely in an isolated environment

• Google OAuth — used only for convenient sign-in; no financial data is shared with Google
• Vercel — hosts the application with enterprise-grade infrastructure and automatic HTTPS
• Database — hosted on a managed, secure cloud provider with access restricted to the application

These services are used strictly for functionality. None receive your financial data.

• Export all your data — download your transactions as a CSV file at any time from Settings
• Delete your data — reset all financial data (transactions, categories, budgets) from Settings
• Delete your account — contact us to permanently delete your account and all associated data
• Modify your data — edit or remove any transaction, category, budget, or payment method at any time

• SPENTit uses session cookies only — these keep you signed in securely
• No advertising cookies, no tracking pixels, no analytics cookies
• A dark mode preference is stored locally in your browser (localStorage), never on our servers