Privacy Policy

1. Introduction

This Privacy Policy describes how Finance Self-Hosted ("we," "our," or "us") collects, uses, stores, and protects your personal and financial information when you use our personal finance management application.

By using our application, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

• Email address
• Password (stored as encrypted hash)
• Two-factor authentication secrets (encrypted)
• Profile information (name, address, phone - optional)

2.2 Financial Data via Plaid

When you connect your bank accounts through Plaid, we collect:

• Account names, types, and balances
• Transaction history (date, amount, merchant, category)
• Account and routing numbers (masked)
• Institution information

2.3 Manual Data

• Manually created accounts and assets
• Custom categories, tags, and budgets
• Bills and savings goals
• Transaction notes and categorizations

2.4 Technical Data

• IP addresses (for security and rate limiting)
• Login timestamps and user agent
• Failed login attempts

3. How We Use Your Information

• Provide Services: Display accounts, transactions, budgets, and financial insights
• Security: Authenticate users, detect fraud, prevent unauthorized access
• Improvements: Analyze usage patterns to improve the application
• Communications: Send household invitations and security alerts

4. Data Storage and Security

We implement industry-standard security measures:

• Encryption at Rest: Plaid access tokens encrypted with AES-256-GCM
• Encryption in Transit: All communications over HTTPS/TLS
• Password Security: Bcrypt hashing with salt
• Access Controls: JWT tokens with 2-hour expiration, refresh token rotation
• Rate Limiting: Protection against brute force attacks
• Account Lockout: Automatic lockout after failed login attempts
• IP Banning: Automatic ban for repeated failed attempts
• Two-Factor Authentication: TOTP-based MFA available for all accounts

5. Data Retention

We retain your data as follows:

• Account Data: Retained until you delete your account
• Transaction History: Retained for the lifetime of your account
• Login History: Retained for 90 days for security auditing
• IP Ban Records: Automatically expire after 1 hour
• Plaid Connections: Access tokens retained until you disconnect the bank

6. Third-Party Services

6.1 Plaid

We use Plaid Inc. to connect to your financial institutions. When you connect an account, Plaid's privacy policy also applies. Plaid collects and processes your financial data to provide account and transaction information to our application.

View Plaid's End User Privacy Policy

6.2 Email Services

We use SMTP email services to send household invitations and security notifications. Only your email address is shared with our email provider for delivery purposes.

7. Your Rights

You have the right to:

• Access: Request a copy of all data we store about you
• Correction: Update or correct your personal information
• Deletion: Request deletion of your account and all associated data
• Disconnect: Remove bank connections at any time through Plaid
• Export: Download your data in a portable format
• Withdraw Consent: Revoke access to financial data at any time

To exercise these rights, visit your Profile settings or contact us directly.

8. Data Sharing

We do not sell your personal or financial data.

We may share data only in these circumstances:

• Household Members: Accounts/transactions you explicitly share with your household
• Service Providers: Plaid for bank connectivity, email provider for notifications
• Legal Requirements: When required by law or to protect our legal rights

9. Children's Privacy

Our application is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.