SpendSquire

Privacy Policy

Effective: 2026-05-24 · Version: 1

1. Who we are

SpendSquire (“we”, “us”) provides a personal finance product consisting of a web dashboard and a native iOS app. Contact: [email protected].

2. Data we collect

Account & identity

Email, password hash, display name, locale, default currency, email verification status. Optional Google OAuth link stores the provider user ID and email returned by Google.

Authentication factors

TOTP secrets and backup codes (encrypted at rest). Email verification and password-reset tokens are stored only as hashes.

Sessions & devices

Session and CSRF tokens (hashed), user agent, IP address, last-activity timestamp. For the iOS app: device ID, Apple Push Notification Service (APNS) device token, app version, platform.

Financial data (user-entered)

Accounts, transactions, splits, tags, categories, budgets, recurring transactions, net-worth snapshots, reconciliations, exchange rates.

Preferences

Notification settings, timezone, budget alert thresholds.

Operational

Audit events, idempotency keys (24-hour TTL), CSV import presets, import fingerprints, saved filters.

Diagnostics

Crash reports, error traces, request IDs, app version, release name. On iOS, payloads are PII-scrubbed before transmission — emails, access/refresh/ID tokens, passwords, TOTP codes, CSRF tokens, and session IDs are redacted; Authorization, Cookie, and X-CSRF-Token headers are replaced with [redacted].

3. How we use it

To operate the service, authenticate you, sync data across devices, deliver alerts you have enabled, prevent fraud and abuse, and debug failures.

4. Third parties

We do not use advertising trackers, analytics SDKs, third-party trackers, or payment-card processors. We do not collect location, contacts, photos, microphone, or camera data.

5. Retention

6. Your rights

You may request access, correction, export (CSV from the web app), or deletion of your data. Email [email protected]. We respond within 30 days.

7. Security

Data is encrypted in transit (TLS). Credentials are stored hashed. TOTP secrets and backup codes are encrypted at rest. iOS diagnostic payloads are PII-scrubbed before send. Server-side authorization restricts access to your data.

8. Children

SpendSquire is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect data from such users.

9. International transfers

Data is processed in the region of our hosting provider, disclosed once finalized.

10. Changes

We version this policy. Material changes are announced in-app. The current effectiveDate is shown above; prior versions are retained in our public repository.

11. Contact

[email protected]