Privacy Policy

Effective Date: April 10, 2026

This Privacy Policy explains how MyAutoBudget (\"the Service,\" \"we,\" \"us,\" or \"our\") handles your information. MyAutoBudget is operated by Josh Jones, an independent software developer based in Arizona, United States. We believe in transparency, so this policy is written in plain language and we are candid about what we have and have not built yet.

1. What We Collect

Account information: When you sign up we collect an email address, a display name, and a password. Your password is stored as a one-way cryptographic hash — we never store or have access to your plaintext password.

Financial data you enter: Accounts, balances, bills, income sources, allocation buckets, savings goals, and similar records. All of this data is entered by you and stored solely to provide the budgeting features you signed up for.

Plaid data (optional): If you choose to connect a bank account through our Plaid integration, we receive account balances, transaction data, and account metadata (such as APRs) from Plaid on your behalf. The Plaid connection is read-only — MyAutoBudget cannot initiate transfers, make payments, or modify your bank account in any way. We do not receive or store your bank login credentials — those are handled entirely by Plaid under their own privacy policy.

Server and operational logs: We maintain limited access and operational logs (such as IP addresses, request timestamps, URL paths, and error information) for security, reliability, and abuse prevention. These logs are retained for no more than 30 days.

2. How We Use Your Data

We use your data to provide the Service, maintain reliability and security, fix bugs, and improve budgeting features and product functionality. This includes generating your budget dashboard, running calculations and projections, and sending transactional emails (such as password-reset links). We do not use your personal financial data for advertising, cross-user profiling, or sale to third parties.

We may generate aggregated, de-identified operational statistics (for example, error rates, feature usage counts, or performance metrics) to maintain and improve the Service. These statistics are designed not to identify individual users and are not sold to third parties.

3. Data Isolation and Access

We design the Service so that each user's financial records are isolated from those of other users. In the ordinary course of operating MyAutoBudget, we do not review individual user financial data. Because the Service is operated by a small independent provider, the operator has administrative access to the underlying infrastructure. Access to account data may occur when reasonably necessary to provide support, investigate a reported issue, maintain or secure the Service, comply with legal obligations, or respond to a security incident. When support-related access is needed for a specific issue you report, we will make reasonable efforts to inform you when practical.

4. Security and Privacy Maturity

We want to be upfront about the current maturity of our security and privacy infrastructure. The following protections have been implemented and are active:

• Encryption at rest — sensitive financial fields and Plaid access tokens are encrypted at the application layer before being written to persistent storage. The encryption key is stored separately from the database files.
• Self-service data export — you can download a complete copy of all your data in JSON format from the Profile page at any time, with no need to contact us.
• Self-service account deletion — you can permanently delete your account and all associated data from the Profile page. Deletion requires password confirmation and removes your authentication record, all sessions, and your user financial data from active application storage.
• Per-user data isolation — each user's financial records are logically isolated from those of other users, and our current storage architecture keeps user financial data separated on a per-user basis.
• HTTPS/TLS in transit — all connections to the Service are encrypted.
• Password hashing — passwords are stored using a modern, salted one-way hashing algorithm.
• CSRF protections — cross-site request forgery tokens are applied to state-changing requests.
• Session security — session tokens are cryptographically random and expire after a configurable period.
• Login rate limiting — brute-force login attempts are throttled.

The following protection is not yet implemented:

• Independent security audit — the Service has not undergone a formal penetration test or independent security audit.

No system is perfectly secure. Please consider these limitations when deciding what data to enter into the Service.

5. Before You Connect Bank Accounts

MyAutoBudget is an independent budgeting tool in public beta. It is not a bank and has not undergone an independent security audit. If you choose to connect financial accounts through Plaid, you should do so with that understanding. Funds held in your own bank accounts remain subject to your bank's terms and protections. MyAutoBudget does not provide FDIC or similar deposit insurance.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing or advertising. We share data only in these limited circumstances:

• Plaid (if you opt in) — to retrieve bank balances, transaction data, and liability information (such as credit card APRs). Plaid acts as a data processor on your behalf. See Plaid's privacy policy for details on how they handle your bank credentials.
• Email delivery — we use an SMTP email service to send password-reset links. The service receives only your email address and the message content.
• Legal obligations — we may disclose data if required by law, regulation, subpoena, or valid legal process.

7. Data Retention and Deletion

We retain your data while your account remains active. You may permanently delete your account and associated application data at any time from the Profile page, subject to password confirmation. We will then remove your authentication record, sessions, and user financial data from active application storage. We do not intentionally maintain long-term user-accessible backups of per-user financial data after deletion, but limited residual data may remain temporarily in short-lived logs, infrastructure snapshots, or systems pending normal expiration or overwrite. Once deletion has been completed in active systems, your data cannot be restored by us. Self-service deletion through the Profile page is processed promptly in active application systems. If you submit a deletion request by email to support@myautobudget.com instead, we will complete it within 30 days.

8. Breach Notification

If we confirm a security incident that materially compromises your personal data, we will notify affected users without undue delay and, where feasible, within 72 hours of confirmation. The notice will describe the nature of the incident, the data involved as then understood, the steps we are taking, and recommended protective actions where appropriate.

9. Where Your Data Is Hosted

The Service is hosted on Fly.io infrastructure in the United States (Virginia region). All data — including your user database and encrypted financial records — resides on Fly.io servers. Fly.io's security practices are described in their security documentation.

10. Cookies and Tracking

We use a single, strictly necessary session cookie to keep you signed in. We do not use analytics cookies, advertising trackers, or any third-party tracking scripts. We do not participate in cross-site tracking or behavioral advertising. There are no third-party pixels, tags, or SDKs on any page of the Service.

11. Your Rights

Depending on your location, you may have rights under applicable privacy laws (such as CCPA if you are a California resident, or GDPR if you are in the EU/EEA). These may include the right to access, correct, delete, or port your data, or to object to certain processing. You can exercise your right to data portability and account deletion directly from the Profile page. For all other requests, email support@myautobudget.com. We will respond within 30 days.

12. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect data from minors. If we learn that we have inadvertently collected data from someone under 18, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect, and we will update the effective date at the top of this page. Continued use of the Service after the notice period constitutes acceptance of the revised policy.

14. Governing Law

This Privacy Policy is governed by the laws of the State of Arizona, United States.

15. Translation

This Privacy Policy may be available in languages other than English. In the event of any conflict or inconsistency between a translated version and the English version, the English version shall control.

16. Contact

Questions about this policy, your data, or a privacy concern? Email us at support@myautobudget.com. To report a suspected security issue, email support@myautobudget.com with the subject line \"Security Issue\".