Privacy at a glance
- Your budget lives on your device. Accounts, categories, transactions, notes, goals, and receipt photos are stored in a local database on your phone. We have no copy of them and no way to read them.
- Accounts are anonymous. Budgy has no sign-up. We never ask for — and never receive — your email address, name, or a password.
- AI features send only what they need, only when you use them. They are available on Budgy Plus and during the free trial; on the free tier, no budget data ever leaves your device.
- We do not sell your data, and there are no ads.
1. Who we are and what this policy covers
This Privacy Policy explains how Budgy (“Budgy”, “we”, “us”) handles information when you use the Budgy mobile app for iOS and Android, the website at usebudgy.com, and the community feedback board at usebudgy.com/feedback (together, the “Service”). Questions or requests can always be sent to support@usebudgy.com.
2. Data that stays on your device
Budgy is a local-first app. All of your budgeting data is stored in a database on your device and is never uploaded to Budgy’s servers. This includes:
- accounts and balances;
- categories, category groups, budgets, and tags;
- transactions, including payees, amounts, dates, and any notes you write;
- savings goals and contributions;
- recurring bills and reminders;
- receipt photos, which are saved as files inside the app’s private storage;
- your in-app preferences, including the name you optionally enter for yourself.
Because this data exists only on your device, you control it completely. You can delete individual transactions, reset everything with Fresh Start in the app, or remove all of it by uninstalling the app. You can also export any month as a CSV or PDF file through your device’s share sheet — the export is created on your device and goes only where you choose to send it.
Budgy does not provide cloud backup or sync. There is no copy of your budget anywhere but your device, so we recommend exporting regularly if you want an off-device record.
3. Data we store on our servers
The only data Budgy stores server-side is the minimum needed to run the Service:
- An anonymous account. When you first use Budgy, the app silently creates an anonymous account — a random identifier with an auto-generated username (for example, “user_ab12cd34”). It contains no email address, name, phone number, or password. Its purpose is to identify your install for AI rate limiting and subscription verification. The website creates a similar anonymous identity only if you vote or comment on the feedback board.
- Feedback board content. If you post a feature request, bug report, vote, or comment, we store that content along with your anonymous identifier. Posts and comments are public, so please don’t include personal information — yours or anyone else’s — in them.
Your budget data is never among the data stored on our servers.
4. AI features and what they send
Budgy’s AI features are available with a Budgy Plus subscription or during the free trial. On the free tier, the app makes no AI requests, and no budget data leaves your device.
When you use an AI feature, the app sends the specific data that feature needs through our API (hosted on Cloudflare) to Anthropic, the AI provider, and returns the result to your device:
- Receipt scanning sends the photo of the receipt you chose to scan, along with your category names.
- Magic add and voice logging send the text you typed or the transcription of what you said, along with your category and account names.
- Auto-categorization sends a payee or merchant name along with your category names.
- Insights and Wrapped send monthly summaries: totals, category names with amounts spent and budgeted, and your top payees for the month.
- The assistant sends your questions plus the context needed to answer them, which can include category names, monthly totals, top payees, and details of your largest transactions for a period (payee, amount, and category).
Our API is stateless: it forwards these requests and stores none of their content — no prompts, images, or responses are retained on our servers. Processing by Anthropic is governed by Anthropic’s commercial terms and data policies, under which API inputs and outputs are not used to train their models.
5. Analytics and diagnostics
We use PostHog (hosted in the United States) to understand how Budgy is used and to catch errors. We designed this to be as minimal as we could:
- In the app, events carry only feature names, settings choices, booleans, and counts — never amounts, payee names, notes, category names, or any text you write.
- Session recording is off, and the app does not auto-capture taps or screens.
- The website records page views and basic interaction events on the marketing pages.
- If something goes wrong, error diagnostics (such as error messages and technical context) are captured so we can fix bugs.
- Analytics are tied to your anonymous identifier, together with technical context such as platform, app version, locale, plan, and currency setting.
6. Purchases
Subscriptions are billed by Apple (App Store) or Google (Google Play). Budgy never sees your payment card details, billing address, or store account identity. We use RevenueCat to manage subscriptions; it receives your anonymous identifier and purchase metadata (such as product, renewal date, and store) so the app and our API can verify your Budgy Plus entitlement.
7. Device permissions
Budgy asks for permissions only when a feature needs them:
- Camera and photo library — to capture or pick receipt photos, which are stored on your device (and sent to the AI provider only if you scan them).
- Microphone and speech recognition — for voice logging; the transcribed text is sent to the AI provider when you use it.
- Face ID / biometrics — to lock the app; verification happens entirely on your device.
- Notifications — for reminders you set. All notifications are scheduled locally on your device; Budgy does not use push notifications and holds no push tokens.
8. Service providers
We rely on a small set of providers to run the Service:
| Provider | Purpose | What they receive |
|---|---|---|
| Supabase | Anonymous accounts and the feedback board database | Anonymous identifier, generated username, feedback content |
| Cloudflare | Hosting for our API and website | API traffic in transit (including AI requests) and standard request metadata |
| Anthropic | AI processing | The AI feature inputs described in section 4 |
| PostHog | Analytics and error diagnostics | The minimal events described in section 5 |
| RevenueCat | Subscription management | Anonymous identifier and purchase metadata |
| Apple / Google | App distribution and billing | Handled under their own terms and privacy policies |
| Expo (EAS) | Delivering app updates | Standard update-request metadata (no user content) |
9. Data retention and deletion
Your budget data is on your device and under your control at all times: delete entries in the app, use Fresh Start, or uninstall the app to remove everything.
Server-side, your anonymous account and any feedback board content are retained until you ask us to delete them. There is currently no self-serve deletion in the app — email support@usebudgy.com from the device in question (or with your feedback username) and we will delete your anonymous account and the content associated with it. Analytics data is retained according to PostHog’s retention settings.
10. Your rights
Budgy operates from Canada, and we handle personal information in line with the Personal Information Protection and Electronic Documents Act (PIPEDA). Depending on where you live, you may also have rights under laws such as the GDPR (Europe) or the CCPA (California), including the rights to access, correct, delete, or export personal information, and the right to lodge a complaint with your local supervisory authority.
In practice, most of your data is already in your hands: it lives on your device, and you can export it as CSV or PDF at any time. For anything server-side, contact support@usebudgy.com and we will honor your request. Because server-side accounts are anonymous, we may ask you to demonstrate control of the app install or feedback account in question. We do not sell or share personal information for advertising, and we do not use it for profiling that produces legal effects.
11. Security
All traffic between the app, the website, and our servers is encrypted in transit. Access to server-side data is restricted and protected by row-level security. On your device, you can enable Face ID / biometric lock in the app’s settings. No method of storage or transmission is completely secure, but the local-first design means the most sensitive data — your finances — never leaves your device unless you use an AI feature or export it yourself.
12. Children
Budgy is not directed at children and is rated for users 17 and older. We do not knowingly collect personal information from children. If you believe a child has provided us personal information (for example, on the feedback board), contact us and we will delete it.
13. International transfers
Our service providers listed above process data in the United States and other countries. Where required, transfers rely on appropriate safeguards such as standard contractual clauses maintained by those providers.
14. Changes to this policy
We will post any changes to this policy on this page and update the “Last updated” date above. For material changes, we will also provide notice in the app or on the website.
15. Contact
For privacy questions or requests: support@usebudgy.com.