At Coffee Budget, we take the protection of your personal data seriously. This Privacy Policy explains what data we collect, why we process it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and Italian data protection law (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).
1. Data Controller
Coffee Budget
Email: privacy@coffeebudget.app
The data controller is the person or entity responsible for determining the purposes and means of processing your personal data. For any questions regarding this policy or to exercise your rights, please contact us at the email address above.
2. What Data We Collect
We collect only the data necessary to provide and improve our service. We do not process any special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data).
2.1 Identity & Authentication Data
When you create an account, we receive your email address and name from Auth0, our authentication provider. We also store a unique user identifier to associate your data within our system.
2.2 Financial Data
You provide the following data when using the service:
- Transactions — amounts, descriptions, dates, types, and associated categories or tags
- Categories and tags — custom labels you create to organize transactions
- Expense plans — budgeting envelopes, contribution rules, and spending limits
- Income plans — income sources and distribution rules
- Payment accounts — bank account and credit card names and balances
2.3 Bank Connection Data
If you choose to connect your bank account via GoCardless (our Open Banking provider), we store connection identifiers needed to synchronize your transactions. Bank accounts are accessed in read-only mode — we cannot initiate payments or modify your accounts. Connection identifiers are encrypted at rest using AES-256-GCM.
2.4 AI Processing Data
When AI-powered categorization is enabled, transaction descriptions may be sent to OpenAI for analysis. We send only the transaction description — no amounts, account numbers, or other personally identifiable information. OpenAI does not use this data to train its models.
2.5 Technical & Usage Data
We collect minimal technical data required to operate the service:
- Session cookies — set by NextAuth.js for authentication (session token, CSRF token, callback URL)
- Sidebar preference — a cookie to remember your sidebar layout preference
We do not use analytics cookies, advertising trackers, or any third-party tracking scripts.
3. Why We Process Your Data
Under Article 6(1) of the GDPR, we process your data based on the following legal grounds:
- Contract performance (Art. 6.1.b) — Processing is necessary to provide you with the Coffee Budget service: storing transactions, managing budgets, synchronizing bank data, and categorizing expenses.
- Consent (Art. 6.1.a) — For optional features that require explicit consent, such as connecting your bank account via GoCardless or enabling AI-powered categorization. You can withdraw consent at any time.
- Legitimate interest (Art. 6.1.f) — For security measures such as duplicate detection, rate limiting, and protection against unauthorized access.
4. Third-Party Processors
We share your data with the following third-party service providers, each acting as a data processor on our behalf under a data processing agreement:
- Auth0 (Okta, Inc.) — Authentication and identity management. Processes your email, name, and login credentials. Privacy policy: okta.com/privacy-policy
- GoCardless (GoCardless Ltd.) — Open Banking connection for automatic transaction synchronization. Processes bank account identifiers and transaction data. Privacy policy: gocardless.com/privacy
- OpenAI (OpenAI, LLC) — AI-powered transaction categorization. Receives only transaction descriptions. Privacy policy: openai.com/policies/privacy-policy
- Railway (Railway Corp.) — Cloud hosting infrastructure. All application data and databases are hosted on Railway servers. Privacy policy: railway.com/legal/privacy
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
5. Data Retention
We retain your personal data for as long as your account is active and as needed to provide you with the service. Specifically:
- Account and financial data — Retained for the duration of your account. When you delete your account, all associated data is permanently removed within 30 days.
- Bank connection data — GoCardless connection tokens have a 90-day validity period and are refreshed automatically. When you disconnect a bank account, connection data is deleted immediately.
- Session data — Authentication cookies expire when your session ends or after the configured session duration.
- Backups — Database backups are retained for up to 7 days and then automatically overwritten.
6. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- All data in transit is encrypted via TLS/SSL
- Sensitive fields (bank connection identifiers, provider configurations) are encrypted at rest using AES-256-GCM
- Database connections use SSL with connection pooling
- All data queries are isolated per user — you can only access your own data
- API endpoints are protected by rate limiting and JWT authentication
- Security headers are enforced via Helmet (HSTS, CSP, X-Frame-Options)
7. Cookies
Coffee Budget uses only strictly necessary cookies required for the application to function. We do not use analytics, advertising, or tracking cookies.
- __Secure-next-auth.session-token — Maintains your authenticated session
- __Secure-next-auth.callback-url — Stores the redirect URL during authentication
- __Secure-next-auth.csrf-token — Protects against cross-site request forgery attacks
- sidebar:state — Remembers your sidebar layout preference
Since these cookies are strictly necessary for the service to function, they do not require consent under the ePrivacy Directive (2009/136/EC).
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our third-party processors. Where such transfers occur, they are protected by:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission, or
- Adequacy decisions by the European Commission for the receiving country
OpenAI and Railway are based in the United States. Transfers to the US are covered under the EU-US Data Privacy Framework. Auth0 (Okta) and GoCardless maintain EU data processing capabilities.
9. Your Rights
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Art. 18) — Request that we limit how we use your data
- Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@coffeebudget.app. We will respond to your request within one month, as required by the GDPR.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at garanteprivacy.it. However, we encourage you to contact us first so we can address your concern directly.
10. Children
Coffee Budget is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe that a child under 16 has provided us with personal data, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will notify you through the application or by email. The “Last updated” date at the top of this page indicates when the policy was last revised.
12. Contact
For any questions about this Privacy Policy or your personal data, please contact us:
Coffee Budget — Privacy Inquiries
Email: privacy@coffeebudget.app