Skip to main content

Privacy Policy

Last updated: 15 February 2026

Version: v0.9.0 (Early Access)

Introduction

Welcome to BalanceOne. We're a small team that built this personal finance tracking platform to help you and your trusted family or friends share financial insights together.

This Privacy Policy explains how we collect, use, store, and protect your personal and financial information when you use BalanceOne.

Key principles:

  • Your data belongs to you
  • We only collect what's necessary
  • We never sell your data
  • You control who sees your financial information
  • Your data stays in Australia

Information We Collect

Account Information

  • Name, email address
  • Encrypted password (hashed with bcrypt, never stored in plaintext)
  • Profile settings and preferences

Financial Data

  • Portfolios (names, descriptions, currency settings)
  • Wealth accounts (names, types, balances)
  • Transactions (date, amount, description, category, notes)
  • File attachments (receipts, documents you upload)
  • Portfolio members and sharing permissions

Portfolio Sharing

  • Portfolio invitations you send or receive
  • Member permissions (view, edit)
  • Sharing history (who you've invited, when)

Communications

  • Support requests and correspondence
  • Feedback you provide

Usage Data

  • Pages you visit (anonymized via Vercel Analytics)
  • Features you use (anonymized)
  • Performance metrics (page load times via Vercel Speed Insights)
  • Error logs (anonymized, for debugging)

Note: Usage data is cookieless, anonymized, and GDPR-compliant. We see aggregated statistics (e.g., "50 users visited the Portfolio page"), not individual activity.

Technical Data

  • IP address (for security and fraud prevention only)
  • Browser type and version
  • Device type
  • Login timestamps

How We Use Your Information

We use your information to:

  1. Provide the service: Create and manage your portfolios, accounts, and transactions
  2. Enable portfolio sharing: Share financial insights with people you invite
  3. Communicate with you: Send transactional emails (welcome, password resets), respond to support requests
  4. Improve the app: Analyze anonymized usage patterns to fix bugs and improve features
  5. Ensure security: Detect fraud, prevent abuse, and protect your account
  6. Comply with legal obligations: Respond to legal requests (e.g., court orders)

We will NEVER:

  • Sell your data to third parties
  • Share your financial data for advertising or marketing purposes
  • Use your data to train AI models (your data won't become part of a model's learning)
  • Browse your data out of curiosity

How We Share Your Information

We share your information only in these limited circumstances:

With Your Explicit Consent

  • Portfolio sharing: When you invite someone to a portfolio, they see the financial data you've explicitly shared with them (based on portfolio permissions)

With Service Providers

We use trusted third-party services to operate BalanceOne. These services process your data only as instructed and are bound by strict confidentiality agreements:

  • Supabase: Database and authentication (Sydney, Australia region)
  • Vercel: Application hosting and edge network (Sydney, Australia region)
  • Resend: Transactional email delivery (Tokyo, Japan)
  • Vercel Analytics: Anonymized usage analytics (GDPR-compliant, cookieless)
  • Vercel Speed Insights: Performance monitoring (GDPR-compliant, cookieless)
  • Future AI providers (when AI features launch): OpenAI, Anthropic: AI-powered insights (opt-in only, zero-retention, not for training)

See the Third-Party Services section below for details.

For Legal Reasons

We may disclose your information if required by law:

  • To comply with court orders, subpoenas, or legal processes
  • To protect our rights, property, or safety, or that of our users
  • To investigate fraud, security issues, or violations of our Terms of Service

We will notify you of legal requests unless prohibited by law.

Business Transfers

If BalanceOne is acquired or merged, your data may be transferred to the new owner. You'll be notified and have the option to delete your account before the transfer.

AI-Powered Features (Future)

We're planning to offer AI-powered insights to help you understand your finances better—like identifying spending patterns, suggesting smart categorization, or providing budget recommendations.

How It Works

  • Future feature: AI-powered insights are not yet available
  • Opt-in only: AI features will be disabled by default. You must explicitly enable them in Settings
  • Your data, your insights: When you enable AI, we'll send your transaction data to trusted AI providers (OpenAI, Anthropic) for temporary analysis. They process your data and return personalized insights only to you
  • Zero-retention: Your data is processed temporarily and immediately deleted by the AI provider. It's not stored, logged, or kept for any other purpose
  • Not for training: Your data will NEVER be used to train AI models (your data won't become part of a model's learning)
  • Your control: You can disable AI features anytime from Settings

Privacy-First Approach

  • We only send the minimum data needed for insights (e.g., transaction amounts and categories, not your name)
  • AI providers are contractually bound by zero-retention agreements
  • Your data never leaves Australia except temporarily for AI processing (and is immediately deleted)

Not yet available

Learn more: See our Security page for technical details

Third-Party Services

We use the following third-party services to operate BalanceOne:

Supabase (Database & Authentication)

  • Purpose: Stores your data and manages authentication
  • Data shared: All your BalanceOne data (portfolios, transactions, profile)
  • Region: Sydney, Australia
  • Security: AES-256 encryption at rest, TLS 1.3 in transit, Row Level Security (RLS) enforced
  • https://supabase.com/privacy

Vercel (Application Hosting)

Resend (Transactional Emails)

Vercel Analytics (Usage Analytics)

  • Purpose: Anonymized usage statistics to improve the app
  • Data shared: Page views, feature usage (anonymized, no personal data)
  • Privacy: Cookieless, GDPR-compliant, cannot identify individual users
  • https://vercel.com/legal/privacy-policy

Vercel Speed Insights (Performance Monitoring)

OpenAI & Anthropic (Future AI Features)

  • Purpose: AI-powered financial insights (opt-in only, not yet available)
  • Data shared: Transaction data (when you enable AI features)
  • Retention: Zero-retention (data deleted immediately after processing)
  • Privacy: Not used for training, contractually bound
  • https://openai.com/privacy, https://anthropic.com/privacy

Alternative analytics: We may evaluate alternative analytics platforms (PostHog, Plausible) in the future. If we change analytics providers, we will update this policy.

Data Security

Currently, BalanceOne is operated by Christian (founder). Administrative access is:

Encryption

  • In transit: TLS 1.3 encryption for all communications
  • At rest: AES-256 encryption for all database data
  • Passwords: bcrypt hashing with salt (never stored in plaintext)

Access Controls

  • Row Level Security (RLS): Database automatically enforces access rules
  • Multi-layer enforcement: Access restrictions at database, API, and UI levels
  • Secure sessions: JWT tokens with automatic expiration

Infrastructure Security

  • DDoS protection: Vercel provides automatic protection
  • Data residency: All financial data stays in Australian data centers (Sydney)
  • Automatic backups: Encrypted backups in Sydney region

BalanceOne Team Access

  • Support only: Access occurs only when you contact support@balanceone.app
  • Production debugging: Rare cases for critical system errors (access logged)
  • No routine access: No production user data has been accessed to date
  • Audit logging: Coming soon (view your access log in Settings → Data & Privacy)

Learn more: See our Security page for technical details

Your Rights and Choices

What is "your data"? Your data includes everything you create in BalanceOne: profile information, portfolios, accounts, transactions, notes, and file attachments. For shared portfolios, your export includes shared data you have access to, but excludes other members' private items.

Access and Portability

View your data: All your data is accessible within the BalanceOne app at any time.

Export your data: Coming soon — Download your data from Settings → Data & Privacy.

What's included in your export:

  • Your profile information (name, email, settings, preferences)
  • Portfolios you own (complete data)
  • Portfolios you're a member of (shared data only)
  • Your transactions, accounts, and balances
  • Shared transactions and accounts from portfolio members (if not marked private)
  • Your notes and descriptions
  • File attachments you uploaded
  • Access log (when BalanceOne staff accessed your account, if any)

What's NOT included:

  • Password: Excluded for security
  • Other members' private data: Transactions, accounts, or notes that other portfolio members marked as private are excluded from your export
  • Portfolios you don't own: If you're only a member (not owner) of a shared portfolio, only the data shared with you is included
  • System data: Server logs, IP addresses, technical metadata
  • Analytics: Aggregated, anonymized usage statistics

Privacy rule: Your export includes only data you created or data explicitly shared with you by portfolio owners. We respect all privacy settings.

Export formats: JSON (machine-readable) or CSV (spreadsheet-compatible)

Correction and Deletion

Update your data: Edit your profile, portfolios, accounts, and transactions anytime through the app.

Delete your account: Coming soon — Request account deletion from Settings → Data & Privacy.

Immediate actions (Day 0):

  • Your account is locked (you can't login)
  • All portfolio owners you've shared with are notified
  • 30-day grace period begins (you can cancel deletion during this time)

After 30 days:

  • Your profile: Permanently deleted (name, email, password, settings)
  • Your private data: All items marked as private are permanently deleted
  • Portfolios you own: You must transfer ownership or delete these portfolios before deleting your account
  • Your contributions to shared portfolios: Transactions, accounts, and notes you added remain visible to portfolio members (financial history is preserved), but your identity is anonymized to "Former Member"
  • Portfolios you're a member of: You're removed as a member; the portfolio continues without you

Why shared data is preserved: Shared portfolio data is co-owned by the portfolio owner. Other members rely on this data for their financial tracking. Deleting your contributions would break their financial history. Your contributions remain, but your personal information is removed.

Legal retention: We may retain limited data if required by law (e.g., financial records for tax purposes, typically 7 years in Australia).

To restore your account: Email support@balanceone.app within 30 days with your registered email address.

We'll send a confirmation email with next steps and a list of affected portfolios.

Portfolio Sharing Controls

  • Invite members: You control who can access your portfolios.
  • Remove members: You can remove someone's access anytime from Portfolio Settings.
  • Leave portfolio: You can leave a shared portfolio anytime.

Marketing Communications

  • Transactional emails: We send essential emails (welcome, password resets, security alerts). These cannot be opted out of.
  • Marketing emails: We don't currently send marketing emails. If we do in the future, you'll be able to opt out via an unsubscribe link.

Data Retention

Active accounts: Data retained indefinitely while you use BalanceOne

Deleted accounts: 30-day grace period (data kept but inaccessible, you can restore). After 30 days, data permanently deleted (except anonymized shared portfolio contributions).

Legal retention: Some data may be retained longer if required by law (e.g., financial records for 7 years)

Backups: Deleted data is removed from backups within 90 days

Children's Privacy

BalanceOne is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us at support@balanceone.app and we will delete it.

International Users

BalanceOne is operated from Australia. Your data is stored in Australian data centers (Sydney region), except for:

  • Transactional emails: Routed through Resend servers in Tokyo, Japan
  • Future AI processing: Temporary processing by OpenAI (US) or Anthropic (US), with immediate deletion

If you access BalanceOne from outside Australia, your information will be transferred to and stored in Australia. By using BalanceOne, you consent to this transfer.

GDPR (EU users): BalanceOne is designed with privacy principles that align with GDPR. You have rights to access, correct, delete, and export your data. Contact us at support@balanceone.app to exercise these rights.

Cookies and Tracking

BalanceOne uses minimal cookies for essential functionality:

Essential cookies:

  • Authentication: Session token (JWT) to keep you logged in
  • Security: CSRF protection token

Analytics: Vercel Analytics and Speed Insights are cookieless (no tracking cookies or persistent identifiers)

Third-party cookies: We do not use third-party advertising or tracking cookies.

Browser storage: We use local storage to cache app preferences (e.g., theme, currency). This data stays on your device and is not sent to our servers.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we'll notify you by email or through the app.

Version history:

  • v0.9.0 (February 15, 2026): Early access version for pilot users

Contact Us

Questions about this Privacy Policy or how we handle your data?

Email: support@balanceone.app

Response time: Within 48 hours

BalanceOne is committed to transparency and protecting your privacy. Thank you for trusting us with your financial data.