Privacy Policy
Effective Date: November 21, 2025
Last Updated: November 21, 2025
Introduction
Plumsome LLC, doing business as fatstack ("fatstack," "we," "us," or "our"), operates a web-based financial tracking application. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website at fatstack.app and our related services (collectively, the "Services").
By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Services.
Our Privacy Commitment:
We built fatstack to be privacy-focused. Unlike many finance apps, we don't connect to your bank accounts, we don't track your spending transactions, and we don't sell your data to advertisers. You manually enter only the information you choose to share, and we use it solely to provide the Services.
1. Information We Collect
We collect information that you provide directly to us and information automatically collected when you use the Services.
A. Information You Provide Directly
Account Information:
When you create an account, we collect:
- Display name: You provide a name during signup (labeled as "Full Name" in the signup form)
- Email address
- Password (stored only as a one-way salted hash by Supabase Authentication Services, never in plaintext or reversibly encrypted form; we do not have access to your plaintext password)
System-Generated Profile Data:
When your account is created, our system automatically sets the following defaults (which you can modify in your profile settings):
- Default currency: Automatically set to USD (you can change this to any of 140+ supported currencies)
- Subscription tier: Set to "free" by default (with option to upgrade to premium)
- Account status: Set to "active"
- Last login timestamp: Tracked for security and account activity monitoring
- Timezone and date format preferences: Set to system defaults based on your browser/location
Financial Snapshot Data:
When you use the Services to track your financial accounts, you provide:
- Account names (e.g., "Chase Checking," "Emergency Savings")
- Account balance amounts
- Currency selections
- Entry dates (when you create financial snapshots)
- Optional notes or descriptions you add to entries
Communications:
When you contact us for support or inquiries, we collect:
- Your email address
- The content of your messages
- Any additional information you choose to provide
What We Do NOT Collect:
- ❌ Bank account credentials or login information
- ❌ Credit card or debit card numbers
- ❌ Social Security numbers, driver's license numbers, or other government identifiers
- ❌ Transaction-level spending data or purchase history
- ❌ Biometric data
- ❌ Precise geolocation data
B. Information Collected Automatically
Technical and Usage Information:
We automatically collect certain information when you access and use the Services, including:
- IP address
- Browser type and version
- Device type, operating system, and device identifiers
- Pages visited within the Services
- Features used and actions taken
- Date, time, and duration of visits
- Referring website or source through which you accessed the Services
- User ID and session identifiers
- Timezone preference (approximate location)
- Country-level location data (not precise location)
Analytics Data:
We use analytics services to understand how users interact with the Services:
- Vercel Analytics (for basic performance and usage metrics)
- PostHog (for product analytics and feature usage tracking)
Cookies and Similar Technologies:
We use cookies and similar technologies primarily for authentication and session management. See Section 5 for more details.
C. Information from Third Parties
Payment Processing:
We use Stripe, Inc. as our payment processor. Stripe processes your payment information and shares with us:
- Subscription status (active, canceled, expired)
- Subscription tier and billing cycle
- Email address associated with payment
- Payment method type (e.g., Visa, Mastercard)
- Stripe customer ID
We do not store or have access to your full payment card numbers. For information about how Stripe handles your payment information, please review Stripe's Privacy Policy at https://stripe.com/privacy.
Webhook Event Logging:
To ensure reliable payment processing and prevent duplicate charges, we store webhook events from Stripe in our database, including:
- Stripe event IDs (for deduplication)
- Event types (subscription created, updated, deleted, payment success/failure)
- Event timestamps
- Full event payload for debugging (includes subscription metadata, user email, and payment status)
- Link to your user account (for associating events with your profile)
Purpose: This data is used solely for:
- Preventing duplicate payment processing when Stripe retries failed webhooks
- Debugging payment and subscription issues
- Ensuring your subscription status is always accurate
- Compliance with financial record-keeping requirements
Access: This data is restricted to service role access only (backend systems) and is never exposed to other users.
Retention: Webhook event logs are retained for 90 days for operational purposes, then automatically purged. Payment records required for tax compliance are retained for 7 years as required by law.
2. How We Use Your Information
We use the information we collect for the following purposes:
Providing and Operating the Services:
- Creating and managing your user account
- Storing and displaying your financial snapshot data
- Performing currency conversions and calculations
- Enabling you to track your financial accounts over time
- Processing your subscription payments through Stripe
- Ensuring reliable payment processing and preventing duplicate charges
Improving and Developing the Services:
- Understanding how users interact with features
- Identifying and fixing technical issues and bugs
- Analyzing usage patterns to improve performance
- Developing new features and functionality
- Conducting internal research and analytics
Communicating with You:
- Responding to your inquiries and support requests
- Sending service-related notifications (when implemented)
- Providing important updates about the Services
- Notifying you of changes to our Terms of Service or Privacy Policy
Security and Fraud Prevention:
- Protecting against unauthorized access or use
- Detecting and preventing fraud or abuse
- Ensuring the security and integrity of the Services
- Investigating and responding to security incidents
Legal Compliance:
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from public authorities
- Enforcing our Terms of Service and other legal agreements
- Protecting our legal rights and interests
Business Operations:
- Maintaining business records and financial reporting
- Managing subscriptions and billing
- Performing accounting and tax compliance activities
We do not use your information for:
- ❌ Selling to third parties
- ❌ Targeted advertising based on your financial data
- ❌ Creating user profiles for marketing purposes
- ❌ Training artificial intelligence models
3. Legal Bases for Processing (EU/UK Users)
If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
Performance of a Contract:
We process your personal information to provide the Services you have requested and to fulfill our obligations under our Terms of Service.
Legitimate Interests:
We process certain information based on our legitimate business interests, including:
- Operating and improving the Services
- Ensuring security and preventing fraud
- Analyzing usage to enhance user experience
- Conducting internal business operations
- Communicating with users about the Services
We balance these interests against your rights and freedoms and only process data where our interests are not overridden by your rights.
Legal Compliance:
We process personal information to comply with legal obligations, such as tax laws, accounting requirements, and responding to valid legal requests.
Consent:
Where required by law, we obtain your consent before processing certain personal information. You may withdraw consent at any time by contacting us at support@fatstack.app.
4. How We Share Your Information
We do not sell your personal information to third parties. We share your information only in the limited circumstances described below:
A. Service Providers
We share information with third-party service providers who perform services on our behalf:
Infrastructure and Hosting:
- Supabase: Provides database hosting, authentication services, and backend infrastructure. Your account information, financial data, and webhook event logs are stored on Supabase's secure servers.
- Vercel: Hosts our web application and provides content delivery services.
Payment Processing:
- Stripe, Inc.: Processes subscription payments. Stripe receives your payment information directly and shares only subscription status and basic billing information with us. Stripe also sends webhook events to our systems to keep your subscription status synchronized.
Analytics Providers:
- Vercel Analytics: Provides basic website performance metrics.
- PostHog: Provides product analytics to help us understand feature usage and improve the Services.
These service providers are contractually obligated to protect your information and may only use it to provide services to us. We have entered into data processing agreements with our service providers that require them to process personal information only according to our instructions and to implement appropriate security measures.
B. Legal Requirements and Protection of Rights
We may disclose your information when we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms of Service or other agreements
- Detect, prevent, or address fraud, security, or technical issues
- Protect the rights, property, or safety of fatstack, our users, or the public as required or permitted by law
C. Business Transfers
If fatstack is involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
D. With Your Consent
We may share your information for other purposes with your explicit consent or at your direction.
E. Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information is not considered personal information and may be used and shared without restriction for purposes such as research, analytics, and improving our Services.
5. Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files stored on your device when you visit websites. We use cookies and similar technologies (such as web beacons and local storage) to provide and improve the Services.
Types of Cookies We Use
Essential Cookies (Required):
These cookies are necessary for the Services to function and cannot be disabled:
- Authentication cookies to keep you logged in
- Session management cookies
- Security cookies to protect against unauthorized access
- user_region: Stores your geographic region (EU/non-EU) for cookie consent compliance. Expires after 1 day.
Functional Cookies:
These cookies remember your preferences and settings to enhance your experience. They are enabled by default but can be disabled:
- sidebar:state: Remembers whether your sidebar is expanded or collapsed. Expires after 7 days.
Analytics Cookies:
These cookies help us understand how users interact with the Services:
- Vercel Analytics cookies for performance metrics
- PostHog analytics cookies for feature usage tracking
What We Do NOT Use
We do not use:
- Third-party advertising cookies
- Retargeting or remarketing cookies
- Social media tracking pixels
- Cross-site tracking technologies
Managing Cookies
Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. Please note that disabling cookies may prevent you from using certain features of the Services, particularly authentication and account access.
To learn more about cookies and how to manage them, visit: https://www.allaboutcookies.org/
6. Online Analytics
We use analytics services to collect and analyze information about how users interact with the Services. These services may use cookies and similar technologies.
Vercel Analytics
Provides aggregated, privacy-first usage statistics and performance metrics. Vercel Analytics is designed to be privacy-friendly and does not track users across sites or use advertising cookies. Data collected includes:
- Page views and navigation paths
- Performance metrics (page load times, server response times)
- Device type and browser information
- Aggregated geographic data (country-level only, not precise location)
Vercel Analytics does NOT collect personally identifiable information and cannot be used to identify individual users.
For more information, see Vercel's Privacy Policy at https://vercel.com/legal/privacy-policy.
PostHog
Provides product analytics to help us understand which features are most valuable and how to improve the Services. PostHog collects:
- Feature usage patterns: Which buttons and features you interact with
- User journey flows: How you navigate through the app
- Event tracking: Actions taken within the app (creating entries, changing settings, etc.)
- Session recordings and replays: Visual recordings of your app usage to help us identify usability issues and improve user experience
Managing PostHog Analytics:
You have control over PostHog data collection:
- Opt-out of session recordings: Disable session recordings in your profile settings under Privacy Preferences
- Opt-out of analytics entirely: Contact us at support@fatstack.app to opt out of all PostHog tracking
- Browser-level opt-out: You can block PostHog using browser privacy extensions or ad blockers
How We Use PostHog Data:
- Improving user experience and identifying usability issues
- Understanding which features are most/least valuable
- Prioritizing product development and bug fixes
- Measuring performance and reliability
What We DON'T Do with PostHog:
- We do not use analytics data for advertising or retargeting
- We do not sell or share analytics data with third parties for their marketing purposes
- We do not create user profiles for third-party marketing
- We do not track you across other websites
For more information about PostHog's data practices, see PostHog's Privacy Policy at https://posthog.com/privacy.
7. Data Security
We implement reasonable technical, administrative, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction.
Security Measures Include:
- Encryption of data in transit using HTTPS/TLS protocols
- Password hashing using industry-standard one-way algorithms (passwords are never stored in plaintext or in reversibly encrypted form)
- Secure authentication services provided by Supabase
- Access controls limiting team member access to user data
- Row-level security on sensitive data (webhook events accessible only to backend systems)
- Regular security assessments and updates
- Secure infrastructure provided by our service providers
Your Responsibility:
You are responsible for maintaining the confidentiality of your account credentials. We recommend:
- Using a strong, unique password
- Not sharing your login credentials with others
- Logging out after using the Services on shared devices
- Contacting us immediately at support@fatstack.app if you suspect unauthorized access
No Guarantee of Security:
While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we will notify you of any security breaches as required by applicable law.
8. Data Retention
Active Accounts:
We retain your information for as long as your account is active and as necessary to provide the Services.
Account Deletion:
If you request deletion of your account, we will delete your information according to the following schedule:
- Account information and financial data: Deleted within 30 days of your deletion request
- Backup copies: May persist in backup systems for up to an additional 30 days before permanent deletion
- Webhook event logs: Automatically purged after 90 days for operational purposes
- Legal and business records: Certain information may be retained longer to comply with legal obligations, including:
  - Subscription payment records: Retained for 7 years for tax and accounting purposes
  - Communications and support records: Retained as necessary for legal compliance
Aggregated Data:
We may retain aggregated, anonymized, or de-identified data indefinitely for analytics and research purposes, as this data cannot be used to identify you.
9. Third-Party Links and Services
The Services may contain links to third-party websites, applications, or services that are not owned or controlled by fatstack. This Privacy Policy applies only to the Services.
We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.
Examples of third parties you may interact with:
- Stripe for payment processing
- External websites linked from our Services
- Third-party analytics services
10. Children's Privacy
The Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If you are under 18, you may not use the Services or provide any information to us. If we learn that we have collected personal information from a child under 18, we will delete that information as quickly as possible.
If you believe we may have information from or about a child under 18, please contact us at support@fatstack.app.
11. Your Privacy Rights and Choices
You have certain rights regarding your personal information, subject to applicable law.
Rights Available to All Users
Access and Update:
You can access and update most of your information directly through your account settings in the Services, including:
- Account information (display name, email)
- Financial snapshot data (account names, balances, dates, notes)
- Profile preferences (default currency, timezone, date format)
Request Changes:
For information you cannot update directly in the app (such as your email address), contact us at support@fatstack.app.
Delete Your Account:
To delete your account and personal information, email us at support@fatstack.app. We will process your request within 30 days.
Marketing Communications:
We do not currently send marketing emails. If we implement marketing communications in the future, you will be able to opt out by following the unsubscribe instructions in those emails.
Additional Rights for EU/UK Users (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom (UK), you have the following additional rights under the GDPR:
Right of Access:
You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
Right to Rectification:
You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Right to be Forgotten):
You have the right to request deletion of your personal data in certain circumstances, such as when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing based on legitimate interests
- The data has been unlawfully processed
Right to Restriction of Processing:
You have the right to request that we restrict processing of your personal data in certain circumstances, such as when:
- You contest the accuracy of the data
- Processing is unlawful but you don't want the data erased
- We no longer need the data but you need it for legal claims
Right to Data Portability:
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Object:
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent:
Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time.
Right to Lodge a Complaint:
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside, work, or where an alleged infringement occurred.
How to Exercise Your Rights:
To exercise any of these rights, contact us at support@fatstack.app. We will respond to your request within one month (which may be extended by two additional months in complex cases).
12. California Residents' Rights
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Categories of Personal Information We Collect
We collect the following categories of personal information (as defined by the CCPA):
- Identifiers: Display name, email address, IP address, user ID, Stripe customer ID, device identifiers
- Commercial Information: Subscription status (free/premium), payment history, subscription tier, billing cycle, trial status
- Internet Activity: Browsing behavior, usage data, analytics information, feature usage patterns, page views, session information, session recordings
- Financial Information: Account names and balances (self-provided, not obtained from financial institutions), currency preferences, entry dates and timestamps
- Geolocation Data: Timezone preference (approximate location), country-level analytics data (not precise location tracking)
- Inferences: Subscription tier and usage patterns (used only for service provision, not for advertising or profiling)
Your CCPA/CPRA Rights
Right to Know:
You have the right to request that we disclose:
- The categories of personal information we collect about you
- The categories of sources from which we collect personal information
- Our business or commercial purpose for collecting personal information
- The categories of third parties with whom we share personal information
- The specific pieces of personal information we have collected about you
Right to Delete:
You have the right to request deletion of your personal information, subject to certain exceptions (such as legal obligations or fraud prevention).
Right to Correct:
You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing:
We do not sell your personal information or share it for cross-context behavioral advertising purposes. We do not sell the personal information of minors under 16 years of age.
Right to Limit Use of Sensitive Personal Information:
We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA.
Right to Non-Discrimination:
We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by:
- Denying goods or services
- Charging different prices or rates
- Providing a different level or quality of services
- Suggesting you will receive different prices or quality of services
How to Exercise Your Rights
Submit a Request:
Email us at support@fatstack.app with your request. Please include:
- Your full name
- Email address associated with your account
- Description of your request
Verification:
We will verify your identity before responding to your request. This may include asking you to confirm your email address or provide additional identifying information.
Response Time:
We will respond to verifiable requests within 45 days. If we need additional time (up to 90 days total), we will notify you of the reason and extension period.
Authorized Agents:
You may designate an authorized agent to make requests on your behalf. The authorized agent must provide proof of authorization, and we may require you to verify your identity and confirm the authorization.
13. Other State Privacy Rights
Residents of certain other U.S. states have privacy rights under their respective state laws.
Virginia Residents (VCDPA)
Virginia residents have rights to:
- Confirm whether we process their personal data and access that data
- Correct inaccuracies in personal data
- Delete personal data
- Obtain a copy of personal data in a portable format
- Opt out of targeted advertising, sale of personal data, or profiling
Colorado Residents (CPA)
Colorado residents have rights to:
- Confirm whether we process their personal data and access that data
- Correct inaccuracies in personal data
- Delete personal data
- Obtain a copy of personal data in a portable format
- Opt out of targeted advertising, sale of personal data, or profiling
Connecticut Residents (CTDPA)
Connecticut residents have rights to:
- Confirm whether we process their personal data and access that data
- Correct inaccuracies in personal data
- Delete personal data
- Obtain a copy of personal data in a portable format
- Opt out of targeted advertising, sale of personal data, or profiling
Utah Residents (UCPA)
Utah residents have rights to:
- Confirm whether we process their personal data and access that data
- Delete personal data
- Obtain a copy of personal data in a portable format
- Opt out of targeted advertising or sale of personal data
Nevada Residents
Nevada residents have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that information to additional persons. We do not sell personal information as defined under Nevada law.
However, if you are a Nevada resident and would like to submit an opt-out request for any potential future sales, you may contact us at support@fatstack.app with "Nevada Opt-Out Request" in the subject line. We will maintain your request in the event our practices change.
How to Exercise State Privacy Rights
To exercise any of these rights, email us at support@fatstack.app with your request. Please include:
- Your full name
- Email address associated with your account
- Your state of residence
- Description of your request
Verification:
We will verify your identity before responding to your request. This may include asking you to confirm your email address or provide additional identifying information.
Response Time:
We will respond to verifiable requests within the timeframes required by applicable state law (typically 45 days). If we need additional time, we will notify you of the reason and extension period.
Right to Appeal:
If we deny your request, you have the right to appeal our decision. We will provide information on how to appeal in our response to your request. To submit an appeal, email us at support@fatstack.app with "Privacy Request Appeal" in the subject line, along with:
- A description of the original request
- The reason you believe the denial was incorrect
- Any supporting information
We will respond to your appeal within the timeframe required by applicable law (typically 45-60 days depending on the state).
Note: We do not engage in targeted advertising or sell personal information as defined by these state laws.
14. International Data Transfers
The Services are operated from the United States. If you are accessing the Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
Data Protection Standards:
The United States may have data protection laws that differ from those in your country. However, we implement appropriate safeguards to protect your information in accordance with this Privacy Policy and applicable law.
EU/UK Users:
For transfers of personal data from the European Economic Area or United Kingdom to the United States, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Adequate security measures and data protection practices
- Compliance with GDPR requirements for international transfers
By using the Services, you consent to the transfer of your information to the United States and other countries where our service providers operate.
15. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, as defined under the GDPR or other applicable privacy laws.
Any analytics or data processing we conduct is used solely to improve the Services and understand user behavior at an aggregate level. We do not make automated decisions about you that would significantly affect your rights or interests.
16. Do Not Track Signals
Some web browsers have "Do Not Track" (DNT) features that allow users to signal their privacy preferences. Currently, there is no industry standard for how to respond to DNT signals.
At this time, we do not respond to DNT signals from web browsers. However, we do not track users across third-party websites or engage in behavioral advertising, so DNT signals have limited applicability to our Services.
We may adopt a DNT standard in the future if one becomes widely accepted.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make changes, we will:
- Update the "Last Updated" date at the top of this Privacy Policy
- Notify you of material changes by email (to the address associated with your account) or through a prominent notice on the Services
- Provide you with an opportunity to review the changes before they take effect, where required by law
Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Privacy Policy, you must stop using the Services.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email:
Mailing Address:
Plumsome LLC
5441 S Macadam Ave, Suite N
Portland, OR 97239
United States
EU/UK Representative:
For users in the European Economic Area or United Kingdom, if you have concerns about our data practices, you may also contact your local data protection authority.
Response Time:
We will make reasonable efforts to respond to your inquiry within 30 days.
This Privacy Policy was last updated on November 21, 2025 and is effective as of November 21, 2025.