Effective March 26, 2026

Privacy Policy

Your privacy is fundamental to how we build TrackFi. This policy explains exactly what data we collect, why we collect it, how it is used, and what rights you have over it.

1. Introduction & Data Controller Identity

This Privacy Policy (“Policy”) describes how TrackFi (“TrackFi,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the TrackFi web application and all associated services (collectively, the “Service”) available at trackfi.me.

For purposes of the General Data Protection Regulation (GDPR), the UK GDPR, the Lei Geral de Proteção de Dados (LGPD), and the California Consumer Privacy Act (CCPA), TrackFi is the data controller in respect of your personal data processed through the Service.

This Policy applies to all users of the Service globally. Where specific provisions apply only to users in certain jurisdictions (EU/UK, Brazil, or California), this will be clearly indicated.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use the Service.

2. Data We Collect

We collect the following categories of personal data when you use TrackFi:

Account Data

Provided via Google OAuth at sign-in

When you authenticate with Google OAuth, we receive and store:

  • Full name — as registered in your Google account
  • Email address — your primary Google account email
  • Profile picture — your Google account profile photo URL
  • Google user ID — used internally to link your account

Financial Data

Entered manually by you; stored in Firebase Firestore

All financial data in TrackFi is entered manually by you. We store:

  • Transaction records (amount, date, description, category)
  • Account names and balances
  • Budget rules and savings goals
  • Custom categories and tags
  • Notes attached to transactions

TrackFi never connects to or accesses your actual bank accounts, credit cards, or investment accounts.

Usage Data

Collected automatically when you use the Service

  • Pages and features accessed within the application
  • Session duration and frequency of use
  • Feature interaction events (e.g., button clicks, dashboard views)
  • Error events and performance metrics

Payment Data

Collected and processed by Stripe — we do not store card details

When you subscribe to the Pro plan, payment processing is handled entirely by Stripe, Inc. TrackFi receives from Stripe:

  • Your Stripe Customer ID
  • Subscription status and billing cycle
  • Last 4 digits of your card (for display purposes only)
  • Billing country and currency

We never store your full card number, CVV, or other sensitive payment credentials. Stripe is PCI DSS Level 1 certified.

Technical Data

Collected automatically by our infrastructure

  • IP address
  • Browser type and version
  • Device type and operating system
  • Time zone setting
  • Language preferences
  • Referring URL

3. How We Use Your Data

We use the personal data we collect for the following specific purposes:

  1. Providing and operating the Service: To authenticate your identity, create and manage your account, store and retrieve your financial data, display dashboards and reports, and deliver all features of the Service to you.
  2. Processing payments and managing subscriptions: To process Pro plan subscription payments via Stripe, manage your billing cycle, enforce subscription entitlements, and send receipts and billing notifications.
  3. Improving the Service: To analyze usage patterns, identify bugs and performance issues, understand how users interact with features, and make informed decisions about product improvements and new features. Analytics data is aggregated and anonymized where possible.
  4. Communications: To send transactional emails (account confirmation, billing receipts, password-related notices via Google), service announcements (e.g., planned maintenance, security alerts), and, where you have consented, product updates and newsletters.
  5. Security and fraud prevention: To detect, investigate, and prevent fraudulent or unauthorized activity, enforce our Terms of Service, protect TrackFi and our users, and comply with legal obligations related to security incident reporting.
  6. Legal compliance: To fulfill our obligations under applicable law, including data protection laws (GDPR, LGPD, CCPA), financial record-keeping requirements, tax obligations, and to respond to lawful requests from public authorities, courts, or regulators.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We do not use your financial data for targeted advertising.

4. Legal Basis for Processing (GDPR Art. 6)

EU / UKApplies to users in the European Union and United Kingdom

Under the GDPR and UK GDPR, we are required to identify a legal basis for each purpose for which we process personal data. Our legal bases are as follows:

Performance of a Contract (Art. 6(1)(b))

Creating and managing your account; storing and displaying your financial data; processing subscription payments; providing core Service features. This processing is necessary to perform the contract we have with you (the Terms of Service).

Legitimate Interests (Art. 6(1)(f))

Improving the Service through aggregated analytics; fraud detection and security monitoring; sending important service announcements. Our legitimate interests are to operate a secure, functional, and improving Service. We have assessed that these interests are not overridden by your fundamental rights.

Legal Obligation (Art. 6(1)(c))

Retaining financial records for the periods required by applicable tax and accounting law; responding to lawful requests from regulators and courts.

Consent (Art. 6(1)(a))

Sending optional marketing communications or newsletters (if you opt in). You may withdraw your consent at any time by unsubscribing or reaching us via our contact form.

5. Data Processors & Third Parties

We share personal data with the following sub-processors and third-party service providers solely for the purposes described in this Policy:

Google LLC

Authentication (OAuth 2.0) & Data Storage (Firebase Firestore)

Google provides our authentication layer and cloud database infrastructure. Your account data and financial data are stored in Google Firebase Firestore. Google is headquartered in the United States.

International transfers (EU/UK): EU / UK Data transfers to Google in the US are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. Google is also certified under applicable data transfer frameworks. See Google’s Privacy Policy.

Stripe, Inc.

Payment processing

Stripe processes all Pro plan subscription payments. Stripe is PCI DSS Level 1 compliant — the highest level of payment security certification. Stripe handles your payment card details directly; TrackFi never receives or stores your full card number.

International transfers (EU/UK): EU / UK Data transfers to Stripe in the US are covered by SCCs. See Stripe’s Privacy Policy.

Vercel, Inc.

Application hosting & edge delivery

Our application is hosted on Vercel’s infrastructure. Vercel processes technical data (including IP addresses) as part of delivering the Service. Vercel’s infrastructure is SOC 2 Type II audited.

See Vercel’s Privacy Policy.

We do not share your personal data with any other third parties except: (a) as required by law or legal process; (b) to protect the rights and safety of TrackFi or others; (c) in connection with a merger, acquisition, or sale of assets, where we will notify you before your personal data is transferred and becomes subject to a different privacy policy; or (d) with your explicit consent.

6. Data Retention

We retain your personal data for only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law:

Account data

Retained until you delete your account. Upon deletion, your name, email, and profile picture are removed from our systems within 30 days, except where retention is required by law.

Financial data (transactions, accounts, budgets)

Retained until you delete your account or delete individual records. Certain aggregated financial records may be retained for up to 7 years to comply with applicable tax and financial record-keeping obligations.

Usage and analytics data

Retained for up to 26 months from the date of collection, after which it is deleted or anonymized.

Payment and billing records

Retained for 7 years from the date of the transaction to comply with financial, tax, and accounting legal obligations.

Technical and security logs

Retained for up to 12 months for security, fraud prevention, and debugging purposes.

When we no longer have a lawful basis to retain your data, we will securely delete or anonymize it. If you request deletion of your account, we will delete your personal data within 30 days, subject to the retention obligations described above.

7. International Data Transfers

TrackFi is a global service. Your personal data may be transferred to and processed in countries outside of your country of residence, including the United States, where our key infrastructure providers (Google, Stripe, Vercel) are headquartered.

EU / UK When we transfer personal data from the European Economic Area (EEA) or the United Kingdom to third countries that do not have an adequate level of data protection, we use appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914), incorporated into our data processing agreements with Google (Firebase), Stripe, and Vercel;
  • Adequacy decisions where applicable — we will rely on any adequacy decision covering a relevant country or sector;
  • Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest, access controls, and pseudonymization where feasible.

Brazil International data transfers from Brazil are conducted in accordance with the LGPD (Art. 33), relying on contractual clauses, standard contractual clauses, or transfers to countries that provide an adequate degree of protection as determined by the Autoridade Nacional de Proteção de Dados (ANPD).

You may request a copy of the safeguards we use for international data transfers by contacting us at our contact form.

8. Your Rights

You have a number of rights regarding your personal data. These rights vary depending on your jurisdiction and are described below.

EU / UKGDPR & UK GDPR Rights
  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ('right to be forgotten'), subject to our legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: File a complaint with your national data protection supervisory authority (e.g., CNIL in France, ICO in the UK, DPA in Ireland).
BrazilLGPD Rights (Lei nº 13.709/2018)
  • Confirmação e acesso: Request confirmation that your data is being processed and access a copy of your data (Art. 18, I and II).
  • Correção: Request correction of incomplete, inaccurate, or outdated data (Art. 18, III).
  • Anonimização, bloqueio ou eliminação: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD (Art. 18, IV).
  • Portabilidade: Request portability of your data to another service provider (Art. 18, V).
  • Eliminação: Request deletion of personal data processed with your consent, except where retention is required by law (Art. 18, VI).
  • Informação sobre compartilhamento: Request information about which public and private entities your data has been shared with (Art. 18, VII).
  • Revogação do consentimento: Revoke your consent at any time, where processing is based on consent (Art. 18, IX).
  • Reclamação à ANPD: File a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
CaliforniaCCPA / CPRA Rights (California)
  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, security purposes).
  • Right to Opt-Out of Sale or Sharing: TrackFi does not sell or share your personal information for cross-context behavioral advertising. If this practice changes, we will provide a 'Do Not Sell or Share My Personal Information' link.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Limit Use of Sensitive Personal Information: Request limitation on our use of sensitive personal information (as defined by CPRA) to necessary purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different level of service or different prices for exercising these rights.

California residents may also submit rights requests via an authorized agent. We will verify your identity before processing any request.

To exercise any of these rights, please contact us at our contact form (or our contact form for EU/UK users). We will respond to verified requests within the timeframes required by applicable law (generally 30 days, with a possible extension of up to 30 additional days for complex requests).

9. Cookies & Similar Technologies

TrackFi uses a minimal approach to cookies, consistent with our commitment to privacy. We use only the following categories of cookies:

Strictly Necessary / Functional Cookies

These cookies are essential for the Service to function correctly. They include session cookies used by NextAuth.js to maintain your authenticated session, CSRF protection tokens, and user preferences (such as your selected theme or language). These cookies cannot be disabled without impairing core functionality.

Authentication Cookies

Set by NextAuth.js to manage your login session securely. These are HTTP-only, secure cookies that expire at the end of your session or after a defined inactivity period.

We do not use third-party tracking cookies, advertising cookies, or behavioral profiling cookies. We do not use Google Analytics, Meta Pixel, or similar third-party advertising trackers on the TrackFi application.

You can control and manage cookies through your browser settings. Note that disabling functional/session cookies will prevent you from logging in to TrackFi. For more information about managing cookies, visit allaboutcookies.org.

10. Children’s Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If you are under 16 years of age, you must not use the Service or provide any personal data to us.

If you are a parent or guardian and believe that your child under 16 has provided personal data to us without your consent, please contact us immediately at our contact form. Upon verification, we will promptly delete the minor’s personal data from our systems.

This policy applies regardless of jurisdiction. For users in the EU/UK, we comply with the age-based consent thresholds under GDPR Article 8. For users in the US, we comply with the Children’s Online Privacy Protection Act (COPPA).

11. Security Measures

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in transit: All communications between your browser and TrackFi are encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints.
  • Encryption at rest: Your data stored in Firebase Firestore is encrypted at rest using AES-256 by Google’s infrastructure.
  • SOC 2 infrastructure: Firebase (Google Cloud) and Vercel both maintain SOC 2 Type II certification, providing independent verification of their security controls.
  • Authentication security: We use Google OAuth 2.0 exclusively, meaning we never store passwords. All session tokens are HTTP-only, secure, and SameSite=Lax to prevent cross-site attacks.
  • Access controls: Access to production data is restricted on a strict need-to-know basis with multi-factor authentication required for all administrative access.
  • PCI DSS compliance: Payment card data is never transmitted to or stored on our servers. All payment processing is delegated to Stripe’s PCI DSS Level 1 certified infrastructure.

While we implement these measures, no security system is impenetrable. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities in accordance with applicable law (within 72 hours for GDPR/UK GDPR, and as required by LGPD and applicable US state laws).

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Effective” date at the top of this Policy;
  • Send an email notification to your registered email address; and/or
  • Display a prominent notice within the Service.

For material changes that affect your rights or the way we process your data, we will provide at least 30 days’ advance notice before the changes take effect. Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes.

We encourage you to review this Policy periodically to stay informed about how we protect your information.

13. Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the details below:

TrackFi Privacy Team

General Privacy Inquiries

our contact form

Data Protection Officer (EU/UK Users) EU / UK

our contact form

EU/UK users may contact our DPO directly for GDPR and UK GDPR inquiries, including data subject access requests and complaints.

We aim to respond to all privacy-related inquiries within 5 business days. For formal data subject requests, we will respond within the timeframe required by applicable law (30 days under GDPR, with a possible 60-day extension for complex requests).

If you are not satisfied with our response to your privacy inquiry, you have the right to lodge a complaint with the relevant supervisory authority:

  • EU: EU Your national data protection authority (e.g., CNIL — France, BfDI — Germany, Garante — Italy, AEPD — Spain, DPC — Ireland)
  • UK: UK The Information Commissioner’s Office (ICO) at ico.org.uk
  • Brazil: Brazil Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd
  • California: California California Attorney General’s Office at oag.ca.gov/privacy