Privacy Notice

Last updated: May 3, 2026

This Privacy Notice for BudgetBotApp, LLC ("Company," "we," "us," or "our"), a limited liability company organized under the laws of the State of Delaware, United States, describes how and why we access, collect, store, use, and/or share ("process") your personal information when you use our services (the "Services"), including when you:

  • visit our website at https://budgetbot.app or any related website that links to this Privacy Notice;
  • register for or use the BudgetBot personal finance application, including the spreadsheet interface and the BudgetBot AI assistant;
  • link a bank, brokerage, or other financial account through our third-party data aggregator, Plaid Inc.;
  • purchase, upgrade, downgrade, cancel, or otherwise manage a paid subscription processed by Stripe, Inc.;
  • communicate with us, including by email, support request, newsletter sign-up, or other channel.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use the Services. If you still have questions or concerns, please contact us at admin@budgetbot.app.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice. You can find more details about any of these topics in the corresponding numbered sections below.

What personal information do we process? When you visit, use, or navigate the Services, we may process personal information depending on how you interact with us, the choices you make, and the products and features you use. This includes account information (such as your name, email address, and password hash), financial account and transaction data obtained through Plaid when you connect a financial account, the contents of the spreadsheets you create in the Services, prompts and conversations you have with the BudgetBot AI assistant, and limited billing information from Stripe. See Section 1.

Do we process any sensitive personal information? We do not intentionally collect categories of information defined as "sensitive," "special," or "sensitive personal information" under applicable law (such as racial or ethnic origin, sexual orientation, religious beliefs, or precise geolocation). Information about your finances obtained from your linked accounts may be considered sensitive in some jurisdictions; we process this information solely to provide the Services to you. See Section 1.

Do we collect any information from third parties? Yes. We receive information from financial-data aggregators (Plaid), payment processors (Stripe), single sign-on providers (Google, if you choose to sign in with Google), email and authentication infrastructure providers, and analytics providers. See Section 1.

How do we process your information? We process your information to provide, operate, secure, and improve the Services; communicate with you; administer your account and subscription; respond to support requests; comply with our legal obligations; and, where permitted, with your consent. See Section 2.

In what situations and with which parties do we share personal information? We share information with our service providers (including Plaid, Stripe, Microsoft Azure, the Microsoft Azure OpenAI Service, Google, PostHog, Azure Communication Services, and Selzy), in connection with legal process, with your consent, and in connection with a corporate transaction. We do not sell your personal information. See Section 3.

What about the BudgetBot AI assistant? When you submit a prompt to the BudgetBot AI assistant, your prompt, your conversation history, and the contents of the spreadsheet sheet you have open at the time of your request are sent to Microsoft's Azure OpenAI Service for processing. See Section 5.

What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information, including the rights to access, correct, delete, port, restrict, or object to processing of your personal information, and to withdraw consent. See Section 11.

How do you exercise your rights? The easiest way is to email us at admin@budgetbot.app or to use the deletion controls in your account settings. We will consider and act upon any request in accordance with applicable data protection laws. See Section 14.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you voluntarily provide to us when you register for or use the Services.

We collect personal information that you voluntarily provide to us when you register for the Services, express an interest in obtaining information about us or our products, participate in activities on the Services, or otherwise contact us. The personal information we collect depends on the context of your interactions with us, the choices you make, and the products and features you use, and may include:

  • Account information: your full name, email address, and a password (which we store only as a salted scrypt hash; we never store your plaintext password). We also generate and store short-lived email verification codes and password-reset tokens.
  • Single sign-on profile information: if you create or access an account using Google, we receive limited profile information from Google, such as your email address, name, and a unique Google account identifier, in accordance with the authorization scopes you approve.
  • Subscription and billing information: when you purchase a paid plan, our payment processor (Stripe) collects your payment card details directly. We receive a Stripe customer identifier and limited subscription metadata (such as plan, interval, status, current period start and end, and whether the subscription is set to cancel). We do not receive or store full payment card numbers, CVV codes, or bank account numbers.
  • Financial-account information from Plaid: when you choose to link a financial account, you authenticate with your financial institution through Plaid. Plaid returns to us an access token and a list of accounts you have selected, along with the name of the institution and account identifiers. We use the access token to retrieve account balances and transactions on your behalf. Your bank login credentials are submitted to Plaid and are not received, stored, or accessible by us.
  • Financial transactions: when you choose to populate a spreadsheet with transaction data, we retrieve up to the most recent sixty (60) days of transactions for the accounts you select. This data may include merchant name, transaction date, amount, category, counterparty, payment channel, location, and similar metadata returned by Plaid.
  • Spreadsheet content: the cell values, formulas, formats, sheets, tables, named ranges, and other content you create, import, paste, or otherwise enter into the Services.
  • BudgetBot AI conversations: the prompts and messages you submit to the BudgetBot AI assistant, our responses to you, and the contents of the spreadsheet sheet that is open at the time of your request.
  • Communications and support content: the contents of any messages you send us by email or through other support channels, and any newsletter or marketing preferences you express.

Sensitive information. We do not request or intentionally collect categories of information that are treated as "sensitive" or "special" under applicable law (for example, racial or ethnic origin, sexual orientation, religious or philosophical beliefs, trade union membership, biometric or genetic data, or precise geolocation). Information about your finances and transactions obtained through Plaid may be considered sensitive in certain jurisdictions; we process such information only as needed to provide and operate the Services.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not by itself reveal your identity (such as your name or contact information) but may include: device and usage information, IP address, browser and device characteristics, operating system, language preferences, referring URLs, country, approximate (city- or region-level) location derived from your IP address, information about how and when you use the Services, and other technical information. We collect this information primarily to maintain the security and operation of the Services, for debugging and troubleshooting, and for our internal analytics and reporting.

Like many websites, we also collect information through cookies, similar technologies, and server logs. See Section 4.

Information we receive from third parties

We may receive information about you from third parties, including:

  • Plaid Inc. — account, balance, and transaction data for the financial accounts you have authorized us to access. By using the Services to link a financial account, you also agree to Plaid's end-user privacy policy, available at https://plaid.com/legal/.
  • Stripe, Inc. — subscription, customer, and billing-event metadata associated with your account.
  • Google LLC — profile information you authorize Google to share when you sign in with Google.
  • Analytics, infrastructure, and email providers — aggregate usage information, delivery and engagement events, authentication telemetry, and similar operational data.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, operate, secure, and improve the Services, communicate with you, comply with law, and, where permitted, with your consent.

We process your personal information for a variety of reasons, depending on how you interact with the Services, including:

  • To provide and administer the Services — for example, to create your account, authenticate you, render and persist your spreadsheet, retrieve transactions from your linked accounts, generate AI responses, and remember your preferences (such as your theme).
  • To process subscriptions and payments — to provision your plan, charge recurring fees through Stripe, manage renewals, downgrades, and cancellations, and respond to billing inquiries.
  • To communicate with you — to send transactional emails (for example, email-address verification codes, password-reset links, billing receipts, and subscription notifications), to respond to your support requests, and, with your consent or where otherwise permitted, to send product updates and marketing communications.
  • To operate the BudgetBot AI assistant — to process your prompts, conversation history, and currently open spreadsheet contents through the Microsoft Azure OpenAI Service to generate a response.
  • To enforce our usage limits and plan tiers — for example, to enforce the daily AI-request and linked-account limits associated with your plan.
  • For security and fraud prevention — to detect, investigate, and prevent fraudulent, unauthorized, or illegal activity; enforce our Terms of Service; and protect the rights, property, and safety of you, us, or others.
  • For analytics and product improvement — to understand how the Services are used, identify and fix bugs, evaluate feature flags and experiments, and improve the Services.
  • To comply with legal obligations — for example, to respond to valid legal process, regulatory inquiries, tax and accounting obligations, and to enforce our agreements.
  • For other purposes with your consent — we may process your information for any other purpose disclosed to you at the time we collect the information, or with your consent.

Legal bases for processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under applicable data protection law to process your personal information:

  • Performance of a contract — to provide the Services you have requested under our Terms of Service.
  • Legitimate interests — to operate, secure, and improve the Services, prevent fraud and abuse, communicate with you about the Services, and conduct analytics, where these interests are not overridden by your data protection rights.
  • Consent — where required by law, for example for certain marketing communications and non-essential cookies. You may withdraw your consent at any time.
  • Legal obligation — to comply with legal, regulatory, tax, or accounting obligations.
  • Vital interests — in rare cases, to protect your or another person's vital interests.

We do not use your personal information for solely automated decision-making that produces legal or similarly significant effects about you. The BudgetBot AI assistant generates suggestions and commentary for informational purposes only and does not make decisions about you.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information with vetted service providers that help us operate the Services, with your consent, in response to legal process, and in connection with a corporate transaction. We do not sell your personal information.

Service providers

We rely on third-party service providers (also referred to as "processors") to operate the Services. These providers process personal information on our behalf and are contractually required to use it only for the purposes for which we engaged them and in accordance with applicable law. Our principal service providers include:

  • Plaid Inc. — financial-account aggregation, authentication with your financial institution, and retrieval of account and transaction data.
  • Stripe, Inc. — payment processing, subscription management, and the customer billing portal.
  • Microsoft Corporation (Azure) — cloud hosting, managed database (Azure Cosmos DB for MongoDB vCore), container registry, secret management, and the Azure OpenAI Service that powers the BudgetBot AI assistant.
  • Azure Communication Services — delivery of transactional emails such as verification codes, password-reset links, and subscription notifications.
  • Google LLC — single sign-on (Google OAuth) for users who choose to sign in with Google.
  • PostHog, Inc. — product analytics, error and performance telemetry, and feature-flag delivery.
  • Selzy — newsletter and marketing email delivery, only if you have explicitly subscribed.

Our use of service providers may change over time. We may engage additional or replacement providers to operate the Services in accordance with this Privacy Notice.

Other disclosures

We may also share your personal information in the following situations:

  • Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. We will continue to ensure the confidentiality of your personal information and provide notice to affected users before personal information is transferred and becomes subject to a different privacy notice.
  • Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Notice. Affiliates include any parent company, subsidiaries, or entities under common control with us.
  • Legal obligations and protection of rights. We may disclose your information where required to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal process; to enforce our Terms of Service; to investigate, prevent, or take action regarding suspected illegal activity, violation of our policies, or fraud; or to protect the rights, property, or safety of us, our users, or others.
  • With your consent. We may share your information for any other purpose disclosed to you at the time and with your consent.

No sale of personal information. We do not sell your personal information for monetary consideration. We also do not knowingly "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the "CCPA").

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use cookies and similar technologies to operate the Services, keep you signed in, remember your preferences, and understand how the Services are used.

We and our service providers use cookies, local storage, server logs, and similar tracking technologies to gather information when you interact with the Services. The technologies we use fall into the following categories:

  • Strictly necessary. Required to operate the Services. These include the encrypted, HttpOnly authentication session cookie that keeps you signed in; cookies and tokens used to prevent cross-site request forgery (CSRF); and local storage used to remember your last transaction-sync timestamp and resizable-chat dimensions. You cannot opt out of these technologies and continue to use the Services.
  • Functional. Used to remember choices you make, including a cookie that stores your color theme (light or dark mode).
  • Analytics and performance. Used to understand how the Services are used and to improve them, including identifiers and event data sent to PostHog.

We do not use cookies or pixels for third-party advertising or cross-site behavioral tracking. We do not host third-party advertising on the Services. You can control cookies through your browser settings (for example, by blocking, deleting, or restricting cookies); however, disabling strictly necessary cookies will prevent the Services from functioning correctly.

Your cookie choices

On your first visit, we display a cookie notice describing the cookies and local-storage entries the Services use. Strictly necessary cookies and local storage are not gated on your consent because the Services cannot function without them. These include the encrypted, HttpOnly authentication session cookie that keeps you signed in; the cookies and tokens used to prevent cross-site request forgery (CSRF); the cookie that stores your color theme; and the local-storage entries used to remember your last transaction-sync timestamp and resizable-chat dimensions. Your acknowledgement of the notice is stored in your browser's local storage under the key budgetbot:cookie-consent; clearing your browser's site data will cause the notice to appear again on your next visit.

5. THE BUDGETBOT AI ASSISTANT

In Short: When you use the AI assistant, your prompt, conversation history, and currently open spreadsheet contents are sent to a third-party large language model service for processing.

The BudgetBot AI assistant generates responses using the Microsoft Azure OpenAI Service. When you submit a prompt, the following information is sent to that service for the sole purpose of generating a response:

  • your current and prior messages in the active conversation;
  • the contents of the spreadsheet sheet you have open at the time of your request, which may include any financial data you have populated from your linked accounts;
  • a system prompt that establishes the assistant's persona and instructions.

We have configured the BudgetBot AI assistant to use the Microsoft Azure OpenAI Service under Microsoft's enterprise terms. Microsoft's commitments to Azure OpenAI customers include not using customer prompts or completions to train or improve OpenAI's or Microsoft's foundation models. We rely on those commitments; however, your interactions with the BudgetBot AI assistant remain subject to Microsoft's applicable terms and privacy practices, which may change from time to time.

We may retain prompts and responses to operate, secure, monitor, debug, and improve the Services. If you do not wish a particular piece of information to be processed by the BudgetBot AI assistant, do not include it in your prompts or in the active spreadsheet sheet at the time of your request.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or sign in using a third-party account such as Google, we receive certain profile information about you from that provider.

Our Services offer you the ability to register and sign in using your Google account. Where you choose to do this, we receive certain profile information about you from Google, which may include your name, email address, a unique account identifier, and other information you have chosen to make available, in each case in accordance with the authorization scopes you approve. We use the information we receive only for the purposes described in this Privacy Notice or otherwise made clear to you.

Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party identity provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

In Short: Yes. Your information is transferred to, stored in, and processed in the United States, Canada, and other countries where our service providers operate.

Our application infrastructure is hosted in the United States, and our primary database is hosted in Canada, in each case operated by Microsoft Azure. Our service providers may also process your information in other countries where they operate their facilities.

If you are accessing the Services from the European Economic Area (EEA), the United Kingdom (UK), Switzerland, or another jurisdiction with data protection laws that differ from those of the United States and Canada, please be aware that the laws of those countries may not provide the same level of protection as the laws of your jurisdiction. Where required by law, we put appropriate safeguards in place for international transfers, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or equivalent mechanism for transfers from the UK), and we rely on adequacy decisions where applicable. You may contact us at admin@budgetbot.app to request a copy of, or further information about, the safeguards we use.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required or permitted by law.

We retain your personal information only for as long as is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, fraud-prevention, or other legal requirements). General retention principles include:

  • Account and spreadsheet data — retained for as long as your account is active and for a reasonable period afterward to allow account recovery, resolve disputes, and comply with our legal obligations.
  • Email-verification codes and password-reset tokens — retained only until expiration or use, and then deleted in the ordinary course.
  • Financial-account access tokens and transaction data — retained while you keep the relevant account linked. If you disconnect an account or delete your account, we will revoke the access token and delete or anonymize the associated data within a reasonable period, subject to backup-retention cycles described below.
  • Billing and tax records — retained as required by applicable tax, accounting, and audit obligations (typically up to seven (7) years).
  • Operational logs and analytics — retained for a limited period to support security, fraud prevention, debugging, and product analytics.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if deletion is not immediately possible (for example, because the information is stored in encrypted backup archives), we will securely store the information and isolate it from any further processing until deletion is possible.

9. HOW DO WE SECURE YOUR INFORMATION?

In Short: We use industry-standard administrative, technical, and physical safeguards designed to protect your personal information, but no system is perfectly secure.

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These measures include encryption of data in transit using Transport Layer Security (TLS), encryption of data at rest at our infrastructure providers, salted password hashing, access controls, secret management through a managed key vault, audit logging, and regular software updates.

Despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should access the Services only within a secure environment.

You are responsible for keeping your account credentials confidential and for promptly notifying us at admin@budgetbot.app of any actual or suspected unauthorized access to or use of your account.

10. DO WE COLLECT INFORMATION FROM MINORS?

In Short: No. The Services are intended for users who are at least 18 years old.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from a user less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete the data from our records. If you become aware of any data we may have collected from a child under 18, please contact us at admin@budgetbot.app.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on where you live, you may have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

Rights available to all users

You have the right to:

  • access and update the information in your account through your account settings;
  • terminate your account at any time;
  • unsubscribe from marketing emails by following the unsubscribe link in those emails or by contacting us. We may still send you transactional, account-related, or legal notices that are necessary to operate the Services.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms of Service, or comply with applicable legal requirements.

Withdrawing your consent

If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us using the contact details provided in Section 14. Please note that withdrawing consent will not affect the lawfulness of processing carried out before the withdrawal nor, where applicable law permits, processing carried out on lawful processing grounds other than consent.

Rights for residents of the EEA, the UK, and Switzerland

If you are a resident of the EEA, the UK, or Switzerland, you have, subject to applicable law, the right to:

  • request access to and obtain a copy of your personal information;
  • request rectification or erasure of your personal information;
  • restrict the processing of your personal information, or object to processing based on our legitimate interests;
  • where applicable, exercise the right to data portability and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects about you;
  • if we are processing your information based on consent, withdraw your consent at any time;
  • lodge a complaint with your local supervisory authority. Contact details for EEA supervisory authorities are available at https://edpb.europa.eu/about-edpb/about-edpb/members_en; the UK Information Commissioner's Office is at https://ico.org.uk/; and the Swiss Federal Data Protection and Information Commissioner is at https://www.edoeb.admin.ch/.

Rights for residents of California, Colorado, Connecticut, Virginia, Utah, and other U.S. states with comprehensive privacy laws

If you are a resident of a U.S. state that has enacted a comprehensive consumer privacy law, you may have the right, subject to verification and applicable exceptions, to:

  • confirm whether we are processing your personal information and access that information;
  • correct inaccuracies in your personal information;
  • delete your personal information;
  • obtain a copy of your personal information in a portable format;
  • opt out of the "sale" of personal information or the "sharing" of personal information for cross-context behavioral advertising (note: as described in Section 3, we do not engage in either);
  • opt out of certain "profiling" that produces legal or similarly significant effects (we do not engage in this activity);
  • appeal a refusal to act on your request, where the applicable state law provides such a right.

We will not discriminate or retaliate against you for exercising these rights. If you exercise a right under applicable law, you will not receive different prices or quality of Services solely as a result.

California "Shine the Light" law. California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice. We do honor the Global Privacy Control (GPC) signal where required by applicable law as an opt-out of sale or sharing of personal information.

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws and to reflect changes in our practices.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes on the Services or by sending you a notification directly (which may be sent from a BudgetBot email address). We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this Privacy Notice, you may contact us by email at admin@budgetbot.app.

For our registered mailing address, please contact us by email and we will provide it on request.

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your jurisdiction, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correction of inaccuracies, deletion of your personal information, or to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To exercise any of these rights, please email us at admin@budgetbot.app from the email address associated with your account, or use the controls available in your account settings. We may need to verify your identity before responding to your request, and we will respond within the timeframe required by applicable law.

© 2025

New York, NY