Privacy Policy

Spendplan LLC · Effective Date: March 25, 2026

The Short Version

Your data is yours. Messages between you and your connections are end-to-end encrypted — we relay them, but we cannot read them. Your financial data, calendar, documents, and personal content live on your device, not our servers.

We do see some data in order to operate the service: your email address, who you connect with, and the routing metadata needed to deliver messages. This policy explains exactly what we store, what we can observe, what we can't, and why.

1. What We Store On Our Servers

We store only what is necessary to operate the service. Here is the complete list:

Account Information

Email address — used for account identity and login
Password — stored only as a cryptographic hash, never in plain text
Display name — shown to other users when they look up your public key

Authentication

Refresh tokens — stored as cryptographic hashes for session management across your devices. Revoked on logout or expiry.

Encryption Keys

Your public encryption key — used by other users to encrypt messages to you. Your private key never leaves your device.

Subscription

Subscription status and tier — whether your subscription is active, in a grace period, or lapsed
Apple transaction ID or Paddle subscription/customer ID — to verify your subscription. We do not store payment card numbers, bank account details, or billing addresses.

Messages (Transient)

Encrypted message blobs — when someone sends you a message, we hold the encrypted data until you pick it up. We delete messages after you acknowledge receipt. Unacknowledged messages expire after a configurable period (currently 30 days). We cannot decrypt these messages.

Photos (Transient)

Encrypted photo blobs — moment photos shared with connections are stored encrypted on our servers until all recipients download them or they expire (currently 7 days). We cannot decrypt these photos. The decryption key is delivered separately through the encrypted message channel.

Connections & Partner Links

Connection records — we know that you and another user are connected, so we can route messages between you
Partner link records — if you link with a partner, we store that relationship so we can manage the shared subscription

Invite Codes

Invite codes you create — tied to your account, including whether they've been redeemed and by whom. This means we can see the chain of who invited whom.

Engagement Events (When You Choose to Share)

Achievement reports — on by default, you can turn this off in Preferences. When on, your device sends us a record that you earned an achievement (which one and when). No personal content is included.
Opt-in data — only if you explicitly enable specific categories in Preferences (see Section 4)

What We Do NOT Store

This is equally important. Our servers never store, receive, or process:

Message content between you and other users (it's encrypted and we don't have the key)
What type of message was sent (scheduling request, chat, availability response — we can't tell)
Calendar events, appointments, or availability information
Documents or their contents
Financial data (income, spending, savings, goals, account balances)
Group names, membership, or metadata
Life tasks, intentions, values, or review responses
Contact lists or phone numbers
Location data (except zip code, only if you opt in)
Device identifiers or advertising IDs

2. End-to-End Encryption

All messages between users are end-to-end encrypted using well-established public-key cryptography. At launch, this uses X25519 key exchange with XSalsa20-Poly1305 authenticated encryption. We may update the specific algorithms over time to adopt stronger standards, but we will always use end-to-end encryption where only the sender and recipient can read the message.

What this means in practice:

When you send a message, your device encrypts it with the recipient's public key before it leaves your phone
Our server receives and stores only the encrypted blob — it looks like random data to us
Only the recipient's device can decrypt it using their private key, which never leaves their device
We cannot read your messages, even under a court order, because we do not possess the decryption keys

For group communication: Your device encrypts the message separately for each recipient. Our server sees individual messages to individual recipients — it has no concept of groups.

For shared photos (moments): Photos are encrypted with a random key on your device. The encrypted photo is uploaded to our server. The decryption key is sent to each recipient through the encrypted message channel. Compromising our photo storage alone does not expose your photos (no key), and compromising the message channel alone does not expose photos (no photo data).

3. The Server User

Our server has its own user identity in the system, with its own encryption keypair. This is the only way our server can read any message content — when you explicitly send a message addressed to the server.

Achievement reporting (default: on): When you earn an achievement, your device encrypts an achievement event and sends it to the server. We decrypt it because it's addressed to us. This contains only the achievement ID and the time it was earned — no personal content. You can turn this off in Preferences at any time, and your device will simply stop sending.

Superlative reporting (default: on): When you record a superlative, anonymizable metadata (category, frequency) may be sent to the server. You can turn this off in Preferences.

When you address a message to us, you know you're doing it. We never request, pull, or silently collect data from your device.

4. Opt-In Data Sharing

You can choose to share specific categories of data with our server. Each category is an independent toggle in Preferences, and all default to OFF.

Category	What you send us	What we do with it
Zip code	Your 5-digit zip code	We look up your statistical area and send you a package of public Census/BLS data for local peer comparisons. We do not track your location.
Household size	A number	Combined with zip code to refine your peer comparison data
Review completion	That you completed a review (type only)	Aggregate engagement analytics
Goal progress	Active and completed goal counts only	Aggregate engagement analytics

We never receive your actual financial figures, goal details, review content, or any other personal data through these opt-ins. The comparison math ("your housing is 32% of income, your area's median is 28%") happens entirely on your device.

Your opt-in preferences are stored on your device, not our server. If you reinstall the app, all opt-ins reset to OFF.

5. Statistical Data

We serve pre-cached packages of public statistical data from the U.S. Census Bureau and Bureau of Labor Statistics. This is public government data, not derived from our users. We fetch it on an annual schedule when new data vintages are published and cache it on our server.

We use this data to provide you with local and demographic peer comparisons. The comparison calculations happen on your device — we send you the public statistics, and your device does the math using your private financial data that we never see.

6. Partner Accounts

If you link with a partner, both of you share financial summaries, review status, and profile updates through the same encrypted message channel used for all other communication. We relay these messages but cannot read them.

What we know about your partnership:

That two specific user accounts are linked
Which subscription covers the partner account

What we do not know:

What data you share with your partner
The content of any financial, goal, or review information exchanged

We can observe that messages are being exchanged between partner accounts (see Section 7), but we cannot see what those messages contain.

7. What We Can Observe (Metadata)

In operating the service, we necessarily observe certain metadata. We believe in being explicit about this.

Message Routing Metadata

Who sends messages to whom (sender and recipient user IDs) — required for routing
When messages are sent (timestamps)
Message sizes (encrypted payload length)
Number of recipients per send request — if you send a message to 15 people at once, we can see that, which reveals approximate group sizes even though we have no concept of groups

Network and Access Metadata

IP addresses — your IP address is visible to our servers on every request. We do not store IP addresses in our database or associate them with your account. IP addresses may appear transiently in server logs for operational troubleshooting (see Server Logs below). We may use IP addresses in real time to detect and block abuse (e.g., brute-force login attempts), but we do not build IP-based profiles or location histories.
Polling frequency — when your app checks for new messages, we can see how often it connects
Last active time — inferable from when you last polled for messages or made any API request

Relationship Metadata

Your connection graph — who you are connected to (stored in our database for message routing authorization)
Your partner link — if you have one
Your invite chain — who invited you, and who you invited

What We Cannot Observe

Message content, type, or purpose (encrypted — we don't have the key)
Whether a message is a scheduling request, a chat, a financial sync, or anything else
The content of shared photos (encrypted separately from the message channel)
What contacts you compared during peer discovery (encrypted protocol between devices)

Pattern Inference

We want to be honest: even without reading message content, metadata can reveal patterns. A burst of messages to the same 15 recipients suggests a group. Frequent exchanges between two users suggest an active relationship. A message to the server user followed by a response suggests an opt-in data exchange. We are aware of this and may implement metadata-reduction measures (message padding, batched sends) in the future, but these are not in place today.

Server Logs

Our server logs record request paths, HTTP status codes, response times, and error information for operational purposes. Logs may include IP addresses. Logs never include passwords, authentication tokens, message content, encryption keys, or decrypted server-user message content. Logs are retained for a limited period for operational troubleshooting and then deleted.

8. Third-Party Services

Apple (In-App Purchases)

If you subscribe through the iOS App Store, Apple processes your payment. We receive only a transaction ID to verify your subscription status. Apple's privacy policy governs their handling of your payment information.

Paddle (Web Purchases)

If you subscribe through our website, Paddle acts as our Merchant of Record. Paddle processes your payment, collects applicable taxes, and handles refunds. We receive only a subscription ID and customer ID. We do not receive or store your payment card details, billing address, or tax information. Paddle's privacy policy governs their handling of your payment information.

Census Bureau and Bureau of Labor Statistics

We fetch publicly available statistical data from U.S. government APIs. No user data is sent to these agencies.

We do not use any advertising networks, analytics services, or other third-party services that receive your personal data. If we add any operational third-party services in the future (such as error monitoring), we will update this policy and those services will not receive message content or encryption keys.

9. Data Retention

Data	Retention
Account information	Until you delete your account
Encrypted messages	Until you acknowledge receipt, or expiry (whichever is first)
Encrypted photo blobs	Until all recipients acknowledge, or expiry (whichever is first)
Subscription records	Until you delete your account
Engagement events	Until you delete your account
Refresh tokens	Until expiry, logout, or account deletion
Connection/partner records	Until you delete your account

10. Account Deletion

You can delete your account at any time from within the app. When you do:

All rows referencing your account are permanently deleted from our database
All pending messages to and from you are deleted
All encrypted photo blobs you uploaded are deleted
All engagement events associated with your account are deleted
Any active partner link is dissolved (your partner is notified)
All authentication tokens are invalidated

We may retain a hashed version of your email address for a limited period after deletion to prevent abuse. This hash cannot be used to recover your email address or any other data.

Data on your device is not affected by account deletion. Your on-device data (calendar, documents, financial records, reviews, etc.) remains on your device. The app handles on-device data export separately.

11. Data Export

You can export all server-held data associated with your account at any time. This includes your profile information, subscription history, public key history, connection history, and partner link history. It does not include message content (messages are encrypted and transient — they're deleted after you receive them).

12. Children's Privacy

Spendplan is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete the account.

13. Security

All communication between the app and our servers uses TLS encryption in transit
All user-to-user messages are end-to-end encrypted (the server cannot read them)
Passwords are hashed using industry-standard one-way hashing algorithms
Refresh tokens are stored as cryptographic hashes
Payment receipts are validated and discarded — only the identifiers needed for subscription verification are retained
Request logging never includes passwords, tokens, message content, or encryption keys

14. Law Enforcement and Legal Requests

If we receive a valid legal request (subpoena, court order, or similar), here is what we can and cannot provide:

We can provide:

Whether an account exists for a given email address
Account creation date
Subscription status and tier
Connection and partner link records (who is connected to whom)
Invite chain (who invited whom)
Encrypted message metadata (sender, recipient, timestamps, sizes) — but not content

We cannot provide, because we do not possess it:

Message content (end-to-end encrypted; we do not hold decryption keys)
Photo content (encrypted with keys we do not hold)
Any on-device data (financial records, calendar, documents, reviews, etc.)
Private encryption keys (never transmitted to our servers)

We will notify affected users of legal requests unless prohibited by law (e.g., a gag order). If we are ever compelled to make structural changes that would weaken our privacy protections, we will make reasonable efforts to notify users before those changes take effect.

We do not currently publish a transparency report. If we receive a meaningful volume of legal requests, we will begin publishing one.

15. International Users and GDPR

The Company is based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws:

Legal basis for processing: We process the limited personal data described in this policy on the basis of contractual necessity (operating the service you signed up for) and legitimate interest (preventing abuse, maintaining security).

Your rights: You have the right to access, correct, export, and delete your personal data. The App provides these capabilities directly — you can export your server-held data and delete your account at any time without contacting us.

Data transfers: Your data is processed on servers that may be located in the United States. By using the service, you acknowledge this transfer. We protect your data through end-to-end encryption (meaning we cannot access message content regardless of where servers are located) and through the security measures described in this policy.

Data minimization: Our architecture inherently minimizes data collection. We store only what is listed in Section 1, and most user content never reaches our servers.

If you have questions about your rights under GDPR or other data protection laws, contact us at contact@spendplan.co.

16. Auditability

We believe privacy claims should be verifiable, not just promised. To that end:

Our end-to-end encryption uses open, well-documented cryptographic standards. The encryption happens on your device using open-source cryptographic libraries that anyone can inspect.
We intend to pursue independent security audits as the service matures, and will publish the results.
Our architecture is designed so that our privacy claims are enforced by technical constraints (we don't hold decryption keys), not just by policy. Even if we wanted to read your messages, we couldn't.

17. Changes to This Policy

If we make material changes to this policy, we will notify you through the app before the changes take effect. We will not retroactively reduce the privacy protections described here without your explicit consent.

The commitments in this policy regarding end-to-end encryption and our inability to access your message content are codified in our company's operating agreement and are binding on any future owners or acquirers of the company.

18. Contact

If you have questions about this privacy policy or your data:

Email: contact@spendplan.co
Spendplan LLC
8401 Mayland Dr Ste A, Richmond, VA 23294

Last updated: March 26, 2026