Our Privacy Commitment
At Spenvelopes, your privacy is not just a priority—it's fundamental to how we built this app. We do not collect, store, or have access to your financial data. All your transaction information, account balances, and budgeting data stays on your device and in your private iCloud account.
1. Information We Do NOT Collect
We do NOT collect, store, or have access to:
- Your bank account credentials
- Your transaction history or details
- Your account balances
- Your budget allocations or spending patterns
- Your personally identifiable financial information
2. Information We DO Collect
We collect minimal information necessary to operate the app's notification system:
Device Tokens (for Push Notifications)
When you enable push notifications, we store your device's push notification token on our secure server. This token is:
- A random identifier provided by Apple that cannot be traced back to you
- Used exclusively to send you notifications about new transactions
- Stored securely on Upstash Redis infrastructure
- Automatically deleted when you disconnect your bank account or uninstall the app
- Not shared with any third parties
Usage Analytics (Optional)
If you opt in to analytics, we may collect anonymous usage data such as:
- App crashes and errors (for debugging)
- Feature usage statistics (which screens are used most)
- Device type and iOS version (for compatibility)
This data is anonymized and cannot be linked to your identity. You can opt out at any time in Settings.
3. How Your Financial Data Is Stored
On Your Device
All your financial data is stored locally on your device using:
- SwiftData: Apple's secure local database framework
- iOS Keychain: Bank connection tokens are encrypted in the iOS Keychain
- App Sandbox: No other apps can access your Spenvelopes data
iCloud Backup (Optional)
If you enable iCloud backup, your budgeting data is stored in your private iCloud account:
- Encrypted in transit and at rest by Apple
- Only accessible when signed in with your Apple ID
- Automatically restores when you get a new iPhone
- Never accessible to Spenvelopes or any third party
- Follows Apple's iCloud Privacy Policy
4. Third-Party Services
Plaid (Bank Connection Service)
We use Plaid to connect to your bank accounts securely. When you connect a bank:
- You authenticate directly with Plaid—your credentials never pass through our servers
- Plaid provides us with transaction data, which is immediately stored on your device
- We store your Plaid access token encrypted in your iOS Keychain
- Plaid's privacy practices are governed by their Privacy Policy
Apple (App Store, iCloud, Push Notifications)
- App Store: Your subscription is managed by Apple. We never see your payment information.
- iCloud: If you enable backup, Apple encrypts and stores your budgeting data.
- APNs (Apple Push Notification service): Apple delivers notifications to your device. We send anonymous push requests with your device token.
Vercel (Backend Hosting)
Our backend API is hosted on Vercel. This backend:
- Only stores device tokens for push notifications
- Does NOT store any financial data
- Uses HTTPS encryption for all communications
- Runs serverless functions that process requests and immediately discard data
Upstash (Device Token Storage)
Device tokens are stored in Upstash Redis:
- Encrypted at rest and in transit
- Located in secure data centers
- Only contains anonymous device tokens—no personal information
5. Data Retention
- Financial Data: Stored only on your device and iCloud. We never have access to it.
- Device Tokens: Stored until you disconnect your bank account or uninstall the app, then automatically deleted.
- Analytics Data: Retained for 90 days, then automatically deleted.
6. Your Data Rights
You have the following rights regarding your data:
Right to Access
All your financial data is on your device. You can view it anytime in the app. For device tokens, contact us at support@spenvelopes.app.
Right to Delete
To delete your data:
- Financial Data: Delete the app from your device. If iCloud backup is enabled, sign out of iCloud or delete the app data from iCloud Settings.
- Device Tokens: Disconnect your bank account in the app, or email us to manually remove your device token.
Right to Export
Your financial data is already on your device. You can export it manually (future feature) or access it directly from your device's backup.
7. Security Measures
We implement industry-standard security practices:
- HTTPS Encryption: All network communications use TLS 1.3 encryption
- Webhook Signature Verification: Plaid webhooks are cryptographically verified to prevent spoofing
- iOS Keychain: Bank tokens encrypted using hardware-backed encryption
- No Backend Storage: We don't store what we don't need
- Regular Security Audits: We review our security practices regularly
8. Children's Privacy
Spenvelopes is not intended for children under 13 years of age. We do not knowingly collect information from children. If you believe a child has provided us with data, contact us immediately.
9. International Data Transfers
Your financial data stays on your device—there are no international transfers. Device tokens are stored in Upstash data centers, which may be located in different regions. All transfers comply with GDPR and other data protection regulations.
10. California Privacy Rights (CCPA)
If you're a California resident, you have additional rights under CCPA:
- We do not sell your personal information
- We collect minimal data (device tokens only)
- You can request deletion of your device token at any time
- You have the right to opt out of analytics
11. GDPR Compliance (European Users)
If you're in the EU/EEA:
- Legal Basis: We process device tokens based on your consent (opting in to notifications)
- Data Controller: Spenvelopes is the data controller for device tokens
- Your Rights: Access, rectification, erasure, restriction, portability, and objection
- Complaints: You can lodge a complaint with your local data protection authority
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We'll update the "Last Updated" date at the top
- We'll notify you in-app if changes are significant
- Your continued use constitutes acceptance of the updated policy
13. Contact Us
If you have questions about this Privacy Policy or your data:
- Email: support@spenvelopes.app
- Support: Contact Form
Summary: What Makes Spenvelopes Private
Your financial data never leaves your device (except to your private iCloud).
We only store device tokens for push notifications—nothing else.
Your bank credentials never touch our servers—Plaid handles authentication.
No tracking, no selling, no data mining. We built a budgeting app, not a data harvesting operation.
Questions about privacy? We're happy to explain our approach in detail.
Contact us anytime.