Privacy Policy
Last updated: April 2026
This Privacy Policy explains how IHAB ("I Have a Budget"), operated by [Legal Entity Name] ("IHAB," "we," "us," or "our"), collects, uses, stores, and protects your information when you use our web application at ihab.io (the "Service").
We are committed to protecting your privacy. We do not sell your personal data. We collect only what is necessary to provide the Service.
1. Information We Collect
1.1 Account Information
When you sign in with Google SSO, we receive your Google profile name, email address, and profile photo. This information is used to identify your account and personalize your experience.
1.2 Financial Data
You voluntarily enter financial information into IHAB, including:
- Monthly income amount
- Recurring expenses (names, amounts, categories)
- Savings goals and non-monthly expense plans
- Monthly budget overrides and allocations
- Emergency fund targets
This data is entered by you and stored solely to provide budgeting functionality. We do not access, analyze, or share your financial data for any purpose other than operating the Service for your benefit.
1.3 Payment Information
Premium subscription payments are processed by Stripe. When you subscribe, Stripe collects your payment details (card number, expiration, CVC). We never see, receive, or store your full credit card number. We receive from Stripe only: your Stripe customer ID, subscription status, plan type, and billing period dates.
1.4 API Keys
If you generate API keys for programmatic access, the keys are hashed using SHA-256 before storage. The plaintext key is shown to you once at creation and is never stored or retrievable by us.
1.5 Usage Data
We collect anonymized usage events (such as feature usage counts and lifecycle events like signup, trial start, and subscription changes) to understand how the Service is used and improve it. These events do not contain personally identifiable information (PII). We do not use third-party analytics trackers.
1.6 Error Logs
When errors occur, we log technical details (error message, stack trace, timestamp, and an anonymized user identifier) to diagnose and fix issues. Error logs do not contain your financial data.
2. How We Store Your Data
2.1 Database
Your data is stored in Google Cloud Firestore, a managed NoSQL database provided by Google Cloud Platform. Firestore encrypts all data at rest using Google-managed encryption keys.
Each user's financial data is stored in a single document, isolated from other users by Firestore security rules that enforce per-user access control. No user can read or write another user's data.
2.2 Encryption
- Data at rest: All Firestore data is encrypted at rest by Google Cloud
- Data in transit: All connections use HTTPS/TLS encryption
- API keys: Hashed with SHA-256 before storage (one-way; not reversible)
- Plaid tokens: Encrypted with AES-256-GCM using a dedicated encryption key (if bank linking is enabled)
- Sequence access tokens: Encrypted with AES-256-GCM at rest
2.3 Data Residency
All data is stored in Google Cloud's United States regions. If you are located outside the United States, your data is transferred to and processed in the United States.
3. How We Use Your Data
We use your information to:
- Provide, maintain, and improve the budgeting Service
- Authenticate your identity and secure your account
- Process subscription payments (via Stripe)
- Send transactional emails (welcome, trial expiry, payment notifications)
- Provide Sequence.io with transfer amounts when you enable the integration
- Diagnose errors and improve Service reliability
- Enforce subscription tiers and usage limits
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
4. Third-Party Data Sharing
We share data with third parties only as necessary to operate the Service. We never sell your personal or financial data.
| Provider | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, payment method (collected directly by Stripe) | Subscription payment processing |
| Google Cloud / Firebase | All Service data (stored on their infrastructure) | Authentication, database, hosting, cloud functions |
| Sequence.io | Transfer amounts in cents (no personal data) | Automated money movement (only if you enable this) |
| Plaid | Bank credentials (handled directly by Plaid) | Bank account linking (only if you connect a bank; backend-only currently) |
Each third-party provider processes data under their own privacy policy. We encourage you to review their policies.
5. Your Rights
Regardless of where you are located, we provide the following rights to all users:
5.1 Right to Access
You can view all of your data within the IHAB application at any time. Your budget, expenses, goals, and settings are all visible in the app interface.
5.2 Right to Export (Data Portability)
You can export all of your data in JSON format through Settings > Data Management > Export Data. The export includes all financial data, budget configurations, and account metadata.
5.3 Right to Delete (Right to Erasure)
You can permanently delete your account and all associated data through Settings > Data Management > Delete Account. Deletion removes all data from Firestore, including your financial data, profile, API keys, and any connected account records. Deletion is immediate and irreversible.
5.4 Right to Restrict Processing
You can restrict how your data is processed by:
- Disconnecting Sequence.io integration at any time
- Revoking API keys to prevent programmatic access
- Disconnecting linked bank accounts (if applicable)
5.5 Right to Rectification
You can update or correct your financial data at any time within the app. Your Google profile information (name, email, photo) is managed through your Google account.
6. GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), the following additional provisions apply under the General Data Protection Regulation (GDPR):
- Legal basis for processing: We process your data based on (a) your consent (provided when you sign in and use the Service), (b) contractual necessity (to provide the Service you signed up for), and (c) legitimate interests (error logging, Service improvement).
- Data controller: [Legal Entity Name, Address]
- International transfers: Your data is transferred to the United States. We rely on [Standard Contractual Clauses / adequacy decisions / other transfer mechanism] to ensure adequate protection.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any GDPR rights beyond what is available in-app, contact privacy@ihab.io.
7. CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information.
7.1 Categories of Personal Information Collected
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, Google profile photo | Yes |
| Financial information | Income, expenses, savings goals (user-entered) | Yes |
| Commercial information | Subscription plan, billing history | Yes |
| Internet activity | Anonymized feature usage events | Yes |
| Geolocation data | Approximate location from IP | No |
| Biometric information | N/A | No |
| Sensitive personal information | N/A | No |
7.2 Your CCPA Rights
- Right to know: You can request details about the personal information we have collected about you in the preceding 12 months.
- Right to delete: You can request deletion of your personal information. This is available directly in Settings > Delete Account.
- Right to opt-out of sale: We do not sell your personal information. We have never sold personal information and have no plans to do so.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise CCPA rights beyond in-app tools, contact privacy@ihab.io with the subject line "CCPA Request."
8. Cookies and Tracking
IHAB uses only essential cookies required for the Service to function:
- Firebase Authentication session cookie: Maintains your sign-in session. This is a first-party, session-duration cookie set by Firebase Auth. Without it, you would need to sign in on every page load.
We do not use:
- Third-party tracking cookies
- Analytics cookies (e.g., Google Analytics)
- Advertising or retargeting cookies
- Social media tracking pixels
Because we use only essential cookies, no cookie consent banner is required under GDPR. However, we disclose cookie usage here for transparency.
9. Data Retention
- Active accounts: Your data is retained for as long as your account exists and you continue to use the Service.
- Deleted accounts: When you delete your account, all associated data is removed from Firestore within 30 days. Backups may retain data for up to [30 / 60 / 90] additional days before being purged.
- Legacy migration data: Archived data from system migrations is automatically cleaned up 90 days after archival.
- Error logs: Retained for [30 / 90] days, then deleted.
- Stripe records: Payment history is retained by Stripe according to their data retention policy and applicable financial regulations.
10. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- Encryption at rest (Google Cloud managed) and in transit (TLS)
- Per-user Firestore security rules preventing cross-user data access
- SHA-256 hashing for API keys
- AES-256-GCM encryption for sensitive tokens (Plaid, Sequence)
- Rate limiting on API endpoints
- CORS restrictions limiting API access to authorized origins
- Helmet security headers on all API responses
No system is 100% secure. While we take data security seriously, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to security@ihab.io.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@ihab.io.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify you (for example, by email or an in-app notice).
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact
For privacy-related questions, data requests, or concerns, contact us at:
Privacy inquiries: privacy@ihab.io
General support: support@ihab.io
Security issues: security@ihab.io
Data Controller:
[Legal Entity Name]
[Address]