your privacy

Privacy Policy

Last updated · July 5, 2026

Abundey is a privacy-first tool for understanding and projecting your wealth. This policy explains what we collect, why, and the deliberate limits we place on ourselves. The short version: we collect as little as possible, we encrypt your financial data so that we cannot read it, and we will never sell or rent your personal information.

Our privacy philosophy

Your wealth is nobody’s business but yours. We designed Abundey so that the sensitive parts of your financial life stay under your control. Where we do handle data, we hold only what is necessary to run the service, and we are honest about exactly what that is.

  • We do not sell, rent, or trade your personal information.
  • We do not show ads and we do not run advertising trackers.
  • We do not connect to your bank or ask for banking credentials.
  • The financial figures you save are end-to-end encrypted — we cannot read them (see Encryption & zero-knowledge below).

What we collect and why

We collect information in a few narrow categories, each for a specific purpose.

Identity & access

When you create an account we collect your email address, and, if you choose to sign in with Google, the basic profile information Google returns (name, email, avatar). We use this to authenticate you, keep your account secure, and contact you about the service. Authentication is handled by our auth provider on our behalf.

Billing information

If and when Abundey offers paid plans, payments are handled by a third-party payment processor. We do not store full payment-card numbers on our servers — the processor does. We keep only the billing status and records we need for accounting.

Analytics & diagnostics

We do not currently use third-party product analytics or advertising trackers — there is no Google Analytics, PostHog, or similar tracking in Abundey. To keep the service running and secure, our infrastructure may record minimal operational logs (such as error reports and request metadata). If we ever introduce product analytics, we will use privacy-preserving tooling that never includes the contents of your financial data, and we will update this policy before we do.

General location

We may infer a coarse, city- or country-level location from your IP address to help secure your account and understand where our users are. We do not collect precise GPS location.

Cookies

We use essential cookies required to keep you signed in and to run the application. We do not use advertising or cross-site tracking cookies.

Voluntary correspondence

When you email us for support or fill out a form, we keep that correspondence so we can help you and improve our support over time.

Encryption & zero-knowledge

The financial data you save with Abundey is end-to-end encrypted. Your encryption key is derived on your own device from your credentials and is never transmitted to us. Our servers store only encrypted blobs — ciphertext we have no way of reading.

Because of this design, we do not have the technical means to access, view, or reconstruct the contents of your financial data, and neither does anyone else with access to our servers. Zero-knowledge is not a promise we ask you to take on faith — it is a property of how the system is built.

If you lose your key, your data cannot be recovered

Because your data is encrypted with a key that only you hold, we cannot reset it, recover it, or decrypt your data on your behalf. If you lose your password or encryption key and have no backup, the encrypted data becomes permanently unreadable. There is no backdoor — not for us, and not for anyone else. Please keep your credentials safe.

What we can see (metadata honesty)

Zero-knowledge does not mean zero-metadata, and we would rather be clear than sound more private than we are. Even though we cannot read your financial data, we can necessarily see:

  • Your account email and authentication details.
  • Your billing status, if you are on a paid plan.
  • Timestamps and the size of the encrypted blobs you sync (but not their contents).
  • Your IP address at the time of a request, used transiently for security and abuse prevention.

When we access or disclose your information

We access the limited data we hold only when it is necessary to operate the service, resolve a support request you’ve made, maintain security, or comply with the law.

We may disclose information in response to a valid and legally binding request, but we assess every such request and push back on ones that are overbroad or improper. Critically, because your financial data is end-to-end encrypted, we cannot produce its plaintext in response to any request — we can only ever hand over the limited metadata described above.

Your rights over your information

Depending on where you live, you may have rights under laws such as the GDPR (EU/UK) or the CCPA/CPRA (California). We extend the core of these rights to everyone.

  • Access & portability — request a copy of the personal data we hold, and export your own data. (Your encrypted content is already only readable by you.)
  • Rectification — correct inaccurate account information.
  • Erasure — delete your account and associated data.
  • Restriction & objection — ask us to limit or stop certain processing.
  • Opt-out of sale — not applicable in practice, because we never sell or share your personal data for advertising.
  • Non-discrimination — we will not treat you differently for exercising any of these rights.

To exercise any of these rights, email us at abundeyfinance@gmail.com. If you are in the EU/UK, you also have the right to lodge a complaint with your local data-protection authority.

How we secure your data

Encryption keys are derived on your device and never sent to us. Data is encrypted in transit using TLS, and the blobs we store are encrypted at rest. We limit internal access to the systems that hold your account metadata and keep our infrastructure patched and monitored.

Deletion & data retention

You can delete your account at any time. When you do, we delete your encrypted blobs and account data from our active systems. Residual copies may persist in encrypted backups for a limited period before they are rotated out and permanently deleted. We retain limited billing records for as long as required by law.

Sub-processors

We rely on a small number of third parties to run Abundey. Each only receives the data necessary for its function, and none receives your decrypted financial data.

  • Supabase — database and storage hosting for encrypted blobs and account metadata.
  • Railway — application hosting and infrastructure.
  • Better Auth & Google — authentication and optional Google sign-in.
  • Payment processor — to handle payments for paid plans (when offered).

We will update this list as our infrastructure evolves and aim to give notice before adding a materially new sub-processor.

International data transfers

Abundey’s infrastructure and the sub-processors above may store and process data in [server / data-hosting region — to be finalized]. Where data is transferred across borders, we rely on appropriate safeguards, such as standard contractual clauses, as required by applicable law.

Children's privacy

Abundey is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, notify you. Questions? Email us at abundeyfinance@gmail.com. You can also read our Terms of Service.

This document is provided for transparency and is not legal advice. Please review it with qualified counsel before relying on it.

Adapted from Basecamp’s open-source policies, used under CC BY 4.0, with modifications for Abundey.