Legal

Privacy Policy

Last updated: May 23, 2026 · Effective immediately

1. Who we are

ProFinanceCast is a personal finance forecasting application operated at profinancecast.com. When this policy says "we", "us", or "ProFinanceCast", it refers to the team behind this product.

2. What data we collect

We collect only the information you choose to enter:

• Account data: your name, email address, and password (stored as a salted hash — we never see your actual password)
• Financial data: income, expenses, savings, debts, and goals that you enter manually
• Usage data: which features you use and when, to improve the product (no personal financial data included)
• Device data: browser type and timezone, used only to format dates and currencies correctly

We do not connect to your bank accounts, request your bank credentials, or store any payment card details (payments are handled entirely by PayPal).

3. How we use your data

• To generate your 12-month financial forecast
• To power Sage AI — your financial data is sent to the AI model only to answer your questions and is not retained by the AI provider
• To send you the email digest you opted into (you can turn this off any time in Settings)
• To improve ProFinanceCast features using anonymised, aggregated usage patterns

4. How we protect your data

• AES-256-GCM at rest and TLS 1.3 in transit — industry-standard ciphers
• Your financial data is stored in isolated, access-controlled databases
• We conduct regular security reviews and follow industry best practices
• Staff access to user data is logged and restricted to what is necessary to provide support

5. What we never do

• We never sell your personal or financial data to any third party
• We never share your data with advertisers
• We never use your financial data to train AI models — yours or anyone else's
• We never send unsolicited marketing without your explicit opt-in

6. Third-party services (sub-processors)

We use the following trusted third parties to operate the service. Each is bound by a Data Processing Agreement (DPA) where applicable under GDPR Article 28:

• Supabase — database, authentication, and file storage. GDPR-compliant, SOC 2 Type II. DPA: supabase.com/legal/dpa. Data hosted in EU region.
• PayPal — payment processing and, for Pro/Premium subscriptions, storage of the recurring billing agreement linked to your account. We never see or store your card details. PayPal acts as an independent controller for payment data under their privacy statement. For recurring subscriptions, PayPal retains your billing agreement until you cancel it (either via our Settings or directly in your PayPal account).
• Vercel — hosting and serverless functions (SOC 2). DPA: vercel.com/legal/dpa.
• Upstash — Redis-backed rate-limiting cache for payment endpoints. Stores only short-lived counters keyed by your user ID; no financial or personal data. DPA: upstash.com/trust/dpa.pdf.
• Resend — transactional email delivery (account verification, billing notifications, operational alerts). Receives your email address and message content. DPA: resend.com/legal/dpa.
• Google (Gemini) / Anthropic — AI model providers, used only to answer your Sage queries. Your data is not retained by these providers after the response and is not used to train their models (per their enterprise terms).
• Cloudflare Web Analytics — privacy-respecting analytics; no cookies, no IP fingerprinting, no PII; we use the JS-beacon variant. More info.
• Plausible — privacy-respecting analytics (EU-hosted, no cookies, no cross-site tracking, no PII).
• Sentry — error monitoring; PII-scrubbed via beforeSend filter so financial figures, user IDs, and emails never leave the browser.

6a. Payment data flow

When you subscribe to a paid plan or buy Founders Lifetime, the following data flow occurs:

• You are redirected to PayPal's hosted approval page (we never see your card or PayPal credentials).
• PayPal returns to us a transaction or subscription identifier, the amount paid, the currency, and your PayPal payer ID. We store these in our subscriptions and subscription_events tables to grant entitlement and produce billing history.
• For recurring subscriptions, PayPal stores a billing agreement linked to your payment instrument and re-uses it for renewals. You can review and revoke this agreement at any time in your PayPal account (Activity → Recurring payments).
• We receive a webhook from PayPal on each capture, refund, dispute, or renewal event. PII fields (payer name, email, addresses, free-text dispute reasons) are stripped before being persisted to our audit log.
• We do not share your financial usage data (income, expenses, etc.) with PayPal — only the transaction itself.

7. Your rights

You have the right to:

• Access all data we hold about you — request it via Settings → Data → Export
• Correct any inaccurate data — edit it directly in your dashboard at any time
• Delete your account and all associated data — Settings → Data → Delete account (processed within 24 hours)
• Withdraw consent for optional processing (e.g. email digest) — Settings → Notifications
• Data portability — export everything as CSV or JSON from Settings → Data
• Object to processing based on legitimate interests — write to privacy@profinancecast.com
• Restrict processing while a request is being resolved — write to privacy@profinancecast.com
• Lodge a complaint with your national data protection authority — see the European Data Protection Board's directory for your supervisory authority

8. Cookies and similar technologies

We use only essential cookies required to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can clear cookies at any time in your browser settings, which will log you out of ProFinanceCast.

For full transparency, the following non-cookie technologies are used:

• Plausible and Cloudflare Web Analytics issue a single page-view beacon per visit. Neither sets cookies. Neither retains your IP address beyond aggregated, anonymised statistics.
• Sentry (error monitoring) may write a short-lived localStorage key on your device to correlate errors within a single browsing session. We have configured Sentry to scrub personally identifiable information (financial figures, user IDs, email addresses) before any data leaves your browser. The library is loaded on every page; if you wish to disable it, blocking the script source js.sentry-cdn.com via your browser will not affect product functionality.
• Our own application uses localStorage and IndexedDB on your device to store your forecast data locally, encrypted with AES-256 before any server contact. This is essential to the product and cannot be disabled while the app is in use.

None of the above is used for advertising, cross-site tracking, or profiling.

9. Data retention

We keep your data for as long as your account is active. If you delete your account, all personal data is permanently removed within 24 hours. Anonymised, aggregated usage statistics (with no link to your identity) may be retained indefinitely to improve the service.

10. Children

ProFinanceCast is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, please contact us and we will delete it immediately.

11. Changes to this policy

If we make material changes to this policy, we will notify you by email and display a notice in the app at least 14 days before the change takes effect. The date at the top of this page always reflects the most recent update.

12. EU representative

If we are required to appoint an EU representative under Article 27 of the GDPR, their contact details will be published here. Until then, EU users may contact us directly at privacy@profinancecast.com for any GDPR-related request.