Privacy Policy

Effective 2026-05-24. Hosted at baniamin.com.

Summary

Burnrate is a personal money-tracking app. We store the financial entries you make and the minimum identity needed to sign you in. We do not sell your data. We do not run trackers, analytics pixels, ads, or in-app AI. You can export everything you have and delete your account at any time.

What we collect

  • Account identity: your email address, and (if you sign in with Google) your name and profile image URL as provided by Google. We do not request access to your Gmail, Drive, contacts, or any other Google service.
  • Authentication sessions: a session identifier (cookie) and approximate IP address plus user-agent string for each active session, used to keep you signed in and let you see and revoke sessions from the Account page.
  • Finance data you enter: accounts, categories, transactions, recurring rules, tags, subscriptions, budgets, savings goals, and any notes or amounts you record.
  • Operational metadata: timestamps of account creation and last activity, and counts of your rows. Used for uptime and to populate your own Account page.

What we never collect

We do not use third-party analytics (no Google Analytics, no Plausible, no Mixpanel). We do not use advertising trackers or marketing pixels. We do not have payment processing. We do not send your finance data to any AI service from inside the app. The AI-ready exports are generated for you to download or copy and paste yourself, on a service you choose.

How we use your data

  • To authenticate you and keep you signed in.
  • To render your dashboard, runway, and exports — only ever to you.
  • To send transactional email: the magic-link sign-in email and, if enabled, the weekly digest email of your own data. We do not send marketing email.
  • For operational integrity: backups, error monitoring (no payload contents), and abuse prevention.

Subprocessors

We rely on the following providers to operate Burnrate. Each receives only what is necessary for its function.
  • Vercel — application hosting and serverless function execution. Receives standard HTTP request/response data.
  • Turso (libSQL) — managed database storing your account row, finance data, and sessions. Hosted in the region configured by the maintainer.
  • Resend — transactional email delivery for magic-link sign-in and weekly digests. Receives your email address and the email body that you would receive.
  • Google — OAuth identity provider when you sign in with Google. Google sees that you authenticated to Burnrate. We receive only your email, name, and profile image URL.

Cookies

Burnrate uses a single first-party authentication cookie issued by the Better Auth library. It exists so you remain signed in across page loads. It is not used for analytics, advertising, or any cross-site tracking. Sign out (or delete the cookie from your browser) to invalidate it locally; use “Sign out everywhere” on the Account page to invalidate every session server-side.

Data location and retention

Your data lives in the Turso (libSQL) database for this Burnrate instance. It is retained until you delete your account from the Account page, at which point all your rows are removed from the active database. Database backups may retain deleted rows for up to 30 days before being overwritten. Vercel function logs are retained per Vercel’s defaults and contain request metadata, not finance payloads.

International users

Burnrate may be accessed worldwide. Hosting regions for Vercel and Turso may be outside your country of residence. By using Burnrate you consent to your data being processed in those regions.

Children

Burnrate is not directed to children under 13. If you believe a child has signed up, contact us and we will remove the account.

Your rights

You can, at any time, from the Account page:
  • Export your data as JSON.
  • Wipe transactions by date range from the Account → Danger zone section.
  • Sign out everywhere to invalidate all active sessions.
  • Delete your account entirely, which cascades to every finance row you own.
For correction requests, questions, or to exercise rights granted by laws in your jurisdiction (GDPR, CCPA, etc.), email us at the address below.

Changes to this policy

When this policy materially changes, we will update the “Effective” date at the top. Continued use after a change indicates acceptance.

Contact

Maintainer email: baniamin.shams@cefalo.com.