Privacy Policy

1. Who we are

Superbasic Finance (“Superbasic Finance,” “we,” “us,” or “our”) is a personal finance application operated by Superbasic Finance. We provide a web and mobile service that lets you connect your financial accounts, view your transactions, organize them, and keep plain-text notes. This policy applies to our marketing website at superbasicfinance.com and to our application at app.superbasicfinance.com (together, the “Service”).

We are the data controller for the personal information described in this policy. If you have questions, contact us at privacy@superbasicfinance.com.

2. Information we collect

Account information

When you create an account we collect your email address and the name you provide. If you sign in with a third-party provider such as Google, Apple, or GitHub, we receive basic profile information (such as your name and email address) from that provider. We store a securely hashed version of your password and never store it in plain text.

Financial account data (via Plaid)

When you connect a bank or financial institution, you do so through Plaid Inc. (“Plaid”). You enter your institution credentials directly with Plaid — we never see or store your online banking username or password. Through your authorization, Plaid provides us with information such as:

• account names, types, masked account numbers, and balances;
• transaction history (we request up to 24 months of available history), including amounts, dates, descriptions, merchant names, and categories;
• the financial institution’s name and identifier.

We currently support U.S. financial institutions only. For details on how these connections work, see our Plaid & Data Connection Policy, and review Plaid’s End User Privacy Policy, which governs Plaid’s own handling of your data.

Information you enter

You can add manual accounts and transactions, create custom groups, filters, sorts, and rules, organize your finances into workspaces, and write plain-text notes and sheets. We store this content so the Service can display it back to you.

Payment and billing information

Paid subscriptions are processed by Stripe, Inc. When you subscribe, your card details are collected and processed directly by Stripe — we do not receive or store full card numbers. We store billing records such as your Stripe customer and subscription identifiers, subscription status, the number of connection slots you have purchased, and your current billing period.

Usage, device, and log data

Like most online services, we automatically collect limited technical information when you use the Service, such as your IP address, browser or device type, and timestamps of requests. We use this information to operate, secure, and troubleshoot the Service, including rate limiting and abuse prevention. To protect sign-in and password-reset flows, we use Cloudflare Turnstile for bot detection. We design our security counters so that your raw email address is not stored or logged in connection with these checks.

Communications

We send transactional emails — such as email verification, password resets, and workspace invitations — through our email provider, Resend. If you contact support, we keep a record of that correspondence.

3. How we use your information

We use the information we collect to:

• provide, maintain, and improve the Service;
• retrieve, display, categorize, and organize your financial accounts and transactions;
• authenticate you and keep your account secure;
• process subscriptions, payments, and billing;
• send you service-related communications and respond to your requests;
• detect, prevent, and address fraud, abuse, security, and technical issues; and
• comply with legal obligations and enforce our terms.

We do not use your financial transaction data to serve third-party advertising, and we do not sell your personal information.

4. How we share your information

We do not sell your personal information. We share information only in the following circumstances:

• Service providers (sub-processors). We share information with vendors who process data on our behalf to run the Service, under contracts that limit their use of it. These include Plaid (account connectivity), Stripe (payments), Cloudflare (bot defense), Resend (transactional email), database hosting (Neon as our primary database, with Supabase as a disaster-recovery standby), and cloud infrastructure providers (such as Google Cloud).
• Within your workspaces. If you make a connected bank visible in a workspace, the members of that workspace can see the accounts and transactions made available to it. Sharing your bank is always your choice, but a workspace’s owners and admins — who may be people other than you — manage that workspace’s membership and can invite additional members who will then have the same access.
• Legal and safety. We may disclose information if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect the rights, property, or safety of our users, the public, or us.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your information.

A more operational summary of the data we hold and the providers we rely on is available in our Data Policy.

5. Payments

Payment processing is handled by Stripe and is subject to Stripe’s Privacy Policy. See our Subscription & Billing Terms for how charges, renewals, and cancellations work.

6. Cookies and similar technologies

Our marketing website uses local browser storage to remember your theme preference. Our application uses strictly necessary cookies to keep you signed in and to remember your active workspace. We do not use third-party advertising or cross-site tracking cookies. For details, see our Cookie Policy.

7. Data retention

We keep your information for as long as your account is active or as needed to provide the Service. When you disconnect a bank, the historical data already imported may be retained as manual records unless you delete it. When you delete your account, we delete or de-identify your personal data, except where we must retain certain records to comply with legal obligations, resolve disputes, or enforce our agreements. See Data Deletion for how to remove your data.

8. Security

We use technical and organizational measures to protect your information, including encryption of sensitive credentials and data in transit. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Learn more on our Security page.

9. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing. You can:

• view and edit much of your data directly in the app;
• disconnect a bank or delete data at any time;
• delete your entire account from your account settings, or by contacting us; and
• request access, correction, deletion, or a copy of your data by emailing privacy@superbasicfinance.com.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete, and correct, and the right not to be discriminated against for exercising them. We do not sell or “share” personal information as those terms are defined under California law. If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR/UK GDPR. We will verify requests and respond within the time required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

10. Children’s privacy

The Service is not directed to children, and you must be at least 18 years old to use it. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction). If you believe a child has provided us personal information, contact us and we will delete it.

11. Where we operate

The Service is operated from, and intended for users in, the United States, and we currently support U.S. financial institutions. If you access the Service from outside the United States, you understand that your information will be processed in the United States, where data protection laws may differ from those in your country.

12. Third-party links

The Service may link to third-party websites and services that we do not control. This policy does not apply to those third parties, and we encourage you to review their privacy policies.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

14. Contact us

For privacy questions or to exercise your rights, email privacy@superbasicfinance.com or visit our Contact & Support page.