Privacy Policy
Last updated: January 30, 2026
Active Budget ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal budgeting application and website (collectively, the "Service"). This policy also describes how our third-party partners — including Stripe (payment processing) and Google (AI-powered features via the Gemini API) — handle your data in connection with the Service.
Please read this policy carefully. By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, do not access or use the Service.
1. Information We Collect
1.1 Information You Provide Directly
We collect the following information that you voluntarily provide to us:
- Account Information: Your name, email address, and password when you create an account.
- Profile Information: Optional information such as your currency preference, household size, or financial goals that you provide to personalize the Service.
- Financial Information You Enter Manually: Budget categories, expense entries, income data, savings goals, and other financial data you input into the Service.
- Communications: Information you provide when you contact us for support, submit feedback, or participate in surveys.
1.2 Payment Information Collected via Stripe
If you subscribe to a paid plan, your payment is processed by Stripe, Inc. ("Stripe"). When you enter your payment details, that information is transmitted directly to Stripe's servers using their secure, PCI DSS Level 1-certified infrastructure. Specifically:
- What Stripe collects: Your payment card number, expiration date, CVC, billing address, and name on card. Stripe may also collect your IP address, browser type, and device information for fraud prevention purposes.
- What we receive from Stripe: We receive only a truncated card identifier (last four digits), card brand (e.g., Visa, Mastercard), expiration date, billing postal code, and a tokenized reference to your payment method. We never receive, process, or store your full card number or CVC.
- Stripe's cookies and scripts: Stripe may place cookies and run JavaScript (Stripe.js) on our website for payment processing, fraud detection, and analytics. These scripts may operate on pages beyond the checkout page to support Stripe's advanced fraud prevention (Stripe Radar).
- Stripe's data use: Stripe processes your payment data in accordance with the Stripe Privacy Policy. Stripe may use your data to provide its services, prevent fraud, and comply with legal obligations. We encourage you to review Stripe's privacy policy for full details.
By providing your payment information, you consent to Stripe collecting, processing, and storing your payment data as described in Stripe's privacy policy. Your payment data may be transferred to and processed in the United States or other jurisdictions where Stripe operates.
1.3 Information Processed Through Google Gemini (AI Features)
The Service uses the Google Gemini API to provide AI-powered features such as financial insights, budget recommendations, spending analysis, transaction categorization, and natural-language responses. When you interact with these features, certain data is sent to Google's servers for processing:
- What we send to Google: Your prompts and questions to the AI features, along with financial context necessary to generate relevant responses (e.g., transaction summaries, budget categories, spending patterns). We do not send your bank login credentials, full account numbers, or payment card information to Google.
- What Google returns: AI-generated text responses, insights, categorizations, and recommendations based on the data provided.
- How Google uses this data: Data is processed by Google in accordance with the Gemini API Additional Terms of Service and the Google Privacy Policy. Google does not use your prompts or responses to train or improve its models. Data is processed under Google's Data Processing Addendum, with Google acting as a data processor. Logs are retained only for a limited period to detect abuse and ensure policy compliance.
- Data storage: Data sent to Google may be stored transiently or cached in any country where Google or its agents maintain facilities.
- Sensitive information: In accordance with Google's terms, you should avoid submitting highly sensitive personal information (such as Social Security numbers, full account numbers, or passwords) through AI features. We design our prompts to minimize the inclusion of such data.
By using the AI-powered features of the Service, you consent to the transmission and processing of your data by Google as described above and in Google's applicable policies.
1.4 Information Collected Automatically
When you use the Service, we may automatically collect:
- Device Information: Device type, operating system, browser type, screen resolution, and unique device identifiers.
- Usage Data: Pages visited, features used, time spent on the Service, click patterns, and interaction data.
- Log Data: IP address, access times, referring URLs, and error logs.
- Cookies and Tracking Technologies: We and our third-party partners (including Stripe) use cookies, web beacons, and similar technologies to collect information about your browsing activity. See Section 7 for details.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service and its features.
- Process subscription payments and manage your billing through Stripe.
- Categorize and analyze your financial data to provide budgeting insights, spending breakdowns, and savings progress.
- Generate AI-powered financial insights, recommendations, and natural-language responses through Google Gemini, based on your financial data and prompts.
- Send you notifications, bill reminders, and spending reports related to your account activity.
- Communicate with you about account updates, Service changes, and support requests.
- Send you promotional communications about new features or offers (with your consent, and with the ability to opt out at any time).
- Detect, prevent, and address security issues, fraud, and technical problems.
- Comply with legal obligations, resolve disputes, and enforce our Terms of Service.
- Generate anonymized, aggregated data for analytics and product improvement. Anonymized data cannot be used to identify you individually.
3. How We Share Your Information
We do not sell, rent, or trade your personal information or financial data to third parties. We may share your information only in the following circumstances:
3.1 Stripe (Payment Processing)
We share the minimum information necessary for Stripe to process your subscription payments, manage billing, and prevent fraud. This includes your name, email address, and the tokenized payment method reference. Stripe acts as an independent data controller for the payment data it collects directly from you. For details, see the Stripe Privacy Policy.
3.2 Google (AI-Powered Features)
When you use AI-powered features, we transmit your prompts and relevant financial context to Google through the Gemini API. Google processes this data to generate AI responses and may retain it as described in Section 1.3. Google acts as a data processor for this data. Google's handling of this data is governed by the Google Privacy Policy and the Gemini API Terms of Service.
3.3 Other Service Providers
We share data with trusted third-party service providers that help us operate the Service, including cloud hosting providers, email delivery services, analytics platforms, and customer support tools. These providers are contractually obligated to protect your information and may only use it to provide services to us.
3.4 Legal and Compliance Disclosures
We may disclose your information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or legal obligations.
- Protect and defend our rights, property, or safety.
- Protect the safety of users of the Service or the public.
- Detect, prevent, or address fraud, security, or technical issues.
3.5 Business Transfers
If Active Budget is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.
3.6 With Your Consent
We may share your information for other purposes with your explicit consent.
4. Data Security
We implement commercially reasonable administrative, technical, and physical safeguards to protect your data, including:
- Encryption: 256-bit AES encryption for data at rest and TLS 1.3 encryption for all data in transit.
- PCI DSS Compliance: We do not store, process, or transmit cardholder data ourselves. All payment card data is handled by Stripe, which is certified as a PCI DSS Level 1 Service Provider (the highest level of certification).
- Access Controls: Strict role-based access controls limit employee access to user data on a need-to-know basis.
- Monitoring: Continuous monitoring of systems for unauthorized access attempts, with logging and alerting on suspicious events.
- Vulnerability Management: Regular security audits, penetration testing, and timely patching of known vulnerabilities.
- Multi-Factor Authentication: MFA options are available for your Active Budget account.
- Incident Response: A documented incident response plan for detecting, containing, and remediating security incidents.
We comply with the requirements of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule as applicable to our handling of nonpublic personal financial information. We require our service providers to maintain equivalent security standards.
While we use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify you and applicable regulatory authorities in accordance with applicable law.
5. Data Retention
- Account Data: Retained for as long as your account is active, plus a reasonable period after account closure to comply with legal obligations.
- AI Feature Data: Data sent to Google through the Gemini API is retained by Google in accordance with the Gemini API Terms of Service. Google retains logs only for a limited period for abuse detection and policy compliance. We do not independently store copies of your AI prompts or Gemini responses beyond what is necessary to display them in your current session.
- Payment Data: Stripe retains payment data in accordance with its own retention policies. We retain billing records (transaction amounts, dates, and subscription status) as needed for accounting and legal compliance.
- Account Deletion: If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, audit, or compliance purposes. Note that deleting your Active Budget account does not automatically delete data held by Stripe or Google — you should contact those services directly to manage data they hold.
- Anonymized Data: Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely for analytics and product improvement.
6. Card Network and Financial Data Compliance
In connection with payment processing through Stripe, we comply with applicable card network rules (Visa, Mastercard, American Express, Discover) governing the privacy, protection, use, storage, and disclosure of cardholder data, including the Payment Card Industry Data Security Standard (PCI DSS). Because we do not directly handle card data — Stripe does — our PCI compliance obligations are satisfied through Stripe's Level 1 certification and our use of their hosted payment fields.
We comply with the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations to the extent they apply to our handling of nonpublic personal information. We do not sell, rent, or share "nonpublic personal information" (as defined under GLBA) except as necessary to provide the Service or as required by law.
We are monitoring and preparing for compliance with the Consumer Financial Protection Bureau's Section 1033 final rule regarding personal financial data rights, including requirements for authorized data access, data transparency, and periodic reauthorization. As compliance deadlines take effect, we will update our processes, disclosures, and this Privacy Policy accordingly.
7. Cookies and Tracking Technologies
We and our third-party partners use the following types of cookies and similar technologies:
7.1 Cookies We Set
- Essential Cookies: Required for the Service to function (session management, authentication, security). These cannot be disabled.
- Analytics Cookies: Help us understand how users interact with the Service so we can improve it. We use anonymized or pseudonymized analytics.
- Preference Cookies: Remember your settings and preferences (e.g., currency, display options).
7.2 Third-Party Cookies
- Stripe: Stripe.js and Stripe's fraud prevention system (Stripe Radar) may set cookies and collect device information on pages where Stripe scripts are loaded. This may include pages beyond the payment/checkout page. Stripe uses this data for payment processing, fraud prevention, and analytics. See the Stripe Cookie Policy for details.
You can control cookies through your browser settings. Disabling certain cookies may limit your ability to use some features of the Service (for example, disabling Stripe cookies may prevent payment processing).
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements. Note: this applies to data we hold. For data held by Stripe, contact Stripe.
- Portability: Request a copy of your data in a structured, machine-readable format (e.g., CSV export of your transactions and budgets).
- Opt-Out of Marketing: Opt out of promotional communications at any time by clicking "unsubscribe" in any email or updating your notification preferences in account settings.
- Restrict Processing: Request that we limit how we use your data in certain circumstances.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@activebudget.app. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request that we correct inaccurate personal information.
- Right to Opt Out of Sale/Sharing: We do not sell your personal information as defined under CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of personal information we collect: Identifiers (name, email, IP address); financial information (account data, transactions, billing data processed via Stripe); internet/electronic activity (usage data, cookies); and inferences drawn from the above (spending categories, budget insights).
Categories of third parties with whom we share information: Payment processors (Stripe), AI service providers (Google, for Gemini-powered features), cloud infrastructure providers, analytics services, and email delivery services.
To exercise your CCPA/CPRA rights, contact us at privacy@activebudget.app or use the data management tools in your account settings. You may also designate an authorized agent to submit requests on your behalf.
10. European Economic Area, UK, and Swiss Residents (GDPR)
If you are located in the EEA, UK, or Switzerland, the following additional provisions apply:
- Legal Basis for Processing: We process your personal data based on: (a) your consent (e.g., when you provide payment information to Stripe); (b) performance of a contract (e.g., to provide the Service); (c) our legitimate interests (e.g., fraud prevention, analytics, improving the Service); and (d) legal obligations.
- International Transfers: Your personal data may be transferred to and processed in the United States and other countries where Active Budget, Stripe, and Google operate. Stripe and Google each participate in the EU-U.S. Data Privacy Framework. We ensure appropriate safeguards (such as Standard Contractual Clauses) are in place for international transfers.
- Your Rights: In addition to the rights listed in Section 8, you have the right to lodge a complaint with your local data protection supervisory authority.
- Data Controller: Active Budget acts as the data controller for the personal data we collect. Stripe acts as an independent controller for the personal data it collects directly from you (e.g., payment card data submitted to Stripe). Google acts as a data processor for data processed through the Gemini API.
11. International Data Transfers
Your personal data may be transferred to and processed in the United States or other countries where our service providers operate. Specifically:
- Stripe may process payment data in the United States and other countries where Stripe has operations. Stripe participates in the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework.
- Google may process Gemini API data in the United States and other countries where Google or its agents maintain facilities. Data may be stored transiently or cached across these locations.
- Active Budget hosts the Service on infrastructure located in the United States.
Where required by applicable data protection laws (including GDPR), we ensure that appropriate safeguards — such as Standard Contractual Clauses or participation in recognized data transfer frameworks — are in place before transferring your data internationally.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@activebudget.app.
13. Third-Party Links and Services
The Service may contain links to third-party websites or services (including Stripe interfaces). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party service you interact with. Key third-party privacy policies relevant to the Service:
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a revised "Last updated" date.
- Sending you an email notification for material changes that affect how we collect, use, or share your financial data.
- Displaying an in-app notice if the change requires renewed consent.
We encourage you to review this page periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy, except where renewed consent is required by law.
15. Contact Us
If you have questions or concerns about this Privacy Policy, our data practices, or how Stripe or Google handle your information in connection with the Service, please contact us at:
Active Budget
Email: privacy@activebudget.app
Website: activebudget.app
For questions about data held directly by our partners:
Stripe: stripe.com/privacy
Google: Google Privacy Policy or Gemini API Terms