Last updated: 10 May 2026
Privacy Policy
budgetku ("we", "us") is committed to protecting your personal data. This policy explains what data we collect, why, and your rights under the Indonesian Personal Data Protection Act (UU PDP No. 27/2022).
Data we collect
When you sign up and use budgetku, we collect:
- Email address — for authentication, account recovery, and important notifications.
- Password — stored as an Argon2id hash; we never see your raw password.
- Workspace name, base currency, language preference.
- Financial transaction data you input (accounts, categories, transactions, budgets, invoices).
- IP address, User-Agent, and request timestamps — for security, abuse prevention, and technical analytics.
- Login history (network, device) for suspicious-activity detection.
How we use your data
We use your data to:
- Provide the core service — authentication, workspace isolation, transaction storage.
- Process subscription payments for paid plans.
- Send transaction notifications, invoices, team invitations, and security emails.
- Prevent abuse (rate limiting, suspicious-login detection).
- Comply with legal and audit obligations (UU PDP, ITE Law, tax regulations).
Third parties
We share the minimum data required with the following service providers. Each has its own privacy policy worth reading.
- Midtrans (PT Midtrans Solusi Pembayaran) — processes card, QRIS, e-wallet, and virtual account payments.
- Resend (Resend.com) — delivery of transactional email (invoices, verification, password reset).
- Database hosting provider (cloud) — stores encrypted data at rest.
Storage and retention
Your data is stored in data centres in the Asia-Pacific region with encryption at rest. While your account is active, data remains available. After you delete your account, personal authentication data (email, password hash) is removed immediately; workspace data is retained for audit and tax compliance up to 7 years, unless you request earlier deletion in writing and no legal hold applies.
Your rights (UU PDP 2022)
As the data subject, you have the right to:
- Access and download all your data — self-service in Settings → Account → Download my data.
- Correct inaccurate data — via the app interface or by contacting us.
- Request account deletion — Settings → Account → Delete account.
- Withdraw consent at any time — withdrawal is not retroactive.
- Object to specific processing — contact us for review.
Cookies
We use essential cookies (httpOnly authentication) that are required for the app to work and do not need consent. Optional cookies (analytics, marketing) are only set after you give explicit consent via the cookie banner. You can change your preferences at any time by clearing your browser's localStorage.
Security
We apply Postgres Row-Level Security for workspace isolation at the database layer, Argon2id password hashing, TLS for all traffic, audit logging for sensitive actions, and rate limiting on sensitive endpoints. No system is 100% secure — you remain responsible for keeping your password confidential.
Changes to this policy
We may update this policy from time to time. Material changes will be announced via email and/or in-app notice at least 14 days before they take effect.
Contact
For privacy questions, data access requests, or complaints about how we process your personal data, contact: [email protected].