Last updated: 10 May 2026

Privacy Policy

budgetku ("we", "us") is committed to protecting your personal data. This policy explains what data we collect, why, and your rights under the Indonesian Personal Data Protection Act (UU PDP No. 27/2022).

Data we collect

When you sign up and use budgetku, we collect:

  • Email address — for authentication, account recovery, and important notifications.
  • Password — stored as an Argon2id hash; we never see your raw password.
  • Workspace name, base currency, language preference.
  • Financial transaction data you input (accounts, categories, transactions, budgets, invoices).
  • IP address, User-Agent, and request timestamps — for security, abuse prevention, and technical analytics.
  • Login history (network, device) for suspicious-activity detection.

How we use your data

We use your data to:

  • Provide the core service — authentication, workspace isolation, transaction storage.
  • Process subscription payments for paid plans.
  • Send transaction notifications, invoices, team invitations, and security emails.
  • Prevent abuse (rate limiting, suspicious-login detection).
  • Comply with legal and audit obligations (UU PDP, ITE Law, tax regulations).

Third parties

We share the minimum data required with the following service providers. Each has its own privacy policy worth reading.

  • Midtrans (PT Midtrans Solusi Pembayaran) — processes card, QRIS, e-wallet, and virtual account payments.
  • Resend (Resend.com) — delivery of transactional email (invoices, verification, password reset).
  • Database hosting provider (cloud) — stores encrypted data at rest.

Storage and retention

Your data is stored in data centres in the Asia-Pacific region with encryption at rest. While your account is active, data remains available. After you delete your account, personal authentication data (email, password hash) is removed immediately; workspace data is retained for audit and tax compliance up to 7 years, unless you request earlier deletion in writing and no legal hold applies.

Your rights (UU PDP 2022)

As the data subject, you have the right to:

  • Access and download all your data — self-service in Settings → Account → Download my data.
  • Correct inaccurate data — via the app interface or by contacting us.
  • Request account deletion — Settings → Account → Delete account.
  • Withdraw consent at any time — withdrawal is not retroactive.
  • Object to specific processing — contact us for review.

Cookies

We use essential cookies (httpOnly authentication) that are required for the app to work and do not need consent. Optional cookies (analytics, marketing) are only set after you give explicit consent via the cookie banner. You can change your preferences at any time by clearing your browser's localStorage.

Security

We apply Postgres Row-Level Security for workspace isolation at the database layer, Argon2id password hashing, TLS for all traffic, audit logging for sensitive actions, and rate limiting on sensitive endpoints. No system is 100% secure — you remain responsible for keeping your password confidential.

Changes to this policy

We may update this policy from time to time. Material changes will be announced via email and/or in-app notice at least 14 days before they take effect.

Contact

For privacy questions, data access requests, or complaints about how we process your personal data, contact: [email protected].