Privacy Policy

Effective date: May 4, 2026 · Commonwealth Finance Tracker Pro

Our core commitment to you

Your personal and financial data belongs to you — full stop. We will never sell, share, trade, rent, or transfer it to any third party for commercial, advertising, or marketing purposes.

Commonwealth Finance Tracker exists solely to help you manage your money. Every data and security decision we make reflects that.

1. Information We Collect

We collect only what is necessary to operate the app:

Account credentials — your email address and a bcrypt-hashed version of your password. Your plaintext password is never stored.
Financial data you enter — transactions, accounts, budgets, savings goals, recurring entries, and bill reminders. This data is created entirely by you and stored in your private account.
Session tokens — a short-lived authentication token (JWT) stored in an httpOnly cookie to keep you signed in securely.
Temporary 2FA codes — six-digit codes sent to your email on each login. These expire within 10 minutes and are deleted immediately after use.

We do not collect device identifiers, browsing history, or biometric data. We use a Pinterest advertising pixel to measure the performance of our Pinterest ad campaigns — it records page visits and conversion events (without your name, email, or phone number) on our site. We also use Google Analytics 4 to understand how visitors use this website; it collects anonymized usage data (pages viewed, device type, referral source, approximate location) but has no access to any data you enter in the app. No financial data is ever shared with either service. See Section 5 for full details.

2. How We Use Your Information

Your data is used exclusively to provide the app's features to you:

Authenticating your identity when you sign in
Displaying and persisting the financial records you create
Sending login verification codes to your registered email address
Processing your subscription payments (handled entirely by Stripe — see Section 5)

We do not use your data for profiling, targeted advertising, or any purpose beyond operating the service you signed up for.

3. What We Will Never Do

This is unambiguous and unconditional:

Sell your personal data or financial information to any third party
Share your financial records, transaction history, or account balances with any other company
Trade or exchange your data in any form for commercial value
Use your financial data to build advertising profiles or sell insights to data brokers
Allow any third-party advertiser or analytics provider access to your personal financial data (transactions, balances, budgets, credentials, or any data you enter inside the app)
Disclose your information to law enforcement without a valid subpoena, court order, or search warrant

If we are ever legally compelled to share your information with law enforcement, we will notify you before complying — unless we are legally prohibited from doing so.

4. Data Security

We apply industry-standard security measures at every layer:

Password Hashing

All passwords are hashed with bcrypt (12 rounds) before storage. Your plaintext password is never written to disk or database.

Encryption at Rest

All data is stored in MongoDB Atlas, which provides AES-256 encryption at rest across all storage volumes.

Encryption in Transit

All communication between your browser and our servers is encrypted with TLS. Database connections also enforce TLS.

Session Security

Authentication tokens are stored in httpOnly cookies, making them inaccessible to JavaScript and protecting against XSS attacks.

Two-Factor Authentication

Every login requires a one-time code sent to your registered email, adding a second layer of identity verification.

Automatic Expiry

Temporary codes expire after 10 minutes and are deleted at the database level — no stale credentials persist.

Sensitive Personal Information. We treat your financial data — including transactions, account balances, and budget information — as Sensitive Personal Information. This means we apply heightened security and disclosure standards to it and never use it for any purpose other than providing the service to you.

5. Third-Party Service Providers

We work with a small number of carefully chosen service providers who process data strictly on our behalf. None of these providers receive your financial data (transactions, balances, budgets, etc.).

Provider	Purpose	Data shared
Stripe	Subscription billing & payment processing	Email address and payment method only. No financial records from the app are ever shared.
SMTP email provider	Sending login verification codes	Your email address only. No financial data is included in any email we send.
MongoDB Atlas	Secure cloud database storage	Stores all app data on our behalf as a data processor. Data is encrypted at rest. Atlas does not use your data for any purpose other than storage.
Pinterest	Advertising measurement	Page visit events and conversion events (without your name, email, or phone number). No financial data is sent. We do not use Pinterest's enhanced match feature. You can opt out via Pinterest's privacy settings or your browser's tracking protection.
Google Analytics 4	Website analytics & usage measurement	Anonymized IP address, device type, browser, pages viewed, referral source, and approximate location (city/region level). No financial data from the app is ever shared. IP anonymization is enabled — no full IP address is stored or processed by Google. You can opt out via the Google Analytics Opt-out Browser Add-on.

We use Pinterest's advertising measurement pixel to track the performance of our paid Pinterest campaigns. We also use Google Analytics 4 for website analytics as described above and in the section below. We do not use Meta Pixel or any other advertising or analytics platform.

We honor browser-level privacy signals, including Do Not Track (DNT) and Global Privacy Control (GPC). If your browser sends these signals, we will respect them where technically feasible.

Google Analytics 4

We use Google Analytics 4 (GA4), provided by Google LLC, to understand how visitors use this website. This helps us improve the site experience and measure the effectiveness of our content.

Data collected by Google Analytics:

IP address (anonymized) — truncated before it reaches Google's servers; no full IP address is ever stored.
Device and browser information — device type, operating system, browser name and version.
Pages viewed — which pages of this public site you visit and in what sequence.
Referral source — how you arrived at this site (e.g., a search engine, a social media link, or direct navigation).
Approximate location — city or region level, derived from the anonymized IP address.

What Google Analytics does not collect: your name, email address, password, or any financial data you enter in the app. GA4 only sees public-facing website pages — it has no access to any data inside your account.

IP Anonymization: We configure GA4 with IP anonymization enabled (anonymize_ip: true). Your IP address is truncated by Google before storage. No full IP address is written to Google's servers.

Google may process the analytics data it receives in accordance with its own privacy policy. You can review Google's data practices at policies.google.com/privacy.

Opt out: You can prevent Google Analytics from collecting data about your visits by installing the Google Analytics Opt-out Browser Add-on. Browser-level privacy features, ad blockers, and tracking protection tools that block googletagmanager.com will also prevent collection.

6. Shared Access (Partner Accounts)

If you invite a partner to share your dashboard, that person will have read and write access to all data in your account. Shared access is always explicitly initiated by you and can be revoked at any time from Settings. Your partner's password is separate and private — neither of you can see the other's credentials.

7. Data Retention & Deletion

Your data is retained for as long as your account is active. You are in full control at all times:

Export — use "Download Backup" in Settings to export a full JSON copy of your data at any time
Delete all records — use "Reset App" in Settings to permanently delete all financial records while keeping your account
Delete your account — contact us and we will permanently delete your account and all associated data within 30 days

8. Your Rights

Depending on your location, you may have rights under applicable privacy law (GDPR, CCPA, or similar), including the right to access, correct, or delete your personal data, and to lodge a complaint with a data protection authority. Contact us to exercise any of these rights — we will respond within 30 days.

Right to Appeal: If we deny any of your data requests, you may appeal our decision by contacting us within 30 days of the denial. We will review your appeal and respond within 30 days.

9. Changes to This Policy

If we make material changes, we will notify you by email before the changes take effect. We will never weaken our core commitment — that your data is never sold, shared for commercial purposes, or traded — without your explicit consent.

10. Contact Us

For any questions, concerns, or data requests regarding this policy:

Commonwealth Finance Tracker CommonwealthFinancialEducation@gmail.com