Privacy Policy
Your personal and financial data belongs to you — full stop. We will never sell, share, trade, rent, or transfer it to any third party for commercial, advertising, or marketing purposes.
Commonwealth Finance Tracker exists solely to help you manage your money. Every data and security decision we make reflects that.
1. Information We Collect
We collect only what is necessary to operate the app:
- Account credentials — your email address and a bcrypt-hashed version of your password. Your plaintext password is never stored.
- Financial data you enter — transactions, accounts, budgets, savings goals, recurring entries, and bill reminders. This data is created entirely by you and stored in your private account.
- Session tokens — a short-lived authentication token (JWT) stored in an httpOnly cookie to keep you signed in securely.
- Temporary 2FA codes — six-digit codes sent to your email on each login. These expire within 10 minutes and are deleted immediately after use.
We do not collect device identifiers, browsing history, analytics events, advertising IDs, or any biometric data.
2. How We Use Your Information
Your data is used exclusively to provide the app's features to you:
- Authenticating your identity when you sign in
- Displaying and persisting the financial records you create
- Sending login verification codes to your registered email address
- Processing your subscription payments (handled entirely by Stripe — see Section 5)
We do not use your data for profiling, targeted advertising, or any purpose beyond operating the service you signed up for.
3. What We Will Never Do
This is unambiguous and unconditional:
- Sell your personal data or financial information to any third party
- Share your financial records, transaction history, or account balances with any other company
- Trade or exchange your data in any form for commercial value
- Use your financial data to build advertising profiles or sell insights to data brokers
- Allow any third-party advertiser or analytics provider access to your data
- Disclose your information to law enforcement without a valid legal obligation
4. Data Security
We apply industry-standard security measures at every layer:
5. Third-Party Service Providers
We work with a small number of carefully chosen service providers who process data strictly on our behalf. None of these providers receive your financial data (transactions, balances, budgets, etc.).
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Subscription billing & payment processing | Email address and payment method only. No financial records from the app are ever shared. |
| SMTP email provider | Sending login verification codes | Your email address only. No financial data is included in any email we send. |
| MongoDB Atlas | Secure cloud database storage | Stores all app data on our behalf as a data processor. Data is encrypted at rest. Atlas does not use your data for any purpose other than storage. |
We do not use any advertising networks, social media trackers, or analytics platforms.
6. Shared Access (Partner Accounts)
If you invite a partner to share your dashboard, that person will have read and write access to all data in your account. Shared access is always explicitly initiated by you and can be revoked at any time from Settings. Your partner's password is separate and private — neither of you can see the other's credentials.
7. Data Retention & Deletion
Your data is retained for as long as your account is active. You are in full control at all times:
- Export — use "Download Backup" in Settings to export a full JSON copy of your data at any time
- Delete all records — use "Reset App" in Settings to permanently delete all financial records while keeping your account
- Delete your account — contact us and we will permanently delete your account and all associated data within 30 days
8. Your Rights
Depending on your location, you may have rights under applicable privacy law (GDPR, CCPA, or similar), including the right to access, correct, or delete your personal data, and to lodge a complaint with a data protection authority. Contact us to exercise any of these rights — we will respond within 30 days.
9. Changes to This Policy
If we make material changes, we will notify you by email before the changes take effect. We will never weaken our core commitment — that your data is never sold, shared for commercial purposes, or traded — without your explicit consent.
10. Contact Us
For any questions, concerns, or data requests regarding this policy:
Commonwealth Finance Tracker
CommonwealthFinancialEducation@gmail.com