Legal
How Ridgeline Budget handles your data — written to be read, not just agreed to.
Ridgeline Budget is a personal household budgeting application operated by an individual developer. This policy explains what information is collected, how it is stored and protected, what rights you have over it, and how this application relates to major privacy regulations.
This policy applies to the Ridgeline Budget web application at app.ridgelinebudget.com and the associated marketing website at ridgelinebudget.com. It does not apply to third-party services linked from these sites.
Understanding the architecture is essential to understanding the privacy model. Ridgeline Budget is a client-side-first application. All data processing — budgeting calculations, encryption, and decryption — happens in your browser. The server is a storage relay, not a data processor.
In guest mode, all data is stored exclusively in your browser's localStorage. Nothing is transmitted to any server. Your financial data never leaves your device.
When you create an account, your workspace data is encrypted in your browser before being sent to the server. The server stores an opaque, encrypted blob. The encryption key is stored only in your browser's localStorage — it is never transmitted to the server in any form.
The sync architecture uses an operation log (op_log) and a workspace state snapshot (workspace_state). Both tables store only encrypted ciphertext when encryption is enabled. The server cannot reconstruct any financial data from what it stores.
Even with full database access, the server (and the developer) can see only:
enc: — unreadable without your key
If you choose no encryption, your financial data is stored as readable JSON on the server. This is clearly disclosed during setup. Encryption is strongly recommended and enabled by default for new workspaces.
| Data | Purpose | Stored where |
|---|---|---|
| Email address | Account identity, sign-in, password reset, partner invitation emails | Supabase Auth (server) |
| Hashed password | Authentication | Supabase Auth (server) — bcrypt hash, never plaintext |
| Passkey credential | Password-free authentication | Server — credential ID and public key only. Private key never leaves your device. |
| Workspace financial data | Core application function — budgets, income, expenses, history | Encrypted in browser; encrypted ciphertext stored on server |
| Encryption key | Encrypting and decrypting your data | Browser localStorage only — never sent to server |
| Session tokens | Maintaining your signed-in state | Browser localStorage and server-side session record |
| Operation timestamps | Conflict resolution for real-time sync | Server — ISO timestamps only, no content |
| Subscriber status | Tracking paid plan status, sponsor/partner relationship | Server — plan tier and associated email |
| Debug logs | Optional diagnostic output to your own browser console | Browser only — never transmitted. Off by default. |
We do not collect: IP addresses beyond what Supabase's infrastructure logs for security purposes, device fingerprints, behavioral analytics, browsing history, or any data for advertising purposes.
Encryption is implemented entirely in your browser using the Web Crypto API — the same standard cryptography interface used by banks and password managers. No third-party encryption library is involved.
| Mode | Algorithm | Key storage | Key recovery |
|---|---|---|---|
| Random key | AES-GCM-256, 96-bit random IV per operation | Browser localStorage | None — must transfer key manually to new devices |
| Passphrase | AES-GCM-256, key derived via PBKDF2 (600,000 iterations, SHA-256) | Browser localStorage after derivation | Re-enter passphrase on any new device |
| None | No encryption | N/A | N/A — data readable on server |
In this application it means the data is encrypted before it leaves your browser and decrypted after it arrives in your browser. The server never holds the key. This is structurally identical to end-to-end encryption in messaging applications — the transit layer and the storage layer both handle only ciphertext.
Encryption protects your data at rest on the server and in transit. It does not protect against malware on your own device that can read localStorage, or against someone who has physical access to an unlocked device where you are signed in.
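The passphrase mode described above, sketched with the Web Crypto API as an added example; this is not Ridgeline Budget's own code. The function names, the 16-byte salt, and the stored layout (`enc:` followed by base64 of IV plus ciphertext) are assumptions, since the policy specifies none of them.

```javascript
// Added illustration; not Ridgeline Budget's source code.
// Assumed: the "enc:" + base64(iv || ciphertext) layout and a per-workspace salt.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// Passphrase mode: PBKDF2 (600,000 iterations, SHA-256) -> AES-GCM-256 key.
async function deriveKey(passphrase, salt) {
  const material = await subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: script cannot export the raw key bytes
    ["encrypt", "decrypt"]);
}

// Encrypt one operation with a fresh 96-bit random IV, as the table states.
async function sealOp(key, op) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(op))));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  return "enc:" + btoa(String.fromCharCode(...blob));
}

// Decrypt; AES-GCM's tag check rejects a wrong key or a modified blob.
async function openOp(key, stored) {
  if (!stored.startsWith("enc:")) throw new Error("not an encrypted record");
  const blob = Uint8Array.from(atob(stored.slice(4)), c => c.charCodeAt(0));
  const pt = await subtle.decrypt(
    { name: "AES-GCM", iv: blob.slice(0, 12) }, key, blob.slice(12));
  return JSON.parse(dec.decode(pt));
}

// Constructed sample: what the server would store versus what each key recovers.
async function demo() {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const op = { type: "expense", amount: 42.5, category: "groceries" };
  const key = await deriveKey("correct horse battery staple", salt);
  const a = await sealOp(key, op);
  const b = await sealOp(key, op); // same plaintext, new IV, different blob
  const roundTrip = await openOp(key, a);
  const wrongKey = await deriveKey("wrong passphrase", salt);
  const wrongKeyRejected = await openOp(wrongKey, a).then(() => false, () => true);
  return { a, b, roundTrip, wrongKeyRejected };
}
```

Because decryption fails closed on a wrong key, a mistyped passphrase on a new device surfaces as an error rather than as corrupted budget data.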
The backend database, authentication, and serverless functions run on Supabase (supabase.com), which is hosted on AWS infrastructure. Supabase processes your email address, hashed credentials, and encrypted workspace data as a data processor on our behalf. Supabase is SOC 2 Type II certified and GDPR-compliant. Their privacy policy is available at supabase.com/privacy.
The marketing website loads fonts (Instrument Serif, DM Sans, JetBrains Mono) from Google Fonts. This causes your browser to make a request to Google's servers, which may log your IP address. Google's privacy policy applies to this request. The application itself (app.ridgelinebudget.com) does not load any external font resources.
Ridgeline Budget does not use Google Analytics, Mixpanel, Amplitude, Segment, Sentry, Hotjar, Intercom, or any other third-party analytics, error tracking, or behavioral monitoring service. There are no advertising networks, no tracking pixels, and no data brokers involved.
This application does not use HTTP cookies. Authentication sessions and encryption keys are stored in localStorage, which is not transmitted with every request the way cookies are. There is no cookie banner because there are no cookies to consent to.
Your account data is retained for as long as your account exists. Workspace data (encrypted) is retained indefinitely to support the app's multi-year history feature.
You can permanently delete your account at any time via Settings → Account → Delete Account. Deletion requires typing DELETE to confirm. Upon deletion, your account record, all workspace memberships, all encrypted workspace data, and all operation log entries are permanently removed from the server. This action is irreversible.
Deleting a workspace removes all associated data from the server immediately. If you are a member (not the owner) and are removed from a workspace, your access is revoked but the workspace data remains for the owner.
Guest mode data lives only in your browser's localStorage. Clearing your browser data, using a private window, or switching browsers removes it permanently. There is no server copy to delete.
Supabase maintains infrastructure-level backups as part of its standard operations. These backups are encrypted at rest and are used only for disaster recovery purposes, not for data analysis. Point-in-time recovery is available for a limited window per Supabase's standard retention policies.
Regardless of where you live, you have the following practical controls over your data:
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to your personal data.
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Storing encrypted workspace data | Contract performance (Art. 6(1)(b)) — core function of the service |
| Sending partner invitation emails | Legitimate interests (Art. 6(1)(f)) — necessary to fulfil the collaboration feature you initiated |
| Subscriber / payment status | Contract performance (Art. 6(1)(b)) — necessary to manage paid plan access |
Supabase hosts data on AWS infrastructure, which may involve servers outside the EEA. Supabase relies on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. Details are available in Supabase's Data Processing Agreement.
Ridgeline Budget is operated by an individual developer and does not meet the thresholds requiring a formal Data Protection Officer appointment under Art. 37 GDPR. Privacy inquiries should be directed to the contact address below.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights.
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email address, account ID | Yes |
| Financial information | Budget data, income, expense records | Yes — encrypted; we cannot read it |
| Internet / network activity | Browsing history, interaction data | No |
| Geolocation data | Precise location | No |
| Biometric information | Fingerprints, facial data | No — passkeys use device-local biometrics; biometric data never leaves your device |
| Inferences / profiles | Consumer profiles, preferences | No |
| Sensitive personal information | Financial account details | Yes — encrypted before transmission; inaccessible to us |
Ridgeline Budget does not sell personal information and does not share personal information with third parties for cross-context behavioral advertising purposes. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
We will respond to verified consumer requests within 45 days. Requests may be submitted to the contact address below. We may need to verify your identity before fulfilling a request.
Canadian users have rights to access and correct personal information held about them. Québec's Law 25 additionally requires privacy impact assessments for new personal information technologies. Contact us to exercise these rights. Data may be processed on servers outside Canada (AWS via Supabase).
Australian users have rights under the Australian Privacy Act 1988 and the Australian Privacy Principles. You may request access to or correction of your personal information by contacting us. The app does not collect sensitive information as defined under Australian law beyond encrypted financial data we cannot access.
Brazilian users have rights under the Lei Geral de Proteção de Dados. Legal basis for processing is contract performance and consent. You may exercise access, correction, deletion, portability, and objection rights by contacting us.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US state privacy laws grant similar rights to access, correct, delete, and opt out of sale/profiling. We do not sell data or engage in targeted advertising. Exercise rights via the contact address below.
Across all jurisdictions, our core commitments are the same: we collect the minimum data necessary, we do not sell or share it, your financial data is encrypted and inaccessible to us, and you can delete everything at any time.
Ridgeline Budget is intended for use by adults managing household finances. The service is not directed to children under 13 years of age (or under 16 in the EEA and UK), and we do not knowingly collect personal information from children.
If you believe a child has provided personal information through this service, please contact us immediately and we will delete it. The COPPA (Children's Online Privacy Protection Act) safe harbor provisions do not apply to this service as it is not directed at children.
We may update this policy from time to time. If changes are material — meaning they meaningfully expand the data we collect, change who we share it with, or reduce your rights — we will notify signed-in users by email and update the effective date at the top of this page.
Continued use of the service after the effective date of any changes constitutes acceptance of the updated policy. The previous version of this policy will always be available upon request.
For privacy-related questions, data requests, or to exercise any rights described in this policy, contact us at:
Ridgeline Budget
Operated by an individual developer
For privacy inquiries: privacy@ridgelinebudget.com
We aim to respond to all privacy inquiries within 14 days. For formal GDPR or CCPA requests, we will respond within the legally required timeframe (30 days for GDPR, 45 days for CCPA) and may ask you to verify your identity before fulfilling the request.