← Back to Home

Privacy Policy

Effective Date: April 21, 2026

PennyHelm ("we," "us," or "our") is a personal finance management application. We take your privacy seriously and are committed to protecting the personal and financial information you entrust to us. This Privacy Policy explains what data we collect, how we use it, how we store and protect it, and your rights regarding your information.

1. Information We Collect

1.1 Account Information

• Email address — used for authentication and account recovery
• Display name — a name you choose to personalize the app
• Authentication credentials — managed securely by Firebase Authentication (we never store your password in plaintext)

1.2 Financial Data You Enter

All financial data is entered voluntarily by you. This may include:

• Bills, recurring payments, and payment history
• Bank account names, types, and balances
• Debts (credit cards, loans, mortgages) with balances and interest rates
• Income information and pay schedules
• Credit scores
• Tax deduction records and document metadata
• Savings goals
• Vehicle mileage and trip logs
• Custom bill categories

1.3 Bank Data via Plaid

If you choose to connect a bank account, we use Plaid Inc. to securely retrieve:

• Account names and types (checking, savings, credit, etc.)
• Account balances (current and available)
• Last four digits of account numbers (mask)
• Institution name

We do not access or store your bank login credentials. Plaid handles authentication directly with your financial institution. We do not currently import or store transaction history.

Plaid's access tokens (used to refresh your balances) are stored securely on our servers and are never exposed to your browser or device. For more information, see Plaid's End User Privacy Policy.

1.4 Notification Preferences (Mobile App)

If you enable bill reminders on the mobile app, we store your preferences:

• Whether notifications are enabled
• Reminder timing (how many days before a due date)
• Preferred notification time
• Whether to include auto-pay bills

Notifications are scheduled locally on your device. We do not use push notification servers or send notifications from our servers.

1.5 App Telemetry (Mobile App Only)

The mobile app collects limited usage telemetry to help us identify bugs and improve the experience:

• Screen navigation events
• App lifecycle events (open, background, foreground)
• Error reports (error type, message, and a brief stack trace)
• App version, platform (Android/iOS), and OS version

Telemetry data is associated with your user ID for debugging purposes, is accessible only to administrators, and is automatically deleted after 30 days. No financial data is included in telemetry events.

1.6 Information We Do NOT Collect

• We do not display advertisements inside the app
• We do not use third-party analytics SDKs (no Google Analytics, Mixpanel, Segment, etc.)
• We do not collect location data
• We do not access your contacts, camera, or photos
• We do not sell, rent, or share your data with advertisers, data brokers, or any third party for their own marketing

1.7 Marketing Attribution (Ad Landing Pages Only)

When you arrive at a PennyHelm marketing landing page — currently just pennyhelm.com/switch, used for paid ads on platforms like Reddit — we record a small amount of information so we can measure which ads are working and which aren't. This tracking runs only on those landing pages, never inside the app itself.

What we record on a landing-page visit:

• An anonymous visitor ID stored in your browser's localStorage. This is a random identifier we generate — it is not linked to your name, email, or any account. Its only purpose is to let us tell whether the person who clicked the "Start Free Trial" button is the same person who saw the page five minutes earlier
• UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) from the URL, if present. These tell us which ad platform and creative brought you here
• The referring URL (document.referrer), if your browser sends one
• The landing page path (e.g. /switch)
• Your IP address, used only for rate limiting the endpoint — not persisted in the attribution record itself and discarded within two minutes

We do not use Meta Pixel, Google Tag Manager, or any off-platform behavioral-tracking script on landing pages or inside the app. The one exception is a single Google Ads conversion tag that fires only on the sign-up event itself (see §1.9 below) — we use it to count completed signups, not to profile visitors. The attribution data listed above is sent to PennyHelm servers only and never shared with the ad platform beyond the conversion count the platform requires.

Records are stored in a protected Firestore collection readable only by PennyHelm administrators and automatically deleted after 90 days. You can clear the anonymous visitor ID at any time by clearing your browser's site data for pennyhelm.com.

1.8 Usage Activity (Logged-In Users)

To understand how many people actually use PennyHelm — e.g. daily and monthly active user counts — we record, once per calendar day per user, a small activity marker containing:

• Your user ID
• The date (UTC, e.g. 2026-04-20)
• A timestamp

No page, action, bill, balance, or financial detail is recorded — the marker only says "this user opened the app today." Markers are stored in a protected Firestore collection readable only by administrators and automatically deleted after 90 days. They are used solely to compute aggregate active-user counts and are never shared externally.

1.9 Google Ads Sign-Up Conversion Tracking

When you successfully create a PennyHelm account via pennyhelm.com/login, we fire a single Google Ads conversion event so that when we run paid ads on Google, we can measure how many of those ad clicks resulted in a completed signup. This is used only to count signups, never to show you ads or build a profile about you.

What gets sent on a single conversion ping:

• That a signup occurred on pennyhelm.com
• The Google Click Identifier (gclid), if you arrived from a Google Ads click
• Cookies that Google sets on its own domains when the tag loads — subject to the consent rules below

We do not send your email address, name, user ID, or any financial data to Google. The tag loads only on the login page, never inside the app, and never on any page where you are viewing bills, balances, or transactions.

EEA / UK / Switzerland visitors (Consent Mode v2): we implement Google Consent Mode v2 in advanced mode. All consent categories (ad_storage, ad_user_data, ad_personalization, analytics_storage) default to denied until you click "Accept" on the cookie banner shown on /switch. If you decline or never choose, the conversion ping still fires but is sent in cookieless mode — no identifiers are stored in your browser and Google can only use the aggregate signal for statistical modeling. Your choice is remembered in your browser's localStorage under the key pennyhelm-consent; you can change it any time by clearing site data for pennyhelm.com.

Non-EEA visitors: the conversion tag runs with consent granted by default, consistent with US/other jurisdictions where prior opt-in is not legally required. You can still block the tag by installing any standard ad blocker.

Self-hosted installations: the Google Ads tag is not loaded in self-hosted builds. If you run PennyHelm on your own server, nothing about your signup is ever sent to Google.

2. How We Use Your Information

We use your information solely to provide and improve the PennyHelm service:

• Authentication — to verify your identity and secure your account
• Financial tracking — to display your bills, accounts, debts, and budgets within the app
• Bank balance refresh — to fetch updated account balances from connected banks (once daily via Plaid)
• Bill reminders — to schedule local notifications on your device
• Shared access — to allow people you explicitly invite (partner, financial planner, CPA) to view or edit your data
• Bug diagnosis — to identify and fix app issues using telemetry data
• Email communication — to send invite notifications and account setup emails

3. Data Sharing

3.1 People You Invite

You can invite others (a partner, financial planner, or CPA) to access your financial data. When you send an invite:

• The invitee receives an email with a link to access your data
• You choose whether they get view-only or edit access
• You can revoke access at any time from Settings

We never share your data with anyone you have not explicitly invited.

3.2 Third-Party Services

Service	Purpose	Data Shared
Firebase (Google Cloud)	Authentication, data storage, cloud functions	Email, display name, encrypted financial data
Plaid	Bank account linking and balance retrieval	Bank credentials (handled by Plaid, not PennyHelm)
SMTP Email Provider	Sending invite and account setup emails	Recipient email address, email content
Google Ads (cloud hosting only)	Counting completed signups from paid ad clicks — see §1.9	A single conversion ping at signup time (no email, name, or user ID). Cookieless in EEA/UK/CH unless consent is granted.

We do not sell, rent, or trade your personal information to any third party.

4. Data Storage and Security

4.1 Where Your Data Is Stored

• Cloud: Your financial data is stored in Google Cloud Firestore, secured by Firebase Authentication and Firestore Security Rules
• Device: The mobile app may cache data locally for offline access using device storage
• Plaid tokens: Bank access tokens are stored server-side only and are never sent to your browser or device

4.2 Security Measures

• All data transmitted between your device and our servers is encrypted in transit (HTTPS/TLS)
• Firebase Authentication manages credentials with industry-standard security
• Firestore Security Rules enforce that only you (and people you invite) can access your data
• Admin access is restricted via Firebase custom claims
• Plaid access tokens are stored in a separate, protected collection inaccessible to client applications

5. Data Retention

• Financial data: Retained as long as your account is active. You can delete your data at any time from the Settings page
• Telemetry data: Automatically deleted after 30 days
• Plaid connections: Active until you disconnect your bank or delete your account
• Invite records: Retained while active; revoked invites are marked as revoked

6. Your Rights and Controls

You have full control over your data:

• Export: Download all your financial data as a JSON file from Settings at any time
• Delete: Clear all financial data or reset your account entirely from Settings
• Revoke sharing: Remove any shared access at any time
• Disconnect banks: Remove connected bank accounts
• Disable notifications: Turn off bill reminders at any time
• Account deletion: Contact us to request full account deletion, including all associated data

7. Children's Privacy

PennyHelm is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

8. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the effective date at the top of this page. We encourage you to review this policy periodically.

9. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

• GitHub: github.com/administrativetrick/pennyhelm