Privacy Policy
This policy explains what Penny collects, how it's used, and which third parties touch it. The short version: the only reason data exists in Penny is to show it back to you. It is never sold, never used to train AI models, and never shared with advertisers.
What's collected
Your account
- Email — used to sign in and to send transactional emails (password reset, account-deletion confirmation). No marketing emails are sent, ever.
- Name — shown in the sidebar greeting and on transactions you log.
- Password — never stored in plaintext. Hashed with scrypt and a per-user salt.
Financial data you enter
- Transactions: date, amount, merchant, category, notes, refund flag
- Budgets, goals, recurring rules, and installment plans
- Custom categories you create
Penny does not connect to any bank or financial institution. You enter all data yourself. Nothing is fetched, scraped, or imported from external sources.
Usage data
- Page views — which pages of the app you visit, when, and a coarse browser-family string. Used for a small admin dashboard that the operator looks at to understand how the app is being used.
- Activity log — a record of actions in your household (added a transaction, set a budget, etc.) so you and other household members can review history.
- Error reports — if the app crashes, anonymized error traces are sent to Sentry. Request bodies and cookies are stripped before sending, so passwords and session tokens are never included.
Device + session
- A randomly-generated session token in an HTTP-only cookie, so you stay signed in.
- The browser user-agent string of the device that created the session.
- Your IP address is visible to Cloudflare for rate-limiting and bot detection; it is not stored long-term by the app.
Why it's collected
- To operate the app — show your data, compute budgets, generate AI responses
- To authenticate you and protect your account from unauthorized access
- To send transactional emails when something happens you need to know about (password reset, account-deletion confirmation, restore link)
- To inform what the operator builds next, via aggregate metrics like daily/weekly/monthly active users
Your data is never sold. Your data is never used to train any third-party AI model. There is no advertising, no analytics pixels, no shared identifiers with marketing platforms.
Who else touches your data
These third-party services are used to run the app. They receive the minimum data needed for their function.
- Cloudflare — hosts the app (Pages), the database (D1), bot detection (Turnstile), and email routing for inbound support emails
- Resend — sends transactional emails. Receives your email address, name, and the email body.
- OpenRouter (LLM gateway) — when you use Penny chat, your question, recent conversation history, and a summary of your recent financial activity (merchants, amounts, categories, dates) are sent to the LLM provider. Your email, name, and password are never included. Avoid putting sensitive identifying information into chat messages.
- Sentry — server-side error monitoring. Anonymized stack traces only; request bodies, cookies, and session tokens are scrubbed.
Cookies
Penny sets a small number of cookies, all on the gopenny.app domain:
- session — HTTP-only, secure, SameSite=Lax. Contains a random session token. Required for sign-in. Expires after 30 or 90 days depending on whether you ticked "Keep me signed in."
- penny_sidebar_collapsed, penny_chat_open, penny_view_month — UI preferences. Not tracking.
- penny_cookie_consent — records that you've seen the cookie notice so it doesn't reappear.
There are no third-party tracking cookies, no Google Analytics, no Facebook Pixel, no advertising trackers of any kind.
Your rights
Anyone, anywhere, can do the following at any time:
- Access all your data: Settings → Data export → Full account (JSON). Download anytime.
- Delete your account: Settings → Danger zone → Delete my account. A 30-day grace period lets you cancel. After 30 days the data is gone.
- Correct any inaccurate information by editing it directly in the app.
- Withdraw consent for non-essential processing by deleting your account.
If you are in California, India, the EU, or the UK and have specific rights under the CCPA, DPDPA, GDPR, or similar laws, those still apply — email [email protected] to exercise them.
How long data is kept
- Active accounts: until you delete them
- Deleted accounts: erased within 30 days of your deletion request (the grace period). After 30 days, your data is gone — there is no recovery.
- Sessions: automatically expire after 30 days (or 90 with "Keep me signed in"), or immediately on sign-out or password change
- Error reports: retained by Sentry for up to 90 days, then deleted
Security
Standard practices are in place: TLS for all traffic, scrypt password hashing, HTTPS-only secure cookies, Content Security Policy, HSTS, X-Frame-Options blocking iframe embedding. No system is 100% secure. If a breach happens that affects your account, you will be emailed within 72 hours of the operator confirming it.
Where data lives
The app's infrastructure (Cloudflare, Resend, the LLM provider, Sentry) is globally distributed. Your data may be processed in countries other than where you live, including the United States. This is unavoidable for a small project using these providers.
Children
Penny is not intended for anyone under 18. If you become aware that a minor has created an account, email [email protected] and the account will be deleted promptly.
Changes
This policy may be updated as the project evolves. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent change.
Contact
For any privacy questions or to exercise your rights, email [email protected].