Budget Group Charts What-if Crypto Debts Friends Groups Alerts 0 Settings
Budget Group Debts Alerts 0
Charts What-if Crypto Friends Groups Settings

Privacy Policy

Last updated: May 2026  ·  Terms of Use

Summary: This is a personal hobby app. Your financial data is stored on this server only. Authentication uses a JWT token in localStorage. One technical session cookie is set by the framework. Two third-party services receive your browser's IP address directly: World Bank API (inflation data) and jsDelivr CDN (Chart.js). No advertising or tracking.

1. Who We Are

DebtApp is a personal pet project created and self-hosted by Maksym Shymchenko. It is not a company or commercial service. Contact: maxim.shymchenko337@gmail.com

2. What Data Is Stored on This Server

When you register and use the app, the following is stored in the server database:

  • Account: username, email address, hashed password (bcrypt — never plain text), preferred currency, account creation date
  • Debts & transactions: all debt records, payments, and settlements you create
  • Budget data: budget periods, categories, limits, and transactions you enter
  • Group data: groups you create or join, group budgets, shared transactions
  • Crypto holdings: coin names, amounts, purchase prices you enter manually
  • Notifications: pending settlement confirmations between users

All data is deleted permanently when you delete your account (Settings → Delete Account).

3. What Is Stored in Your Browser (localStorage)

The following keys are stored in your browser's localStorage (not cookies):

  • token — your JWT authentication token (keeps you logged in)
  • user — your userId, username, email, preferred currency
  • theme — dark or light theme preference
  • language — language preference (en / pl / ua)
  • cookiesAccepted — your consent status for this notice
  • includeGroupBudget — whether the "Include group budget" checkbox is checked
  • gbCatMapping — group budget category mapping for the budget UI
  • forecastMode — selected forecast cycle mode (calendar / cycle / range)
  • forecastCycleDay — salary day-of-month for the "From day N" forecast mode
  • forecastRangeFrom, forecastRangeTo — custom date range for forecast
  • _ac_* — short-lived API cache entries (auto-expire, e.g. inflation data)
  • wbinfl_* — World Bank inflation data cached for 24 hours

All localStorage data is cleared when you log out or delete your account.

4. Browser Cookies

One browser cookie is set automatically by the ASP.NET Core framework: .AspNetCore.Session — a strictly technical session identifier. It contains no personal data and is not used for tracking or authentication (authentication is handled by the JWT token in localStorage).

No advertising, analytics, or tracking cookies are set by this application.

5. Third-Party Services — Server-Side

The following services are called from the server (not your browser). Your IP address is not exposed to them — only the server's IP address is used. No personal data is sent.

  • CoinGecko API (api.coingecko.com) — fetches live cryptocurrency prices and coin list for the Crypto page. Sends: coin IDs and currency code only. Data is cached server-side for 5 minutes. CoinGecko Privacy Policy
  • ExchangeRate-API (api.exchangerate-api.com) — fetches currency exchange rates shown in Settings. Sends: base currency code only. ExchangeRate-API Docs

6. Third-Party Services — Client-Side (Your Browser Contacts Directly)

The following services are contacted directly by your browser, meaning your IP address is sent to these services:

  • World Bank Open Data API (api.worldbank.org) — fetches historical inflation data displayed on the Analytics page. Your browser makes this request directly. Only country codes and date ranges are sent. The World Bank receives your IP address. Data is cached in localStorage for 24 hours to minimise requests. World Bank Privacy Notice
  • jsDelivr CDN (cdn.jsdelivr.net) — the Chart.js library is loaded from jsDelivr on the Analytics, Budget, Crypto, and What-if pages. Your browser downloads the file directly, exposing your IP address. jsDelivr Privacy Policy

7. Your GDPR Rights

If you are in the EU/EEA:

  • Access — all your data is visible in the app
  • Rectification — edit your profile and data directly in the app
  • Erasure — delete your account from Settings → Delete Account (permanent)
  • Portability — your data can be exported from Settings
  • Object / Withdraw consent — you can stop using the app and delete your account at any time

For any privacy request: maxim.shymchenko337@gmail.com

Note: This is a non-commercial personal project. Formal GDPR DPA obligations may not apply, but the above rights are honoured in good faith.

8. Data Retention

Server data is retained as long as your account exists. Deleting your account permanently removes all associated data from the database. localStorage data is cleared on logout or account deletion.

9. Changes

This policy may be updated at any time. The "last updated" date above reflects the most recent revision. Continued use after changes constitutes acceptance.

Back to Settings Terms of Use

Privacy & Data Notice

Personal pet project by Maksym Shymchenko — not a commercial service. Please read before continuing.

Stored in your browser (localStorage)
JWT token (login) username & email theme & language budget & forecast settings 1 technical cookie (.AspNetCore.Session)
Third-party services — your IP is sent to
World Bank API — inflation data jsDelivr CDN — Chart.js

Server-side only (IP hidden): CoinGecko, ExchangeRate-API.

Disclaimer

No warranty. Use at your own risk. Delete your account and all data any time in Settings.

Privacy Policy ↗ Terms of Use ↗

Cannot Continue

This app needs to store a login token in your browser's localStorage to function.
No consent — no access.

You can read the full Privacy Policy and Terms before deciding.

Privacy & Data Notice

Personal pet project — not a commercial service. GDPR Art. 6(1)(a)

Data controller

Maksym Shymchenko — personal use only. Contact: maxim.shymchenko337@gmail.com

Stored in your browser (localStorage)
token — JWT login user — username, email, currency theme, language cookiesAccepted includeGroupBudget, gbCatMapping forecastMode, forecastCycleDay, forecastRange* short-lived API cache (_ac_*, wbinfl_*)

1 technical cookie: .AspNetCore.Session — no personal data, not used for auth.

Stored on the server

Account, debts & payments, budget data, groups, crypto holdings, notifications. Permanently deleted when you delete your account.

Third-party services — your IP is sent to
World Bank API — inflation data jsDelivr CDN — Chart.js

Server-side only (IP hidden): CoinGecko, ExchangeRate-API.

Purpose & legal basis

App functionality only — no ads, no tracking, no profiling. Legal basis: your consent (GDPR Art. 6(1)(a)). Withdraw anytime by deleting your account in Settings.

Your rights (EU / EEA)

Access — visible in app  ·  Rectification — edit in Settings  ·  Erasure — delete account  ·  Portability — export in Settings

Disclaimer

No warranty. Use at your own risk. The developer accepts no liability for your data.