Legal
Effective May 10, 2026 · This document is not legal advice; please review with counsel before publication.
Privacy policy
This policy explains what data Out Budget collects from you, why we collect it, how we use and share it, and what rights you have over it. It is written to satisfy both the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Who we are
Out Budget is operated by Lorenzo Bergamini, a sole proprietor based in the United Arab Emirates (“we”, “us”, or “Out Budget”), located at MAG 218, Dubai Marina, Dubai, United Arab Emirates. We are the data controller for the personal data described in this policy. For any privacy-related question or request, contact us at support@outbudget.com.
2. What data we collect
We collect only what we need to run the service:
- Account data — email address, password hash, display name (if you set one), preferred currency, time zone.
- Financial data you enter — accounts, balances, categories, transactions, transfers, assumptions, scenarios, and any notes you attach. This is the data you create inside the app; it remains your property.
- Billing data — when paid plans launch, payment is processed by Stripe. We never receive or store your full card number; Stripe gives us a token plus the last four digits and brand for receipts.
- Technical data — IP address, browser type, device type, pages visited, timestamps. This is logged for security, abuse prevention, and analytics.
- Communications — if you email support, we keep that thread to help you and to improve the product.
3. How we use it
- To provide the service: authenticate you, store and display your data, run the forecast.
- To bill you (when paid plans launch): process subscriptions, send receipts, manage refunds.
- To communicate: respond to support, send service-related emails (e.g. password reset, billing changes). We do not send marketing email without explicit opt-in.
- To keep the service safe: detect abuse, prevent fraud, debug issues. We may inspect aggregated logs but do not browse your financial data without an explicit reason (e.g. a support ticket where you ask us to look).
- To comply with the law: respond to lawful requests and tax obligations.
4. Lawful basis (GDPR)
If you are in the EU/EEA/UK, we process your personal data only where we have a lawful basis under Article 6 GDPR. The table below maps each processing activity to its basis.
| Processing activity | Data involved | Legal basis | Art. 6(1) |
|---|---|---|---|
| Authentication & account management | Email, password hash, session token | Performance of a contract | (b) |
| Storage and display of financial data | Accounts, transactions, categories, scenarios, assumptions | Performance of a contract | (b) |
| Billing and payment processing | Email, Stripe token, last-four digits, subscription status | Performance of a contract; Legal obligation (tax records) | (b) and (c) |
| Product analytics | Aggregated page views and feature interactions (no financial content) | Consent — only fired after you accept analytics cookies | (a) |
| Error monitoring (browser) | Stack traces, page URL, browser/OS, and on errors a masked DOM replay (text redacted, media blocked). No IP address, cookies, or request headers. | Consent — the Sentry browser SDK only loads after you accept analytics cookies | (a) |
| Error monitoring (server) | Stack traces and request URL paths (query strings stripped) from server-side failures. No IP address, cookies, or request headers. | Legitimate interests (keeping the service reliable and debugging outages) | (f) |
| Non-essential cookies & marketing | Analytics cookies; any future marketing identifiers | Consent — freely given, withdrawable at any time via cookie preferences | (a) |
| Support communications | Email address, message thread content | Legitimate interests (responding to enquiries and improving service) | (f) |
| Security logging & abuse prevention | IP address (hashed after 30 days), request metadata, event timestamps | Legitimate interests (protecting users and service integrity) | (f) |
| Legal compliance & regulatory disclosure | Any data required by the applicable authority | Legal obligation | (c) |
Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that our interests are not overridden by your rights and freedoms given the limited scope and sensitivity of the data processed. You may object to this processing at any time by emailing support@outbudget.com.
5. Sharing and subprocessors
We do not sell your personal data. We share it only with the third-party services we use to run Out Budget, listed on the Subprocessors page. Each one is bound by a data processing agreement and may only use your data on our instructions.
We will disclose data to authorities only when legally required and, where the law permits, will inform you first.
6. International transfers
Your data is stored in AWS eu-central-1 (Frankfurt). Some subprocessors may process data in other regions (e.g. the United States). When data leaves the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses or equivalent safeguards.
7. Retention
- Account and financial data: kept for as long as your account exists. After you delete your account, your data is removed from the live database within 24 hours and from backups within 7 days.
- Billing records: retained for the period required by tax law (typically 7–10 years), even after account deletion.
- Technical and log data: 30 days for application logs; 90 days for security logs.
- Support emails: 2 years from last reply.
8. Your rights (GDPR)
If you are in the EU/EEA/UK, you have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), subject to legal retention.
- Restrict or object to certain processing.
- Receive your data in a portable format (CSV export is available in-app at any time).
- Lodge a complaint with a supervisory authority — see below for the authority we are registered with.
To exercise any of these rights, email support@outbudget.com with the subject line “Data Request”. Please include your account email and a brief description of your request. We respond within 30 days; if the request is complex we will notify you of a one-time extension (maximum 3 months) within the initial 30-day window. A data export includes all financial data, account records, categories, scenarios, and consent logs associated with your account.
If you believe we have mishandled your data, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC), which is the supervisory authority we have designated as our EU lead authority.
9. California rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, use, and share; to delete your information; to correct inaccurate information; and to not be discriminated against for exercising these rights. Out Budget does not sell or share personal information for cross-context behavioural advertising. To exercise your rights, email support@outbudget.com.
10. Data security
See the Security page for the technical details. In short: TLS 1.3 in transit, AES-256 at rest, Postgres row-level security on every table, password hashes (no plaintext), no bank credentials stored.
11. Children
Out Budget is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.
12. Cookies and similar technologies
See the Cookie policy for the full list. In summary: we use a small number of strictly necessary cookies for authentication. Analytics and other non-essential cookies fire only with your explicit consent.
13. Changes
When we make material changes to this policy, we will update the effective date above and, for significant changes, notify you by email. Continued use of the service after the effective date means you accept the updated policy.
14. Contact
For any privacy question, write to support@outbudget.com. We answer every email.
15. Data Protection Officer
Out Budget is operated by a sole proprietor and does not meet the thresholds under GDPR Article 37 that mandate the designation of a Data Protection Officer (DPO). We have therefore not appointed a DPO.
All privacy enquiries, data-subject rights requests, and supervisory-authority correspondence should be directed to the controller directly:
Lorenzo Bergamini, sole proprietor based in the United Arab Emirates
support@outbudget.com
MAG 218, Dubai Marina, Dubai, United Arab Emirates
We aim to respond to all privacy requests within 30 days as required by GDPR Art. 12(3). If we cannot meet that deadline we will inform you of the reason and the extended deadline (maximum 3 months) within the initial 30-day window.