Security
How we protect your data.
Out Budget is a finance app. That means we treat security as a first-class concern, not a checkbox. Here is exactly what we do — and what we don’t.
In transit
Every connection between your browser and Out Budget is encrypted with TLS 1.3. We don’t accept unencrypted requests; HTTP is redirected to HTTPS at the edge. HSTS is enforced.
At rest
Data lives in a managed Postgres database hosted on Supabase, encrypted at rest with AES-256 at the disk level. Snapshots are taken nightly and retained for 7 days.
Row-level security
Postgres row-level security (RLS) is enabled on every table that holds user data. Each query is scoped to your user ID at the database level — meaning even a logic bug in the application can’t expose another user’s data, because the database itself enforces the boundary.
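The following is an added illustration of what that database-level boundary looks like in Postgres; it is not Out Budget's own schema or policy, and the table name, column names and the use of Supabase's auth.uid() helper and authenticated role are assumptions. It also shows the one caveat a practitioner checks first: policies only bind roles that are subject to RLS (superusers, roles with BYPASSRLS and, unless FORCE is set, the table owner are exempt), so the application must connect as a role that the policy actually governs.

```sql
-- Added example (not Out Budget's schema): per-user scoping with Postgres RLS.
-- Table and column names are assumed for illustration.
create table if not exists transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid   not null,
  amount_cents bigint not null,
  memo         text
);

-- Enable RLS. FORCE makes the policies apply to the table owner as well;
-- without it the owner (and any role with BYPASSRLS) sees every row.
alter table transactions enable row level security;
alter table transactions force row level security;

-- A single policy covering select/insert/update/delete: a row is readable or
-- writable only when its user_id matches the caller's identity.
-- auth.uid() is Supabase's helper returning the user id from the request JWT;
-- on plain Postgres substitute e.g. current_setting('app.user_id')::uuid.
-- "authenticated" is Supabase's role for signed-in users (assumed here).
create policy transactions_owner_only on transactions
  for all
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Demonstrates the guarantee described above: this query has no
-- "where user_id = ..." clause (the classic forgotten filter), yet under the
-- policy it returns only the caller's rows, because the database appends
-- the user_id predicate itself.
select id, amount_cents, memo from transactions;

-- The same mechanism blocks writes into another user's scope: with check
-- rejects an insert whose user_id is not the caller's.
insert into transactions (user_id, amount_cents, memo)
values (auth.uid(), 1250, 'coffee');  -- allowed
```

In practice the thing to verify periodically is not the policy text but the role: run a query through the same connection the app uses and confirm `select count(*) from transactions` returns only the caller's rows, which catches an accidental switch to an RLS-exempt credential.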
Authentication
Sign-in is email + password via Supabase Auth, which stores password hashes (bcrypt) — the plaintext never touches our servers. Sessions are short-lived JWTs with refresh tokens. Multi-factor authentication is on the roadmap.
No bank credentials
Out Budget does not connect to your bank, brokerage, or any financial institution. There are no third-party scraping credentials in the system, because there is nothing to scrape — you log transactions yourself or import them as CSV. If a bank integration is ever added, it will be opt-in and clearly disclosed.
Vulnerability disclosure
Found a security issue? Email support@outbudget.com with the subject “Security report”. We respond within 48 hours and will not pursue legal action against good-faith researchers who follow standard responsible disclosure practice.
Breach notification
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay and, where required by GDPR Article 33, report to the Irish Data Protection Commission (DPC) within 72 hours of becoming aware of the incident. To report a suspected breach, email support@outbudget.com.
Where data lives
User data is stored in a managed Postgres database on Supabase, hosted in AWS eu-central-1 (Frankfurt). The application is served from Vercel’s edge network, which terminates TLS and forwards requests to the Next.js runtime. Backups stay in the same region.
For the complete list of services that touch your data — and what each one is used for — see the Subprocessors page.
Your rights
You can export every row of your data as CSV from Settings → Export, at any time. If you delete your account, your data is removed from the live database within 24 hours and from backups within 7 days. We do not sell your data, share it with advertisers, or train any machine-learning model on it.
Read the privacy policy for the full picture, including your GDPR and CCPA rights.