Privacy Policy
Effective Date: January 2026 Last Updated: January 2026
1. Introduction
CrispBudget (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our mobile application and related services (the “Service”).
By using CrispBudget, you consent to the practices described in this Privacy Policy.
Data Controller: CrispBudget Contact: support@crispbudget.app
2. Information We Collect
2.1 Information You Provide
| Data Type | When Collected | Purpose |
|---|---|---|
| Account Information | Registration | Authentication, profile display |
| Email address | Email sign-up | Account access, notifications |
| Phone number | Phone sign-up | Account verification |
| Display name | Profile setup | Personalization |
| Profile photo | Optional upload | Profile display |
| Financial Data | User input | Core service functionality |
| Transactions | Manual entry | Budget tracking |
| Categories | User creation | Organization |
| Budgets | User setting | Budget management |
| Wallet names | User creation | Wallet identification |
| Notes and descriptions | User input | Record keeping |
| AI Feature Data | Feature usage | AI processing |
| Receipt images | Camera capture | Receipt scanning |
| Voice recordings | Microphone input | Voice-to-text |
| Chat messages | Text input | AI Advisor |
2.2 Information Collected Automatically
| Data Type | Method | Purpose |
|---|---|---|
| Device Information | Automatic | Security, compatibility |
| Device model | System API | App optimization |
| Operating system | System API | Compatibility |
| App version | App data | Support, updates |
| Usage Data | Automatic | Service improvement |
| Crash logs | Firebase Crashlytics | Bug fixing |
| Error reports | Automatic capture | Stability |
| Security Data | Firebase App Check | Fraud prevention |
| App attestation | Device verification | Security |
2.3 Information from Third Parties
| Source | Data Type | Purpose |
|---|---|---|
| Apple Sign-In | Name, email (if shared) | Authentication |
| Google Sign-In | Name, email, profile photo | Authentication |
| App Store | Purchase receipts | Subscription verification |
2.4 Information We Do NOT Collect
- Bank account details: We do not connect to or access your bank accounts
- Credit card numbers: Payment processing is handled entirely by Apple
- Precise location: We do not track your GPS location
- Contacts: We do not access your contact list
- Advertising identifiers: We do not collect IDFA for advertising
3. How We Use Your Information
3.1 Primary Purposes
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the Service | Contract performance |
| Create and manage your account | Contract |
| Sync data across devices | Contract |
| Process transactions and budgets | Contract |
| Enable wallet sharing | Contract |
| AI Feature Processing | Contract / Consent |
| Analyze receipt images | Contract |
| Convert voice to text | Contract |
| Generate AI advice | Contract |
| Subscription Management | Contract |
| Verify Premium status | Contract |
| Process renewals | Contract |
3.2 Secondary Purposes
| Purpose | Legal Basis (GDPR) |
|---|---|
| Service Improvement | Legitimate interest |
| Fix bugs and errors | Legitimate interest |
| Improve app stability | Legitimate interest |
| Security | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Protect against attacks | Legitimate interest |
| Communication | Consent / Contract |
| Respond to support requests | Contract |
| Send service notifications | Contract |
| Marketing (opt-in only) | Consent |
3.3 What We Don’t Do
- No selling: We never sell your personal data
- No advertising: We do not show ads or share data with advertisers
- No profiling for marketing: We do not build profiles for targeted advertising
- No third-party data sharing for their purposes: Data is only shared for our service operation
4. AI Feature Data Processing
4.1 Receipt Scanning
- Data collected: Photos of receipts
- Processing: Sent to Google AI (Gemini) for text extraction
- Retention: Images are processed in real-time and not permanently stored on our servers
- Result storage: Extracted transaction data is stored in your account
4.2 Voice Input
- Data collected: Voice recordings
- Processing: Converted to text using Google AI
- Retention: Audio is processed in real-time and not permanently stored
- Result storage: Recognized text and transaction data stored in your account
4.3 AI Advisor
- Data collected: Chat messages and conversation context
- Processing: Analyzed by Google AI to provide personalized insights
- Retention: Chat history stored in your account for continuity
- Context: May include anonymized transaction summaries for relevant advice
4.4 Third-Party AI Disclosure
Important: When you use AI features, your data is sent to third-party AI services:
| Feature | AI Provider | Data Sent |
|---|---|---|
| Receipt Scanning | Google AI (Gemini) | Receipt images |
| Voice Input | Google AI (Gemini) | Voice recordings |
| AI Advisor | Google AI (Gemini) | Chat messages, transaction summaries |
By using AI features, you explicitly consent to this data sharing. You can choose not to use AI features if you do not wish to share data with third-party AI services.
4.5 AI Data Safeguards
- AI processing occurs via Firebase AI Logic (Google infrastructure)
- Google’s AI services are subject to Google Cloud’s data processing terms
- We do not use your data to train AI models
- Google does not use API data to train models (per Google Cloud Terms)
- You can delete all AI-related data by deleting your account
5. Data Sharing and Disclosure
5.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Firebase (Google) | Infrastructure | All account and transaction data |
| Authentication | Account credentials | |
| Firestore | Data storage | |
| Cloud Functions | Backend processing | |
| Cloud Storage | File storage | |
| Crashlytics | Crash reports | |
| App Check | Security verification | |
| Google AI (Gemini) | AI features | Receipts, voice, chat |
| Apple | Payments | Purchase receipts |
| Authentication | Sign-in tokens |
5.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government requests
- Protection of our rights, privacy, safety, or property
- Emergency situations involving potential threats to safety
5.3 Business Transfers
If CrispBudget is acquired or merged, your data may be transferred to the new entity. We will notify you before your data becomes subject to a different privacy policy.
5.4 With Your Consent
We may share data for purposes not described here only with your explicit consent.
5.5 Shared Wallets
When you join a shared wallet:
- Other members can see transactions in that wallet
- The wallet owner can view membership information
- Your private transactions remain visible only to you
- You control which wallets you join or leave
6. Data Storage and Retention
6.1 Storage Location
Your data is stored on Google Cloud servers, primarily in the United States. See Section 11 for international transfer information.
6.2 Retention Periods
| Data Type | Retention Period |
|---|---|
| Active Account Data | Retained while account is active |
| Transactions, budgets, categories | Until deletion request |
| Profile information | Until deletion request |
| Chat history | Until deletion request |
| Inactive Free Accounts | Deleted after 1 year of inactivity |
| Prior notification sent | 30 days before deletion |
| AI Processing Data | |
| Receipt images | Deleted immediately after processing |
| Voice recordings | Deleted immediately after processing |
| After Account Deletion | |
| Most data | Within 30 days |
| Backup data | Within 90 days |
| Anonymized analytics | May be retained indefinitely |
| Legal Requirements | |
| Purchase records | As required by tax law (up to 7 years) |
6.3 Deletion Process
When you delete your account:
- Immediate: Account access disabled
- Within 30 days: Primary data deleted from active databases
- Within 90 days: Backup copies purged
- Indefinite: Anonymized, aggregated statistics may be retained
7. Data Security
7.1 Technical Measures
- Encryption in transit: All data transmitted via HTTPS/TLS
- Encryption at rest: Data encrypted on Google Cloud servers
- Access control: Firestore Security Rules limit data access
- App verification: Firebase App Check prevents unauthorized access
- Authentication: Secure sign-in via Firebase Auth
7.2 Organizational Measures
- Limited personnel access to production data
- Regular security reviews
- Incident response procedures
7.3 Your Responsibilities
- Keep your account credentials secure
- Use device-level security (passcode, biometrics)
- Log out on shared devices
- Report suspicious activity promptly
7.4 Security Incidents
In the event of a data breach affecting your personal information:
- We will notify affected users within 72 hours
- We will notify relevant supervisory authorities as required
- We will take immediate steps to contain and remediate the breach
8. Your Privacy Rights
8.1 Rights for All Users
| Right | Description | How to Exercise |
|---|---|---|
| Access | View your data | Settings > Export Data |
| Correction | Fix inaccurate data | Edit in app |
| Deletion | Delete your account | Settings > Delete Account |
| Portability | Export your data | Settings > Export Data (JSON format) |
8.2 Additional Rights by Region
European Economic Area, UK, and Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, you have additional rights:
| Right | Description |
|---|---|
| Restriction | Request limited processing |
| Objection | Object to processing based on legitimate interest |
| Withdraw Consent | Withdraw consent at any time |
| Automated Decisions | Right not to be subject to solely automated decisions |
| Complaint | Lodge complaint with supervisory authority |
California, USA (CCPA/CPRA)
If you are a California resident, you have the following rights:
| Right | Description |
|---|---|
| Know | Know what personal information is collected |
| Access | Access your personal information |
| Delete | Request deletion of your data |
| Correct | Correct inaccurate information |
| Opt-Out of Sale | We do not sell personal information |
| Non-Discrimination | Equal service regardless of privacy choices |
We do not sell or share personal information for cross-context behavioral advertising.
9. Children’s Privacy
CrispBudget is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
If we discover that we have collected information from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us information, please contact us at support@crispbudget.app.
10. Cookies and Tracking
10.1 Current Status
CrispBudget is a mobile app and does not use browser cookies. We do not use tracking pixels or third-party analytics that track you across apps or websites.
10.2 Future Plans
We may implement Firebase Analytics in the future for:
- App usage statistics
- Feature popularity
- Performance monitoring
If implemented, we will:
- Update this Privacy Policy
- Provide opt-out options where required
- Respect privacy settings (e.g., App Tracking Transparency)
11. International Data Transfers
11.1 Transfer Locations
Your data is processed and stored in the United States on Google Cloud infrastructure. If you are outside the US, your data will be transferred internationally.
11.2 Transfer Safeguards
For users in the EEA, UK, and Switzerland:
- Google Cloud operates under Standard Contractual Clauses (SCCs)
- Supplementary measures per Schrems II decision
- Google is certified under the EU-US Data Privacy Framework
For users in other regions:
- We rely on consent and contractual necessity as transfer mechanisms
- We ensure adequate protection regardless of location
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- In-app notification
- Email notification (if provided)
- Updating the “Last Updated” date
Continued use after changes constitutes acceptance. If you disagree with changes, please stop using the Service and delete your account.
13. Contact Us
For privacy-related questions, requests, or complaints:
Email: support@crispbudget.app
Response Time: We aim to respond within 30 days (or sooner as required by applicable law).
For EU Users: If you are unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority.
14. Language
This Privacy Policy is provided in English and Japanese. In case of any discrepancy, the English version shall prevail for non-Japanese users, and the Japanese version shall prevail for users in Japan.
Last updated: January 2026