Privacy Policy

Last updated: 2026-05-12

Introduction

At BillForecast.app, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal finance application.

Data Controller

The data controller responsible for your personal data is:

I MARIN, obrt za usluge
Kijevska 5
Split, Croatia, EU
MB: 3141721
OIB: 91775270726

Contact: privacy@billforecast.app

Information We Collect

Personal Information

When you register for BillForecast.app, we collect:

  • Email address (for account authentication)
  • Name (optional)
  • Password (hashed and never stored in plain text)

Financial Data

You voluntarily provide financial information including:

  • Transaction details (amounts, descriptions, dates)
  • Account information (names, balances, types)
  • Budget and category preferences
  • Receipt images (if you choose to upload them)

Usage Information

We automatically collect certain information about your device and usage:

  • Browser type and version
  • Operating system
  • IP address
  • Access times and dates
  • Features used within the application

How We Use Your Information

We use your information to:

  • Provide and maintain our service
  • Process and manage your transactions
  • Generate financial insights and analytics
  • Send important service-related communications
  • Improve and optimize our application
  • Detect and prevent fraud or security issues

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the Service after you create an account, including storing your transactions, managing your budgets, and generating financial insights
  • Consent (Art. 6(1)(a) GDPR) — for optional AI-powered features when you explicitly enable a cloud model provider. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
  • Legitimate interests (Art. 6(1)(f) GDPR) — for security monitoring, fraud prevention, and improving the Service. We balance these interests against your rights and freedoms

Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using TLS
  • Passwords are hashed using bcrypt
  • Database access is restricted and monitored
  • Regular security audits and updates
  • Session authentication uses signed JWTs delivered in httpOnly cookies

Data Sharing

We never sell your personal or financial data to third parties. We may share your information only in these limited circumstances:

  • With your explicit consent
  • To comply with legal obligations
  • To protect our rights and safety
  • In connection with a business transfer (merger or acquisition)

Sub-Processors

We use the following third-party processors to deliver the Service. Each is contractually bound to process your data only on our instructions and to maintain appropriate security measures:

Processor: Stripe, Inc. (stripe.com/privacy)
  Purpose: Subscription payments, billing portal, invoicing
  Data shared: Email, name, IP address, payment-method tokens. Card numbers never reach BillForecast.
  Location: United States
  Safeguard: EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) + Stripe DPA

Processor: Zoho Corporation (ZeptoMail) (zoho.com/privacy)
  Purpose: Transactional email (login verification, OTP, account notifications)
  Data shared: Email address, email content
  Location: European Union
  Safeguard: EU data residency + Zoho DPA

Service hosting and database storage run on infrastructure located within the European Union, operated by I MARIN, obrt za usluge.

International Data Transfers

Your financial data (transactions, accounts, budgets, receipts) is stored and processed on servers located within the European Union. Payment-related data is transferred to Stripe, Inc. (United States) under the EU Standard Contractual Clauses as set out above. Any future sub-processors outside the EU will be added with equivalent safeguards in place, and this policy will be updated at least 30 days before any such change takes effect.

Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — obtain confirmation of whether your data is being processed and request a copy
  • Right to rectification (Art. 16) — correct inaccurate or incomplete personal data
  • Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing (Art. 18) — request limitation of processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal

To exercise these rights, contact us at privacy@billforecast.app

Right to lodge a complaint: You have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, Croatia (azop.hr).

Cookies and Tracking

BillForecast uses a small number of strictly necessary cookies to keep you signed in and protect requests from cross-site attacks. We do not run ads, marketing pixels, or behavioural tracking — no Facebook Pixel, no Hotjar, no Mixpanel. This deployment does not load third-party analytics.

We also self-host our web fonts. Many sites load fonts from fonts.googleapis.com, which transmits your IP address to Google on every page load. BillForecast serves the JetBrains Mono font directly from billforecast.app, so your browser never talks to Google while reading this page.

The full list of cookies and browser storage BillForecast sets is below. All authentication cookies are httpOnly, Secure in production, and SameSite=Lax.

accessToken
  Type: Cookie (first-party)
  Purpose: Signed JWT that authenticates your session.
  Duration: 7 days
  Category: Strictly necessary

refreshToken
  Type: Cookie (first-party)
  Purpose: Extends your session without forcing a re-login.
  Duration: 30 days
  Category: Strictly necessary

_csrf
  Type: Cookie (first-party)
  Purpose: Cross-site request forgery protection token.
  Duration: 24 hours
  Category: Strictly necessary

cookie-consent
  Type: Browser storage (localStorage)
  Purpose: Remembers that you acknowledged the cookie notice so it stops reappearing.
  Duration: Until cleared
  Category: Strictly necessary
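As an added illustration, not BillForecast's own code, the Node.js snippet below builds Set-Cookie headers carrying the attributes and lifetimes listed for the three authentication cookies above, and audits an arbitrary Set-Cookie header against the same attributes, so a practitioner can check a live response from billforecast.app against what this policy states. The cookie names, lifetimes and flags come from the table; the function names (buildSetCookie, parseSetCookie, auditSetCookie), the production flag and the placeholder token values are assumptions of the example.

```javascript
// Added example (not BillForecast's own code). Cookie names, lifetimes and
// flags are taken from the policy's cookie table; token values are
// constructed placeholders and the function names are assumptions.

const DAY = 24 * 60 * 60; // seconds

// Lifetimes as published in the cookie table.
const COOKIE_POLICY = {
  accessToken:  { maxAge: 7 * DAY },
  refreshToken: { maxAge: 30 * DAY },
  _csrf:        { maxAge: 1 * DAY },
};

// Build a Set-Cookie header value for one of the published cookies.
// `production` controls the Secure flag, matching "Secure in production".
function buildSetCookie(name, value, { production = true } = {}) {
  const spec = COOKIE_POLICY[name];
  if (!spec) throw new Error(`unknown cookie: ${name}`);
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  const parts = [
    `${name}=${value}`,
    `Max-Age=${spec.maxAge}`,
    'Path=/',
    'HttpOnly',
    'SameSite=Lax',
  ];
  if (production) parts.push('Secure');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a Set-Cookie header against the policy. Returns a list of findings;
// an empty list means the cookie is set exactly as the policy states.
function auditSetCookie(header, { production = true } = {}) {
  const { name, attributes } = parseSetCookie(header);
  const spec = COOKIE_POLICY[name];
  if (!spec) return [`cookie ${name} is not in the published cookie list`];
  const findings = [];
  if (!attributes.httponly) findings.push(`${name}: missing HttpOnly`);
  if (production && !attributes.secure) findings.push(`${name}: missing Secure`);
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'lax') {
    findings.push(`${name}: SameSite is "${attributes.samesite || 'unset'}", expected Lax`);
  }
  if (attributes['max-age'] !== undefined && Number(attributes['max-age']) > spec.maxAge) {
    findings.push(`${name}: Max-Age ${attributes['max-age']} exceeds published ${spec.maxAge}`);
  }
  return findings;
}

// Usage with constructed placeholder values: one header built to the policy,
// one deliberately weak header (60-day lifetime, SameSite=None, no flags).
const compliant = buildSetCookie('accessToken', 'eyJ.placeholder.jwt');
const weak = 'refreshToken=placeholder; Max-Age=5184000; Path=/; SameSite=None';
console.log(compliant);
console.log(auditSetCookie(compliant)); // []
console.log(auditSetCookie(weak));      // four findings
```

Run the audit over each Set-Cookie header in a real response (for example from curl -i) rather than over the built header, since the value of the exercise is comparing what the server actually sends with what the policy promises.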

Withdraw or Re-Review Consent

Under GDPR Article 7(3), withdrawing consent must be as easy as giving it. You can reset your cookie acknowledgement at any time by removing the cookie-consent entry from this site's browser storage; the notice will reappear on the next page load.

You can also clear cookies and site storage for billforecast.app directly in your browser settings. Doing so will sign you out of the app.

Local-First AI

BillForecast can run AI processing locally via Ollama so your prompts and context don't need to be sent to a third-party model provider.

  • Local AI is optional and must be enabled in configuration
  • If you choose to enable a cloud LLM provider, prompts may be transmitted to that provider
  • We do not sell or share your financial data for advertising

You can always use BillForecast without enabling any AI features.

Data Retention

We retain your data according to the following schedule:

  • Active accounts: data is retained for as long as your account is active and the Service is being provided
  • Deleted accounts: personal and financial data is permanently purged within 30 days of account deletion
  • Consent records: retained for 5 years after revocation to meet our GDPR accountability obligations
  • Security and audit logs: retained for 12 months

Where required by law, we may retain certain data for longer periods.

Children's Privacy

BillForecast.app is not intended for users under the age of 18. We do not knowingly collect information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy, please contact us at:

Email: privacy@billforecast.app
Website: billforecast.app