Security

Your data, your control.

Finstracker never asks for bank credentials, never sells your data, and gives you a one-click CSV export to walk away with everything.

How we handle your account

Passwords are hashed with bcrypt (12 rounds) before they ever land on disk. The plain password is never logged, never stored, and never sent over the wire after the initial signup or login request.

Auth uses JWT bearer tokens signed with a server-only secret. Tokens expire after 7 days, after which you're bounced back to the login screen.

What we collect

  • A username (you choose it)
  • A bcrypt hash of your password
  • The cards, transactions, and perks you add yourself

That's it. No bank credentials, no email tracking pixels, no third-party analytics SDKs in the app shell.

Privacy policy

We don't sell, share, or rent your data. We don't run ads. We don't profile you for any purpose other than running the app you signed up for.

If you delete your account, every card, transaction, and perk you owned is hard-deleted from our database within 24 hours. There's no soft-delete graveyard.

Terms of service

Finstracker is provided as-is. You're responsible for the accuracy of the data you enter. We make a best effort to keep the service available, but for a beta-scale deploy there is no formal SLA.

You may not use Finstracker to track activity that is not yours, or to circumvent any credit card issuer's terms.

Cookies

Finstracker uses one piece of browser storage: a JWT in localStorage so you stay logged in for 7 days. We don't set tracking cookies. We don't use third-party cookies for advertising or analytics.

Known trade-offs

A stolen JWT is valid until it expires because there is no server-side revocation list. For a single-tenant beta deploy this is an acceptable trade-off. For a multi-tenant production deploy we'd add a short access-token lifetime plus refresh tokens. There's also no rate limiter on the login route today; adding one is on the roadmap.
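The short-access-token-plus-refresh-token design mentioned above, sketched as an added example (not Finstracker's own code). It assumes HS256 signing, a 15-minute access lifetime, and an in-memory dict standing in for a database table; all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: server-only HS256 signing key
ACCESS_TTL = 15 * 60              # assumption: 15-minute access tokens
REFRESH_TTL = 7 * 24 * 3600       # keeps the page's 7-day login window
refresh_store = {}                # sha256(refresh token) -> (username, expiry)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access(username, now=None):
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": username, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify_access(token, now=None):
    """Return the username, or None if the token is forged, malformed or expired."""
    now = int(time.time() if now is None else now)
    try:
        header, body, sig = token.split(".")
        # Always HMAC-SHA256: the header's "alg" field is never trusted.
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def issue_refresh(username, now=None):
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)  # opaque; only its hash is stored
    refresh_store[hashlib.sha256(token.encode()).hexdigest()] = (username, now + REFRESH_TTL)
    return token

def rotate(refresh_token, now=None):
    """Single-use refresh: return (access, new_refresh), or None if revoked or expired."""
    now = int(time.time() if now is None else now)
    entry = refresh_store.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
    if entry is None or now >= entry[1]:
        return None
    return issue_access(entry[0], now), issue_refresh(entry[0], now)

def revoke_all(username):  # logout or suspected theft: drop every refresh token
    for key in [k for k, v in refresh_store.items() if v[0] == username]:
        del refresh_store[key]
```

With this shape a stolen access token is usable for at most `ACCESS_TTL` seconds, and calling `revoke_all` stops the session from being renewed.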

Reporting a vulnerability

If you find a security issue, please email us directly rather than opening a public issue. We'll respond within 48 hours.
