Privacy Policy

Last Updated: January 24, 2026

Your data is protected with AES-256-GCM encryption

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Data Security Measures
  4. Information Sharing and Disclosure
  5. Data Retention and Deletion
  6. Your Rights and Choices
  7. International Data Transfers
  8. GDPR Compliance (EU Users)
  9. Children's Privacy
  10. California Privacy Rights (CCPA)
  11. Changes to Privacy Policy
  12. Contact Us

1. Information We Collect

We collect information to provide and improve our subscription tracking service. Here's what we collect and why:

1.1 Information You Provide Directly

  • Timezone: Required for accurate notification delivery at the correct local time
  • Main Currency: Your preferred currency for analytics and dashboard displays
  • Name: Optional, obtained from OAuth or manually entered, used in emails and billing
  • Phone Number: Optional, only if you opt in to WhatsApp notifications
  • Subscription Data: Service names, amounts, currencies, billing cycles, next charge dates, categories, and status

1.2 Information from OAuth Authentication

When you sign in with Google or Facebook via AWS Cognito, we receive:

  • Email address: Used for authentication and notifications
  • Name: Optional profile information
  • Profile picture: Not stored, used only during login

1.3 Payment Information (Pro Plan Only)

Payment processing is handled entirely by Stripe. We store:

  • Stripe Customer ID: Links your account to Stripe
  • Subscription Status: Active, past due, or canceled
  • Last 4 Digits of Card: For display purposes only

We never see or store your full credit card number, CVV, or other payment details. Stripe stores all payment information securely in PCI-DSS Level 1 certified infrastructure.

1.4 Automatically Collected Information

  • Browser and Device Information: Browser type, device type, operating system (for compatibility)
  • IP Address: Temporarily used for security and fraud prevention (not stored long-term)
  • Usage Logs: API requests, cron job executions, errors (for debugging and performance monitoring)
  • Cookies: Essential session cookies for authentication (no tracking or advertising cookies)

2. How We Use Your Information

2.1 Core Service Delivery

  • Display your subscriptions in calendar and list views
  • Calculate analytics, spending trends, and month-over-month comparisons
  • Convert subscription amounts to your main currency using real-time exchange rates
  • Automatically roll over subscription dates based on billing cycles

2.2 Notifications

  • Email Reminders: Sent via AWS SES 2 days before subscription charges at 09:00 in your timezone
  • WhatsApp Notifications: Optional, sent via Twilio only if you opt in and provide a phone number
  • Monthly Summaries: Email with spending breakdown, sent on the last day of each month at 18:00 in your timezone
  • Browser Push Notifications: Optional, for real-time updates

2.3 Payment Processing

  • Process Pro plan subscriptions via Stripe
  • Manage billing, invoices, and payment status
  • Send payment receipts and billing updates

2.4 Service Improvement

  • Analyze aggregated, anonymized usage patterns to improve features
  • Monitor performance and fix bugs
  • Understand which features are most valuable to users

2.5 Legal and Security

  • Comply with legal obligations and court orders
  • Prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Use
  • Protect user safety and service security

3. Data Security Measures

Industry-Standard Encryption

We protect your personal information with AES-256-GCM encryption, the same technology used by banks, government agencies, and encrypted messaging apps.

What's Encrypted:

  • Email addresses - Used for login and notifications
  • Names - Used in emails and billing
  • Phone numbers - Optional, for WhatsApp
  • Subscription service names - The services you track (e.g., "Netflix")

Technical Details:

  • Algorithm: AES-256-GCM (NIST-approved, authenticated encryption)
  • Key Size: 256 bits (industry-standard strength)
  • Unique Initialization Vectors: Every encrypted record has a unique random IV
  • Authentication Tags: Verifies data integrity and prevents tampering
  • Key Versioning: Supports annual key rotation for enhanced security

Compliance:

Our encryption meets requirements for PCI-DSS, HIPAA, SOC 2, and GDPR.

3.2 Key Management

Encryption keys are stored in Vercel encrypted environment variables with separate keys for development, staging, and production.

3.3 Infrastructure Security

  • MongoDB Atlas: Database encryption at rest enabled
  • Vercel: Serverless architecture with automatic security updates
  • AWS: Industry-leading cloud security (Cognito, SES)
  • Stripe: PCI-DSS Level 1 certified payment processing

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share data with trusted third-party services to operate OverSpend.me:

  • AWS Cognito: Email, name - OAuth authentication (US)
  • Stripe: Email, name, customer ID - Payment processing (US/EU)
  • AWS SES: Email, name - Email delivery (US)
  • Twilio: Phone, name - WhatsApp opt-in (US)
  • MongoDB Atlas: All data (encrypted) - Database hosting (Multi-region)
  • Vercel: All data (encrypted) - Application hosting (Global CDN)

4.2 Legal Requirements

We may disclose your information if required by law or to comply with court orders, subpoenas, enforce our Terms of Use, protect our rights, or prevent fraud.

4.3 Business Transfers

If OverSpend.me is acquired or merged with another company, your data may be transferred. We will notify you via email 30 days in advance and give you the option to delete your account.

5. Data Retention and Deletion

5.1 Active Account Data

While your account is active, we retain your data indefinitely in encrypted form to provide the Service.

5.2 Account Deletion

When you delete your account (Settings → Account → Delete Account):

  1. Immediate deletion: All subscription records, personal info, and settings deleted within 24 hours
  2. Stripe cleanup: Customer ID removed
  3. OAuth cleanup: Cognito associations removed
  4. Backup purge: All backup copies deleted after 60 days

Account deletion is permanent and cannot be reversed.

5.3 Data Portability

Before deleting your account, you can export all your data as a JSON file from Settings → Export Data.

6. Your Rights and Choices

6.1 Access and Correction

You can view and edit your personal information at any time through Settings.

6.2 Data Portability

Export all your data in machine-readable JSON format from Settings → Export Data.

6.3 Deletion Rights

You have the right to delete individual subscriptions or your entire account (Settings → Account → Delete Account).

6.4 Notification Control

Manage notification preferences in Settings → Notifications for email reminders, monthly summaries, WhatsApp, and browser push.

7. International Data Transfers

OverSpend.me uses cloud services that may store data in multiple regions including MongoDB Atlas (multi-region) and Vercel (global CDN). Some third-party services are based in the United States (AWS Cognito, Stripe, AWS SES, Twilio).

For users in the European Union, we ensure adequate data protection through Standard Contractual Clauses (SCCs), AES-256-GCM encryption, and full GDPR compliance.

8. GDPR Compliance (EU Users)

8.1 Legal Basis for Processing

  • Consent: OAuth login, WhatsApp notifications, email preferences
  • Contract: Providing subscription tracking service, Pro plan billing
  • Legitimate Interests: Fraud prevention, service improvement, security

8.2 Your GDPR Rights

  • Right to Access: View all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Delete your account and all data
  • Right to Data Portability: Export data in machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to data processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

9. Children's Privacy

OverSpend.me is not intended for users under 18 years old. We do not knowingly collect personal information from children. If we discover that a user is under 18, we will immediately delete the account and all associated data.

10. California Privacy Rights (CCPA)

10.1 CCPA Rights

California residents have the right to know what personal information we collect, use, and share; request deletion; and receive equal service regardless of privacy choices. We do NOT sell personal information.

11. Changes to Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email notification and in-app notice. Material changes will take effect 30 days after notification.

12. Contact Us

For privacy-related questions, concerns, or data rights requests, contact us:

  • Privacy Questions: privacy@overspend.me (Response: 7 business days)
  • Security Concerns: security@overspend.me (Response: 24 hours)
  • General Support: support@overspend.me (Response: 2 business days)
  • Data Protection Officer: dpo@overspend.me (If required by GDPR)

Privacy Summary

  • What We Encrypt: Email, name, phone, subscription names
  • How We Encrypt: AES-256-GCM (bank-level security)
  • Your Rights: Access, update, delete, export
  • Compliance: GDPR, CCPA, PCI-DSS, HIPAA, SOC 2

© 2026 OverSpend.me. All rights reserved.