Budget Base

Privacy Policy

This Privacy Policy explains how Budget Base processes personal data when you visit the website, sign up for a newsletter, create or use a Budget Base account, contact us, or interact with systems we use for security, abuse prevention, email delivery, and app operation.

1. Controller

The data processing controller is:

Stephan Harbauer

c/o SHA Labs UG (haftungsbeschränkt)

Iznikstr. 4

13587 Berlin

Germany

Email: budget-base-imprint@sha-labs.de

The controller decides why and how personal data is processed for the Budget Base website, newsletter, registration flow, and app.

2. Data we process

Website access and technical logs

When you visit the website or app, technical data may be processed so the service can be delivered securely and reliably. This can include your IP address, browser and device information, the requested URL or endpoint, the time of access, language headers, and similar request metadata.

We process this data to operate the service, diagnose errors, protect against abuse, and keep Budget Base secure. The legal basis is our legitimate interest in secure and reliable service operation (Art. 6(1)(f) GDPR).

Account registration and authentication

When you register for Budget Base, log in, or manage your account, we process account data such as your name, email address, password hash, selected language, account role, account status, registration and update timestamps, last login time, failed login attempts, lockout status, session identifiers, and security tokens.

We process this data to create and manage your account, authenticate you, protect accounts from misuse, send registration verification emails, maintain sessions, and support password and account security. The legal basis is contract performance or pre-contractual steps (Art. 6(1)(b) GDPR) and our legitimate interest in secure account operation and abuse prevention (Art. 6(1)(f) GDPR).

Budget and financial app data

When you use the Budget Base app, we process the budget data you enter or import. This can include accounts, account names and types, balances, categories and category groups, budget months, budgeted amounts, goals, transactions, transaction dates, payees, memos, transfers, reconciliations, investment accounts, investment transfers, investment valuations, cash flow, market value, gain or loss calculations, and user settings such as currency, date format, number format, theme, first day of week, and language.

We process this data to provide the budgeting, account, transaction, recurring transaction, reconciliation, settings, data export/import, and investment tracking features you request. The legal basis is contract performance (Art. 6(1)(b) GDPR). Where processing is needed to maintain service integrity, prevent misuse, troubleshoot errors, or preserve operational reliability, the legal basis is our legitimate interest (Art. 6(1)(f) GDPR).

Data export and import

If you use Budget Base export or import features, we process the exported or imported app data file so you can download your budget data or restore it into your account. The in-app export is a product data portability feature for budget and account data; it is not necessarily a complete GDPR access package because authentication, security, admin, newsletter, email log, and feature-toggle records are not part of that app export file.

Newsletter signup and double opt-in

If you sign up for a Budget Base newsletter, we process the email address you enter and the information needed to verify the signup. This can include the newsletter slug, selected language, signup token, timestamp, Cloudflare Turnstile verification token, double opt-in token, unsubscribe token, subscription status, signup time, unsubscribe time, and technical request metadata needed to process the request.

We use a double opt-in process. After signup, Budget Base sends a verification email. The subscription becomes active only after you confirm the link in that email.

The legal basis for sending newsletter emails is your consent (Art. 6(1)(a) GDPR). You can withdraw that consent at any time by using the unsubscribe link in a newsletter email.

Email delivery and email logs

Verification emails, registration emails, security-related emails, and newsletter emails are sent through Budget Base's email delivery infrastructure. To operate email delivery, Budget Base stores email logs that may include the sender address, recipient address, subject, message body, delivery status, retry information, timestamps, sent-by information, newsletter or batch identifiers, and error messages.

We use double opt-in records, delivery logs, troubleshooting records, abuse-prevention records, and operational records for secure, reliable, and documented email operation. The legal basis is our legitimate interest in operating and documenting the email system (Art. 6(1)(f) GDPR). For account-related emails, the legal basis may also be contract performance or pre-contractual steps (Art. 6(1)(b) GDPR).

Backup and support records

Budget Base may process database backups and backup operation records to protect against data loss and restore the service. If you contact us by email or through another support channel, we process your contact details and the content of your message to respond to your request.

3. Browser storage, cookies, and tracking

Budget Base uses browser storage and cookies that are needed to provide the service. This can include an HTTP-only JWT cookie for authentication, an XSRF-TOKEN cookie for CSRF protection, sessionStorage for non-sensitive user interface state such as cached user information and session-expiry notices, and localStorage for preferences such as theme, language, sidebar state, or localized website behavior.

The legal basis is our legitimate interest in secure, convenient, consistent, and reliable service operation (Art. 6(1)(f) GDPR) and, where storage is necessary for logged-in app functionality, contract performance (Art. 6(1)(b) GDPR).

For website analytics, Budget Base sends server-side pageview events from web server access logs to our self-hosted Umami analytics instance. This analytics setup does not load a frontend tracking pixel or set analytics cookies. The processed analytics data can include request metadata such as page path, referrer, language header, user agent, IP address-derived location, timestamp, and host name. We use this data to understand aggregate website usage and maintain the website. The legal basis is our legitimate interest in measuring and improving the website without client-side tracking pixels or advertising profiling (Art. 6(1)(f) GDPR).

We do not use advertising cookies, tracking pixels, or third-party social media widgets for profiling or advertising.

4. Cloudflare Turnstile and abuse prevention

We use Cloudflare Turnstile to protect newsletter signup and registration forms from automated abuse and spam. Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.

When Turnstile is loaded, your browser may exchange technical signals with Cloudflare, such as IP address, user agent, browser and device characteristics, and the site key for this website or app. These signals are used to decide whether the request is likely to come from a person or an automated system.

When you submit a protected form, Budget Base sends the Turnstile token and your client IP address to Cloudflare's verification endpoint so the token can be checked before the request is accepted.

Budget Base also uses rate limiting, blocked email checks, token validation, login lockout, token revocation, and security logs to prevent abuse and protect accounts. These controls are used for security and service integrity, not for advertising profiling.

The legal basis is our legitimate interest in protecting Budget Base from abuse, spam, credential attacks, and automated misuse (Art. 6(1)(f) GDPR). More information is available in Cloudflare's Turnstile Privacy Addendum: https://www.cloudflare.com/turnstile-privacy-policy/

5. Recipients and service providers

Personal data is processed by Budget Base and by service providers that help us operate the website, app, database, backups, email delivery, security controls, and infrastructure. Not every provider receives every category of data. Each provider processes personal data only to the extent needed for the relevant service.

Known or planned recipient categories include: Cloudflare, Inc. for Turnstile and abuse prevention, and the self-hosted Umami analytics service operated on our own infrastructure for server-side website analytics.

Authorized Budget Base administrators and support personnel may access personal data only where necessary to operate the service, provide support, maintain security, troubleshoot issues, manage newsletters or email delivery, perform backups or restores, or comply with legal obligations. Public authorities, courts, advisers, or other recipients may receive personal data where disclosure is legally required or necessary to establish, exercise, or defend legal claims.

We do not sell your personal data. We do not share your financial app data with third parties for advertising.

6. International transfers

Budget Base aims to operate with strong privacy protections for users in Europe. Some service providers, including Cloudflare, may process data in the United States or other countries outside the European Economic Area.

Where required, international transfers are based on an adequacy decision, EU Standard Contractual Clauses, or other safeguards permitted by data protection law.

7. Storage duration

Account and app data is generally stored for as long as your Budget Base account exists or as long as needed to provide the app features you use. If data is deleted through the app, it is removed from active app records subject to technical processing, backups, legal obligations, and legitimate security or operational needs.

Newsletter signup data is stored for as long as the subscription is active. If you unsubscribe, the subscription status is updated and newsletter sending stops. After unsubscribing, your email address may be retained in a suppression or blacklist record where this is necessary to prevent future mailings and to respect your unsubscribe request.

Security logs, audit logs, email logs, backup records, support messages, and operational records are stored for as long as needed for security, troubleshooting, abuse prevention, documentation, backup and restore, legal obligations, or legitimate operational interests. Data is deleted or anonymized when it is no longer needed unless legal retention obligations or legitimate interests require longer storage.

Backups may contain copies of app, account, newsletter, audit, and operational data until the relevant backup is overwritten, rotated, or deleted under the configured backup retention process.

8. Your rights

You have the right to request information about your personal data, to request correction or deletion, to request restriction of processing, and to receive data you provided in a commonly used, machine-readable format where the legal requirements are met.

You may object to processing based on legitimate interests where the legal requirements are met. You may withdraw consent for newsletter emails at any time. The withdrawal does not affect processing that took place before the withdrawal.

The in-app export function can help you download budget and account data, but it does not replace your GDPR rights. If you need a broader access, deletion, portability, objection, or restriction request, contact us at the address below.

You also have the right to lodge a complaint with the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin, Germany, mailbox@datenschutz-berlin.de, https://www.datenschutz-berlin.de/.

To exercise your rights, contact us at: budget-base-imprint@sha-labs.de

9. Automated decision-making and profiling

Budget Base does not use your app or financial data for automated decision-making that produces legal effects concerning you or similarly significantly affects you.

We do not use your financial data for advertising profiling. Turnstile, rate limiting, login lockout, token validation, and similar security controls may automatically accept, block, or require retrying a request when they indicate abuse, spam, or security risk. These controls protect the service and accounts; they do not evaluate your creditworthiness or financial behavior.

10. Contact by email

If you contact us by email, we process the information you send, including your email address and the content of your message, to handle your request.

If your request relates to a contract or pre-contractual steps, the legal basis is Art. 6(1)(b) GDPR. In other cases, the legal basis is our legitimate interest in responding to inquiries (Art. 6(1)(f) GDPR).

11. Secure transmission

Budget Base uses TLS encryption for transmission. You can recognize an encrypted connection by the https:// address and the lock icon in your browser.

Encrypted transmission reduces the risk that third parties can read data sent between your browser and Budget Base. It cannot guarantee complete protection against every risk on the Internet.

Last updated: May 17, 2026

© 2026 Budget Base. All rights reserved.