Effective date: 21 April 2026
This policy explains what information Buckets ("we", "us") collects when you use the Buckets household budgeting app (available at thebuckets.app), how we use it, and your rights around it.
The short version: your budget data is end-to-end encrypted. We cannot read your numbers, names, or notes — only you and your household members can.
When you create an account we store your email address and a bcrypt hash of your password. We never store your password in plain text.
All budget data you enter — transaction amounts, bucket names, account names, notes, and descriptions — is encrypted in your browser before it reaches our servers. We store only ciphertext. We have no technical means to read your budget contents.
We store the structure of your household (member list, invite codes, key material required for encryption) so that authorised members can sync data across devices. This metadata does not include any budget amounts or descriptions.
Our infrastructure providers generate standard server access logs (IP addresses, timestamps, HTTP status codes). These are used for security and debugging and are not linked to your budget data.
When you set a password, your browser derives a cryptographic key from it using PBKDF2. That key never leaves your device. It is used to unlock a per-household encryption key (RSA-OAEP wrapped), which in turn encrypts all your budget data with AES-GCM before anything is sent to our servers.
This means that if you forget your password and have not set up account recovery, your data cannot be decrypted — not even by us. We strongly recommend completing the recovery setup inside the app.
When you use the “Report a bug or suggestion” feature, the text you write is stored in plaintext in our database. This is intentional — the message is something you are explicitly sharing with us so we can act on it. Please do not include financial amounts or other sensitive information in feedback messages. The stored feedback includes the page URL you were on (with any IDs removed) and is only accessible to the app owner.
Your encrypted data is shared with other members of your household — that is the core purpose of the app. Outside of your household, we do not share personal data with any third parties except our infrastructure subprocessors listed below.
We use the following third-party services to operate Buckets:
Vercel Inc.
Hosts and serves the Buckets application. Processes standard web traffic data.
Vercel Privacy Policy →
Neon Inc.
Stores the encrypted database. Neon only ever holds ciphertext — it has no ability to read your budget data.
Neon Privacy Policy →
Your account and household data are kept for as long as your account exists. If you wish to delete your data, contact us at support@thebuckets.app and we will remove your account and associated records.
Infrastructure access logs are retained according to each provider's default rotation policies (typically 30–90 days).
You have the right to:
To exercise any of these rights, email support@thebuckets.app.
Buckets uses a single first-party session cookie to keep you signed in. This cookie contains an encrypted session token and no personal information. We do not use any tracking or advertising cookies.
Buckets is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us and we will delete it promptly.
If we make material changes to this policy we will update the effective date at the top of this page. Continued use of Buckets after changes are posted constitutes acceptance of the updated policy.
Questions about this policy? Email us at support@thebuckets.app.