Back to Buckets

Privacy Policy

Effective date: 21 April 2026

Introduction

This policy explains what information Buckets ("we", "us") collects when you use the Buckets household budgeting app (available at thebuckets.app), how we use it, and your rights around it.

The short version: your budget data is end-to-end encrypted. We cannot read your numbers, names, or notes — only you and your household members can.

Data we collect

Account information

When you create an account we store your email address and a bcrypt hash of your password. We never store your password in plain text.

Encrypted budget content

All budget data you enter — transaction amounts, bucket names, account names, notes, and descriptions — is encrypted in your browser before it reaches our servers. We store only ciphertext. We have no technical means to read your budget contents.

Household metadata

We store the structure of your household (member list, invite codes, key material required for encryption) so that authorised members can sync data across devices. This metadata does not include any budget amounts or descriptions.

Technical logs

Our infrastructure providers generate standard server access logs (IP addresses, timestamps, HTTP status codes). These are used for security and debugging and are not linked to your budget data.

How end-to-end encryption works

When you set a password, your browser derives a cryptographic key from it using PBKDF2. That key never leaves your device. It is used to unlock a per-household encryption key (RSA-OAEP wrapped), which in turn encrypts all your budget data with AES-GCM before anything is sent to our servers.

This means that if you forget your password and have not set up account recovery, your data cannot be decrypted — not even by us. We strongly recommend completing the recovery setup inside the app.

How we use your data

  • To authenticate you and keep your session secure.
  • To sync encrypted budget data between household members.
  • To allow account recovery when a recovery key has been set up.
  • To collect aggregate, non-identifying usage metrics (for example: number of sign-ups, which features are used most) so we can improve the product. We use PostHog (EU region, Frankfurt) for event analytics. Events are identified by your account UUID only — your email address is never sent to PostHog. Session recording is disabled. Amounts, names, and descriptions are never included in any event property.

Feedback you submit

When you use the “Report a bug or suggestion” feature, the text you write is stored in plaintext in our database. This is intentional — the message is something you are explicitly sharing with us so we can act on it. Please do not include financial amounts or other sensitive information in feedback messages. The stored feedback includes the page URL you were on (with any IDs removed) and is only accessible to the app owner.

What we don't do

  • We do not sell your data to anyone.
  • We do not show you ads.
  • We do not share your data with third parties except as described below.
  • We cannot read your budget amounts, names, or notes.

Data sharing

Your encrypted data is shared with other members of your household — that is the core purpose of the app. Outside of your household, we do not share personal data with any third parties except our infrastructure subprocessors listed below.

Subprocessors

We use the following third-party services to operate Buckets:

Vercel Inc.

Hosts and serves the Buckets application. Processes standard web traffic data.

Vercel Privacy Policy →

Neon Inc.

Stores the encrypted database. Neon only ever holds ciphertext — it has no ability to read your budget data.

Neon Privacy Policy →

Data retention

Your account and household data are kept for as long as your account exists. If you wish to delete your data, contact us at support@thebuckets.app and we will remove your account and associated records.

Infrastructure access logs are retained according to each provider's default rotation policies (typically 30–90 days).

Your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Deletion — ask us to delete your account and all associated data.
  • Correction — update your email address via the app settings.

To exercise any of these rights, email support@thebuckets.app.

Cookies

Buckets uses a single first-party session cookie to keep you signed in. This cookie contains an encrypted session token and no personal information. We do not use any tracking or advertising cookies.

Children

Buckets is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us and we will delete it promptly.

Changes to this policy

If we make material changes to this policy we will update the effective date at the top of this page. Continued use of Buckets after changes are posted constitutes acceptance of the updated policy.

Contact

Questions about this policy? Email us at support@thebuckets.app.

© 2026 Buckets · Home