Sign inStart a plan
Pre-publication scaffold. This document is brand-voiced and codebase-accurate but has not been reviewed by a lawyer. Do not ship without legal review in your jurisdictions.

Privacy policy

What we collect, and why.

Last updated · 2026-05-21

In plain English

Holdfast sees your money to help you organize it. Your bank credentials never touch our servers — Plaid handles that. Your transactions, budgets, and goals are stored in Firebase under per-user access rules.

We use Claude (Anthropic) to suggest categories and narrate drift. We send the model the financial summary it needs to answer your question, never your bank credentials, full account numbers, or routing details.

We do not sell your data. We do not run ad networks. We share data with the service providers listed below — only what each one needs to do its job.

You can export, correct, or delete everything from Settings, any time. The full details, with the specific data fields and the specific providers, are below.

1 · Who this applies to

This policy covers Holdfast Budget Planner (“Holdfast”, “we”, “us”) — the web app at holdfastbudget.com, the iOS app, and the Android app. All three are the same product wrapped for different platforms.

If you are a resident of California, the EU/UK, or another jurisdiction with specific data-rights laws, additional protections apply — see Your rights.

2 · What we collect

We collect only what we need to plan budgets and narrate drift. We do not collect data we don’t actively use.

Information you give us directly

FieldWhy
Email addressSign-in, account recovery, transactional emails (receipts, plan-committed confirmations).
Display name (optional)So AI narration can say your first name — never required.
Sign-in provider (Google / Apple / email)Authentication via Firebase.
Onboarding situation (free-text)What brought you to Holdfast. Used once to greet you; not shared.
Income, bills, goals, manual editsThe budget you build.

Information we receive on your behalf

SourceWhat
PlaidAccount balances, account names, masked numbers (last 4), institution names, the last 90 days of transactions and ongoing updates. We never see your bank credentials.
StripeSubscription status, payment method type (e.g. “Visa ending 4242”), invoice history. We never see full card numbers or CVCs.
Apple / Google (App Stores)If you sign in with Apple or Google, we receive a stable identifier and your authenticated email.

Technical telemetry

We collect minimal product analytics through PostHog(events like “wizard step viewed”, “budget committed”) and error reports through Sentry (stack traces, browser/OS, screen size). No financial values are sent to PostHog or Sentry — only the structure of what you did, not what the numbers were.

3 · How we use it

We use your data for these specific purposes, and no others:

  • Run the product. Pull transactions, categorize them, draft your budget, reconcile against it, narrate drift.
  • Process payments. Charge subscriptions, send receipts, honor cancellations.
  • Respond when you contact us. support@holdfastbudget.com.
  • Improve the product. Aggregate, anonymized usage trends — what features are used, what onboarding steps lose users. Never individual-level for marketing or sale.
  • Stay legal. Comply with subpoenas, tax obligations, anti-fraud rules.

What we do not do, and never will:

Sell your data. Share it with brokers, ad networks, or affinity-marketing partners. Use your transaction history to target you with offers. Train large language models on your data.

4 · Service providers

We rely on a small number of vendors to operate the product. Each one receives only the data needed for its specific function, governed by a data-processing agreement.

ProviderPurpose
PlaidBank connection, transaction sync. Plaid privacy policy.
Firebase (Google Cloud)Authentication, database (Firestore), Cloud Functions, push notifications. Hosted in us-central1. Firebase privacy.
Anthropic (Claude)AI categorization, drift narration, chat. See AI & your data for what we send. Anthropic privacy.
StripePayment processing, subscription management. Stripe privacy.
PostHogProduct analytics (event names only, no financial values). PostHog privacy.
SentryError tracking. Sensitive fields are stripped before send. Sentry privacy.
Resend (or equivalent)Transactional email delivery (receipts, password resets, plan-committed confirmations).

5 · AI & your data

Holdfast uses Claude (made by Anthropic) for three things:

  1. Category suggestion. When new transactions arrive, we send the model just the merchant string and amount, with no link to your identity.
  2. Drift narration. Once a month, we send the model a structured summary of your plan vs. actuals — totals, category names, and the period — to generate a plain-English narration. We never send raw transaction lists or merchant detail.
  3. Chat. When you ask a question, the model receives only what it needs to answer it — usually the relevant slice of your financial summary, not the entire history.

Anthropic does not train its models on data sent through the API. We do not allow Anthropic, or any other AI vendor, to use your data for model improvement.

Holdfast never gives financial or legal advice. The AI is constrained by a system prompt and a server-side classifier that refuse prescriptive guidance and surface professional resources when crisis language appears. This is technical, not just policy.

6 · Where data lives

Your data is stored in Firebase Firestore in the us-central1 region (Iowa, United States). Auth tokens are managed by Firebase Auth. Payment data is held by Stripe.

Transit is TLS 1.2+. At rest, Firebase encrypts data on disk. Firestore rules enforce per-user access: a signed-in user can only read or write their own documents.

If you are outside the United States, your data is transferred to and processed in the U.S. We rely on standard contractual clauses for EU/UK transfers.

7 · Retention

  • Transactions: kept as long as you have an account, capped at 24 months of history (Plus users see 12 months in the app).
  • Budgets:retained indefinitely while your account exists — they’re your history.
  • Stripe records: retained for as long as required by law (typically 7 years for tax purposes).
  • Telemetry & error reports: 90 days.
  • Deleted accounts:data is hard-deleted within 30 days of deletion request, except for records we’re legally required to keep.

8 · Your rights

You have the right to:

  • Access: see what we have. Settings → Export data.
  • Correct: fix anything inaccurate. Edit it in the app, or email us.
  • Delete: remove your account and the data tied to it. Settings → Delete account, or email us.
  • Port: take it elsewhere. The export is structured JSON.
  • Opt out of analytics: Settings → Privacy → Analytics.

California residents (CCPA / CPRA)

You may request to know what we collect, request deletion, and request that we do not “sell” or “share” your data — although we do not sell or share for cross-context advertising in the first place. To exercise these rights, email privacy@holdfastbudget.com from the address tied to your account.

EU / UK residents (GDPR / UK GDPR)

Our legal basis for processing your account data is contractual necessity (we need the data to provide the service you signed up for). For analytics, the legal basis is legitimate interest. You may withdraw consent for analytics at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your supervisory authority.

9 · Cookies & tracking

Holdfast uses cookies and localStorage for these purposes:

  • Authentication. Keep you signed in across sessions.
  • UI state. Remember which side panel you collapsed.
  • Product analytics. PostHog assigns an anonymous identifier on first visit; you can opt out from Settings.

We do not use third-party advertising cookies. We do not run remarketing pixels (Meta, Google Ads, TikTok). We do not participate in cross-site tracking networks.

10 · Children

Holdfast is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a minor has created an account, email privacy@holdfastbudget.com and we will remove it.

11 · Changes to this policy

When we change this policy, we will update the date at the top and, if the change is material, send you an email and surface a banner inside the app. Continued use after the change indicates acceptance of the updated terms.

12 · Contact

Questions about this policy, or about a specific piece of data we hold about you, go to:

privacy@holdfastbudget.com
Holdfast Budget Planner
[postal address before publication]

For general support: support@holdfastbudget.com.
For crisis, legal, or financial-aid resources, see our always-on Resources page.