Budgitify Privacy Policy
Effective Date: June 16, 2025
Last Updated: May 13, 2026
Budgitify ("we", "us", or "our") is a budgeting application operated by LzCtrl LLC. This Privacy Policy explains how we collect, use, and protect your information when you use the Budgitify app or website (the "Services").
1. Information We Collect
- Account Info: Email address and authentication ID via Firebase. We protect access to bank-linked data with biometric authentication (Face ID / Touch ID / device passcode) on your device.
- Budgeting Data: Transactions, categories, budgets, and preferences you enter manually.
- Bank Connection Data: When you connect a bank account through Plaid, we receive read-only access to your financial institution data. This includes account names, masked account numbers (last four digits), account types and subtypes, current and available balances, institution name, and your transaction history (descriptions, amounts, dates, and categories). We do not store your bank login credentials. Plaid's collection and use of your data are governed by the Plaid End User Privacy Policy.
- Payment Info: Subscription billing is handled by Apple (App Store) or Stripe. We do not store your full payment card details.
- Phone Number: Optional. Only collected if you choose to provide it in your profile.
- Device & Usage Data: Device identifiers, app version, and usage analytics via Firebase Analytics.
2. How We Use Your Data
We use your data to:
- Provide and improve the Services, including populating your transaction history from connected bank accounts (contract performance)
- Secure your account and detect fraud or abuse (legitimate interests)
- Process subscription payments and manage billing (contract performance / legal obligation)
- Send transactional notifications, e.g. budget alerts (contract performance)
- Fix bugs and optimize performance (legitimate interests)
We do not sell your data or use it for advertising purposes.
Marketing Communications: With your consent, we may use your email address to send newsletters and product updates related to Budgitify and other LzCtrl apps. You can opt out at any time by clicking "Unsubscribe" in any email or by contacting info@lzctrl.com.
3. Data Storage & Security
Your data is stored on infrastructure operated by Render (SOC 2 Type 2 certified), located in the United States. Authentication and analytics are powered by Firebase (Google). Bank connections are facilitated by Plaid, and your bank access tokens are encrypted at rest using industry-standard authenticated encryption. All data is transmitted over TLS. We implement security best practices throughout our infrastructure.
4. Data Retention & Deletion
We retain your data only for as long as is necessary to provide the Services or as required by law.
- Active accounts: All personal and financial data (transactions, accounts, categories, and preferences) is retained for the lifetime of your account.
- Account deletion: When you delete your account, your personal information is deactivated and made inaccessible immediately. Your data is scheduled for permanent deletion within 30 days, except where retention is required by law.
- Bank connection data: If you disconnect a linked bank account or delete your Budgitify account, your bank connection access token is revoked immediately through Plaid's API. No further data is fetched after revocation.
- Subscription & billing records: Records related to purchases and billing are retained for up to 7 years to comply with applicable financial record-keeping laws.
- Phone number & contact email: Retained for the lifetime of your account. Permanently deleted when you delete your account.
- Backups: Encrypted database backups are purged within 90 days of creation.
You may request deletion of your data at any time by deleting your account in the app or by emailing info@lzctrl.com. We will respond to verified deletion requests within 30 days.
5. Sharing of Information
We do not sell your personal information. We share data only with the following trusted service providers, strictly to operate the Services:
- Firebase / Google — authentication and analytics
- Plaid — bank account connectivity and transaction data retrieval
- Stripe — payment processing for web subscriptions
- Apple — payment processing for App Store subscriptions and Sign in with Apple
- Render — cloud infrastructure and database hosting
We may also disclose information when required by law or to protect our legal rights. For an up-to-date list of subprocessors, see our Subprocessors page.
6. International Data Transfers
Budgitify is operated from the United States. If you access the Services from outside the US, your data — including data retrieved from your bank via Plaid — is transferred to and processed in the United States. Where required by applicable law (including the EU GDPR and UK GDPR), we rely on Standard Contractual Clauses or equivalent safeguards published by our service providers (Plaid, Firebase / Google, Render, Stripe) to legitimize these transfers.
7. Your Rights
You may delete your account in the edit profile section of the app. You may also request access to or deletion of your data by emailing info@lzctrl.com.
8. EU / UK / EEA Users (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws give you the following rights with respect to your personal data:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, commonly used format.
- Right to object — object to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint — with the supervisory authority in your country of residence.
The data controller is LzCtrl LLC. To exercise any of these rights, email info@lzctrl.com. We respond within 30 days, extendable by up to a further 60 days for complex requests (we will notify you if an extension is needed). The legal bases on which we process your personal data are indicated in Section 2 above. We do not engage in automated decision-making that produces legal or similarly significant effects on you.
9. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request information about the categories and specific pieces of personal data we have collected about you.
- Right to Delete: You may request deletion of your personal data, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise these rights, email us at info@lzctrl.com. We will respond within 45 days.
10. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law, and will notify affected users without undue delay where the breach is likely to result in a high risk to them.
11. Children's Privacy
Budgitify is not intended for children under 13. We do not knowingly collect personal data from children. If you are a resident of the EU/EEA or UK, you must be at least 16 years of age to use the Services.
12. Changes to This Policy
We may update this Privacy Policy. Changes will be reflected on this page with an updated "Last Updated" date.
13. Contact
If you have questions or concerns about this Privacy Policy, please contact: info@lzctrl.com
Budgitify is a product of LzCtrl LLC. © 2025 LzCtrl LLC. All rights reserved.