Privacy Policy
Last updated: March 12, 2026
TrackRack ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our web application and iOS app (collectively, the "Service"). Please read this policy carefully. If you disagree with its terms, please stop using the Service.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and a hashed password managed through Supabase Auth. If you sign in via Google or Apple, we receive your name and email from those providers — we never receive or store your social account password.
Financial Data
You may manually enter expenses, budgets, and financial events. If you connect your bank account via TrueLayer (Open Banking), we receive read-only access to your account balances and transaction history. We store this data in our database to power the dashboard. We do not have the ability to initiate payments or move money on your behalf.
Usage Data
We collect standard server logs including IP address, browser/device type, pages visited, and timestamps. This is used for security monitoring and improving the Service.
iOS App
On iOS, session tokens are stored in the system Keychain (hardware-encrypted). The app requests notification permissions (optional) to send weekly digest summaries. The app does not access your contacts, location, camera, or microphone.
Payment Information
Subscription payments are processed by Stripe. We never see or store your full card number, CVV, or bank account credentials. Stripe provides us with a customer ID and subscription status only. Stripe's privacy policy applies to payment data: stripe.com/privacy.
2. How We Use Your Information
- To provide, operate, and maintain the Service
- To personalise your experience (AI-powered expense categorisation)
- To sync bank transactions via Open Banking (only if you explicitly connect a bank)
- To send optional weekly digest emails summarising your finances
- To process subscription payments and manage your account tier
- To send transactional emails (e.g. password reset, email confirmation)
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
We do not sell your personal data to third parties. We do not use your financial data for advertising purposes.
3. AI & Automated Processing
TrackRack uses AI to automatically suggest category labels for your expenses. Your expense descriptions and amounts may be sent to an AI API (such as OpenAI) to generate label suggestions. These requests do not include your name, email, or any directly identifying information. You can override or disable AI suggestions at any time.
4. Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase. All data is protected by Row Level Security (RLS) policies — your data is cryptographically isolated from other users' data at the database level. All data in transit is encrypted via HTTPS/TLS. Access tokens are short-lived JWTs signed by Supabase Auth.
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication where available.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account, your profile, expenses, budgets, events, and bank connections are permanently deleted from our systems within 30 days. Stripe may retain billing records for up to 7 years for legal and tax compliance — this is governed by Stripe's own retention policy.
6. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Auth & database hosting | All user data |
| Stripe | Subscription payments | Email, payment info |
| TrueLayer | Open Banking (optional) | Bank account access (read-only) |
| OpenAI / AI provider | Expense AI categorisation | Expense descriptions (anonymised) |
| Google / Apple | OAuth sign-in (optional) | Name, email |
7. Cookies & Local Storage
We use strictly necessary cookies to maintain your authentication session. We do not use advertising cookies or third-party tracking cookies. On the iOS app, session tokens are stored in the Keychain, not cookies.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your account and all associated data
- Portability — export your expenses as CSV from the Data Transfer settings
- Objection — opt out of AI categorisation (available in settings)
You can delete your account at any time from Settings → Manage Account → Danger Zone in the app. For any other data requests, contact us at the address below.
9. Children's Privacy
TrackRack is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email. Your continued use of the Service after changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: