SpendWiseSign in

Privacy Policy

Effective May 16, 2026

Who runs SpendWise

SpendWise is a personal-finance dashboard operated by Ryan Snyder as a non-commercial project for friends and family. There are no employees, contractors, or other staff with access to your data. No fees are charged to end users.

What we collect

We only collect data that's directly required to give you a working spending dashboard:

  • Account information: the email address and password you provide when registering. Passwords are stored only as a bcrypt hash; we cannot read them.
  • Profile: an optional avatar image if you upload one.
  • CSV files you upload: the original file plus the transactions parsed from it.
  • Bank-connected transactions: if you choose to connect a bank account through Plaid, we receive your transaction history, account names, masks, and the institution name. We do not receive your bank login credentials — those are handled entirely by Plaid (see below).
  • Two-factor-authentication data: if you enable MFA, your authenticator-app secret and one-time backup-code hashes.
  • Preferences: minor UI state like your last-used dashboard period.
  • Standard server logs: request errors and basic operational data, kept to help us debug problems. We do not log passwords, MFA secrets, full transaction descriptions, or full CSV contents.

We do not collect: bank login credentials, Social Security numbers, full account numbers, payment-card data, advertising identifiers, location data, or any data that would enable us to move money on your behalf.

How we use your data

  • To show you your own transactions, categories, and spending insights.
  • To parse the CSV files you upload.
  • To fetch new transactions from your bank through Plaid when you request a sync.
  • To authenticate you when you sign in.
  • To respond to your support requests.

We do not use your data for advertising, profiling, training machine-learning models, or any purpose unrelated to running this app.

Who we share data with

We share your data with the minimum number of service providers needed to run the application. These are:

  • Plaid — when you choose to connect a bank account, Plaid handles the authentication with your financial institution and returns transaction data to us. Plaid's handling of your data is governed by Plaid's own privacy policy, which is shown to you when you start a Plaid Link flow. Read Plaid's end-user privacy policy.
  • Hosting provider (Vercel) — runs the application and stores its database. Your data is encrypted at rest on Vercel's infrastructure.

We do not sell your data, share it with advertisers, or share it with anyone else. Your data is never shown to other users of the application.

How we protect your data

  • All traffic between your browser and our servers uses HTTPS (TLS 1.2 or higher).
  • Your password is stored as a bcrypt hash. The original password cannot be recovered.
  • Plaid access tokens and MFA secrets are encrypted with AES-256-GCM before being written to the database. Encryption keys are kept separately from the database.
  • The database disk itself is encrypted at rest with AES-256 by our hosting provider.
  • Every data query is scoped to your account ID. There is no admin role, no cross-user access path, and no impersonation feature.
  • Two-factor authentication is available and recommended for every account.

Your choices and rights

  • Disconnect a bank at any time from the Files page. Disconnecting invalidates the access token with Plaid. Transactions already imported remain in your account unless you also delete them.
  • Delete an uploaded file at any time. Deleting removes the file from disk and all transactions parsed from it.
  • Freeze an uploaded file to exclude its transactions from your dashboard without deleting them.
  • Delete your account by contacting us. Deletion cascades to remove all of your files, transactions, Plaid connections, MFA data, and preferences.
  • Export your data by contacting us; we'll provide a copy in a standard format on request.

Data retention

We retain your data for as long as your account exists. If you delete your account, your data is removed from the active database immediately. Routine database backups, retained for short-term operational recovery, may include a copy for up to 30 days before being overwritten.

Children's privacy

SpendWise is not intended for use by children under 13, and we do not knowingly collect information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to this policy

If we make material changes to this policy, we will notify you by email at the address associated with your account at least 14 days before the changes take effect. Continued use of the application after that date constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Contact Ryan Snyder at 1rksnyder@gmail.com.