Your data stays on your phone.

1Summary

Dudget is a local-first app. Your budget data lives on your device, encrypted, and never leaves it. We do not operate servers that store your financial information. We do not sell, share, or monetize your data.

The only data that leaves your device is:

• Crash diagnostics — anonymous technical data sent to Firebase Crashlytics when the app crashes (you can opt out).
• Subscription status — anonymous purchase records processed by RevenueCat if you subscribe to Dudget Premium.

That's it. No analytics, no advertising, no behavioral tracking.

2Data stored on your device

Dudget stores the following data locally on your device in an encrypted SQLite database:

• Budget names, income amounts, and period settings
• Transaction amounts, dates, notes, and categories
• Category names, icons, and spending limits
• Budget period history and rollover amounts
• Category rules for smart merchant categorization
• Notification preferences and read/unread status

This data is encrypted at rest using SQLite3MultipleCiphers. The encryption key is stored in your device's secure enclave (iOS Keychain / Android Keystore) and is never transmitted off-device.

We cannot access, read, or recover your local data. It exists only on your device.

3Data we do NOT collect

Dudget does not collect, transmit, or have access to:

• Your name, email address, or any personally identifiable information (PII)
• Bank account numbers, credit card numbers, or financial institution data
• Location data (GPS, network-based, or otherwise)
• Contacts, photos, calendar, microphone, or other device data
• Advertising identifiers (IDFA, GAID, or equivalent)
• Usage analytics, behavioral tracking, or profiling data
• Browsing history or cross-app tracking data

4Data sent off-device

Dudget uses two third-party services that transmit limited, non-personal data:

4a. Firebase Crashlytics (crash reporting)

Purpose: To identify and fix bugs that cause the app to crash.

Lawful basis: Legitimate interest (improving app stability and reliability). See Section 8 for your right to opt out.

When the app crashes, Firebase Crashlytics may send:

• Device model and operating system version
• App version and build number
• Stack trace (the code path that caused the crash)
• Anonymous installation identifier (a random ID generated by Firebase — not linked to your identity, your Apple ID, your Google account, or any personal information)

What is NOT sent: No budget amounts, transaction details, merchant names, category names, currency amounts, or any financial data is included in crash reports. All monetary values are stripped from crash logs before transmission.

Data processor

Google LLC (Mountain View, California, USA)

Retention period

90 days, then automatically deleted

Privacy policy

firebase.google.com/support/privacy

Sub-processors

privacy.google.com/businesses/subprocessors

Opt-out: You can disable crash reporting at any time in Settings → About → Crash Reporting. When disabled, no crash data is sent to Firebase. The opt-out takes effect immediately. See Section 8 for additional rights.

4b. RevenueCat (subscription management)

Purpose: To manage Dudget Premium subscriptions and restore purchases across devices.

Lawful basis: Contract performance (processing your subscription purchase).

If you purchase Dudget Premium, RevenueCat processes:

• Anonymous app user ID (generated by RevenueCat — not linked to your identity)
• Purchase receipt (validated with Apple App Store or Google Play Store)
• Subscription status (active, expired, cancelled, or in grace period)

What is NOT sent: No budget data, transaction amounts, merchant names, or financial information is shared with RevenueCat. Payment card details are handled entirely by Apple or Google and are never seen by Dudget or RevenueCat.

Data processor

RevenueCat, Inc. (San Francisco, California, USA)

Retention period

Duration of subscription plus 3 years (tax/audit compliance)

Privacy policy

revenuecat.com/privacy

4c. Frankfurter.dev (exchange rates)

Purpose: To provide daily currency exchange rates for multi-currency support.

Dudget fetches publicly available exchange rate data from Frankfurter.dev and caches it locally on your device. No personal data is transmitted in these requests — only the currency pair being requested (e.g., "USD to PHP"). No cookies, identifiers, or device information are sent.

Provider

Frankfurter.dev (open-source, operated by the European Central Bank data feed)

Terms

frankfurter.dev

5Biometric and PIN security

Dudget offers optional biometric (Face ID / Touch ID / fingerprint) and PIN lock protection:

• Biometric data is handled entirely by your device's operating system (iOS LocalAuthentication / Android BiometricPrompt). Dudget never accesses, stores, processes, or transmits biometric data. It only receives a pass/fail authentication result from the system.
• PIN codes are hashed with SHA-256 and a cryptographically random salt before storage. The hash is stored in the device's secure enclave (iOS Keychain / Android Keystore). The original PIN is never stored in plaintext and cannot be recovered.
• PIN lockout: After 5 failed attempts, the app locks for 30 seconds before further PIN entries are allowed. The wrong-attempt counter resets to zero on a successful unlock (PIN or biometric).
• No remote unlock: Since there are no user accounts in MVP, there is no "forgot PIN" recovery via email or SMS. If biometric authentication is enabled, it can be used to bypass the PIN and reset it.

6Data deletion

Since all data is stored locally on your device:

• Uninstalling the app removes all budget data, transactions, categories, and settings from your device.
• iOS note: The iOS Keychain may retain encryption keys and PIN hashes after uninstall. Dudget detects this on reinstall and automatically clears stale Keychain data on first launch.
• No server-side data: Dudget MVP does not require or create user accounts. There is no server-side data to request deletion of.
• RevenueCat data: If you have purchased Dudget Premium and wish to delete your RevenueCat records, contact us at privacy@dudget.app and we will request deletion from RevenueCat on your behalf.

7Children's privacy

Dudget does not knowingly collect any personal information from children. Since Dudget does not collect personal information from users of any age, does not require account creation, and does not engage in behavioral profiling, there is no age-gated data to protect.

For reference, the minimum age of digital consent varies by jurisdiction:

• European Economic Area (GDPR): 16 years (member states may lower to 13)
• United Kingdom (UK GDPR): 13 years
• United States (COPPA): 13 years
• Canada (PIPEDA): No specific age threshold; consent validity depends on the child's capacity to understand
• Philippines (DPA): 18 years for sensitive personal information; parental consent required for minors

If we learn that we have inadvertently collected personal information from a child below the applicable age of consent, we will delete that information promptly.

8Your rights by jurisdiction

8a. European Economic Area (EU GDPR)

If you are located in the European Economic Area, the General Data Protection Regulation (EU 2016/679) applies to the limited data we process (crash reports via Firebase Crashlytics and subscription records via RevenueCat).

Data controller

Joevanni Parairo, Santo Tomas, Batangas, Philippines

Lawful bases:

• Crash reporting: Legitimate interest (Article 6(1)(f)) — maintaining app stability. You may object at any time (see opt-out in Section 4a).
• Subscription management: Contract performance (Article 6(1)(b)) — fulfilling your Premium purchase.

Your rights under GDPR:

• Right of access (Art. 15): Request a copy of any data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18): Request that we limit processing of your data.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest, including crash reporting. To exercise this right, disable crash reporting in Settings.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You may file a complaint with your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.

International data transfer: Crash data is processed by Google LLC in the United States. Google participates in the EU-US Data Privacy Framework and applies Standard Contractual Clauses (SCCs) for data transfers.

Representative in the Union (Article 27 GDPR): Dudget is an independent developer with limited-scale processing activities and has not appointed a representative in the European Union under Article 27 GDPR. This position will be reassessed as the user base and processing activities grow. You may contact us directly at the address below.

To exercise any of these rights, contact us at privacy@dudget.app. We will respond within 30 days.

8b. United Kingdom (UK GDPR / Data Protection Act 2018)

If you are located in the United Kingdom, the UK General Data Protection Regulation and the Data Protection Act 2018 apply. Your rights are substantially similar to those listed in Section 8a above.

UK representative (Article 27 UK GDPR): Dudget has not appointed a UK representative, relying on the limited-scope nature of our processing activities. This position will be reassessed as the UK user base grows.

Supervisory authority: Information Commissioner's Office (ICO)

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Complaints: ico.org.uk/make-a-complaint

The UK has been granted data adequacy status by the European Commission. Data transfers between the UK and the EU/EEA are permitted without additional safeguards.

8c. Canada (PIPEDA)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. In Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (Quebec Law 25) may also apply.

Your rights under PIPEDA:

• Right to know: You may request information about what personal data we hold about you, why we collect it, and how it is used.
• Right to access: You may request a copy of your personal data.
• Right to challenge accuracy: You may request correction of inaccurate or incomplete data.
• Right to withdraw consent: You may withdraw consent for crash reporting at any time via Settings. Withdrawal of consent does not affect the functionality of the app.

Privacy officer

Joevanni Parairo

Supervisory authority

Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca

Complaints

priv.gc.ca/en/report-a-concern

PIPEDA requires that personal information be collected only for purposes that a reasonable person would consider appropriate. We collect crash data solely to fix bugs and improve app stability. We collect subscription data solely to fulfill your purchase. We consider these purposes reasonable and proportionate. Financial data (such as budget amounts, transactions, and categories) is classified as sensitive under PIPEDA and is never collected or transmitted.

8d. United States (state privacy laws)

Dudget does not currently meet the revenue, data volume, or data sale thresholds that trigger obligations under the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), or other US state privacy laws. We do not sell or share personal information as defined by these laws.

However, we proactively disclose the following for transparency:

• Data collected: Anonymous crash diagnostics (device model, OS version, stack trace, anonymous installation ID). Anonymous subscription records (app user ID, purchase receipt, subscription status).
• Data NOT collected: We do not collect, sell, or share personal information for advertising, profiling, or any commercial purpose beyond crash reporting and subscription management.
• Opt-out: You can disable crash reporting in Settings. There is no personal data sale or sharing to opt out of.
• Data deletion: Uninstalling the app deletes all local data. Contact us to request deletion of RevenueCat subscription records.

If US state privacy laws become applicable to Dudget in the future (e.g., due to growth in user base or revenue), we will update this policy and implement any required mechanisms (such as "Do Not Sell or Share My Personal Information" links).

8e. Philippines (Data Privacy Act of 2012 — RA 10173)

As a Philippines-based developer, we comply with the Data Privacy Act of 2012 and its Implementing Rules and Regulations:

• Transparency: This policy clearly describes all data processing activities, their purposes, and the third parties involved.
• Legitimate purpose: Crash reporting improves app stability for all users. Subscription management enables premium feature delivery. Both purposes are proportionate and necessary.
• Proportionality: Only the minimum data necessary is processed for each stated purpose. No sensitive personal information (as defined by RA 10173 §3(l)) is collected or transmitted.
• Right to access: You may request details of any data we process about you.
• Right to erasure: Uninstalling the app deletes all local data. Contact us to request deletion of any off-device records.
• Right to object: You may object to crash data collection at any time via Settings.
• Right to damages: You may claim compensation for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized processing of personal data.
• Right to file a complaint: You may file a complaint with the National Privacy Commission (NPC).

Supervisory authority

National Privacy Commission (NPC) — privacy.gov.ph

Complaints

privacy.gov.ph/complaints-assisted-form

Breach notification: In the unlikely event of a data breach affecting personal information, we will notify the NPC and affected data subjects within 72 hours as required by NPC Circular 16-03.

9Data processors and sub-processors

We use the following third-party data processors:

Both Google and RevenueCat act as data processors on our behalf. They process data only for the purposes described above and are contractually bound to protect your data. They do not use your data for their own advertising or profiling purposes.

10Data security

We implement the following security measures to protect your data:

• Encryption at rest: Your local database is encrypted using SQLite3MultipleCiphers with a key stored in iOS Keychain / Android Keystore.
• PIN protection: PIN codes are hashed with SHA-256 + random salt. Original PINs are never stored.
• No plaintext storage: Sensitive settings (encryption key, PIN hash) are stored in the device's secure enclave, not in plaintext files.
• Screenshot prevention: On Android, FLAG_SECURE prevents screenshots and the app appearing in the recent apps thumbnail. On iOS, a blur overlay is applied when the app enters the background.
• Release hardening: Production builds use code obfuscation (--obfuscate) with debug symbols stored separately (--split-debug-info).
• No logging in production: Debug print statements and detailed error messages are removed from release builds.
• Dependency auditing: We regularly run dart pub audit to check for known vulnerabilities in our dependencies.

11Cookies and tracking technologies

Dudget is a native mobile app. It does not use cookies, web beacons, pixels, localStorage, or any browser-based tracking technologies. It does not use advertising identifiers (IDFA or GAID). It does not participate in cross-app or cross-site tracking.

The iOS privacy manifest (PrivacyInfo.xcprivacy) declares:

• NSPrivacyTracking: false — no tracking
• NSPrivacyTrackingDomains: [] — no tracking domains
• Collected data type: crash data (not linked to identity, not used for tracking)
• API usage: NSUserDefaults (app settings) and FileTimestamp (database management)

12International data transfers

Your budget data never leaves your device. The only international data transfers occur when:

1. Crash data is sent to Google's Firebase Crashlytics servers in the United States.
2. Subscription data is sent to RevenueCat's servers in the United States.

For users in the EEA: Google applies Standard Contractual Clauses (SCCs) approved by the European Commission and participates in the EU-US Data Privacy Framework for data transfers to the US.

For users in the UK: Google and RevenueCat rely on the UK's International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs for data transfers.

For users in Canada: Google and RevenueCat maintain comparable levels of protection as required by PIPEDA Principle 9 (Safeguards) for cross-border data transfers.

For users in the Philippines: The NPC has not issued a comprehensive adequacy determination for the United States. We rely on contractual protections with our data processors, consistent with NPC Circular 2016-02 on cross-border data transfers.

13Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy
• Note the changes in the app's release notes on the App Store and Google Play Store
• For significant changes affecting your rights, provide in-app notification

Your continued use of Dudget after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Previous versions of this policy are available upon request.

15App store privacy disclosures

Apple App Store — App Privacy Label

Google Play Store — Data Safety

Data is encrypted in transit (TLS) and at rest (SQLite3MultipleCiphers). Users can request deletion of off-device data by contacting us.