Your data, on speaking terms.

Gumdrop is a budgeting app, which means you trust us with some pretty personal numbers. This policy explains exactly what we collect, what we do with it, who we share it with (spoiler: basically no one), and what control you have. We tried to keep the legalese to a minimum.

1. Who we are

"Gumdrop," "we," or "us" refers to the operator of Gumdrop (gumdropmoney.com). You can reach us at shray@gumdropmoney.com with any privacy questions.

2. What we collect

Information you provide

• Account info: your email address and (if you choose) a display name, collected when you sign up.
• Financial info you enter: transactions (amount, date, category, optional notes), categories, budget limits, income, and any accounts you add. All of this is self-reported, Gumdrop does not connect to your bank.
• Onboarding responses: why you're budgeting and how you get paid, used to personalize your setup.

Information collected automatically

• Minimal technical info: app version and platform (iOS/Android/web), used to diagnose crashes and compatibility issues.
• Authentication metadata: session tokens and sign-in timestamps, handled by our auth provider (Supabase).

We do not collect advertising identifiers, location, contacts, or browsing history. We don't use third-party analytics that fingerprint users.

3. How we use your information

• To provide the service, compute budgets, render charts, sync your data across devices.
• To send critical account emails (confirmations, password resets, security notices). Only transactional, never marketing.
• To improve Gumdrop, debug issues, understand what's broken. Always in aggregate, never tied to individual accounts.

4. Who we share it with

We share as little as possible. Specifically:

• Supabase, stores your account data and handles authentication. Data is stored in the United States with row-level security so accounts are isolated from each other.
• Vercel, hosts this marketing site. Vercel does not have access to in-app data.
• Legal obligations, if required by law (subpoena, court order, safety emergency), we'll comply but push back where reasonable.

We never sell your data, share it with advertisers, or use it to train AI models.

5. How we protect it

• All traffic between your device and our servers is encrypted (HTTPS/TLS).
• Your data at rest is encrypted by Supabase using AES-256.
• Row-level security policies prevent any other Gumdrop user from accessing your data.
• No company employees have casual access to your financial data, access is logged and scoped to debugging issues you report.

6. Your rights

• Access: every piece of data we store is visible inside the Gumdrop app.
• Correction: edit anything directly in-app.
• Deletion: Settings → Delete account. This is permanent and removes your profile, categories, transactions, and accounts within a reasonable timeframe.
• Export: email us at shray@gumdropmoney.com and we'll send a JSON export of your data.

If you're in the EU, UK, or California, you have additional rights under GDPR / UK-GDPR / CCPA (to object, to portability, to know). Email us and we'll honor them within the statutory deadline.

7. Children's privacy

Gumdrop is not intended for anyone under 13. We don't knowingly collect data from children under 13. If you believe a child has created an account, email us and we'll delete it.

8. Data retention

We keep your data for as long as your account is active. If you delete your account, we remove your personal data from live systems within 30 days. Encrypted database backups may retain your data for up to 90 days before cycling out.

9. International transfers

Gumdrop servers are in the United States. If you're accessing from outside the US, you're consenting to your data being processed there.

10. Changes to this policy

If we make material changes we'll update the effective date above and send a heads-up email to active users. Your continued use of Gumdrop after a change constitutes acceptance.