Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to monthtomonths. We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this policy or our practices with regard to your personal information, please contact us.
2. Information We Collect
We collect personal information that you voluntarily provide to us when you register on the App, express an interest in obtaining information about us or our products and services, when you participate in activities on the App or otherwise when you contact us.
- Personal Info: Names, email addresses, and passwords. Passwords are stored only as bcrypt hashes; we never store your plaintext password.
- Financial Info: Transaction data, income sources, expense categories, budget goals.
- Usage Data: How you interact with our dashboard.
- OAuth Data: If you sign in with Google, we store authentication tokens (encrypted at rest).
3. How We Use Your Information
We use personal information collected via our App for the purposes described in this policy: to provide and operate the App, to process PRO subscription payments, and, only with your consent, to extract text from images you upload (see Section 5). We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations.
4. Data Encryption & Security
We take the security of your financial data seriously and employ multiple layers of protection:
- Encryption at rest: Sensitive free-text financial data (transaction names, notes, and shared expense details) is encrypted with AES-256-GCM before it is written to our database.
- Encryption in transit: All traffic between your browser and our servers uses TLS (HTTPS).
- Password hashing: Passwords are hashed with bcrypt, which generates a unique salt for every password; plaintext passwords are never stored.
- OAuth token encryption: Third-party authentication tokens (e.g., Google) are encrypted at rest using AES-256-GCM.
- CSRF protection: The Origin header on every API request is checked against our own domain, so a request triggered from another site is rejected; this prevents cross-site request forgery.
5. AI Processing & Third-Party Data Sharing
We believe in transparency about when your data is processed externally. Here is exactly how data flows in our app:
Server-Side Processing (No External Sharing)
The following file types are parsed entirely on our own servers and are not sent to any third party; your data never leaves our infrastructure:
- PDF files (parsed using pdf-parse)
- Excel files (.xlsx, .xls — parsed using xlsx library)
- CSV and plain text files
AI-Powered Processing (Requires Your Consent)
Image files (PNG, JPEG, WebP, HEIC) require AI-powered OCR to extract text. When you upload an image:
- You are shown a clear consent dialog before any processing occurs.
- If you consent, the image is sent to OpenAI (via their API) for text extraction.
- The image is transmitted over an encrypted connection (HTTPS).
- We do not store the image after processing.
- OpenAI's data usage policy applies to the processing — see OpenAI API Data Usage Policy.
- You can always decline and use a PDF, spreadsheet, or text file instead.
Other Third-Party Services
- Stripe: Processes payments for PRO subscriptions. We never store your credit card details; Stripe handles card data under PCI DSS. Your email address and name are shared with Stripe for billing purposes.
- Google OAuth: If you sign in with Google, your email, name, and profile picture are received from Google. Authentication tokens are encrypted at rest.
- Cloudflare Turnstile: Bot protection on the login and signup forms. We send Cloudflare only the interaction token for verification. Note that your browser loads the Turnstile widget directly from Cloudflare, so Cloudflare receives that request (including your IP address) as part of the challenge.
6. Data Retention & Deletion
Your data is retained for as long as your account is active. You can delete all your data at any time through the Settings page using the "Reset to Defaults" feature (requires email confirmation). If you wish to delete your account entirely, contact us at privacy@monthtomonths.app.
7. Your Rights
You have the right to:
- Access: Export your data at any time using the PDF or Excel export features.
- Deletion: Delete all your financial data via Settings, or request full account deletion.
- Consent withdrawal: You can decline AI processing at any time — all non-image imports work without external services.
- Portability: Export your data in PDF or Excel format for use with other services.
8. Contact Us
If you have questions or comments about this policy, you may email us at privacy@monthtomonths.app.