מדיניות פרטיות

Privacy Policy

Last updated: February 21, 2026

1. Data Controller

BudgetOps is operated by an individual freelancer based in Israel. For privacy inquiries, contact us at: [email protected]

2. What We Collect

3. What We Do NOT Collect

• We do not use analytics, tracking pixels, or advertising SDKs
• We do not collect device fingerprints, IP addresses for profiling, or location data
• We do not use cookies except the essential session cookie required for authentication
• We do not collect payment card details (future payments will be processed by a certified third-party provider)

4. Legal Basis for Processing

• Contract performance — Processing your data is necessary to provide the Service you signed up for
• Legitimate interest — Security monitoring, audit logging, preventing abuse
• Consent — When you explicitly agree (e.g., by creating an account)
• Legal obligation — When required by Israeli law or valid legal process

5. Cookies

We use a single essential session cookie (next-auth.session-token) for authentication. This cookie is strictly necessary for the Service to function and cannot be declined while using the Service. We do not use any marketing, analytics, or preference cookies.

6. Third-Party Services

We do not share your data with any other third parties.

7. Data Storage & Security

• Location: All data is stored in the European Union (Frankfurt, Germany) on Fly.io infrastructure
• Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest
• Passwords: Stored using bcrypt hashing — we never store or can view your plaintext password
• 2FA secrets: Encrypted before storage
• File uploads: Stored on encrypted persistent volumes, accessible only through authenticated API endpoints
• Access control: Role-based permissions, tenant isolation, and approval workflows

8. Data Retention

• Active accounts: Data is retained for as long as your account is active
• Closed accounts: Data is retained for 30 days after account closure, then permanently deleted
• Audit logs: Retained for the lifetime of the associated budget structure for compliance purposes
• Uploaded files: Deleted when the associated invoice is deleted or account is closed

9. Your Rights

Under Israeli privacy law and GDPR, you have the right to:

• Access — Request a copy of your personal data
• Correction — Request correction of inaccurate data
• Deletion — Request deletion of your data ("right to be forgotten")
• Data portability — Receive your data in a structured, machine-readable format (CSV/JSON export)
• Restriction — Request limitation of processing in certain circumstances
• Objection — Object to processing based on legitimate interest

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

10. International Transfers

Your data is processed and stored within the EU (Germany). If you access the Service from outside the EU, your data transits to our EU servers. We do not transfer your data outside the EU/EEA.

11. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email of material changes. The "last updated" date at the top reflects the latest revision.

13. Contact

For privacy-related questions or to exercise your rights: [email protected]

For general support: [email protected]