
Privacy Policy

Last updated 13 June 2026

DebtKeeper is a personal project, operated by an individual, that lets people track private debt agreements between themselves. This policy explains what personal data we process, why, and the rights you have over it. We are the data controller for the purposes of the EU/UK GDPR.

What we collect

  • Account data — your name, email address, and password (stored only as a salted bcrypt hash, never in plain text).
  • Profile data — an avatar emoji or, if you choose to upload one, a small profile image.
  • Contract data — the debts, payments, charges, demands and notes you and the other party record. This is shared between the two participants of each contract.
  • Preferences — display settings such as currency, timezone and text size.
  • Technical data — your IP address (used briefly to rate-limit sign-in and protect against abuse) and, if you enable them, push-notification tokens.

Cookies

We use a single, strictly necessary cookie to keep you signed in. We do not use advertising or tracking cookies, and we do not profile you, so no cookie-consent banner is required. Usage statistics, if collected, are gathered in an aggregate, cookieless way that does not identify you.

Why we use it (legal basis)

We process account and contract data to provide the service you sign up for (performance of a contract), and technical data to keep the service secure (legitimate interest). We send transactional emails — verification and password reset — because they are necessary to operate your account.

Who we share it with

We do not sell your data. It is processed by a small number of service providers acting on our behalf:

  • Neon — database hosting (EU region).
  • Vercel — application hosting and cookieless analytics.
  • Resend — sending verification and password-reset emails.
  • Apple / Google / Mozilla push services — only if you enable notifications, to deliver them to your device.

The other participant in any contract you take part in can see that contract's shared details and your display name and avatar.

How long we keep it

We keep your data while your account is active. If you delete your account, your personal data (name, email, avatar, login) is erased. Where you are a party to a contract that the other person relies on as a record, that contract is retained in an anonymised form, with your identity removed and shown as an unreachable/closed account.

Your rights

Under GDPR you have the right to access, correct, export, or delete your personal data, and to object to or restrict its processing. In the app you can:

  • Edit your name and avatar at any time from your profile.
  • Delete your account from your profile, which erases your personal data as described above.

For any other request, contact us using the details below. You also have the right to complain to your local data-protection authority.

Security

Passwords are hashed with bcrypt, all traffic is encrypted over HTTPS, sessions use httpOnly cookies, and access to your data requires authentication. No system is perfectly secure, but we take reasonable measures to protect it.

Contact

For any privacy question or request, email privacy@debtkeeper.app.

DebtKeeper is provided as-is for personal use. This policy may be updated; material changes will be reflected by the date above.
