GrandTracker Privacy Policy

Effective date: 2026-05-05 Hosted at: https://grandtracker.panabakers.com/privacy Contact: privacy@panabakers.com

GrandTracker is a household spend-tracking app. We built it for our own families and we treat your data the way we'd want ours treated. This page explains what we collect, why we collect it, who else sees it, and what you can do about it. We've kept it short and skipped the legalese. If something here is unclear, write to us.

Who we are

GrandTracker is operated by Ruston Panabaker, an individual developer based in the United States. There is no company entity yet — when there is, this notice will be updated. References to "we", "us", and "our" mean the developer; "you" means the person using the app.

What we collect

We try to collect the smallest amount of information that lets the product work. That is:

Account information — your name (or whatever you put in the display-name field) and your phone number. We use the phone number to sign you in via SMS one-time codes; we don't email you or call you.

Household information — the household name you (or someone who invited you) pick, and the list of members in it. Up to eight members per household.

Spends you record — for each spend you log: the amount, an optional description, an optional category, the date the spend happened, an optional free-form note, and an optional photo of the receipt. If you set up a recurring spend (rent, internet, etc.), we store that template too — the same fields, plus how often it repeats.

Push registration — a Firebase Cloud Messaging (FCM) device token so we can send you a notification when another member adds a spend. Tokens are tied to your install, not to your phone number.

Engineering metrics — anonymous, content-free counters that help us see when something is broken: how long sync round-trips take, how often the realtime connection drops, when our daily background job ran. These are keyed to a rotating anonymous device ID, not your account, and they never include the contents of your spends, descriptions, notes, or receipts.

What we don't collect — we don't ask for your email, address, date of birth, government IDs, bank account numbers, credit card numbers, or any third-party account credentials. We don't track your location. We don't run advertising or behavioral analytics SDKs. The app does not have a Facebook SDK, an AdMob SDK, or any similar tracker.

Why we collect it

Each item above maps to a specific use:

Name + phone: to identify you to your household members and to send you the SMS one-time code that signs you in.
Household + members: to make the shared ledger work. Other members of your household see your name and the spends you record; that's the entire point of the product.
Spends, recurring templates, receipts: to provide the ledger feature. We don't analyze your spends, sell them, share them with advertisers, or use them to train any model.
Push token: to send notifications to your device when something happens in your household.
Engineering metrics: to operate the service. If sync is slow or crashes are happening, we want to know without reading your data.

If a use isn't on this list, we're not doing it.

Who we share it with

We use a small number of third-party services to actually run the app. Each one is on our subprocessor list at the subprocessor page. The short version:

Supabase — our database, authentication, file storage, and realtime sync. Hosts everything we store.
Twilio — sends the SMS one-time code when you sign in.
Firebase / Google (FCM) — delivers push notifications to your Android device.
Sentry — receives crash reports and error traces from the app and from our backend functions. We strip phone numbers, descriptions, and notes before they're sent; Sentry sees stack traces and error context, not your ledger.
Cloudflare — provides DNS and serves the public website (this page). Does not see your in-app data.
Better Stack — receives heartbeat pings from our background jobs and structured operational logs (no PII). Does not see your data.
Doppler — manages our secrets (API keys, signing certificates). Does not see your data.
Google Play — distributes the app to your Android device.

We do not sell your data. We do not share it with advertisers or data brokers. We do not share it with any party outside the subprocessor list. If a court order or law enforcement request comes in, we will narrow it to the minimum required by law and notify you unless legally prohibited from doing so.

Where it lives

All of your data is stored in the United States, in Supabase's us-east-1 region. If you're in Canada, you are consenting to your information being processed in the US when you sign up; we surface this at signup so the consent is informed.

How long we keep it

Spends and recurring templates: until you delete them. Deletes are "soft" first (the row is marked deleted but kept for sync hygiene), then hard-deleted permanently 90 days later. If you want it gone immediately, ask — see "Your rights" below.
Receipts: kept as long as the spend they're attached to. Deleting the spend deletes the receipt.
Pending invites: kept for 30 days after the invite expires (so the Members screen can show "INVITED APR 22"), then automatically pruned.
Authentication sessions: persist on your device until you sign out, uninstall the app, or someone (you or us, on your request) calls the "sign out everywhere" function.
Engineering metrics: kept for 90 days, then deleted.
Account deletion: when you delete your account, all of your spends, recurring templates, receipts, and profile data are hard-deleted within 30 days. Backups containing the deleted data age out within 35 days.

Your rights

Whether or not you live in California, the EU, or Canada, you have the following rights with us. We aim to align with CCPA/CPRA in the US and PIPEDA / Quebec Law 25 in Canada by default.

See your data. You can read all of your spends in the app at any time. From version M8 onward, Settings → Export will give you a CSV and a JSON of everything we have on you.

Correct your data. Every spend is editable from its detail screen. Your name and phone are editable in Settings → Profile.

Delete your data. Settings → Delete account. We complete the deletion within 30 days. Your fellow household members will see your spends remain in their copy of the ledger (we have to — they own the household record too) but your name will be replaced with "Former member" and your phone number is removed.

Export your data. Same Settings → Export action. CSV for human consumption, JSON for portability.

Object or restrict. If you'd like us to stop processing some part of your data, write to privacy@panabakers.com. We'll respond within 30 days.

Complain. If you think we've mishandled your data, tell us first at privacy@panabakers.com so we can fix it. You can also complain to your local data-protection authority — the California Privacy Protection Agency in California, your provincial commissioner in Canada (e.g. the CAI in Quebec), or the federal Privacy Commissioner of Canada elsewhere.

How we protect it

The data we hold isn't catastrophic if breached, but it's still a window into your household's finances and we treat it that way:

In transit: TLS 1.2 or higher on every connection. HSTS on the website.
At rest: encrypted on disk by Supabase's managed infrastructure. Receipts are stored in a private bucket with row-level security; downloads use short-lived signed URLs.
Access controls: the database enforces "you can only read rows for your own household" at the database layer, not just in the app code. Two members of two different households cannot see each other's data even if the app had a bug.
Authentication: SMS one-time codes for sign-in. Multi-factor options (TOTP, passkey) are on the roadmap and will be optional when available.
Backups: daily, encrypted, tested. Tested means we've actually restored from one and confirmed it works.
No PII in logs: our error tracking and engineering metrics are scrubbed of phone numbers, descriptions, and notes before they leave the device or the server.
No password storage for your other accounts. GrandTracker does not, and will never in this version, store credentials for any other service. We track the fact of a spend, not your bank login.

The full security architecture is described in docs/threat-model.md in our public repo. If you find a security issue, please email privacy@panabakers.com or use the "Responsible disclosure" link on our website.

Children

GrandTracker is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has signed up, write to privacy@panabakers.com and we will delete the account.

Changes to this policy

If we change this policy in a way that materially affects how we use your data, we will notify you in-app before the change takes effect, and update the "Effective date" at the top. Minor wording changes are made without notice; the latest version is always at https://grandtracker.panabakers.com/privacy.

Contact

For privacy questions, deletions, exports, complaints, or anything else covered above:

privacy@panabakers.com

We'll acknowledge your message within 5 business days and respond substantively within 30 days.

Privacy questions: privacy@panabakers.com · Source: docs/legal/privacy-policy.md