Overview
BlackSquad Budget is designed with privacy as a core principle. Your financial data is stored locally on your device by default. We do not collect personal information, analytics, or tracking data. This policy explains how data is handled, what happens if you use optional sync, and your rights.
Data Storage
Local-First Architecture
All your financial data — accounts, transactions, budgets, goals, debts, and settings — is stored in your browser's localStorage. This data never leaves your device unless you explicitly:
- Download a backup file (which you control completely)
- Enable optional encrypted sync (see below)
We never have access to your data in plain text. Without optional sync, no budget copy is uploaded. With sync enabled, the server stores only an opaque encrypted blob. If you clear browser storage and have neither a usable sync copy nor a backup, the local data is gone — which is why backups remain important.
Optional Encrypted Sync
What It Does
If you choose to enable sync, your data is encrypted on your device and uploaded to our server. This allows you to keep your budget in sync across multiple devices (phone, tablet, laptop) without compromising security.
Encryption Details
Sync encrypts your data on your device using the following parameters:
- Algorithm: AES-256-GCM
- Key derivation: PBKDF2-SHA256 with 310,000 iterations
- Salt: 16 random bytes (unique per sync session)
- IV: 12 random bytes (unique per encryption)
Your passphrase is never sent to our server. It stays on your device. The server only stores the encrypted blob. Even if someone gained access to our servers, they would see only encrypted data with no way to decrypt it without your passphrase.
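The parameters listed above, shown as an added example that is not BlackSquad Budget's own code. It runs on Node's built-in crypto module rather than in the browser, and the blob layout (salt | IV | tag | ciphertext), the function names and the sample data are assumptions made for illustration.

```javascript
// Added illustration, not the app's code. Blob layout is an assumption.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 310000; // PBKDF2-SHA256 iteration count stated in the policy
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KEY_LEN = 32; // bytes

// Derive the 256-bit AES key on the device; the passphrase itself is never uploaded.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Encrypt a budget object into the opaque blob that would be uploaded.
function sealBudget(budget, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh per encryption: GCM fails badly on IV reuse
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(budget), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Decrypt on another device; throws if the passphrase is wrong or the blob was altered.
function openBudget(blob, passphrase) {
  const head = SALT_LEN + IV_LEN + TAG_LEN;
  if (blob.length < head) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, head);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(passphrase, salt), iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(blob.subarray(head)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// True when openBudget refuses the input (GCM tag check failed).
function rejects(blob, passphrase) {
  try { openBudget(blob, passphrase); return false; } catch (e) { return true; }
}

// Constructed sample data, not real app output.
const sample = { accounts: [{ name: 'Checking', balance: 1250.75 }], budgets: { groceries: 400 } };
const blob = sealBudget(sample, 'correct horse battery staple');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
console.log('blob bytes:', blob.length,
  '| wrong passphrase rejected:', rejects(blob, 'wrong guess'),
  '| tampered blob rejected:', rejects(tampered, 'correct horse battery staple'));
```

The iteration count only slows each guess; anyone holding the blob can still try passphrases offline, so the protection is bounded by the strength of the passphrase.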
Passphrase Storage
If you check "Remember on this device," your passphrase is stored in your browser's localStorage on that device only. This is convenient but should only be used on devices you trust. We recommend:
- Use "Remember" on personal devices only
- Do not use "Remember" on shared or public devices
- Regularly change your sync passphrase from the Sync settings
What We Store on Our Server
If you use optional sync, we store:
- Your sync key (a unique identifier for your sync group)
- An encrypted blob of your budget data
- Timestamp of the last sync
We do not store:
- Your passphrase (in any form)
- Your unencrypted data
- Personal information (name, email, age, location, etc.)
- Cookies, tracking pixels, or analytics
- IP addresses or usage logs (beyond standard server logs for security)
Data You Control
Backup Files
You can export your budget as a .bsb (plain-text JSON) or .bsbe (encrypted) backup file at any time. These files are downloaded to your device and are entirely under your control. We have no access to them.
Synced Data Deletion
You can delete your remote sync copy at any time from Sync settings. This removes the encrypted blob from our server. Your local data on that device remains untouched.
Device Disabling
You can disable sync on a specific device without affecting other synced devices. That device is removed from your sync group but retains all local data.
Passphrase Recovery
We cannot recover your sync passphrase. If you forget it:
- Start a new sync with a new passphrase (this device becomes a new member of a new sync group)
- Restore from a backup file you previously exported
There is no "forgot password" flow because we never store or have access to your passphrase in the first place.
Data Deletion and Retention
Your data is yours to control.
- Clearing your browser's localStorage deletes all local data
- Deleting a remote sync copy removes the encrypted blob from our server permanently
- We retain server logs for security purposes only, not for analytics or marketing
- If you delete your account (sync group), we delete all associated encrypted data
Third-Party Services
BlackSquad Budget does not integrate with or send data to:
- Banks or financial institutions
- Analytics services (Google Analytics, Mixpanel, etc.)
- Marketing platforms (Mailchimp, Hubspot, etc.)
- Payment processors (except optional PayPal donation link)
- Cloud storage services (data stays on your device)
When you import a CSV bank statement, that file is processed entirely in your browser. The file is not sent anywhere.
Security Practices
- HTTPS-only: All communication with our sync server uses TLS/SSL encryption
- No plain-text storage: Synced data on the server is encrypted at rest
- No logging of sensitive data: We do not log passphrases, decrypted data, or account information
- Regular updates: The app receives security updates and bug fixes
Children and Minors
BlackSquad Budget is not directed at children under 13. We do not knowingly collect data from children. If you believe we have inadvertently done so, please contact us immediately.
Your Rights
Data access: All your data is stored on your device in your browser. You have full access at any time.
Data portability: You can export your data as a backup file at any time and import it elsewhere.
Right to deletion: You can delete your data locally or request deletion of your remote sync copy.
Right to know: This policy fully discloses what we store and how. We have no hidden data collection.
Changes to This Policy
We may update this privacy policy occasionally. Material changes will be noted in a clear way. Your continued use of the app after changes indicates your acceptance. If you disagree with any changes, you may discontinue using sync or the app.
Contact
Questions about privacy or sync encryption?
Email: feedback@blacksquadja.com
GitHub: Issues and feature requests can be filed if the app is open-sourced
Last updated: June 8, 2026
Effective date: June 8, 2026 (v4.1 — Sync introduction)