Privacy Policy

Last updated: January 2026

What We Collect

Budget Inbox accesses the following data to provide our service:

  • Email (Gmail): We read emails exclusively from Amazon's order confirmation address (auto-confirm@amazon.com). We use a strict filter that only retrieves these emails. We do not access, read, or process any other emails in your inbox.
  • YNAB: We access your budget name, account names, and category names to create split transactions for your Amazon orders.
  • Account Info: Your email address for login and OAuth tokens to maintain API connections.

How We Use Your Data

  • Parse Amazon order confirmation emails to extract order details
  • Extract line items, prices, tax, and shipping costs
  • Send product names to AI for categorization (see AI Processing below)
  • Create split transactions in your selected YNAB budget and account

AI Processing

We use Anthropic Claude to categorize your order items. Here's exactly what we send:

  • Sent: Product names only (e.g., "Anker USB-C Cable 6ft")
  • Sent: Your YNAB category names (e.g., "Groceries", "Electronics")
  • NOT sent: Your name, email, order IDs, prices, addresses, or any other personal information

Anthropic's data retention policy applies to this processing. We recommend reviewing their privacy policy at anthropic.com.

Data Storage

We store minimal data required to operate the service:

  • OAuth tokens: Encrypted at rest using AES-256-GCM to maintain your Gmail and YNAB connections
  • Order metadata: Amazon order IDs, dates, amounts, and item names to prevent duplicate syncs and show your history
  • Category preferences: Your YNAB category mappings for consistent categorization

We do NOT store:

  • The full content or HTML of your emails
  • Your complete YNAB transaction history
  • Your shipping addresses or payment methods from Amazon

Data Retention

Your data is retained for as long as your account is active. When you disconnect a service, the OAuth tokens are deleted immediately. When you delete your account, all associated data (orders, items, sync logs, connections) is permanently deleted immediately via cascading deletion.

Cookies

We use cookies for:

  • Essential: Authentication session management (required for the service to function)
  • Preferences: Theme settings (light/dark mode)

We do not use advertising or tracking cookies. You can manage cookie preferences through the consent banner.

Third-Party Services

We integrate with the following services to provide Budget Inbox:

  • Google Gmail API: To read Amazon order confirmation emails only
  • YNAB API: To create transactions in your budget
  • Anthropic Claude: To categorize items (only product names sent)
  • Polar: To process subscription payments (we never see your card details)
  • Clerk: For authentication and account management
  • Resend: For transactional emails (sync notifications, account alerts)
  • Vercel: For application hosting
  • Supabase: For database hosting (PostgreSQL)
  • Inngest: For background job processing

Your Data Rights

Regardless of where you live, you have the right to:

  • Access: Download a complete copy of your data at any time
  • Rectification: Correct inaccurate data by contacting us
  • Deletion: Delete your account and all associated data
  • Portability: Export your data in JSON format
  • Withdraw consent: Disconnect services at any time from your dashboard

For California residents (CCPA): We do not sell your personal information.

For EU/UK residents (GDPR): Our legal basis for processing is your consent when connecting services, and legitimate interest for service operation.

Data Deletion

You can disconnect Gmail or YNAB at any time from your dashboard. This immediately deletes the associated OAuth tokens. To delete all your data including order history, delete your account through Clerk's account management. All data is removed via cascading deletion.

Security

We protect your data with:

  • AES-256-GCM encryption for OAuth tokens at rest
  • HTTPS/TLS for all data in transit
  • Server-side authorization ensuring you can only access your own data
  • Database hosted on Supabase (PostgreSQL) with encrypted connections
  • Regular security audits and dependency updates

Contact

For privacy-related questions or to exercise your data rights: