Your FamSpend data is your data: it belongs to you, it's exportable, and we host it in the simplest, most standard way possible. No cloud magic, no esoteric architectures — a PostgreSQL database on a managed EU provider.
What's in your data
| Data | Example | Sensitive? |
|---|---|---|
| Account email | you@example.com | Medium |
| Signup name | First and last name | Low |
| Password (hashed) | bcrypt hash, not recoverable | High, but protected |
| Workspace | Workspace name | Low |
| Cost Centers | Names, icons, colors | Low |
| Planned expenses | Title, amount, due date, Center | Medium |
| Paid expenses | + payment date, final amount | Medium |
| Associated people | Names (and email if member) | Low/medium |
| App usage history | When you logged in, from what IP | Medium |
What's NOT there (deliberately)
- Bank balances — we don't ask, we don't know
- Current account number — not stored
- Credit card number — not stored
- Uploaded documents (e.g. PDF bills) — the AI Helper extracts the fields and then discards the PDF: we don't keep it
- Conversations with the AI Helper — they live on ChatGPT (OpenAI's servers), not on FamSpend
Where your data is hosted physically
- Database — Supabase Cloud (managed PostgreSQL, EU Frankfurt region). Data at rest is AES-256 encrypted by the provider.
- Web app — Vercel (EU Frankfurt primary, global fallback for static assets). Servers process requests and keep no persistent data.
- Transactional email — Resend (EU provider). The emails you receive (signup confirm, invites, notifications) go through here — not your spending data.
All providers are GDPR-compliant and have signed standard DPAs with FamSpend.
Data transmission: HTTPS always
All traffic between your browser/app and our servers goes only over HTTPS (TLS 1.3). There is no HTTP fallback, so no clear-text data ever crosses a public network.
If you're on an open public Wi-Fi, using FamSpend is safe: the connection is encrypted, and others on the same network cannot read it.
Who can see what
| Who | Sees what |
|---|---|
| You | All your data, always |
| Members of your workspace | All shared workspace data, per their role (see Roles) |
| Other FamSpend users (in other workspaces) | Nothing. Zero access to your data. |
| FamSpend team | Only metadata strictly necessary for support and debugging — and only after your explicit support request |
| Subprocessors (Supabase, Vercel, Resend) | Data strictly necessary for their service. None of them resells your data |
Backup and disaster recovery
- Daily automated backups of the database, 30-day retention
- Point-in-time restore to any minute in the last 7 days
- Disaster recovery: if the primary Frankfurt datacenter goes down, the standby in another region picks up traffic in under 1 hour
Backups are encrypted and not accessible to third parties.
Data export (portability)
To request a full workspace export (expenses, income, Centers, people, payment history) write to privacy@famspend.io. We'll respond within 72 hours with the file. A self-service "Export data" function in settings is on the roadmap.
Account deletion
From Settings → Delete account:
- Workspaces where you're the only admin are permanently deleted (with double explicit confirmation)
- In workspaces where you're a member, you're removed (the workspace stays, managed by other admins)
- Email, password hash and account name are deleted
- Backups are purged within 30 days (for disaster-recovery safety)
From that moment your data no longer exists in the live database; it disappears from backups as they expire, within 30 days at most.
GDPR compliance
FamSpend respects GDPR rights:
- Right of access → data export on request to privacy@famspend.io
- Right to rectification → edit data anytime in the app
- Right to erasure → account deletion anytime in settings
- Right to portability → export on request (CSV/JSON format)
- Right to object → marketing email opt-out
- DPO → reachable at privacy@famspend.io
Technical security
- OAuth tokens with scoped permissions for integrations like the AI Helper (see Revoking a connected app)
- Row Level Security on PostgreSQL — workspaces are isolated at DB level, not just at application level
- Hashed passwords (bcrypt) — not recoverable in clear text
On the roadmap: optional 2FA, active session management, annual external pen-test.
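To make the "isolated at DB level" claim concrete, here is an added example of workspace isolation with PostgreSQL Row Level Security. It is not FamSpend's actual schema or policy code: the table and column names (workspaces, workspace_members, planned_expenses), the member_role helper and the roles 'admin'/'member' are assumptions for illustration. It does assume the Supabase auth.uid() helper, which returns the user id from the caller's JWT. The last block shows how to check, in psql, that a user outside a workspace sees nothing.

```sql
-- Added example, not FamSpend's schema. Names below are assumptions.
create table workspaces (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table workspace_members (
  workspace_id uuid not null references workspaces(id) on delete cascade,
  user_id      uuid not null,                 -- matches auth.uid()
  role         text not null check (role in ('admin', 'member')),
  primary key (workspace_id, user_id)
);

create table planned_expenses (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces(id) on delete cascade,
  title        text not null,
  amount       numeric(12, 2) not null,
  due_date     date
);

-- Helper: the calling user's role in a workspace, or NULL if not a member.
-- SECURITY DEFINER so the lookup works even if workspace_members itself has
-- RLS; the fixed search_path stops the function being hijacked by a lookalike
-- object in another schema.
create or replace function member_role(ws uuid)
returns text
language sql
stable
security definer
set search_path = public
as $$
  select m.role
  from workspace_members m
  where m.workspace_id = ws
    and m.user_id = auth.uid();   -- Supabase helper: user id from the JWT
$$;

-- Enable RLS. FORCE makes the table owner subject to the policies too.
-- With RLS on and no policy, every row is denied: that is the baseline.
alter table planned_expenses enable row level security;
alter table planned_expenses force row level security;

-- Any member of the workspace can read its expenses.
create policy expenses_select on planned_expenses
  for select using (member_role(workspace_id) is not null);

-- Members can only insert rows into a workspace they belong to.
create policy expenses_insert on planned_expenses
  for insert with check (member_role(workspace_id) is not null);

-- UPDATE needs both clauses: USING limits which rows may be touched,
-- WITH CHECK rejects an update that moves a row into someone else's workspace.
create policy expenses_update on planned_expenses
  for update
  using (member_role(workspace_id) is not null)
  with check (member_role(workspace_id) is not null);

-- Deleting is limited to admins of that workspace (role-based, per the Roles page).
create policy expenses_delete on planned_expenses
  for delete using (member_role(workspace_id) = 'admin');

-- Check in psql: impersonate a user who belongs to no workspace.
-- auth.uid() reads the JWT claims from the request.jwt.claims setting,
-- so a local set_config lets you exercise the policies without a real token.
begin;
set local role authenticated;   -- Supabase's role for signed-in users
select set_config('request.jwt.claims',
                  '{"sub": "00000000-0000-0000-0000-0000000000ff"}', true);
select count(*) from planned_expenses;          -- expected: 0 rows visible
insert into planned_expenses (workspace_id, title, amount)
  select id, 'Rent', 900 from workspaces limit 1;  -- expected: RLS violation
rollback;
```

The important design point is default deny: once RLS is enabled, a missing policy means no access, so a bug in the web app (a forgotten workspace filter in a query) exposes nothing. The WITH CHECK clause on updates is the part most often forgotten; without it a member could reassign a row's workspace_id to a workspace they cannot read.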
Known limits / things we DON'T do
- No client-side encryption of expense data — it is stored in clear text in the FamSpend database (protected only by the provider's encryption at rest). We don't offer zero-knowledge yet.
- No end-user self-hosting — FamSpend is a cloud service, we don't distribute the app to host at home. If this is a blocker for you, write to us.
Privacy contacts
For any GDPR request, doubt, or concern: privacy@famspend.io. A person answers, not a bot, within 72 business hours.