Privacy Policy - Budget Hub

Privacy Policy

Last updated: February 11, 2026

Version: 2026-05-17 · Effective date: 17 May 2026 · Last reviewed by Information Officer: 17 May 2026

This Privacy Policy explains how Budget Hub (“Budget Hub”, “we”, “us”, “our”) processes your personal information in compliance with the Protection of Personal Information Act 4 of 2013 (“POPIA”). It applies to www.budget-hub.com and any associated services we operate.

By creating an account, you agree to the processing of your personal information as described below. You may withdraw your consent at any time — see Your rights below.

1. Who is responsible for your personal information?

Budget Hub is the “responsible party” under POPIA (the equivalent of “controller” in GDPR).

Operator: Budget Hub (sole proprietor, Dalton Marhufu)
Address: Available on request via [email protected] (operating in South Africa)
Website: www.budget-hub.com
General contact: [email protected]

2. Information Officer

Your privacy and POPIA queries should be directed to our Information Officer:

Name: Dalton Marhufu
Email: [email protected]
Information Regulator registration: Pending — we will update this entry once the registration number is issued.

3. What personal information we collect

Category | Examples | Source
Account information | Username, email address, password (hashed), account type (personal/business) | You, at signup
Profile information | Theme preference, notification preferences, optional profile picture | You, in settings
Financial information | Income, expenses, savings goals, investments, business revenue, budgets — stored encrypted with a key derived per user | You, as you use the service
Bank statement uploads | CSV statements you import (parsed into transactions, then the source file is discarded) | You, when importing
Receipt images (Business) | Photos of receipts you upload for OCR | You, when scanning
Subscription / payment information | Plan, billing cycle, PayFast subscription token, payment history. We do not store full card numbers or CVV — these are handled by PayFast. | PayFast (on your payment)
Communication data | Messages you send to support, your email replies | You
Technical data | IP address, browser type, device identifiers, pages visited, timestamps | Automatically collected on each request
Security audit data | Login events, failed login attempts, financial-data access events, IP / user-agent of each event | Automatically logged for fraud / compliance monitoring
Consent records | Each time you accept the Privacy Policy or Terms: version, timestamp, IP, user-agent | Recorded on each acceptance

Budget Hub does not intentionally collect “special personal information” as defined in section 26 of POPIA (race, religion, health, biometrics, criminal history, etc.). Please do not submit such information.

4. Why we process your personal information (purpose)

We process personal information only for these purposes:

  • To create and maintain your account and authenticate you (account, profile, technical, audit data)
  • To deliver the core service — tracking your income, expenses, goals, investments, and business finances (financial data)
  • To process your subscription payments and renewals (subscription, payment data)
  • To send you transactional emails (account verification, password change, payment receipts, security alerts)
  • To detect, investigate, and prevent fraud and security incidents (technical, audit data)
  • To comply with our legal obligations under POPIA and South African tax / consumer law
  • To improve the service (aggregated, de-identified usage analytics — only if you have consented to analytics cookies)
  • To respond to your support requests (communication data)

5. Legal basis for processing

Under POPIA section 11, we process personal information on these grounds:

  • Your consent — given when you signed up and re-confirmed when we update this policy. You may withdraw consent at any time.
  • Performance of a contract — processing necessary to deliver the service you signed up for.
  • Compliance with a legal obligation — e.g. retaining payment records as required by South African tax law.
  • Our legitimate interests — fraud prevention, network and information security, and protecting our rights, balanced against your privacy.

6. Who we share your information with (operators / processors)

POPIA calls third parties that process personal information on our behalf “operators”. We have written agreements with each operator that bind them to confidentiality and security obligations consistent with POPIA.

Operator | Purpose | Data shared | Location
Supabase Inc. | Database hosting (PostgreSQL) | All account and (encrypted) financial data | European Union (Ireland / UK)
Vercel Inc. | Application hosting | Server logs, request metadata, IP addresses | European Union (primary) / United States (edge)
PayFast (Pty) Ltd | Subscription payments | Name, email, payment amount, subscription token. Card data goes directly to PayFast — we never see it. | South Africa
Brevo (Sendinblue SAS) | Transactional email delivery | Email address, message content (account / payment / security notifications) | European Union
Functional Software Inc. (Sentry) | Error and performance monitoring | Anonymous error reports, request paths. PII is filtered before sending (send_default_pii=False). | United States
Google LLC (Cloud Vision API) | Receipt OCR for business accounts | The receipt image you upload, only at the moment of scanning | United States
OpenRouter (NewLight Industries Inc.) | AI-powered insight generation | De-identified, pre-summarised financial facts (no names, no transaction descriptions, no bank details). Raw transactions are never sent. | United States
Cloudflare Inc. (Turnstile) | Bot / abuse detection on sign-up | IP address, browser challenge data | Global (CDN), data processed primarily in the US
Google LLC (Analytics) | Aggregated visitor analytics — only if you have accepted analytics cookies | Anonymised page views, device type, country | United States

We do not sell your personal information. We do not share it with advertisers. We share it with operators only as listed above, and only with regulators or law enforcement when legally required.

7. Cross-border transfer (POPIA section 72)

Some of the operators above are outside South Africa. Where this happens, we rely on one or more of the following bases under POPIA section 72:

  • Your consent — given when you accept this Privacy Policy. By signing up you specifically consent to the transfer of your personal information to the operators listed in section 6 above, in the jurisdictions shown.
  • Adequate level of protection — transfers to operators in the European Union are protected by the GDPR, which the Information Regulator recognises as substantially similar to POPIA.
  • Contractual safeguards — transfers to operators in the United States are governed by data processing agreements that impose POPIA-equivalent obligations, including confidentiality, security, and breach notification.
  • Necessary for performance of the contract with you — e.g. processing your payment via PayFast or sending you a receipt via Brevo.

8. How we keep your information secure (safeguards)

  • Encryption in transit: TLS 1.2+ enforced site-wide; HSTS with preload.
  • Encryption at rest: Financial fields are encrypted with a per-user key derived using PBKDF2 + Fernet before being written to the database. A database breach alone does not expose your financial data.
  • Authentication: Passwords hashed with Django’s PBKDF2 algorithm. Rate limits on login, signup, and password reset. Optional Google OAuth.
  • Session security: HTTP-only cookies, SameSite restrictions, IP / user-agent change detection.
  • Audit logging: Sensitive actions (login, financial updates, deletions) are logged with timestamp, IP, and user agent.
  • Content Security Policy with hash-based script and style whitelisting to mitigate XSS.
  • Bot / abuse protection via Cloudflare Turnstile on signup.
  • Limited internal access: only the Information Officer can access raw user data, and only when responding to a support or compliance request.

9. How long we keep your information (retention)

Data category | Retention period
Account, profile, and financial data | For as long as your account is active.
Account after you request deletion | Hard-deleted within 30 days.
Account where consent has been withdrawn but not deleted | Frozen (no further processing). Deleted automatically after 180 days of inactivity if you do not return.
Payment / subscription records | Retained for 5 years after the tax year in which the transaction occurred, as required by South African tax law.
Audit logs (security events) | Retained for 12 months, then pruned.
Consent records | Retained for the life of your account plus 5 years, as evidence of lawful processing under POPIA.
Receipt images sent for OCR | Not stored by us. Sent to Google Cloud Vision at the moment of scanning; only the parsed text is kept.
Server logs | Retained by our hosting provider (Vercel) for up to 30 days.

10. Your rights

Under POPIA sections 23–25 you have the right to:

  • Access — ask us to confirm what personal information we hold about you and request a copy. Use the “Export my data” button in your account settings to download everything in JSON format.
  • Correction — ask us to correct inaccurate or incomplete information. You can edit most fields yourself in your account.
  • Deletion — ask us to delete your account and personal information. Use the “Delete account” button in your account settings, or email the Information Officer.
  • Object — to processing of your personal information on reasonable grounds.
  • Withdraw consent — at any time. If you withdraw consent we will stop processing your data, but we may need to retain certain records to comply with legal obligations (e.g. tax records).
  • Lodge a complaint with the Information Regulator (see section 14).

We will respond to your request within 30 days. If your request is complex we may extend by a further 30 days and let you know why. We do not charge a fee for reasonable requests.

11. Cookies and similar technologies

We use cookies in three categories. You control them via the cookie banner that appears on your first visit, or by clearing cookies in your browser.

Category | Purpose | Consent required?
Essential | Authentication, session, CSRF protection, cookie-preference itself | No — the service cannot function without these.
Analytics | Google Analytics — aggregated traffic measurement | Yes — loaded only if you accept the analytics cookie.
Marketing | We do not currently set marketing cookies. | n/a

12. Children

Budget Hub is intended for users aged 18 and older. We do not knowingly collect personal information from children. If you believe a child has signed up, please contact the Information Officer and we will delete the account.

13. Direct marketing

Under POPIA section 69, we will only send you direct marketing communications (newsletters, product tips, promotions) if you have given your explicit opt-in consent. Transactional emails (verification, payment receipts, security alerts) are sent as part of the service and are not marketing.

You can opt out of marketing at any time via the unsubscribe link in every marketing email, or by emailing the Information Officer.

14. Complaints to the Information Regulator

If you believe we have processed your personal information unlawfully you may lodge a complaint with the Information Regulator of South Africa:

Website: https://inforegulator.org.za/
Email (general): [email protected]
Email (POPIA complaints): [email protected]
Postal: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

We would appreciate the chance to address your concern directly before you escalate — please contact our Information Officer first.

15. Data breaches

If we become aware that your personal information has been accessed or acquired by an unauthorised person, we will notify you and the Information Regulator within 72 hours, as required by POPIA section 22, unless law enforcement instructs us to delay.

16. Changes to this policy

When we make material changes to this policy we will bump the version number at the top, email you, and ask you to re-accept the updated policy the next time you log in. Minor clarifications may be made without re-acceptance.

17. Contact

For privacy queries: [email protected]
For general support: [email protected]

© 2026 Budget Hub. All rights reserved.