Privacy
BillTracker is designed to run on infrastructure you control. It does not use hosted analytics, advertising, or telemetry.
Data Stored Locally
Depending on the features you use, SQLite may contain:
- Usernames, password hashes, OIDC identifiers, sessions (stored as SHA-256(token), not the raw cookie value, since v0.37), and recent login metadata
- Display names, TOTP secrets and recovery codes, WebAuthn credentials and challenges (encrypted at rest)
- Bills, categories, monthly overrides, notes, debt fields, autopay trust timestamps, and cancellation reasons
- Payments, including autopay-failure flags and per-payment interest deltas
- Summary planning values and user preferences (including the per-user `search_bars_collapsed` and `display_name`)
- Imported accounts and transactions, including the per-user `user_catalog_descriptors` for custom bank payee strings
- Encrypted SimpleFIN access URLs, SMTP passwords, OIDC client secrets, and push notification tokens
- Encrypted login history (IP, user agent, city, region, country, ISP) when a user has enabled login geolocation in Profile
- Calendar feed tokens (hashed)
- Import history, notifications, settings, and audit records
Managed database backups are stored on the server filesystem. User exports are generated on request.
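The list above notes that session tokens are stored as SHA-256(token) rather than the raw cookie value, and that calendar feed tokens are likewise stored hashed. The following is an added illustration of that pattern, not BillTracker's own code: the table name, column names and the `kind` column are assumptions, and the store is an in-memory SQLite database so it runs offline. The point it makes is that a copy of the database (for instance a downloaded backup) contains only digests, which cannot be presented back to the app as a cookie or feed URL.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema for this example; BillTracker's real table layout is not
# documented on this page. One table holds both session and feed tokens,
# distinguished by `kind`, because the storage rule is the same for both.
SCHEMA = """
CREATE TABLE IF NOT EXISTS hashed_tokens (
    token_hash TEXT PRIMARY KEY,
    kind       TEXT NOT NULL,   -- 'session' or 'calendar_feed'
    user_id    INTEGER NOT NULL,
    expires_at TEXT NOT NULL    -- ISO 8601, UTC
);
"""


def hash_token(token: str) -> str:
    """SHA-256 of the raw token, hex-encoded; this is the only form persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn: sqlite3.Connection, kind: str, user_id: int,
                ttl: timedelta = timedelta(hours=12)) -> str:
    """Create a random token, store only its hash, and return the raw token.

    The raw value goes to the client (Set-Cookie, or the feed URL the user
    copies) and is never written to the database.
    """
    token = secrets.token_urlsafe(32)          # 256 bits of entropy
    expires_at = (datetime.now(timezone.utc) + ttl).isoformat()
    conn.execute(
        "INSERT INTO hashed_tokens (token_hash, kind, user_id, expires_at) "
        "VALUES (?, ?, ?, ?)",
        (hash_token(token), kind, user_id, expires_at),
    )
    conn.commit()
    return token


def resolve_token(conn: sqlite3.Connection, kind: str, presented: str):
    """Return the owning user_id for a presented raw token, or None.

    Lookup is by exact equality on the digest. Because the token itself is a
    256-bit random value, the digest behaves like an opaque index and the
    comparison does not need to be constant-time.
    """
    row = conn.execute(
        "SELECT user_id, expires_at FROM hashed_tokens "
        "WHERE token_hash = ? AND kind = ?",
        (hash_token(presented), kind),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    if datetime.fromisoformat(expires_at) <= datetime.now(timezone.utc):
        return None
    return user_id


def raw_token_present(conn: sqlite3.Connection, token: str) -> bool:
    """True only if the raw token leaked into storage; should always be False."""
    row = conn.execute(
        "SELECT 1 FROM hashed_tokens WHERE token_hash = ?", (token,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    store = open_store()
    cookie = issue_token(store, "session", user_id=7)
    feed = issue_token(store, "calendar_feed", user_id=7, ttl=timedelta(days=365))
    print("session resolves to user", resolve_token(store, "session", cookie))
    print("feed resolves to user", resolve_token(store, "calendar_feed", feed))
    print("raw session token in DB?", raw_token_present(store, cookie))
```

A consequence worth noting for operators: because only digests are stored, a user who loses a feed URL cannot have it recovered from the database; the app has to issue a new one.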
Optional External Communication
| Service | When used | Data involved |
|---|---|---|
| SimpleFIN Bridge | A user connects bank sync | Setup token exchange, encrypted stored access URL, accounts, and transactions |
| OIDC provider | An admin enables OIDC login | Browser login redirects and identity claims |
| SMTP server | An admin enables reminders | Configured recipient address and bill reminder content |
| Repository API | The app checks release status | Running app version and standard HTTP request metadata |
| ip-api.com (per-user opt-in) | A user enables Login geolocation in Profile → Privacy (default off) | A one-shot GET /json/{ip} request on new-device login. Disabled by default; no outbound call is made and no location data is stored when the user's toggle is off. |
BillTracker does not send bill data to a hosted BillTracker service.
Admin And Operator Access
The protected bootstrap admin cannot browse user bills or payments through the normal application UI. Admins can manage users, configuration, backups, and maintenance.
A server operator with filesystem access, or an admin who downloads a full database backup, can inspect SQLite data outside the app. Treat host and backup access as sensitive.
Export And Deletion
Users can export their own SQLite dataset and an Excel workbook from the Data page. Admins can create full database backups. Users and admins can remove data through the available UI actions, and operators can remove the persisted volume when decommissioning an installation.
Protect Your Data
- Restrict access to the mounted data directory.
- Use HTTPS for the app and protected channels for backup transfer.
- Store downloaded backups and exports on encrypted media where appropriate.
- Review optional integrations before enabling them.
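The first bullet asks operators to restrict access to the mounted data directory, since anyone who can read the SQLite file and backups can inspect the data outside the app. The check below is an added example, not part of BillTracker, that an operator could run against the data directory (the path is an assumption; pass your own): it walks the tree and reports every file or directory whose mode grants group or other access, on the premise that only the service account should reach it.

```python
import os
import stat
from pathlib import Path


def permission_findings(data_dir: str) -> list[str]:
    """Report entries under data_dir readable, writable or traversable by
    group or other. An empty list means only the owner has access.

    Symlinks are reported rather than followed, so a link pointing outside
    the volume cannot widen the scan or hide a loose target.
    """
    root = Path(data_dir)
    if not root.is_dir():
        return [f"{root}: not a directory"]

    findings: list[str] = []
    for entry in [root, *root.rglob("*")]:
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{entry}: symlink inside data directory")
            continue
        loose_bits = st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)
        if loose_bits:
            findings.append(
                f"{entry}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access"
            )
    return findings


def tighten(data_dir: str) -> int:
    """Remove group/other bits from everything under data_dir (owner bits kept).
    Returns the number of entries changed. Skips symlinks."""
    changed = 0
    root = Path(data_dir)
    for entry in [root, *root.rglob("*")]:
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        current = stat.S_IMODE(st.st_mode)
        wanted = current & stat.S_IRWXU
        if wanted != current:
            os.chmod(entry, wanted)
            changed += 1
    return changed


if __name__ == "__main__":
    # Assumed mount point; adjust to where the volume is actually mounted.
    for line in permission_findings("/data/billtracker"):
        print(line)
```

The same check applies to the directory where downloaded backups and exports are kept before they are moved to encrypted media.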
Next steps
- Read the security model in Security.
- Tune your login privacy in Profile and Login Privacy.
- See how backups are stored in Back Up and Restore.