This page explains what data CoinSprout collects about you, why we collect it, who we share it with, and what control you have. We try hard to collect as little as possible and keep everything in your account under your control.
TL;DR
- We only collect the data you give us or that you produce by using the app.
- We never sell your data. We don’t run ads.
- Uploaded bank statements are processed by AI for parsing only. They are never used to train models.
- You can export all your data or delete your account at any time.
- We use Google Analytics 4, but only if you accept the cookie banner.
What we collect
Account information
When you sign up, we store your email address and a hashed password. If you add a display name or upload a profile picture, those are stored too.
Financial data you enter or upload
Accounts, transactions, budgets, goals, recurring templates, categorization rules, custom reports, FX rates, and any receipt images you attach to transactions — everything you create inside the app is stored in your CoinSprout account.
Uploaded bank statements
When you upload a bank statement (CSV, TSV, PDF, or image), the file is stored in CoinSprout file storage and sent to our AI provider for parsing. You can delete the file from your account at any time — and we recommend doing so once you’ve committed the parsed transactions.
Household activity
If you’re part of a household (joint accounts with a partner), we log material household events (joining, leaving, joint account creation, goal completion, unusually large transactions) to the household’s activity feed. These logs are visible only to household members.
Analytics (only if you opt in)
We use Google Analytics 4 to understand which pages are useful. The cookie banner on every page lets you accept or decline analytics — if you decline (or don’t respond), no GA4 script is loaded at all. If you accept, GA4 stores a client-side identifier in a cookie and sends pageview and interaction events to Google. GA4 is configured with IP anonymization.
What we do NOT collect
- We don’t access your bank accounts directly. You upload statements; we don’t connect via Plaid or any bank API.
- We don’t collect your contact list, location, or device sensors.
- We don’t use fingerprinting, behavioral ad profiles, or cross-site tracking.
How we use the data
- To run the service. Your financial data is used to show you dashboards, reports, budgets, goals, and net worth.
- To parse statements. Uploaded files are sent to our AI provider to extract transactions. Processing is per-upload; nothing is retained by the AI provider for training.
- To send digests you opted into. Weekly or monthly summary emails via AhaSend, only when you’ve enabled them in Settings.
- To improve the product. Aggregate, anonymized analytics — only if you’ve accepted the cookie banner.
Who we share data with (sub-processors)
These are the third-party services that process your data so that CoinSprout can function. Each is listed with the category of data they see.
- Convex (convex.dev/privacy) — hosts our database, file storage, authentication, and cron jobs. All account data, transactions, and uploaded statements are stored here.
- OpenAI (openai.com/policies/privacy-policy) — parses uploaded bank statements via GPT-4o. We send only the contents of the file you uploaded. OpenAI processes the request and returns structured data; per their API terms, inputs submitted through the API are not used to train their models.
- Vercel (vercel.com/legal/privacy-policy) — hosts the web app. Vercel sees HTTP requests, IP addresses, and response logs.
- AhaSend (ahasend.com/legal/privacy-policy) — sends opt-in digest emails. AhaSend sees your email address and digest content only if you’ve opted in.
- Google Analytics 4 (policies.google.com/privacy) — only loaded if you accept the cookie banner. Sees page views and interactions, not your financial data.
We use these services because it’s infeasible for a small product to operate all of this infrastructure in-house. We chose vendors with strong privacy track records. If we add a new sub-processor, we’ll update this page and — where possible — notify active users.
Where your data is stored
Your data is stored in data centres operated by the vendors above. Convex, Vercel, OpenAI, and Google Analytics primarily operate out of the United States. AhaSend operates out of the European Union. If you’re in the EU / EEA, your data may be transferred to the US for processing; we rely on the standard contractual clauses offered by each vendor to legitimize those transfers.
How long we keep data
- Account data: for as long as your account exists. Delete your account and it’s gone.
- Uploaded statement files: until you delete them. We recommend removing statements after commit.
- Receipt images: until you detach them from a transaction or delete the transaction.
- Analytics cookies: Google Analytics sets cookies with a default 14-month expiry; you can clear them at any time.
Your rights
You have the right to:
- Access your data — visible throughout the app, or exportable as JSON via the Settings page.
- Correct your data — editable through the app.
- Delete your data — via the “Delete account” flow in Settings. This permanently removes all transactions, accounts, budgets, goals, rules, and uploaded files.
- Port your data — the JSON export from Settings is a complete dump you can take elsewhere.
- Withdraw consent for analytics — clear your browser cookies or re-open the consent banner.
If you’re in the EU / EEA, you also have the right to lodge a complaint with your national data protection authority.
How we protect your data
- All traffic to and from CoinSprout is encrypted with TLS.
- Passwords are hashed with scrypt and never stored in plaintext.
- Every query and mutation performs access checks before returning or writing data — personal data stays private, household data stays scoped to its household.
- Sub-processors listed above encrypt data at rest.
Children
CoinSprout is not intended for children under 13 (or under 16 in the EU). We don’t knowingly collect data from children. If you believe we have, email us and we’ll delete the account.
Changes to this page
We’ll update this page when things materially change. The “Last updated” date at the top always reflects the current version.
Contact
Questions about privacy or data? Email [email protected].