Legal

Privacy Policy

Your privacy matters. Here's exactly what data we collect, why we collect it, and how we protect it.

Last updated: 20 March 2026

The short version: StuFin is a manual-entry finance tracker. We do not connect to your bank. We do not sell your data. We do not run advertising. We collect only what's needed to run the service and keep your account secure.

1. Overview

This Privacy Policy explains how StuFin (“we”, “us”, or “our”) collects, uses, and safeguards information about you when you use our web application at stufin.starkandco.site (“Service”).

StuFin is a personal project operated by Dylan, a student developer based in Melbourne, Australia. We are committed to handling your personal information responsibly and in accordance with the Australian Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Data We Collect

We collect information in two ways:

A. Information you provide directly

  • Account information: your email address and a hashed password (or OAuth provider identifier if you sign in with Google)
  • Financial data: asset balances, account values, income/expense entries, net worth snapshots, and check-in records that you manually enter
  • Communications: if you contact us via email, we retain those messages for support purposes

B. Information collected automatically

  • Log data: IP address, browser type, pages visited, and timestamps — used for security monitoring and debugging
  • Session data: authentication session tokens necessary for keeping you logged in

We do not collect bank account numbers, card details, tax file numbers, or any other sensitive financial identifiers. All figures are manually entered by you.

3. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the StuFin service
  • Authenticate you and keep your account secure
  • Display your financial data back to you within the application
  • Respond to your support requests or enquiries
  • Detect and prevent fraud, abuse, or security incidents
  • Comply with legal obligations

We do not use your financial data to build advertising profiles, train machine-learning models, or benchmark you against other users.

4. Data Storage & Security

Your data is stored on servers in a cloud environment. We implement industry-standard security measures including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Password hashing using bcrypt — we never store plaintext passwords
  • Access controls limiting who can access production data

While we take security seriously, no system is perfectly secure. We cannot guarantee absolute security and encourage you to use a strong, unique password.

We retain your account and financial data for as long as your account is active, or as needed to provide the service. If you request account deletion, we will delete your data within 30 days, except where retention is required by law.

5. Data Sharing

We do not sell, rent, or trade your personal information.

We may share data only in the following limited circumstances:

  • Service providers: third-party providers (e.g., cloud hosting, authentication) who access data only as necessary to provide their services and are bound by confidentiality obligations
  • Google OAuth: if you sign in with Google, we receive your name and email address from Google in accordance with Google's own privacy policy
  • Legal requirements: if required by law, court order, or government authority
  • Business transfer: if the service is ever sold or transferred, your data may be transferred as part of that transaction, with prior notice to you

6. Cookies & Tracking

StuFin uses a minimal number of cookies strictly necessary to operate the service:

  • Session cookies: to keep you authenticated between page loads
  • CSRF protection tokens: to protect against cross-site request forgery attacks

We do not use advertising cookies, cross-site tracking cookies, or analytics platforms that profile individual users (e.g., Google Analytics is not currently deployed on StuFin).

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate data
  • Deletion: request deletion of your account and associated data
  • Portability: request your financial data in a machine-readable format
  • Objection: object to certain types of processing

To exercise any of these rights, contact us at stufinsupport@gmail.com. We will respond within 30 days.

If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

8. Children's Privacy

StuFin is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13 without parental consent, we will promptly delete it. If you believe we may have such information, please contact us at stufinsupport@gmail.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. Material changes will be communicated via email or a prominent in-app notice.

Your continued use of StuFin after any changes constitutes acceptance of the updated policy.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please reach out:
