Privacy Policy
Last updated: 2026-06-10
Granary is a personal-finance and retirement-planning tool. We take privacy seriously because the data you give us is sensitive — net worth, income, medical costs, family details. This document describes exactly what happens to that data.
1. What we collect
- Financial data you enter: portfolio, income, expenses, assets, debts, goals, medical, family. Synced to Google Firestore behind your account so your plan follows you across every device you sign in on. Cached locally in your browser for speed and offline reads.
- Account metadata: signup date, founding-member status, schema version. Used to drive the app, never sold.
- Subscription state: which plan you're on, billing status. Provided by Stripe or Square via secure webhooks. We never store your card details.
- Email address: only if you sign up with Firebase email auth. Used for login and for backup emails (when enabled).
2. What we don't collect
- Card numbers (Stripe / Square handle these directly).
- Bank account credentials (we never ask).
- Behavioral analytics that fingerprint you. Page views are counted anonymously and in aggregate via our hosting provider (Vercel Web Analytics) — no cookies, no cross-site tracking, and the data is never sold. We don't use Google Analytics.
- Marketing trackers from social networks.
3. Where data lives
- Your browser (localStorage + IndexedDB) — a local cache so reads are instant and the app works briefly offline. The cloud copy in Firestore is the source of truth.
- Google Firestore (Firebase, US-based) — when you're signed in, your data is synced here so it follows you across devices. Per-user isolation is enforced by Firestore security rules: only the authenticated owner of an account can read or write that account's data, verified by the rules in our repository.
- Stripe / Square — billing data only (subscription status, customer ID, period end). We never see or store your card details.
- Resend (when configured) — for backup-export emails and transactional notifications. We send only what you request; we don't send marketing.
Local-only mode: if you turn on local-only storage in Settings → Data & Sync, your financial data stays on your device and is not synced to Firestore. Your email address is still used for sign-in and billing, and the app makes one cloud read — your subscription status — when it loads. Cloud copies that existed before you switched are kept until you delete them from the same Settings card. Daily backup emails are always opt-in; if you opt in, each backup sends your data through our email service. AI features are also opt-in per run — local-only mode controls where your data is stored, and running an AI analysis is a separate, explicit choice that sends a snapshot off your device (see "AI features" below).
4. Encryption
- In transit: all traffic between your browser and Firestore is encrypted with TLS.
- At rest: Google encrypts all Firestore data at rest with AES-256.
- Application-level encryption (a layer on top of TLS and Google's at-rest encryption): live. When you use a Cloud account, your financial records are encrypted in your browser with a per-user data key (AES-256-GCM) before they are written to our database. That key is wrapped by a server-side master key and is never stored in your browser — it is held in memory only for the duration of your session. In plain terms: what sits in the database is ciphertext, and a breach of the database alone would not expose your numbers. One honest caveat: if encryption hasn't finished initializing — for example, on the very first write of a session, before your key has arrived — a record may be stored unencrypted until your next save re-writes it encrypted. We are closing this edge case. Because the master key lives on our servers, Granary engineers with admin access could technically reconstruct a user's data key; we do not access user data except to investigate a support request you initiate, and we log all such access.
5. AI features
What's sent: when you run an AI feature (AI Insights, What-If advice, AI CSV mapping, or AI categorization), Granary sends the relevant financial snapshot — the same numbers you see in the app, without your name or email — to Google's Gemini API via our server. When: only when you explicitly run an AI feature; nothing is sent in the background, and the first run on each device asks you to confirm. Retention: Granary doesn't store the snapshot and doesn't retain AI request history; we also strip email and IP from error reports before they reach Sentry. Once the snapshot reaches Google, processing is subject to Google's API terms — we can't independently verify how Google handles data on the API tier we use, so if that tradeoff isn't acceptable to you, simply don't run the AI features; the rest of the app works without them.
6. Sharing
We do not sell, rent, or share your personal data. Specific exceptions:
- Service providers (Firebase, Stripe / Square, Gemini, Resend) acting on our behalf, bound by their own privacy policies.
- If required by law (court order, subpoena). We will fight any over-broad request.
7. Your rights
- Access: download a full JSON backup of your data at any time from Settings → Backup.
- Deletion: Settings → Data Management → Delete my account permanently wipes localStorage, IndexedDB, Firestore, and your Firebase auth account.
- Correction: edit anything in the app; changes are immediate.
- Portability: the JSON backup is in a documented schema; you can take it elsewhere.
8. Cookies
Granary uses no advertising cookies. We use a small number of strictly necessary cookies / localStorage entries to keep you signed in and remember your preferences (theme, dashboard layout). Our page analytics (Vercel Web Analytics) are cookie-free.
9. Contact
Privacy questions: Everyoneneedsasamwise@gmail.com. We respond within 5 business days.
This is a good-faith summary, not legal advice. The latest revision applies to all use of the service from the date noted above.