# BalanceTab — Privacy Policy

_Effective 2026-04-25. Last updated 2026-04-25._

This privacy policy explains what personal information BalanceTab collects, how we use it, and the choices you have. BalanceTab is a service provided by [Provider name to fill] (the "Operator"). Reach us at **privacy@learnature-ly.com**.

## 1. Who this covers

BalanceTab is used by:
- **Adults (16+)** for shared expense management, time-tracking and family budgeting.
- **Children (under 16)** only when added by a parent or legal guardian who has provided **explicit prior consent** through the in-app COPPA / GDPR-K parental consent flow.

If you are a child, please ask a parent before signing up.

## 2. Data we collect

| Category | Data | Why we collect it | Retention |
|---|---|---|---|
| Account | Email, username, optional display name, password hash | Authentication | Until account deletion |
| Profile | Optional: birthdate (for age-gating only), language, preferences | Localization, COPPA gating | Until account deletion |
| Group activity | Transactions you create, balances, validations, redemption requests, sibling gifts | Core product feature | Until you delete the group or your account |
| Communications | Invitations, tier (palier) notifications, redemption alerts logged to `bt_notification_archive` | Triple-archive audit trail (DB + email + WhatsApp) that you can review in your Inbox | 24 months, then purged |
| Optional contact | Phone number (if you add one) | Sending you WhatsApp deep-links to settle debts or notify | Until you remove it |
| Local-only | Payment handles (Venmo/Revolut/Wise/PayPal/IBAN) when you save them via the "Pay via…" feature | Never sent to our servers — stored exclusively in your browser's localStorage | Lives in your browser only; clear browser data to remove |
| Technical | IP address, browser/device user-agent, request timestamps | Rate limiting, security audit, fraud detection | 12 months |

We **do not** sell, rent or trade your personal information. We **do not** show third-party ads.

## 3. Kids-points specifics

When a parent enables kids-points for a child, the following extra data is processed:

- **Source-of-points tagging** on every grant: which game / Memoriz session / chore / parent grant produced the points. Parents see this provenance breakdown when reviewing redemption requests so they can decide accordingly.
- **Activity events** from Games and Memoriz are forwarded to BalanceTab via an authenticated server-to-server hook (`/v1/activity-events/auto-process`). The kid's `user_id` is shared, plus the relevant game score / memorization grade. No biometric, audio or video data is shared.
- **Redemption requests** stored with a 7-day expiry and full audit trail (request, decision, parent_note, settlement transaction).
- **Sibling gifts** logged as a paired audit-trail debit/credit transaction.
- **Streak shields** (grace days for missed activity) stored per kid.

The system **never converts religious-act points (Quran review, dhikr, prayer streaks) directly to cash**. Parents always have the final say at redemption time and may counter-offer to preserve intrinsic motivation.

## 4. Triple-archive notifications

For every invitation, tier (palier) crossing, redemption decision and sibling gift, BalanceTab writes:
1. A **DB record** in `bt_notification_archive` (your `Inbox` view, accessible via `/me/inbox`).
2. An **email** queued to your stored email address (if any).
3. A **WhatsApp** message:
   - If the Operator has Twilio configured → automatic send via Twilio.
   - Otherwise → a **wa.me deep-link** is generated; clicking it opens your WhatsApp app with the message pre-filled. Nothing is sent without your click.

You can disable email and/or WhatsApp via your notification preferences. The DB record always exists for accountability; you can mark it read, or delete the entire archive when deleting your account.

## 5. Sharing with third parties

- **Hosting**: production server in [region to fill], Cloudflare for CDN/DDoS, MariaDB for storage.
- **Email delivery**: SMTP via [provider to fill].
- **WhatsApp**: only if Twilio is configured by the Operator. Otherwise WhatsApp messages are sent client-side from your device — Meta/WhatsApp's privacy policy applies to those.
- **Identity provider**: Learnature-ly Identity SSO for authentication (same Operator).
- **No analytics SDKs, no marketing pixels.**

## 6. Your rights (GDPR / CCPA / similar)

You can at any time:
- **Access** all data we hold about you: `GET /api/balance-tab/me` + `GET /me/inbox` + the BalanceTab UI.
- **Export** your data as JSON/CSV via the in-app `Export my data` button (DSAR endpoint).
- **Correct** profile data via `PUT /auth/profile`.
- **Delete** your account: `DELETE /me` — purges your transactions, redemptions, archive entries, and tombstones the row in 30 days.
- **Object** to processing — write to privacy@learnature-ly.com.
- **Withdraw consent** for kids-points specifically: a parent toggles kids-points off in `Group Settings`. Past data stays unless you also delete the group or the kid's account.

## 7. Security

- **TLS 1.2+** for all client-server traffic.
- **JWT-only auth** (HttpOnly cookie, algorithm-pinned, strong JTI, production secret guard requiring a signing secret of at least 32 characters).
- **CSRF protection** for all POST/PUT/PATCH/DELETE.
- **Rate limiting** on login (5/15min), signup (3/hour), API (100/hour), financial endpoints (20/60s).
- **Concurrent-session cap** of 10 sessions per account.
- **Stripe webhook idempotency** on subscription events.
- **Audit log** of every sensitive action (`audit_logs`).
- **Encrypted secrets** via SOPS (secrets committed to the repository live in `api/.env` in encrypted form).
- **Backups**: weekly encrypted DB snapshot.

If we suffer a breach affecting your data, we will notify affected users within 72 hours.

## 8. Cookies

We use only **essential cookies**:
- `bt_jwt` (HttpOnly, Secure, SameSite=Lax) — your login session.
- `learnature_token` — Identity SSO bridge.

No third-party cookies. No tracking pixels.

## 9. Changes to this policy

We will email you when we materially change this policy and post a banner in-app. Past versions are kept in `docs/legal/`.

## 10. Contact

privacy@learnature-ly.com — we respond within 7 working days.
