Privacy Policy

Last updated: May 1, 2026

🔑 Zero-Knowledge Encryption Summary

Your financial data (debts, balances, budgets, AI results) is encrypted in your browser before it is ever sent to our server. We store only the encrypted ciphertext. We cannot read your financial data. Your encryption phrase is never transmitted to or stored by us.

1. What this service is

DebtExpeditor is a self-hosted debt consolidation and financial planning tool. "Self-hosted" means the operator (the person running the server) and the user (you) may be the same person, or the operator may be a third party providing you with access to their deployment. This policy covers all deployments.

2. Data we store on the server

We store the following categories of data on our servers:

Account & authentication data (plaintext):

Email address
Hashed password (bcrypt, never stored in plaintext)
Display name
Account creation date
Your unique account UUID — this acts as the cryptographic salt for your encryption key. It is not a secret by itself.
Login timestamps and email verification records
AI request logs (timestamps only — no content)

Financial data (encrypted ciphertext only):

Debt records (names, balances, interest rates, payment amounts)
Budget items (income and expense categories and amounts)
Consolidation scenarios
Income projection events
AI recommendations and chat messages

All items in the second category are encrypted with AES-256-GCM using a key that only you hold. The server receives and stores opaque ciphertext. We have no ability to decrypt this data.

3. How the encryption works

When you set up your account, you choose a personal encryption phrase — a memorable word or sentence. This phrase is combined with your account UUID using PBKDF2 (310,000 iterations, SHA-256) to derive a 256-bit AES-GCM key. Each piece of data is encrypted with a unique random IV before being sent to the server.

Your encryption phrase is never sent to the server. It lives only in your browser (in sessionStorage, or localStorage if you choose "remember on this browser"). When you close your browser tab, the in-memory key is discarded and you will be asked to re-enter your phrase on your next visit.

To access your account from a different browser, you simply log in normally and then enter your encryption phrase when prompted. Your encrypted data is fetched from the server and decrypted locally using the key derived from your phrase + UUID.

4. AI processing

When you request AI-powered advice, the following happens:

Your browser decrypts your financial data locally.
The decrypted data is sent to our server in transit (over HTTPS) to be forwarded to the OpenAI API.
We do not log or store the plaintext data on our server. It exists in server memory only for the duration of the API call.
OpenAI processes the request according to their own privacy policy.
The AI response is returned to your browser and encrypted before being stored.

⚠️ When using AI features, your financial details are temporarily processed by OpenAI. If you are concerned about this, you may use DebtExpeditor without the AI features — all calculations and projections run entirely in your browser and never leave your device.

5. What happens if you forget your encryption phrase

There is no password reset for your encryption phrase. Because we do not store the phrase, we cannot recover it for you. If you forget your phrase:

Your existing encrypted data on the server becomes permanently inaccessible.
You can request that we delete all your stored data via your account settings. You would then start fresh with a new phrase.
If you still have access to a browser where you are logged in, you can view your current phrase under Account Settings → Encryption.

6. Your data rights

You may, at any time:

Export or view all your data (it will be returned encrypted; your phrase is needed to read it).
Request full deletion of your account and all associated data from your account settings page.
Contact the operator of your DebtExpeditor deployment to exercise any additional rights under applicable data protection law.

7. Cookies

We use a single session cookie (debtcon_session) to maintain your login state. This cookie is HttpOnly, SameSite=Lax, and Secure in production. It contains only your session credentials — no financial data. It expires after 7 days of inactivity.

We do not use third-party tracking cookies, advertising cookies, or analytics services.

8. Third-party services

OpenAI — Used for AI-powered advice (optional). Data sent to OpenAI is subject to OpenAI's Privacy Policy.
Cloudflare Turnstile — Optional CAPTCHA to prevent automated account creation. Subject to Cloudflare's privacy policy.

9. Security

All connections use HTTPS/TLS. Passwords are hashed with bcrypt (cost factor 12). Financial data is encrypted with AES-256-GCM. We do not store credit card numbers or bank account credentials. DebtExpeditor only stores data you manually enter.

10. Contact

For privacy questions or data deletion requests, contact the operator of your DebtExpeditor deployment. If you are running a self-hosted instance, you are the operator.

← Back to home