Privacy Policy

How Currents handles the data you trust us with. We've tried to write this in plain English.

Effective January 1, 2026

The short version

We collect what we need to run the product, nothing more. Your transactions, accounts, categories, and budgets are stored so you can use them — we never sell them, never use them for ads, never analyze them to train models. Limited operational data (IP, device fingerprint, recent sign-in events) is kept for security and abuse prevention. You can export everything as CSV anytime, and delete your account whenever you want.

1. Who we are

Currents is a personal finance tracker operated by an independent developer based in Dhaka, Bangladesh. For the purposes of data protection law, we're the data controller of your personal data. You can reach us at mdsabbirhowlader420@gmail.com.

2. Data we collect

We collect data in three categories:

Account data. When you sign up, we store your email address, your chosen name, and a hashed version of your password (we never see your actual password). If you sign in with Google, we store the email address and profile name Google sends us — nothing more.

Application data. The things you create in Currents: accounts, transactions, categories, budgets, and the notes and tags you attach to them. This is yours; it exists because you typed it. We store it so you can use the app.

Operational data. For security, abuse prevention, and debugging, we keep:

  • Sign-in events — IP address, user-agent string, and timestamp of each sign-in (successful and failed), for up to 90 days
  • Active session metadata — IP, user-agent, and last-seen time for every device you're currently signed into, until you sign out or revoke that session
  • Rate-limit counters — temporary counts per IP for login, signup, and password-reset endpoints, which expire within an hour

We do not run analytics on your application data. We don't track what categories you spend on, who you transact with, or what time of day you log expenses.

3. How we use it

We use the data we collect to:

  • Operate Currents — show you your data, run reports, send budget warnings, render charts
  • Send transactional emails — verification, password reset, new-device alerts, account-deletion confirmation
  • Protect your account and our service — detect unauthorized access, rate-limit abusive traffic, investigate security incidents
  • Comply with legal obligations when required

We don't use your data for advertising or to train machine learning models, and we never will. If we ever introduce features that change this, we'll ask for your explicit opt-in first.

4. Third parties we use

Currents is a small product and relies on a few infrastructure providers. The companies below process some of your data on our behalf:

  • MongoDB Atlas — primary database. Stores account data, application data, and operational data described above. Data is encrypted at rest and in transit.
  • Vercel — application hosting. Receives every HTTP request to Currents, including your IP and request metadata, as part of normal serving.
  • Resend — transactional email provider. Receives your email address and the contents of any email we send you (verification, password reset, security notifications).
  • Upstash — Redis provider used for rate limiting. Stores short-lived counters keyed by IP and email, expiring within an hour.
  • Cloudflare — provides Turnstile (CAPTCHA) on signup and password reset. Cloudflare receives a CAPTCHA challenge response and may briefly inspect your browser's fingerprint to distinguish humans from bots.
  • Frankfurter — provides historical foreign-exchange rates. We send only date and currency-pair queries; no user data is shared.

Each of these providers has its own privacy practices. We picked them in part because they don't mine the data we send them for unrelated purposes.

5. FX rates and external services

To convert transactions between currencies, we fetch daily exchange rate snapshots from Frankfurter (a free, open-source ECB-backed service). These requests include only a date and currency codes — they don't include your identity or any of your transactions. We cache rates locally in our database so the same rate isn't fetched twice.

6. Security

We take security seriously, especially because Currents handles financial information. Specifically:

  • Passwords are hashed with bcrypt before storage; we never see your plaintext password
  • All traffic is encrypted in transit with TLS
  • Sessions are bound to a cryptographically random, unique session identifier; changing your password immediately revokes every existing session
  • State-changing requests require a CSRF token (double-submit with HMAC signature)
  • Sign-in endpoints are rate-limited; signup and password reset require CAPTCHA
  • Security headers — Content Security Policy, HSTS, X-Frame-Options, Referrer-Policy — are sent on every response
  • We log every sign-in attempt and show you the log in Settings → Security
  • Unrecognized device sign-ins trigger an email alert

Read more on our Security page. If you find a vulnerability, please email mdsabbirhowlader420@gmail.com — we appreciate responsible disclosure.

7. How long we keep data

Application data (transactions, accounts, etc.) is kept for as long as your account exists. If you delete your account, we soft-delete it and keep your data for a 30-day grace period, in case you change your mind. After 30 days, all your data is permanently and irreversibly deleted by an automated job.

Operational data (sign-in events, session metadata) has shorter automatic retention:

  • Sign-in events are deleted after 90 days
  • Revoked sessions are deleted after 30 days
  • Inactive sessions are deleted after 90 days of no activity
  • Rate-limit counters expire automatically within an hour
  • Email verification tokens expire in 24 hours; password reset tokens in 1 hour

8. Your rights

Depending on where you live, you may have legal rights over your personal data. Currents gives every user these rights regardless of local law:

  • Access and export. You can export every transaction as a CSV file anytime from Settings → Data. Email us if you need a copy of your operational data (sign-in log, sessions).
  • Correction. Profile, regional, and preference data is editable directly from Settings.
  • Deletion. Settings → Data → Delete account starts a soft-delete with a 30-day grace period. After 30 days, all data is irreversibly purged.
  • Withdrawal of consent. Since we don't use your data for marketing or analytics, there's no consent to withdraw. If you want to stop using the service, delete your account.
  • Complaint. If you're in the EU, UK, or a similar jurisdiction, you can file a complaint with your local data protection authority. We'd appreciate hearing from you first so we can fix the issue.

9. Cookies and similar technologies

Currents uses a small number of cookies, all of them strictly necessary for the service to function:

  • Session cookie — your authenticated session, set by NextAuth. Expires in 30 days.
  • CSRF token cookie — protects against cross-site request forgery. Expires in 7 days.
  • Theme and preference cookies — remember your light/dark mode and hide-balance state.

We don't use cookies for advertising, behavioral tracking, or third-party analytics. Because all our cookies are strictly necessary for the app to work, we don't show a cookie consent banner — there's nothing optional to consent to.

10. Children

Currents is not intended for children under 13 (or under the minimum age of digital consent in your country, whichever is higher). We don't knowingly collect data from anyone in that age group. If we learn that we have, we'll delete it.

11. International users

Currents is operated from Bangladesh. Our infrastructure providers (MongoDB Atlas, Vercel, Upstash, Cloudflare, Resend) may store and process data in regions including the United States, the European Union, and Asia. By using Currents, you understand your data may be transferred internationally for the purposes described in this policy.

12. Changes to this policy

We may update this policy. When we make material changes, we'll notify you by email and post the updated version here at least 14 days before it takes effect. The “Effective” date at the top of this page always reflects the latest version.

13. Contact

Privacy questions, data requests, or anything else covered here: mdsabbirhowlader420@gmail.com.