Privacy Policy

Last Updated: 2026-03-17  ·  Version: 1.0

UrbanPX, LLC ("we," "us," "our," or "Almighty") operates the Almighty Budget and Almighty Split mobile and web applications (collectively, the "Services"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our Services.

By creating an account or using our Services, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use our Services.


1. Who We Are

The Services are operated by UrbanPX, LLC, a limited liability company registered in the United States.

  • Almighty Budget — a personal budgeting application for tracking income, expenses, accounts, investments, and net worth.
  • Almighty Split — a group expense-splitting application for shared bills and settlements.

Together, these apps form the Almighty ecosystem, which allows optional cross-app data integration for users who subscribe to the Almighty tier.

Contact:

  • Email: support@urbanpx.com
  • Website: https://almighty.money

2. Information We Collect

2.1 Information You Provide

| Data | When Collected | Purpose |
|---|---|---|
| Email address | Account registration | Authentication, account recovery, communications |
| Display name (Split) | Account registration | Identify you to group members |
| First name, last name (Budget) | Account registration | Personalize your experience |
| Company name (Budget, optional) | Account registration (business accounts) | Business account identification |
| Password | Account registration | Authentication (hashed by Firebase Auth; we never store plaintext passwords) |
| Consent timestamp | Account registration | Record when you agreed to these terms |
| Financial transactions | Manual entry or Plaid sync | Budgeting, expense tracking, net worth calculation |
| Group and expense data (Split) | Created in-app | Bill splitting and settlement tracking |

2.2 Information Collected Automatically

| Data | Source | Purpose |
|---|---|---|
| Device and usage analytics | Firebase Analytics (GA4) | Understand how the app is used, improve features |
| App version and platform | Firebase Analytics | Compatibility and support |
| Crash reports | Sentry | Diagnose and fix errors |
| Subscription status | RevenueCat / Apple / Google | Entitlement verification |

2.3 Information We Receive from Plaid (Almighty Budget Only)

If you choose to link a financial institution through Plaid, we receive the following data from Plaid, Inc.:

  • Account information: Account name, type (checking, savings, credit card, loan, investment), and institution name.
  • Account balances: Current and available balances.
  • Transaction history: Transaction date, amount, merchant name, pending status, and Plaid's transaction categorization.
  • Liability details: For credit cards, student loans, and mortgages — interest rates (APR), minimum payment amounts, payment due dates, payment history, overdue status, and payoff information.
  • Investment holdings: Securities held (name, ticker symbol, type, ISIN, CUSIP), quantities, cost basis, and current values.
  • Investment transactions: Buy, sell, dividend, fee, and transfer records including dates, amounts, and related securities.
  • Recurring transaction patterns: Plaid's auto-detected subscriptions, regular bills, and income streams, including merchant name, average amount, frequency, and predicted next date.

2.4 Information We Do NOT Collect

We do not request, receive, or store:

  • Bank account numbers or routing numbers (Plaid Auth product is not used)
  • Social Security numbers or government-issued identification
  • Income verification documents
  • Your banking login credentials (entered directly into Plaid's secure interface)
  • Biometric data
  • Precise geolocation
  • Contact lists or address books
  • Personally identifiable information (PII) in analytics events — our analytics contracts explicitly prohibit logging names, email addresses, financial amounts, or user IDs as event parameters

3. How We Use Your Information

We use the information we collect to:

  • Provide the Services: Display your budgets, transactions, accounts, balances, group expenses, and settlements.
  • Sync data across apps: If you subscribe to the Almighty tier, expenses created in Almighty Split can be synced to Almighty Budget via our Cloud Functions so you can track shared expenses alongside personal spending.
  • Auto-categorize transactions: When you categorize a Plaid-imported transaction, we learn that mapping and apply it to future transactions with the same Plaid category.
  • Detect duplicates: When Plaid imports a transaction, we compare it against your manually entered transactions to flag potential duplicates for your review.
  • Detect recurring transactions: Plaid identifies recurring transaction patterns (subscriptions, bills, income), which we display to help you manage recurring expenses.
  • Verify subscriptions: We check your subscription status through RevenueCat to enable premium features.
  • Improve the Services: Aggregated, anonymized analytics help us understand usage patterns, diagnose issues, and prioritize features.
  • Communicate with you: Account-related notifications, service announcements, and support responses.

4. Financial Data Disclaimer

Almighty Budget is not a financial advisor. Information provided through our Services — including account balances, transaction categorization, net worth calculations, budget summaries, debt payoff projections, and investment portfolio views — is for personal tracking and informational purposes only and does not constitute financial, investment, tax, or legal advice. Always consult a qualified financial professional before making financial decisions.


5. How We Store and Protect Your Information

5.1 Infrastructure

All data is stored in Google Cloud Firestore, part of the Firebase platform operated by Google LLC. Firestore provides:

  • Encryption at rest: AES-256 encryption for all stored data.
  • Encryption in transit: TLS 1.2+ for all data transmitted between your device and our servers.
  • Geographic region: Data is stored in Google Cloud's us-central1 region.

5.2 Authentication

We use Firebase Authentication for identity management. Passwords are securely hashed by Firebase — we never have access to your plaintext password. Authentication is performed via email and password. We do not currently support social login (Google, Apple, Facebook).

5.3 Firestore Security Rules

All user data in Firestore is scoped to your authenticated user ID (UID). Our security rules enforce:

  • User isolation: You can only read and write data under your own users/{uid} path. No user can access another user's data.
  • Server-only collections: Sensitive data such as Plaid access tokens is stored in collections that are completely blocked from client access. Only our server-side Cloud Functions (running with administrative privileges) can read or write these collections.
  • Read-only Plaid data: Financial data synced from Plaid (holdings, investment transactions, recurring streams) is read-only from the client. Only our Cloud Functions can create or modify this data.
  • Platform collections: Administrative data such as sync logs and audit logs are accessible only via server-side administrative access.

Our security rules are covered by automated test suites to verify these access controls.

5.4 Plaid Access Token Security

When you link a financial institution, Plaid provides us with an access token that allows us to retrieve your financial data. This token:

  • Is stored exclusively in a server-only Firestore collection (plaidItems) that is completely blocked from client-side reads and writes.
  • Is never transmitted to your device or exposed in any client-side code.
  • Is used only by our server-side Cloud Functions to fetch account data from Plaid.

Separately, our Plaid API credentials (client ID and secret) are stored in Firebase Secrets Manager and are never embedded in client-side code.

5.5 Webhook Security

Real-time updates from Plaid are received via webhooks. Each webhook request is verified using:

  • JWT signature verification with Plaid's public keys (ES256 algorithm)
  • SHA-256 body hash validation to prevent tampering
  • 5-minute maximum age to prevent replay attacks
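
The three checks above, sketched as a Node.js verifier. This is an added example, not UrbanPX's or Plaid's code. It assumes the claim names iat and request_body_sha256 from Plaid's published webhook verification scheme; keyForKid is a hypothetical key lookup, and the key pair, key ID and request body are constructed samples.

```javascript
const crypto = require('crypto');

const MAX_AGE_SEC = 5 * 60; // the 5-minute maximum age from the list above
const decodeJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// keyForKid: hypothetical lookup that returns the public key for a JWT key ID.
// Returns 'ok' or the name of the first check that failed.
function verifyWebhook(rawBody, token, keyForKid, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try {
    header = decodeJson(parts[0]);
    claims = decodeJson(parts[1]);
  } catch {
    return 'malformed';
  }
  // Pin the algorithm: the token must never choose how it is verified.
  if (header.alg !== 'ES256') return 'bad-alg';
  const key = keyForKid(header.kid);
  if (!key) return 'unknown-key';
  // JWS ES256 signatures are raw r||s (IEEE P1363), not DER.
  const sigOk = crypto.verify(
    'sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return 'bad-signature';
  // Claims are trusted only from here on. Reject tokens older than the window.
  if (typeof claims.iat !== 'number' || nowSec - claims.iat > MAX_AGE_SEC) return 'stale';
  // Hash the exact bytes received, not a re-serialized JSON object.
  const actual = crypto.createHash('sha256').update(rawBody).digest();
  const claimed = Buffer.from(String(claims.request_body_sha256), 'hex');
  if (claimed.length !== actual.length || !crypto.timingSafeEqual(claimed, actual)) {
    return 'body-mismatch';
  }
  return 'ok';
}

// Constructed sample: a locally generated P-256 key stands in for the sender's key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const keys = new Map([['sample-kid', publicKey]]);
const keyForKid = (kid) => keys.get(kid);

function signSample(bodyText, iat, alg = 'ES256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const head = enc({ alg, kid: 'sample-kid', typ: 'JWT' });
  const hash = crypto.createHash('sha256').update(bodyText).digest('hex');
  const claims = enc({ iat, request_body_sha256: hash });
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${claims}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${head}.${claims}.${sig.toString('base64url')}`;
}

const body = '{"webhook_type":"TRANSACTIONS","webhook_code":"SYNC_UPDATES_AVAILABLE"}';
const now = 1770000000; // constructed clock value, seconds since epoch
console.log(verifyWebhook(body, signSample(body, now - 30), keyForKid, now));
console.log(verifyWebhook(body, signSample(body, now - 301), keyForKid, now));
```

The body hash only holds if the handler sees the raw request bytes; hashing a parsed and re-serialized body can change whitespace or key order and fail the comparison.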

6. Cross-App Data Flows

The Almighty ecosystem supports optional data syncing between Almighty Split and Almighty Budget for Almighty tier subscribers.

How It Works

When an expense is created in Almighty Split, our Cloud Functions can create a corresponding synced expense record in Almighty Budget for each participant in the split. This allows you to see your share of group expenses alongside your personal budget.

What Is Synced

  • Expense description, your share amount, total expense amount, expense date, the group it belongs to, and who paid.
  • A unique sync identifier is used to prevent duplicate entries.

What Is NOT Synced

  • No bank transaction data flows from Budget to Split.
  • Split does not receive any of your Plaid-linked account data, balances, or transaction history.
  • We do not share your Budget data with other Split group members.

Identity Linking

To enable cross-app syncing, we create a platform identity (almightyUID) that links your Budget and Split accounts. This identifier is used solely for matching your accounts across our apps and is never shared with third parties.


7. Automatic Syncing with Plaid

Once you link a financial institution, we automatically refresh your data:

  • Scheduled sync: Approximately every 6 hours, we fetch updated balances, transactions, liability details, investment holdings, and recurring transaction patterns.
  • Real-time webhooks: Plaid sends us notifications when new transactions or account changes are detected, triggering immediate syncs.
  • On-demand refresh: You can manually trigger a balance and transaction refresh at any time from within the app.

8. Data Retention

8.1 User Data

| Data Type | Retention Period |
|---|---|
| Account profile (email, name) | Until you delete your account |
| Financial transactions (manual and Plaid-synced) | Indefinite, until you delete them individually or delete your account |
| Plaid access tokens | Until you unlink the institution or delete your account |
| Plaid-linked account metadata | Until you unlink the institution or delete your account |
| Investment securities and holdings | Until removed by Plaid sync, you unlink the institution, or delete your account |
| Recurring transaction streams | Until removed by Plaid sync, you dismiss them, or delete your account |
| Category learning mappings | Until you delete your account |
| Group expenses and settlements (Split) | Until you delete them or delete your account |
| Consent acceptance timestamp | Until you delete your account |

8.2 Infrastructure Backups

We maintain automated daily backups of all three Firebase projects (Platform, Budget, and Split) with a 30-day rolling retention period. Backups older than 30 days are automatically deleted. Backups are stored in Google Cloud Storage and are encrypted at rest.

8.3 Analytics Data

Firebase Analytics (GA4) data is retained according to Google's default retention policy (up to 14 months for user-level data, up to 50 months for event-level data). We do not have the ability to delete individual user records from Google Analytics. Analytics events contain no personally identifiable information.


9. Third-Party Services

We use the following third-party services to operate the Almighty ecosystem:

| Service | Provider | Purpose | Their Privacy Policy |
|---|---|---|---|
| Firebase Authentication | Google LLC | User authentication (email/password) | Google Privacy Policy |
| Cloud Firestore | Google LLC | Database for all user data | Google Privacy Policy |
| Firebase Analytics (GA4) | Google LLC | Anonymous usage analytics | Google Privacy Policy |
| Cloud Functions for Firebase | Google LLC | Server-side logic (sync, Plaid integration) | Google Privacy Policy |
| Plaid | Plaid, Inc. | Financial institution connectivity | Plaid End User Privacy Policy |
| RevenueCat | RevenueCat, Inc. | Subscription and entitlement management | RevenueCat Privacy Policy |
| Sentry | Functional Software, Inc. | Error tracking and crash reporting | Sentry Privacy Policy |

We do not sell your personal information to any third party. We share data with these providers only as necessary to operate the Services.


10. Cookies and Tracking (Web Versions)

When you use Almighty Budget or Almighty Split in a web browser, the following technologies may be used:

  • Firebase Authentication tokens: Stored in your browser's local storage or IndexedDB to keep you signed in. These are not tracking cookies.
  • Firebase Analytics (GA4): Uses first-party cookies and local storage to collect anonymous usage data (page views, feature usage, session duration). No advertising cookies are used. No data is shared with advertising networks.
  • AsyncStorage / IndexedDB: Used to store your app preferences (theme, notification settings) locally on your device.

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking pixels
  • Social media tracking widgets
  • Fingerprinting technologies

If you prefer to limit analytics data collection, you can clear your browser's cookies and local storage. We are evaluating an in-app analytics opt-out option for a future release.


11. Your Rights

11.1 Access Your Data

You can view all your personal data within the apps at any time — your profile information, transactions, accounts, budgets, groups, and expenses are always accessible to you.

11.2 Correct Your Data

You can update your display name, email, transactions, accounts, budgets, groups, expenses, and other personal data directly within the apps.

11.3 Export Your Data

You have the right to receive a copy of your data in a portable format. To request a data export, email us at support@urbanpx.com with the subject line "Data Export Request." We will provide your data within 30 days in a structured, machine-readable format (JSON).

11.4 Delete Your Data

You can request deletion of your account and all associated data. Deletion can be initiated:

  • In-app: Through the account settings / delete account flow.
  • By email: Send a request to support@urbanpx.com with the subject line "Account Deletion Request."

When you delete your account, we perform a comprehensive deletion cascade:

  1. Platform data: Your cross-app identity link, sync logs, and audit log entries are deleted.
  2. Budget data: Your entire user document tree is deleted, including all accounts, transactions, budgets, categories, holdings, investment transactions, securities, recurring stream data, and category mappings.
  3. Split data: Your user profile, group memberships, and associated data are deleted.
  4. Plaid access revocation: All Plaid access tokens associated with your account are revoked (preventing any future data retrieval from your financial institutions), and the Plaid item records are deleted from our servers.
  5. Authentication record: Your Firebase Authentication record is deleted.

This deletion is irreversible. Once processed, we cannot recover your data. Deletion is typically completed immediately upon request, though backup copies may persist for up to 30 days before being rotated out.

11.5 Revoke Plaid Access

You can disconnect any linked financial institution at any time from within Almighty Budget's account settings. When you disconnect:

  • We revoke the access token with Plaid, which immediately stops all future data retrieval from that institution.
  • All Plaid-specific metadata is removed from your account records.
  • Your previously synced transactions and last-known account balance are preserved (you can delete them manually if you wish).
  • No further syncs will occur for that institution.

You can also revoke Almighty's access through Plaid's portal at my.plaid.com.

11.6 Opt Out of Analytics

Firebase Analytics events contain no personally identifiable information. If you wish to limit analytics collection on the web, you may clear your browser cookies and local storage or use browser privacy extensions that block Firebase Analytics.


12. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, and our business purposes for collecting it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt Out of Sale: We do not sell your personal information to any third party. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA rights, email support@urbanpx.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

Categories of personal information we collect (as defined by the CCPA):

| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Email address, display name | Yes |
| B. Financial information | Account balances, transaction history (via Plaid), manually entered budget data | Yes |
| C. Internet or network activity | App usage analytics (anonymous, no PII) | Yes |
| D. Geolocation data | Precise location | No |
| E. Professional or employment information | Company name (optional, business accounts only) | Yes |
| F. Biometric information | Fingerprints, face data | No |
| G. Sensory data | Audio, visual | No |

13. European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies:

Legal Basis for Processing

| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Storing and displaying your financial data | Contract performance |
| Plaid data retrieval and syncing | Your explicit consent (given during Plaid Link) |
| Cross-app data syncing | Contract performance (Almighty subscription) |
| Analytics and crash reporting | Legitimate interest (improving service quality) |
| Responding to support requests | Legitimate interest |

Your GDPR Rights

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure ("Right to be forgotten"): Request deletion of your data.
  • Restriction: Request that we limit how we process your data.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Withdraw consent for Plaid data access at any time by unlinking your financial institution in the app.

To exercise these rights, email support@urbanpx.com. We will respond within 30 days.

Data Transfers

Your data is stored and processed in the United States (Google Cloud's us-central1 region). By using our Services, you consent to the transfer of your data to the United States. We rely on Google's data processing terms and standard contractual clauses for international data transfers.

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority.


14. Children's Privacy

Our Services are not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child under the applicable age, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@urbanpx.com.


15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Notify you via an in-app notification or email (for material changes).
  • Post the revised policy at https://almighty.money/privacy.

Your continued use of the Services after changes are posted constitutes your acceptance of the revised policy.


16. Contact Us

If you have any questions about this Privacy Policy, your data, or your rights, contact us at:

UrbanPX, LLC

  • Email: support@urbanpx.com
  • Website: https://almighty.money

For CCPA or GDPR-specific requests, email support@urbanpx.com with the applicable subject line ("CCPA Request," "GDPR Request," or "Data Export Request").

© 2026 UrbanPX, LLC. All rights reserved.
