1. Introduction
Butterfly ("we," "our," or "the Service") is a personal finance dashboard operated by Brian Barnes. This Privacy Policy explains how we collect, use, store, and protect your personal and financial information when you use our Service.
By creating an account or using Butterfly, you agree to the collection and use of information as described in this policy.
2. Information We Collect
Account Information
- Email address (used for authentication and account recovery)
- Display name (optional)
- Hashed password (we never store your password in plain text)
Financial Data via Plaid
When you link a financial institution through Plaid, we may receive:
- Account names, types, and balances
- Transaction history (descriptions, amounts, dates, categories)
- Investment holdings and securities
- Liability details (loans, credit cards)
- Account and routing numbers (if applicable)
We do not have access to your bank login credentials. Plaid handles all authentication directly with your financial institution.
Manually Entered Data
- Manual asset entries (name, type, value, portfolio assignments)
- Account information you create manually
Usage Data
- Server-side request logs (non-personally identifiable)
3. How We Use Your Information
- Display your financial accounts, balances, and net worth
- Show transaction history and categorization
- Track investment holdings and portfolio performance
- Send email verification and password reset emails
- Improve the Service's performance and user experience
We do not sell, rent, or share your personal or financial data with third parties for marketing purposes.
4. Data Storage & Security
Encryption
- Plaid access tokens are encrypted at rest using AES-256-GCM before storage
- Passwords are hashed using bcrypt with salting
- All data in transit is encrypted via TLS/HTTPS
- Database connections use SSL
Infrastructure
- Application hosted on Railway with automatic SSL certificate provisioning
- Database hosted on Neon (PostgreSQL) with encryption at rest
- All environment variables and secrets are stored securely and never committed to source code
Access Control
- Each user can only access their own data — all API routes enforce user-scoped queries
- Session tokens are signed with HMAC-SHA256
- CSRF protection on all form submissions
- Account lockout after repeated failed login attempts
5. Third-Party Services
We use the following third-party services to operate Butterfly:
| Service | Purpose | Data Shared |
|---|
| Plaid | Financial account linking and data retrieval | Account and transaction data (see Plaid's Privacy Policy) |
| Neon | Database hosting | All stored application data (encrypted) |
| Resend | Transactional email delivery | Email address (for verification and password reset emails) |
| Railway | Application hosting | Application code and environment variables |
6. Data Retention
- Your data is retained for as long as your account is active
- Transaction history is synced from Plaid and stored for your reference
- You may delete your account at any time from the Profile page, which permanently removes all your data including linked accounts, assets, transactions, and personal information
7. Your Rights
You have the right to:
- Access your personal data through the application dashboard
- Correct your personal information via the Profile page
- Delete your account and all associated data at any time
- Disconnect linked financial institutions at any time
- Contact us with any privacy-related questions or concerns
8. Children's Privacy
Butterfly is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be reflected on this page with an updated revision date. Continued use of the Service after changes constitutes acceptance of the revised policy.
10. Contact
If you have questions about this Privacy Policy or your data, please contact us at:
support@butterfly.zip