Privacy Policy
Last updated: 2026-05-28
This policy explains what data we collect when you use Emergency Fund Aquarium (the "Service"), why we collect it, who we share it with, and what choices you have. Throughout this policy, "we," "us," and "our" refer to Jen Built It LLC.
1. What we collect
- Account data. Your email address and a salted PBKDF2 hash of your password (100,000 iterations, 16-byte random salt, SHA-256). We never store your password in plain text and never see it again after you set it.
- Savings data. The goals you create (name, target amount, date), the deposits you record (amount, date, optional note), and the aquarium theme you choose. All of this is visible only to you when you are logged in.
- Account preferences. Your selected currency.
- Security data. A bounded record of failed login attempts and rate-limit counters, keyed by IP address or email, used solely to throttle abuse. Reset and email-verification tokens are stored as SHA-256 hashes so a database snapshot leak cannot directly compromise pending resets.
- Cross-app Pro status. If you upgrade to Pro on Jen's App Hub, this Service receives a signed token from App Hub that confirms your Pro status and your email. We do not receive your Stripe payment details. Card numbers, CVV, and other payment data stay with Stripe and App Hub.
- Newsletter consent. If you check the optional newsletter box at signup, we store that you consented and the timestamp of consent, and we pass your email and that consent flag to the Seeding Serendipity newsletter list.
2. Why we collect it
- To create and secure your account (legal basis: contract).
- To store the goals and deposits you ask us to store (legal basis: contract).
- To recognize you across the Jen Built It app family when you have a Pro subscription (legal basis: contract).
- To prevent brute-force login, credential stuffing, and abuse (legal basis: legitimate interest).
- To send you transactional emails (verification, password reset) (legal basis: contract).
- To send you the Seeding Serendipity newsletter, only if you opt in (legal basis: consent).
3. Who we share it with (processors)
We use a small set of vendors to operate the Service. Each vendor only receives the minimum data they need.
- Cloudflare hosts the Service and our database (Cloudflare Workers + D1).
- Resend sends transactional emails (verification, password reset).
- Jen's App Hub issues a signed Pro entitlement token that this Service can verify locally to grant Pro features. App Hub itself uses Stripe for payment processing; Stripe never communicates directly with Emergency Fund Aquarium.
- Kit (via an n8n workflow) stores newsletter subscribers, only if you opt in.
We do not sell your personal data. We do not share your data with advertisers. We do not transfer your data to third parties for their own marketing.
4. How long we keep your data
- Account, goals, and deposits: as long as your account exists. When you delete your account from the Progress tab, we delete every row tied to your user ID (users, goals, deposits, reset tokens, email-verification tokens) immediately and irrevocably.
- Security data (failed-login counters, rate-limit rows): purged automatically when they expire (15 minutes for failed-login records, up to 5 minutes for rate-limit rows).
- Newsletter consent: until you unsubscribe from the newsletter.
5. Cookies and local storage
We use a token in browser localStorage to keep you logged in. We do not use advertising cookies, third-party tracking pixels, or cross-site analytics. The aquarium theme you pick is stored only in your browser.
6. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, and similar laws), you may have the right to:
- Access the personal data we hold about you. Use the Download my data (JSON) button on the Progress tab to export every record tied to your account.
- Correct inaccurate data (edit your goals, deposits, or email).
- Delete your account and all your data (Progress tab → Delete Account). Deletion is immediate and we cannot undo it.
- Withdraw newsletter consent at any time from your profile or via the unsubscribe link in any newsletter we send.
- Lodge a complaint with your local data protection authority.
For anything that requires our help (CCPA right-to-know, GDPR Article 15 statement, dispute over a deletion), email privacy@jenbuiltit.com from the address tied to your account. We respond within 30 days (45 days for California requests).
7. Security
We protect your data using TLS in transit (HSTS), salted PBKDF2 password hashing, parameterized SQL with per-user row filtering, signed JWT sessions with revocation, account lockout after repeated failed logins, request body size caps, per-IP and per-account rate limiting, and a strict Content Security Policy. No system is perfectly secure, but if we detect a breach affecting your data we will notify you and the appropriate authorities as required by law.
8. Children
The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has created an account, email privacy@jenbuiltit.com and we will delete it.
9. International users
The Service is operated from the United States. By using the Service from outside the US, you consent to the transfer of your data to the US. We rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors where required.
10. California residents
If you are a California resident, you have the rights described in Section 6 above (right to know, delete, correct) under the CCPA/CPRA. You also have the right to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising; see our Do Not Sell or Share My Personal Information page for the formal statement.
11. Cross-app Pro verification
If you have a Pro subscription on Jen's App Hub, this Service receives a signed JWT containing only your email and your Pro expiration date. We verify the signature locally using a shared secret. No payment details, no profile data beyond email, no usage data from other Jen Built It apps is shared with this Service.
12. Changes to this policy
If we update this policy in a way that materially changes how we handle your data, we will notify you by email and post a notice on the Service. The "Last updated" date at the top will always reflect the current version.
13. Contact
Questions about this policy or your data:
Jen Built It LLC
10800 S Lloyd Drive
Worth, IL 60482
USA
privacy@jenbuiltit.com