Privacy Policy
1 Introduction
Welcome to Fire Trajectory (“we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use our web application at firetrajectory.com (the “Service”).
By creating an account or using Fire Trajectory, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
If you have any questions, please contact us at privacy@firetrajectory.com.
2 Information We Collect
The following table describes the categories of personal information we collect, the sources, the purposes, and how long we retain each category:
| Category | Examples | Source | Purpose | Retention |
|---|---|---|---|---|
| Identifiers | Email address, account ID, device ID (random token) | You provide directly | Account creation, authentication, 2FA device trust | Until account deletion + 30 days |
| Credentials | Hashed password, MFA enrollment | You provide directly | Authentication, account security | Until account deletion + 30 days |
| Financial information | Income, expenses, debts, investment balances, savings goals, subscriptions, retirement projections | You enter voluntarily | Providing the Service’s core planning features | Until account deletion + 30 days |
| Commercial information | Pro subscription status, billing history (via Stripe) | You & Stripe | Subscription management, payment processing | Until account deletion + 30 days; Stripe retains per its policy |
| Internet/electronic activity | Pages visited, features used, browser type, OS, IP address | Collected automatically | Security, diagnostics, aggregate analytics | 90 days (IP); aggregated/anonymized data retained indefinitely |
| Geolocation (coarse) | Country/region derived from IP address | Collected automatically | Security, abuse prevention, legal compliance | 90 days |
Sensitive Personal Information (California CPRA)
Under the California Privacy Rights Act, financial information may be considered sensitive personal information. We use your financial data solely to provide the Service you requested (financial planning calculations). We do not use sensitive personal information for profiling, advertising, or any secondary purpose. You have the right to limit the use of sensitive personal information — see Section 10.
Information We Do NOT Collect
- We do not collect Social Security numbers, government-issued IDs, or biometric data.
- We do not collect payment card numbers — all payment processing is handled by Stripe, Inc.
- We do not use advertising cookies, social media trackers, or third-party analytics that receive your personal financial data.
3 How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery — Provide, operate, and maintain Fire Trajectory’s financial planning features.
- Cross-device sync — Sync your financial data across devices when you are logged in.
- Partner/household features — If you opt in to Partner Mode, share specified data with your linked partner (see Section 6).
- Account communications — Send transactional emails (password resets, security alerts, policy updates). We will never send marketing emails without your explicit opt-in consent.
- Product improvement — Analyze aggregate, anonymized usage patterns to improve features and fix bugs. Individual financial data is never used for this purpose.
- Security — Detect, investigate, and prevent fraudulent or unauthorized activity, including rate-limiting and abuse prevention.
- Legal compliance — Comply with applicable laws, regulations, and legal processes.
We will never sell, rent, or share your personal financial data with third parties for advertising, marketing, or any purpose unrelated to providing the Service.
4 Sharing & Disclosure of Information
We share personal information only in the following limited circumstances:
- Service providers — We use Supabase (database/auth), Netlify (hosting), and Stripe (payments) to operate the Service. These providers process data on our behalf under contractual obligations to protect your information. They do not receive your financial planning data for their own purposes.
- Your linked partner — If you opt in to Partner Mode and enable data sharing, your linked partner can view data you have explicitly chosen to share. You control this in your settings and can revoke it at any time.
- Legal requirements — We may disclose information if required by law, subpoena, court order, or government request, or to protect the rights, property, or safety of Fire Trajectory, our users, or the public.
- Business transfers — If Fire Trajectory is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email before your information is transferred and becomes subject to a different privacy policy.
We Do NOT:
- Sell personal information (as defined by CCPA/CPRA).
- Share personal information for cross-context behavioral advertising.
- Disclose personal information to data brokers.
- Use or disclose sensitive personal information for purposes other than providing the Service.
5 Cookies & Local Storage
We use browser storage (localStorage and sessionStorage) to operate the Service. We do not use traditional HTTP tracking cookies, advertising cookies, or third-party analytics cookies.
| Storage Key | Type | Purpose | Duration |
|---|---|---|---|
| ft_access_token | Session or localStorage | Authentication session token | Session (cleared on browser close) or up to 30 days if “Remember me” is checked |
| ft_refresh_token | Session or localStorage | Silent session renewal | Same as above |
| ft_user_email | Session or localStorage | Display your email in the UI | Same as above |
| ft_device_id | localStorage | Trusted device recognition for 2FA | Persistent (random ID, no personal info) |
| ft_* (various) | localStorage | Locally cached financial data and app preferences (theme, default tab, etc.) | Persistent until you clear browser data or delete your account |
To clear all stored data, use the “Clear Local Data” option in your account settings or clear your browser’s site data. This will sign you out.
Do Not Track (DNT)
Fire Trajectory honors Do Not Track browser signals. Because we do not engage in cross-site tracking, advertising tracking, or behavioral profiling, all users receive the same privacy protections regardless of DNT settings.
6 Partner Mode & Household Data Sharing
Fire Trajectory offers an optional Partner Mode (Pro feature) that lets two users link their accounts for household financial planning. Here is how it works:
- Opt-in only — Partner linking requires both users to actively opt in. No data is shared until you explicitly enable the “Share Data” toggle.
- Granular control — You control whether your partner can view your data, and separately whether they can edit it.
- Revocable — You can disable data sharing or dissolve the partnership at any time from your settings. Revocation takes effect immediately.
- No third-party access — Shared data is visible only to your linked partner and is never disclosed to any other user or third party.
7 Data Storage & Security
Your data is stored securely using Supabase, hosted on Amazon Web Services (AWS) infrastructure in the United States. All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.
We implement industry-standard security practices including:
- Row-level security (RLS) ensuring each user can only access their own data at the database level.
- Server-side authentication — no API keys or database credentials are exposed in the browser.
- Rate limiting on all API endpoints to prevent brute-force and abuse.
- Input validation and HTML escaping to prevent injection attacks.
- Optional two-factor authentication (TOTP-based 2FA) for your account.
- All passwords are hashed using bcrypt — we never store plaintext passwords.
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and encourage you to use a strong, unique password and enable 2FA.
8 Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
- Account and financial data — retained for as long as your account is active. Upon account deletion, all personal data is permanently and irreversibly deleted within 30 days.
- IP addresses and access logs — retained for 90 days for security and abuse prevention, then automatically purged.
- Aggregated, anonymized analytics — retained indefinitely. This data cannot identify any individual.
- Stripe billing records — retained by Stripe per their data retention policy. We store only your Stripe customer ID and subscription status.
If you delete your account, we may retain limited data if required by law (e.g., tax records for payment transactions), but all personal financial planning data is permanently deleted.
9 Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and California Civil Code § 1798.82.
- Describe the nature of the breach, the categories and approximate number of individuals affected, the data involved, and the steps we are taking to address it.
- Notify the relevant supervisory authority where required by law.
10 California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete — You may request deletion of personal information we have collected, subject to certain legal exceptions (e.g., completing a transaction, security, legal obligations).
- Right to Correct — You may request correction of inaccurate personal information. You can also correct data directly in the app.
- Right to Opt Out of Sale/Sharing — We do not sell your personal information and do not share it for cross-context behavioral advertising. No opt-out is required because no sale or sharing occurs.
- Right to Limit Use of Sensitive Personal Information — We use sensitive personal information (financial data) only to provide the Service you requested. You may request that we limit its use; however, limiting use may prevent us from providing the Service.
- Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA/CPRA rights. You will not receive a different level of service or pricing.
How to Exercise Your Rights
Submit a verifiable consumer request by emailing privacy@firetrajectory.com with the subject line “California Privacy Request.” We will verify your identity using the email associated with your account. We will respond within 45 days (extendable by 45 additional days with notice). You may make up to two requests per 12-month period.
Authorized Agents
You may designate an authorized agent to submit a request on your behalf. The agent must provide written proof of authorization (e.g., a signed letter or power of attorney), and we may still verify your identity directly.
California “Shine the Light” (Civil Code § 1798.83)
We do not disclose personal information to third parties for their direct marketing purposes. Therefore, no “Shine the Light” opt-out is necessary.
Do Not Sell or Share My Personal Information
We do not sell or share personal information with third parties for cross-context behavioral advertising. This has been the case since the Service launched and will remain our policy.
CCPA Data Disclosure (Previous 12 Months)
In the preceding 12 months:
- Categories collected: Identifiers, financial information, commercial information, internet/electronic activity, geolocation (coarse). See the table in Section 2.
- Categories sold: None.
- Categories shared for behavioral advertising: None.
- Categories disclosed to service providers: Identifiers and commercial information (to Supabase for database storage, to Stripe for payment processing, to Netlify for hosting).
11 European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation.
Legal Basis for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Providing financial planning features | Performance of a contract (Art. 6(1)(b)) |
| Partner Mode data sharing | Your explicit consent (Art. 6(1)(a)) |
| Payment processing via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Security and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Aggregate analytics | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
Your GDPR Rights
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”).
- Right to restrict processing (Art. 18) — Request that we limit how we use your data.
- Right to data portability (Art. 20) — Request your data in a machine-readable format. CSV export is available directly in the app.
- Right to object (Art. 21) — Object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
- Right related to automated decision-making (Art. 22) — We do not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. All financial projections are informational tools, not automated decisions.
- Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority.
International Data Transfers
Your data is stored and processed in the United States. Transfers of personal data from the EEA/UK to the US are conducted under appropriate safeguards, including the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs) maintained by our infrastructure providers (Supabase/AWS, Netlify, Stripe).
To exercise any GDPR rights, contact us at privacy@firetrajectory.com. We will respond within 30 days.
12 Third-Party Services
Fire Trajectory uses the following third-party services to operate:
- Supabase (database, authentication) — Data is stored on AWS infrastructure. Supabase Privacy Policy.
- Netlify (web hosting, serverless functions) — Netlify Privacy Policy.
- Stripe (payment processing) — We do not store your payment card information. Stripe Privacy Policy.
We do not use Google Analytics, Facebook Pixel, advertising networks, or any third-party service that receives your personal financial data.
13 Children’s Privacy
Fire Trajectory is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will promptly delete it. If you believe a child has provided us with personal information, please contact us immediately at privacy@firetrajectory.com.
This policy complies with the Children’s Online Privacy Protection Act (COPPA) and GDPR Article 8.
14 Email Communications (CAN-SPAM)
We comply with the CAN-SPAM Act. All emails from Fire Trajectory:
- Will not use false or misleading subject lines.
- Will identify the message as an advertisement if applicable.
- Will include our physical mailing address.
- Will honor opt-out/unsubscribe requests within 10 business days.
Transactional emails (password resets, security alerts, policy change notices) are exempt from opt-out requirements as they are necessary to provide the Service.
15 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Notify registered users via email at least 30 days before the changes take effect.
- Update the “Last updated” and “Effective date” at the top of this page.
- Post a prominent notice within the Service.
For non-material changes (e.g., formatting, clarifications), continued use of Fire Trajectory after changes are posted constitutes your acceptance. If you disagree with any changes, you may delete your account at any time.
16 Contact & Data Controller
Fire Trajectory is the data controller for personal information collected through this Service.
- Privacy inquiries: privacy@firetrajectory.com
- General support: support@firetrajectory.com
- Website: firetrajectory.com/contact
- Mailing address: Fire Trajectory, Sebago, Maine 04029, United States
We do not currently have a Data Protection Officer (DPO) as we are a small-scale processor. If this changes, we will update this section. For GDPR-related inquiries, please email privacy@firetrajectory.com with “GDPR Request” in the subject line.
For California privacy requests, include “California Privacy Request” in the subject line. We aim to respond to all privacy requests within 30 days (45 days for CCPA requests).