hearth.

Privacy

A plain-English account of what we keep, where it lives, and who else sees it.

Hearth is a small, private app for managing a household's money. It's not a product we sell — it's a tool we run for ourselves and a short list of people we've invited. The same care we'd want for our own finances is the care we take with yours.

This page is the long version. The short version: we collect what's needed to make Hearth useful to you, we don't sell anything, and you can take it all back at any time.

Who this applies to

Anyone signed in to Hearth at hearthapp.ca. Access is invitation-only — your email has to be on the household's allowlist before you can sign in.

What we collect

Only what Hearth needs to run:

• Your email. Used to sign you in and send the occasional one-time code. Nothing else.
• Sign-in tokens and sessions. Short-lived 6-digit codes (10 minutes) and a session cookie that lasts 30 days so you don't have to sign in every visit.
• Your profile. A display name, your monthly net pay, and how often you're paid. You enter these; we don't infer them.
• Your transactions and budgets. The merchant, amount, date, account, and category for every transaction you import or enter — plus the budgets, savings goals, and envelopes you set up.
• Statement files you upload. The CSV or PDF you drop into the import flow. We keep the original file so we can re-run the import if something looks off, and so you have a record of what was processed.
• Passkeys, if you create one. Just the public key and credential ID — your device holds the private half. Hearth never sees a fingerprint or face scan.
• Basic technical logs. The kind of thing every web app records: request timestamps, which endpoint was hit, error codes. Useful when something breaks.

We don't run analytics, advertising trackers, or third-party scripts. There is no tracking pixel on this site.

Where it lives

Hearth runs on Cloudflare. Specifically:

• Cloudflare D1 — your transactions, budgets, goals, profile, and account records sit in a SQLite database hosted by Cloudflare.
• Cloudflare R2 — uploaded statement files (the original CSV/PDF) are stored here.
• Cloudflare Pages and Workers — the app and its API run on Cloudflare's edge.

Cloudflare's data centres are global, so your data may be processed in regions outside Canada. Their privacy practices are at cloudflare.com/privacypolicy.

Who else sees what

Hearth uses two outside services to deliver specific features. Both are kept on a tight leash.

• Resend — sends the sign-in email containing your one-time code. Resend sees your email address and the code itself for as long as it takes to deliver. Their policy: resend.com/legal/privacy-policy.
• Anthropic — when a transaction has a merchant we haven't seen before, we send the merchant text only (e.g. "TIM HORTONS #1234") to Anthropic's Claude Haiku model so it can suggest a category. We do not send the amount, the date, your account, or your name. The result is cached so we don't ask twice. Their policy: anthropic.com/legal/privacy.

That's the entire list. We don't share data with anyone else, and we don't sell anything to anyone.

How long we keep it

Transactions, budgets, and goals stick around as long as your account does — that's the point of a budgeting app. You can delete any individual transaction, account, or upload at any time.

If you delete your account, it goes into a 7-day grace period (so a misclick doesn't lose years of records). Sign in within those seven days to cancel. After that, your data is removed from the database, and statement files are removed from R2.

Sign-in codes expire after 10 minutes whether they're used or not. Sessions expire after 30 days.

What you can do

• See it. Everything Hearth knows about you is visible in the app.
• Change it. Edit any transaction, budget, goal, or profile field directly.
• Export it. Ask and we'll send you a JSON dump.
• Delete it. The profile sheet has a delete-account control. Or email us.

Security

Sign-in is by one-time email code or passkey — no passwords to leak. Sessions use HttpOnly, Secure cookies. Statement uploads and database access are scoped to your household: another household's data is never returned by any endpoint. We rate-limit sign-in attempts so a stranger can't brute-force a code.

That said, no system is bulletproof. If something goes wrong we'll tell you directly — there's a short list of users, and we know how to reach you.

Children

Hearth isn't for kids. We don't knowingly collect data from anyone under 13.

Changes to this page

If we change how Hearth handles your data, we'll update this page and bump the date at the top. If the change is meaningful, we'll send a note to your sign-in email.

Get in touch

Questions, requests, or just want to know what we have on you? Email [email protected]. A real person reads it.