Privacy Policy
Last updated: June 10, 2026
Who we are
Maaser Tracker (the “Service”) is operated by BizzAssist Inc. (“we”, “us”, “our”). The Service helps you track tithing (ma'aser) on your income and donations.
If you have any questions about this policy or how we handle your information, contact us at support@bizzassist.com.
Information we collect
We collect the minimum information needed to give you a useful maaser tracker:
- Account information — your email address, your display name, and a hashed (PBKDF2) version of the password you choose. We never store plain-text passwords.
- Financial information you give us — the income and donation transactions you enter manually, upload via CSV, or import by connecting a bank through Plaid. This includes amounts, dates, memos, and account labels.
- Billing information — if you subscribe to Maaser Tracker Pro, our payment processor Stripe collects your payment card details directly; we never see or store your full card number. We store your Stripe customer and subscription identifiers and your subscription status so we can unlock Pro features on your account.
- Operational data — session tokens (random opaque values stored in our database), one-time codes (hashed) used for email verification and two-factor authentication, and logs that include IP addresses for rate-limiting and abuse prevention.
- Passkeys — if you set up passwordless sign-in, we store the passkey's public key and credential identifier only. Your fingerprint, face, and the passkey's private key never leave your device and are never sent to us.
- Messages you send us — if you use the in-app contact form, the name, email address, and message you submit. We use this only to read and reply to your inquiry; it is not used for marketing or any other purpose.
We do not sell your personal information. We do not show third-party advertising in the Service.
How we use your information
- To provide the Service: storing transactions, computing maaser balances, sending verification and security codes.
- To keep your account secure: rate-limiting sign-in attempts, detecting abuse, and authenticating sensitive actions with one-time codes.
- To communicate with you about your account (verification, password resets, security alerts).
- To comply with legal obligations.
Bank-linking via Plaid
If you choose to connect a bank or financial account using Plaid (a Pro feature), you will authorize Plaid to share data from that institution with us on your behalf. We receive only the data Plaid permits and you authorize — typically transactions, account names, and balances. We use that data only to populate your maaser inbox and to compute your maaser totals. We never receive or store your bank username or password — you enter those directly with Plaid or your bank. The access credentials Plaid issues to us are stored encrypted (AES-256) in our database.
Plaid's own handling of your data is governed by Plaid's end-user privacy policy. You can revoke our access to your bank data at any time from within Maaser Tracker or from Plaid's consumer portal at my.plaid.com.
Payments via Stripe
Pro subscriptions are billed by Stripe. When you subscribe or start a free trial, you are taken to a Stripe-hosted checkout page; your card details go directly to Stripe and are governed by Stripe's privacy policy. Stripe shares with us your subscription status (for example active, trialing, or canceled) and identifiers we use to link the subscription to your account. You can manage or cancel your subscription at any time from Account → Manage subscription, which opens Stripe's billing portal.
Service providers we share data with
To run the Service we rely on a small number of subprocessors:
- Cloudflare — hosting (Workers), database (D1), and key-value storage (KV). Data at rest is encrypted by Cloudflare's platform.
- Resend — transactional email (verification codes, password resets, billing notices).
- Web3Forms — delivery of messages you send through the in-app contact form to our support inbox. It receives only the name, email, and message you submit on that form.
- Plaid — financial-account aggregation, only if you choose to connect a bank.
- Stripe — payment processing and subscription billing for Maaser Tracker Pro. Stripe collects your payment details directly and acts as its own controller for that data.
These providers process your information on our behalf under their own contractual confidentiality and security obligations.
Security
All traffic to the Service is encrypted in transit with TLS 1.2 or higher. Passwords are stored only as PBKDF2 hashes. One-time codes are stored as hashes with expiry and attempt caps. Session tokens are opaque random values, scoped to your account, and revocable from the Service. Passkeys are stored as public-key credentials only — the private key and your biometrics never leave your device. We rate-limit sensitive endpoints (sign-in, password reset, code resends) at the network layer.
No system is perfect. If you believe your account has been compromised, change your password and email us at support@bizzassist.com.
Data retention and account deletion
We keep your account data for as long as your account is active. You can delete your account at any time from Settings → Delete account, or start a deletion request without the app at Maaser Tracker's account-deletion page. When you delete your account, we permanently delete your user record, sessions, one-time codes, accounts, transactions, imports, and recurring series from our primary database; we also cancel any active Stripe subscription and revoke our access to any bank you connected via Plaid. Backup copies are rotated and fully purged within 30 days. Records that Stripe retains for tax and anti-fraud compliance (for example, invoices) are kept by Stripe per its own retention rules.
Your rights
Depending on where you live (for example, the EU/UK under GDPR, California under the CCPA/CPRA), you may have rights to:
- access the personal information we hold about you;
- correct it if it is inaccurate;
- delete it (the in-app “Delete account” button does this);
- export it in a portable format;
- object to or restrict certain processing.
To exercise any of these rights, email support@bizzassist.com from the address associated with your account.
Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, email us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or via an in-app notice before they take effect. The “Last updated” date at the top of this page always reflects the most recent revision.
Contact
BizzAssist Inc.
Email: support@bizzassist.com