My Tin (Australia 🇦🇺)

Privacy Policy

Effective: 1 June 2025 · Last updated: 8 June 2026

My Tin (“we”, “our”, “the app”) is a personal finance budgeting tool operated by Philipp Burath, Australia. This policy explains what personal information we collect, why we collect it, how it is stored and disclosed, and your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Plain-language summary: We store your spending data so the app works. We do not sell it, share it with advertisers, or send it to anyone except the infrastructure providers listed in section 5. Your data is encrypted and can be exported or permanently deleted at any time.

1. Who this policy applies to

This policy applies to all users of mytin.app. My Tin currently falls within the small-business exemption under the Privacy Act 1988 (annual turnover below $3M), but we voluntarily apply the Australian Privacy Principles in full because your financial data deserves that level of care. When Australian Government reforms remove the small-business exemption (expected late 2026), we will be fully compliant.

2. What we collect

Account information: Your name, email address, and a bcrypt-hashed password. Your plaintext password is never stored or transmitted.
Transaction and financial data you enter: Transaction amounts, dates, merchant descriptions, account names, balances, budget targets, savings goals, and categorisation rules. You create this data — we do not access your bank account.
Imported bank statement data: When you upload a CSV bank statement, we store the rows you choose to import. No bank login credentials are ever held by My Tin.
Preferences and settings: Timezone, currency, display font, colour theme, and session timeout settings.
Activity audit log: A timestamped log of key actions (logins, imports, edits). Visible to you in Settings and can be cleared at any time.
Transactional emails: Your email address is used to send account-related emails (welcome, password reset). We do not send marketing email without explicit consent.

3. What we do not collect

Credit or debit card numbers, CVVs, or expiry dates
Bank account numbers or BSB codes
Tax file numbers or government identifiers
Biometric data
Location data
Advertising identifiers or cross-site tracking cookies
Bank login credentials (we use CSV import only)

4. How we use your information

We use your personal information only to:

Provide the budgeting and financial tracking features of the app
Authenticate your identity on every request
Send transactional emails you explicitly request (password reset, welcome)
Detect and prevent fraudulent or abusive use
Maintain an audit log for your security (accessible to you only)

Automated decision-making: The app includes a rules engine that automatically categorises transactions based on rules you define (e.g. “transactions containing ‘Woolworths’ → Groceries”). This operates only on data you have entered and using rules you have configured. No fully-automated decisions with legal or significant effects are made without your input.

Not financial advice: My Tin is a personal budgeting tool. Nothing in the app constitutes financial product advice, investment recommendations, or financial services as defined under the Corporations Act 2001 (Cth). We do not hold an Australian Financial Services Licence (AFSL). For financial advice, consult a licensed financial adviser.

5. Third-party services and overseas storage (APP 8)

Your data is processed on infrastructure operated by the following overseas providers. Per APP 8 of the Privacy Act 1988, we have taken reasonable steps — including Data Processing Agreements (DPAs) and contractual commitments — to ensure these providers handle your data consistently with the APPs.

Service | Location | Purpose | Data shared
Turso | US (AWS) | Database hosting | All app data (encrypted at rest, TLS in transit, SOC 2 Type II)
Vercel | US (AWS) | Web hosting & CDN | HTTP request logs (IP, timestamp, URL path)
Resend | US | Transactional email | Email address and email content (password reset, welcome)

All providers are bound by their respective DPAs and applicable US and international data protection standards. No data is sold, rented, or shared with advertisers, data brokers, or any other third party not listed above.

Note: US-based cloud providers may be subject to compelled disclosure under the US CLOUD Act. Data at rest in the database is encrypted with AES-256-GCM at the application level to mitigate this risk.

6. Data security

Transaction descriptions and merchant names are encrypted at the application level (AES-256-GCM) before being written to the database
Passwords are hashed with bcrypt (12 rounds) — the plaintext is never stored or logged
All API routes require authenticated JWT sessions; unauthenticated requests are rejected with 401
Database queries use parameterised statements (Prisma ORM) to prevent SQL injection
HTTPS is enforced on all connections (TLS 1.2+)
An auto-logout session timeout is available and configurable in Settings

7. Data breach notification (NDB Scheme)

We take data security seriously. In the event of a data breach that is likely to cause serious harm to your interests, we will:

Assess the breach as quickly as possible (within 30 days)
Notify you and the Office of the Australian Information Commissioner (OAIC) if there is a likely risk of serious harm
Provide information about the steps you can take to protect yourself

If you believe there has been unauthorised access to your account or data, contact us immediately at privacy@mytin.app.

8. Your rights (APP 12 & APP 13)

Access: Export all your transactions at any time from Settings → Export Data. Your export includes all transactions in CSV format.
Correction: Edit any transaction, account, or category directly within the app at any time.
Deletion: Delete your account and all associated data permanently from Settings → Danger Zone. Deletion is immediate and irreversible — all records (transactions, accounts, categories, budgets, goals, rules, and audit logs) are permanently removed.
Audit log: View a timestamped log of every action taken on your account from Settings. You can clear this log at any time.
Complaint: Lodge a complaint with us using the contact details below. If unsatisfied, escalate to the OAIC at oaic.gov.au.

9. Data retention

Your data is retained for as long as your account exists. When you delete your account, all personal data is permanently removed from the database immediately. Vercel infrastructure access logs are retained for up to 30 days per Vercel's standard policy.

10. Changes to this policy

We may update this policy as our service evolves or as Australian privacy law changes (including the anticipated removal of the small-business exemption under tranche 2 reforms). Material changes will be communicated in-app. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

For privacy enquiries, data access requests, or complaints under the Privacy Act 1988:

My Tin — Privacy Officer

Australia

Email: privacy@mytin.app

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

© 2026 My Tin. All rights reserved.