Privacy Policy
Last updated: July 9, 2026
We wrote this in plain English. vondo teaches the Vondo Method and gives you an app to put it into practice; this policy covers the data side of that. The short version: we collect what we need to run vondo, we don't sell or share your data, and you can take it with you or delete it whenever you want.
Who we are
vondo is operated by Vondo LLC, a company registered in Wyoming, USA (30 N Gould St, STE R, Sheridan, WY 82801). For privacy questions, write to privacy@vondo.app, we read every message.
What we collect
We only collect what we actually need to run the app:
- Account info, your name, email, and a securely hashed password. Passwords are never stored in plain text.
- The records you create, accounts, transactions, budgets, categories. This is your data, entered by you.
- Preferences, language, theme, timezone, currency.
- Session info, a secure cookie so you don't have to sign in every visit, and a refresh token so we can issue you new sessions safely. For each active session we also store a short description of the device or browser (e.g. "Chrome on macOS") and the last time it was used, so you can review and revoke sessions from your profile.
- Billing info, if you subscribe, we store your plan, status, and invoice history. We never store your card details. Web subscriptions are processed by LemonSqueezy; App Store and Google Play subscriptions are processed by Apple or Google, with RevenueCat managing your subscription status.
- Operational logs, basic request logs (IP, timestamp, endpoint) kept short-term for security and debugging.
- Error reports, if the app crashes or hits an unexpected error, we record what went wrong (stack trace, the action you were taking, the response code) so we can fix it. We deliberately do not include the contents of your transactions, request bodies, or any personal financial information in these reports.
Why we collect it
Each piece of data above maps directly to something the app does for you: signing you in, showing you your budget, syncing your preferences across devices, charging your subscription, and keeping the service secure. We don't collect anything we don't use.
We don't sell your data, share it with advertisers, or use it for ad targeting. No tracking pixels. No third-party analytics on your personal information.
Who we share it with
The only third parties that touch your data are the ones we need to run the service:
- LemonSqueezy, handles checkout, billing, and invoices for web subscriptions. They see your name, email, and payment details directly (we don't).
- RevenueCat + the app stores, when you subscribe through the Apple App Store or Google Play, Apple or Google processes the payment and RevenueCat manages your subscription status for us. RevenueCat receives your purchase/receipt information and an anonymous household identifier so your plan unlocks across your devices; it never sees your transactions or financial records.
- Our email provider, delivers transactional emails like password resets and receipts. They see your email address and the contents of those emails.
- Our hosting provider, runs the servers your data lives on. They don't access your data; they host it.
- OAuth providers, if you sign in with Google, Microsoft, or Apple, that provider confirms your identity to us (and shares your name and email address). They don't see your transactions.
- Sentry, receives the error and crash reports described above. We've configured Sentry to strip out personally identifiable information by default: no request bodies, no transaction contents, no passwords or MFA codes. What's left is technical context (stack traces, breadcrumbs of recent actions, response codes) that helps us diagnose bugs.
We don't share your data with anyone else, and we'd push back hard against any government or legal request that wasn't narrow and properly authorized.
How we protect it
Your password is hashed with bcrypt before it's stored and never transmitted in plain text. MFA secrets are encrypted at rest. Session cookies are secure, HTTP-only, and SameSite-strict, JavaScript can't read them. All traffic is encrypted over HTTPS.
Two-factor authentication is available from your profile and we strongly recommend turning it on. If you sign in only with Google or Microsoft, your account is already protected by that provider's authentication; if you want vondo's MFA on top of that, you can set a password from your profile first and then enable MFA. No system is 100% immune to breaches, which is why we also ask you to use a strong, unique password.
When you share a household
vondo lets you share a budget with other people through the household feature. Sharing a household means deliberately giving other members visibility into the household's financial data, that's the entire point, so it's worth being clear about exactly what each member can and cannot see.
What other members of YOUR household can see:
- All of the household's financial data, accounts, balances, transactions, categories, payees, budgets, reconciliation history. There is no per-category permission or view-only mode. If you record a transaction in a shared household, every other member sees it.
- Your name and email address, on the household's members list. This is unavoidable, the host who invited you sent the invite to your email; everyone else needs to know who's in the household.
- When you joined the household and your role (owner or member).
What other members CANNOT see:
- Your password, authentication factors, or MFA recovery codes.
- Linked OAuth providers (Google, Microsoft, Apple) on your account.
- Your trusted-device list or active session history.
- Any other household you're a member of, or what data is in it.
- Your billing history or subscription status.
- Your personal preferences (theme, language) unless the household-level setting differs.
Invites by email: the household owner sends invitations to email addresses they choose. We send the invitee a tokenized invitation link (the token is single-use and expires). If the invitee already has a vondo account, accepting the invite adds them to the household; if they don't, they're prompted to create one first. We never share invitee email addresses with anyone other than the owner who entered them.
Cross-device sync: a change made by one member (a new transaction, a budget edit, a category rename) flows to every other member's devices on the next sync. On mobile, those changes are stored locally so the household's data continues to be available offline. The same local-storage rules described above apply on every member's device.
Leaving or being removed: when you leave a household (or the owner removes you), your access to that household's data ends immediately on your next request. The household's data remains intact for the remaining members; only your own membership row is deleted. We notify the other members of the membership change through the standard sync stream. If the entire household is deleted, all of its data is permanently removed from our servers within the retention window described below, and from every former member's device on next sync.
Your rights over your data
You're in control. Specifically, you can:
- See it, request a copy of everything we hold about you.
- Fix it, update your name, email, or other details from your profile.
- Export it, download your transactions and budget data as CSV anytime, directly from the app.
- Delete it, close your account from your profile page. All your data is permanently deleted within 30 days.
- Object or restrict, if you're in the EU/EEA/UK, you can ask us to stop or limit certain processing.
- Complain, EU/EEA/UK residents can also lodge a complaint with their local data protection authority.
Email privacy@vondo.app and we'll respond within 30 days.
How long we keep it
We keep your data for as long as your account is active. Once you delete your account, your personal data is gone within 30 days. We may keep anonymous, aggregate stats (like total number of users) indefinitely, but nothing that can be traced back to you.
Backups are encrypted and rotated; deleted data falls out of backups within the rotation window.
Cookies
We use cookies for one thing: keeping you signed in. The cookies we set are access_token (your session), refresh_token (used to renew your session without making you sign in again), and mfa_device (so trusted devices skip the MFA challenge for 30 days). All are HTTP-only and SameSite-strict. We don't use cookies for tracking, analytics, or advertising.
On your mobile device
The vondo mobile app works offline, which means it keeps a copy of your records on your device so you can budget without a connection. Here's what's stored locally and how to clear it:
- A local copy of your records, transactions, accounts, categories, budgets, and your preferences are mirrored in an on-device database so the app loads instantly and continues to work offline. The mirror stays in sync with our servers when you have a connection.
- Pending changes, edits you make while offline are queued on the device until they can reach our servers. The queue is processed automatically when you reconnect.
- Authentication tokens, your session and refresh tokens are stored in the operating system's secure storage (Keychain on iOS, Keystore on Android), encrypted at rest by the OS.
- Trusted-device token, if you choose to trust a mobile device after passing MFA, a token is stored in the same secure storage for up to 180 days so you don't have to re-enter your code on every sign-in. You can revoke it any time from your profile.
Clearing the device copy: signing out ends your session on the device but leaves your local copy in place, so signing back in is instant. That local copy is wiped only when a different person signs in on the same device, so one person never sees another's data. Uninstalling the app removes everything the app stored on the device. None of this affects the copy on our servers, your data is still available the next time you sign in.
Subscription management on mobile: the mobile app shows your current plan status. Where you change or cancel a subscription depends on where you bought it: subscriptions purchased in the app are billed by the Apple App Store or Google Play and managed in your store account settings, and subscriptions bought on the web are managed from your profile on the web. The app points you to the right place when you want to make a change.
Children's privacy
vondo is not intended for children under 13 (or 16 in the EU/EEA). If you believe a child has signed up, contact us and we'll close the account and delete the data.
Where your data lives
Our servers are located in the United States. If you're outside the US, your data may be transferred to and processed in the US. We rely on standard contractual clauses where required by EU/EEA/UK law.
If something goes wrong
In the unlikely event of a data breach that could affect you, we'll notify you by email as quickly as possible and give you a clear explanation of what happened, what data was involved, and what we're doing about it. Where required by law, we'll also notify the relevant authority within 72 hours.
When we update this policy
If we make meaningful changes, we'll let you know by email at least 14 days before they take effect, and we'll prompt you to re-accept on your next visit. Minor edits will just update the "last updated" date.
Contact us
Questions, concerns, or requests about this policy: privacy@vondo.app.
Version v5.0 ยท View Terms of Service โ