← Back

Privacy Policy

Last updated: May 2026

1. Who we are

Kushimio ("we", "us", "our") is an online accounting and ledger platform available at kushimio.com. We are the data controller responsible for your personal data.

For any privacy-related questions or requests, contact us at privacy@kushimio.com.

2. What data we collect

We collect only what is necessary to provide the service:

  • Account data: email address, username, and a hashed (bcrypt) version of your password. We never store your password in plain text.
  • Ledger data: the names, countries, and financial transaction entries you create inside Kushimio. This is the core content of the service.
  • Billing data: your subscription plan and status. Payment details (card numbers, etc.) are handled exclusively by Stripe and never stored on our servers.
  • Usage data: your last login timestamp and IP address. IP addresses are used temporarily for rate limiting and are not permanently stored.

3. Why we process your data and our legal basis

  • Contract performance (Art. 6(1)(b) GDPR): providing you with the Kushimio service — storing your ledgers, authenticating your account, and managing your subscription.
  • Legitimate interests (Art. 6(1)(f) GDPR): protecting the service from abuse via rate limiting, and maintaining basic security logs.
  • Legal obligation (Art. 6(1)(c) GDPR): retaining billing records to comply with accounting and tax regulations.

We do not send marketing emails. The only emails we send are transactional: email verification and password reset.

4. Who we share your data with

We do not sell your data. We share it only with the following third-party processors, each bound by their own privacy and data processing agreements:

  • Neon (neon.tech): our database host. All account and ledger data is stored on Neon's PostgreSQL infrastructure.
  • Stripe (stripe.com): our payment processor. Stripe receives your email address and handles all billing. Stripe is PCI-DSS compliant and maintains its own privacy policy.
  • Resend (resend.com): our transactional email provider. Resend receives your email address and username solely to deliver verification and password reset emails.
  • Cloud hosting provider: our application servers run on a cloud platform which may process request data (including IP addresses) in transit.

5. Cookies

We use a single cookie: auth_token. This is a strictly necessary, HttpOnly, SameSite=Lax session cookie used to keep you logged in. It expires after 7 days. We do not use advertising, tracking, or analytics cookies.

Because this cookie is strictly necessary for the service to function, it does not require your consent under ePrivacy regulations.

6. Data retention

  • Account and ledger data: retained for as long as your account exists. When you delete your account, all your data is permanently erased from our database immediately.
  • Billing records: Stripe retains transaction records independently for legal and financial compliance purposes, according to their own retention policy.
  • Unverified accounts: accounts that are never verified may be removed periodically at our discretion.

7. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights:

  • Right of access: you can download a full copy of your data at any time from your account settings.
  • Right to erasure: you can permanently delete your account and all associated data from your account settings.
  • Right to portability: your exported data is provided in JSON format, a standard machine-readable format.
  • Right to rectification: you can update your username from your account settings. If you need to correct other information, contact us.
  • Right to object or restrict processing: contact us at privacy@kushimio.com and we will respond within 30 days.
  • Right to lodge a complaint: you have the right to lodge a complaint with your local data protection authority.

8. Data security

Passwords are hashed using bcrypt before storage and are never recoverable in plain text. All data is transmitted over HTTPS. Access to the database is restricted to application infrastructure only.

9. Children

Kushimio is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us and we will delete it promptly.

10. Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page. For significant changes, we will notify you by email. Continued use of Kushimio after changes are posted constitutes acceptance of the updated policy.