Effective Date: May 25, 2026
This Privacy Policy describes how Debt Escape ("Company," "we," "us," or "our") collects, uses, stores, protects, and shares your personal information when you use the Debt Escape web application and any related services (collectively, the "Service"). By creating an account or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
This Privacy Policy is designed to comply with: the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); the General Data Protection Regulation (GDPR) for users in the European Economic Area and United Kingdom; applicable U.S. state privacy laws including Virginia (VCDPA), Colorado (ColoPA), Connecticut (CDPA), Texas, Oregon, and Montana; and general best practices for financial data security.
Section 1: Information We Collect
1.1 Information You Provide Directly
When you register for and use Debt Escape, you voluntarily provide us with the following categories of personal information:
Account Information: Your first name, last name, and email address, collected at signup. Your password is hashed using the industry-standard bcrypt algorithm and is never stored in plain text. We cannot retrieve your password.
Debt and Financial Information: Debt names, debt types (credit card, student loan, auto loan, medical, personal loan, other), current balances, original balances, interest rates, minimum monthly payments, payment due dates, lender or creditor names, and the last four digits of account numbers. This is the core data required to generate your personalized payoff plan.
Payment Transactions: Records of payments you log manually within the app, including date, amount, and the associated debt. We do not process your actual bank transactions.
Uploaded Documents: Bank statements, creditor letters, loan agreements, and other financial documents you choose to upload to the Document Vault feature. All documents are encrypted with AES-256-GCM before storage. The encryption key is derived from your unique user ID and a randomly generated salt. Only you possess the information necessary to decrypt your documents. Debt Escape employees and systems cannot read the contents of your uploaded documents.
AI Conversation History: Messages you send to the AI Coach feature (Pro plan). Conversations are stored to provide continuity across sessions. Conversation content is not used to train AI models.
Account Preferences: Your notification settings, privacy mode preference, onboarding responses, and any other settings you configure.
Billing Information: When you subscribe to a paid plan, your payment is processed entirely by Stripe, Inc. Debt Escape never receives, stores, or has access to your full credit card number, CVV, or billing address. We store only your Stripe Customer ID, subscription status, plan type, and next billing date for account management purposes.
1.2 Information Collected Automatically
Usage Data: Pages viewed, features used, buttons clicked, time spent in the app, and general navigation patterns. This data is used to improve the Service and identify bugs or usability issues.
Device and Browser Information: Browser type and version, operating system, screen resolution, and device type (desktop or mobile). This information is used for compatibility and security purposes.
IP Address and Approximate Location: We log your IP address for security purposes (detecting suspicious login activity and rate limiting) and derive your approximate city and country from it. We do not track your precise geographic location.
Session Information: Login timestamps, session duration, and the device and browser associated with each active session. This data is displayed to you in Settings > Security so you can monitor and revoke active sessions.
Authentication Logs: Records of successful and failed login attempts, including timestamp, IP address, and device information. Failed attempt logs are used to enforce rate limiting and detect unauthorized access attempts. Logs are retained for 90 days.
1.3 Information We Do NOT Collect
Debt Escape does not collect: your Social Security Number (SSN) or Tax Identification Number; your full bank account numbers or routing numbers; your actual bank login credentials (we do not use Plaid or any bank-linking service in the current version of the app); biometric data of any kind; information about your race, ethnicity, religion, or national origin; your precise real-time location; or data from your device contacts, camera, or microphone.
Section 2: How We Use Your Information
2.1 To Provide the Service
- Generating your personalized debt payoff plan (avalanche, snowball, or AI-optimized strategy)
- Calculating projected debt-free dates and interest savings
- Generating negotiation scripts customized to your specific debts and creditors
- Providing AI Coach responses that are contextualized to your debt profile
- Tracking your payment history and progress milestones
- Storing and retrieving your encrypted documents
2.2 To Manage Your Account and Subscription
- Creating and maintaining your user account
- Processing subscription payments through Stripe
- Sending transactional emails (email verification, password reset, payment receipts)
- Enforcing subscription plan limits and unlocking features based on your current plan
2.3 To Improve and Secure the Service
- Analyzing usage patterns to improve features and fix bugs
- Detecting and preventing fraudulent activity, unauthorized access, and security breaches
- Enforcing rate limits on authentication to prevent brute-force attacks
- Monitoring system performance and uptime
2.4 To Communicate With You
- Sending weekly progress summary emails (if enabled)
- Sending payment reminder notifications (if enabled)
- Sending milestone achievement notifications (if enabled)
- Responding to support requests and inquiries
- Sending important account and security notices (these cannot be opted out of)
2.5 Automated Decision-Making Disclosure (CCPA/CPRA)
2.6 What We Never Do With Your Data
We do not sell your personal information. We do not share your financial data with advertisers, data brokers, or marketing companies. We do not use your debt information to make creditworthiness determinations. We do not display advertisements in the Service. We do not share your data with your creditors or lenders.
Section 3: How We Share Your Information
3.1 Service Providers (Data Processors)
We share data with third-party service providers who process data on our behalf and are contractually prohibited from using it for any other purpose:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database, auth, file storage | All user data, encrypted | United States |
| Anthropic, PBC | AI Coach and plan generation | Debt profile summary and chat messages | United States |
| Stripe, Inc. | Payment processing | Email, subscription plan | United States |
| Vercel, Inc. | Hosting and CDN | Request logs, IP addresses | United States, global CDN |
3.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or valid legal process. We will notify you of any such request unless prohibited by law.
3.3 Business Transfers
If Debt Escape is acquired by or merged with another company, your information may be transferred. We will notify you via email and a prominent in-app notice at least 30 days before transfer.
3.4 Protection of Rights
We may disclose information where necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, threats to safety, or violations of our Terms of Service.
3.5 With Your Explicit Consent
We will share your information with any other third party only with your explicit consent.
Section 4: Data Retention
- Active account data: Retained for as long as your account is active.
- Account data after deletion: 30-day grace period, then permanently deleted within 7 days. Encrypted backups purged within 90 days.
- Authentication and security logs: 90 days.
- Billing records: 7 years to comply with tax obligations.
- Support communications: 2 years from last contact.
- Aggregated, anonymized analytics: Indefinite (cannot be linked to an individual).
Section 5: Data Security
Encryption at Rest: All data in our Supabase database is encrypted at rest using AES-256. Particularly sensitive fields are encrypted at the application layer using pgcrypto. Uploaded documents are encrypted client-side using AES-256-GCM before transmission.
Encryption in Transit: TLS 1.2 or higher (HTTPS). Unencrypted HTTP connections are rejected.
Access Controls: Row Level Security (RLS) is enforced at the database level so each user can only access their own records.
Authentication Security: Passwords hashed using bcrypt. Login rate-limited (5 failed attempts → 15-minute lockout). Sessions expire after 1 hour of inactivity. Active sessions visible in Settings > Security.
API Security: Secret API keys (Stripe, Anthropic) are stored as server-side environment variables and never exposed to the browser.
Third-Party Security: We select service providers (Supabase, Stripe, Vercel) that maintain SOC 2 Type II compliance.
Data Breach Response: In the event of a breach posing risk to your rights, we will notify affected users and regulatory authorities within 72 hours, per GDPR Article 33.
Despite these measures, no security system is impenetrable. Report vulnerabilities to security@debtescape.app.
Section 6: Your Privacy Rights
6.1 Rights for All Users
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion (subject to legal retention requirements in Section 4)
- Data Portability: Request your data in a structured, machine-readable format (JSON export in Settings > Privacy)
- Opt-Out of Marketing: Unsubscribe at any time via notification settings
6.2 California Residents (CCPA/CPRA)
Additional rights: Right to Know, Right to Delete, Right to Correct, Right to Opt Out of Sale or Sharing (already honored by default — we do not sell), Right to Limit Use of Sensitive Personal Information, Right to Opt Out of Automated Decision-Making (see Section 2.5), and Right to Non-Discrimination. Email privacy@debtescape.app with "CCPA Request" in the subject. We respond within 45 days.
6.3 EEA and UK Residents (GDPR/UK GDPR)
Legal bases for processing: contract performance, legitimate interests (security, fraud prevention, improvement), consent (marketing, optional analytics), and legal obligation (tax retention, law enforcement). You have the right to lodge a complaint with your local data protection authority.
6.4 Exercising Your Rights
Email privacy@debtescape.app. We respond within 30 days (45 days for CCPA). We may need to verify your identity. No fee for reasonable requests.
Section 7: Cookies and Tracking
Essential Session Cookies: These maintain your authenticated session. They are httpOnly and expire when you close your browser or after 7 days. They are required for the Service.
No Third-Party Advertising Cookies: We do not use advertising cookies, retargeting pixels, Facebook Pixel, Google Ads, or third-party behavioral tracking.
No Third-Party Analytics Cookies: We use Supabase's built-in usage analytics, which do not use cookies and do not share data with third-party providers.
Section 8: Children's Privacy
The Service is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18. Parents or guardians may contact privacy@debtescape.app to request deletion.
Section 9: International Data Transfers
Debt Escape is operated from the United States and our service providers are U.S.-based. If you access the Service from the EEA, UK, or other regions, your data will be transferred to and processed in the United States. For EEA and UK users, we rely on Standard Contractual Clauses (SCCs) where applicable.
Section 10: Changes to This Privacy Policy
If we make material changes, we will notify you by email at least 14 days before the changes take effect and display a prominent in-app banner. Continued use after the effective date constitutes acceptance.
Section 11: Contact Us
Privacy team: privacy@debtescape.app — within 5 business days for general inquiries; within 30 days for formal rights requests.
Security vulnerability reports: security@debtescape.app.
Section 12: Smart Spending Analyzer — PDF, CSV, and Image Processing
The Smart Spending Analyzer supports four file types: CSV exports, digital PDFs, scanned PDFs, and photos of bank statements (JPG, PNG, WEBP).
CSV and Digital PDF Processing: All processing happens entirely in your browser before any data is transmitted. A PII redaction process automatically removes account numbers, routing numbers, full names, Social Security Numbers, email addresses, and physical addresses. Only anonymized spending categories and dollar amounts reach our AI analysis system. Your raw file is never uploaded to our servers.
Scanned PDF and Photo Processing (OCR): When you upload a scanned PDF or a photo, optical character recognition is performed locally in your browser using Tesseract.js. The image never leaves your device for the OCR step. The same PII redaction pipeline then removes all identifying information before any data is transmitted. OCR confidence scores are shown so you understand the reliability of the extraction.
Security Validation: All PDF files are scanned for dangerous content (embedded scripts, auto-execute actions, launch triggers) before any parsing begins. Files containing these patterns are rejected. PDF parsing uses pdfjs-dist with JavaScript execution disabled (isEvalSupported: false) to prevent exploitation of a known PDF.js vulnerability (CVE-2024-4367). The Vite build tool is maintained at a patched version to prevent a known file-read vulnerability (CVE-2025-31125).
Data Retention: Anonymized spending analysis results are retained for 90 days and then automatically deleted. Raw files, OCR images, and extracted text are never stored on our servers. You may delete your analysis results at any time from the Analyzer page.