Privacy Policy

Effective Date: February 24, 2026  ·  Last Updated: February 2026  ·  App Version: v1.0.3

The short version: SideStream is a manual income tracker. We don't connect to your bank. We don't sell your data. All financial data you enter is manually created by you and stored securely in your account. We use Firebase and Supabase under the hood — both reputable, privacy-respecting services.

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Third-Party Services
  4. Data Storage and Security
  5. Data Retention
  6. Your Rights
  7. Children's Privacy
  8. International Data Transfers
  9. Android Permissions
  10. Changes to This Policy
  11. Contact Us

SideStream ("we," "us," or "our") operates the SideStream mobile application (the "App"), available at the package name com.sidestream.finance. This Privacy Policy explains how we collect, use, store, and protect your information when you use our App. We believe in transparency — this policy is written in plain language so you can understand exactly what data we handle and why.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account and use SideStream, you provide us with:

  • Account Information: Your email address and password (stored only in hashed form — we never see or store your actual password). If you sign in with Google or Apple, we receive an authentication token and your email address from those services.
  • Financial Data: Income stream names and descriptions, income amounts (planned and actual), income entry amounts, dates and notes, goal names, target amounts and dates, goal contributions, expense names and amounts, tax deductible flags, and recurring schedule data.
  • Preferences and Settings: Currency preference, theme mode (light, dark, or system), and notification reminder settings.

We do not collect bank account numbers, credit card details, or direct access to any financial institution. All financial data in SideStream is entered manually by you.

1.2 Information Collected Automatically

  • Subscription and Billing Data: When you subscribe to SideStream Premium, your purchase is processed entirely through Google Play or the Apple App Store. We receive a purchase verification token, product ID, subscription status, and renewal dates. We never receive or store your payment card details — that is handled solely by Google or Apple.
  • Device and Technical Data: Device model and manufacturer, operating system version, app version and build number, timezone and locale settings. This helps us diagnose bugs and ensure compatibility.
  • Crash and Error Data: We use Firebase Crashlytics to collect crash reports including unhandled exceptions and stack traces, a truncated version of your user ID (first 8 characters only), device model and OS version. Crashlytics is only active in production builds.
  • Analytics Events: We use Firebase Analytics to understand aggregate App usage — login and sign-up methods, goal creation counts, income entry counts, onboarding completion, reminder opt-in status. We do not use analytics to build advertising profiles.
  • Engagement Data: Your weekly logging streak (consecutive weeks with income entries) and related dates to power gamification features.

1.3 Device Fingerprinting

To prevent trial abuse and protect our freemium model, we collect a hashed device fingerprint generated from your device model, manufacturer, and device identifier (Android ID or iOS IDFA). The fingerprint is hashed using SHA-256 and truncated to 16 characters — we never store the full, original values. We also make a one-time request to an IP lookup service to obtain your IP address for this purpose. The IP address is hashed locally and is not stored on our servers in its original form.

Device fingerprinting exists solely to prevent abuse of the free tier. It is not used for advertising, tracking across apps, or any other purpose.

2. How We Use Your Information

  • To provide and operate the App: Creating and managing your account, syncing your financial data across devices, managing subscription status and premium feature access, and scheduling local notification reminders.
  • To improve the App: Identifying and fixing crashes through Crashlytics, understanding feature usage patterns through aggregate analytics, and optimising the onboarding experience.
  • To protect the service: Preventing trial abuse through device fingerprinting, enforcing rate limits on authentication attempts (5 attempts per 15 minutes), and ensuring Row-Level Security so users can only access their own data.
  • To communicate with you: Sending local push notifications (weekly reminders, if you opt in), and responding to support requests.

We do not use your data to serve advertisements, sell to third parties, build advertising profiles, or make automated decisions that produce legal effects.

Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following lawful bases:

  • Contract performance (Article 6(1)(b)): Processing your account and financial data is necessary to provide you with the App's core services.
  • Legitimate interests (Article 6(1)(f)): Crash reports, analytics events, and device fingerprints — assessed to not override your rights, given we minimise data collected and do not use it for profiling.
  • Consent (Article 6(1)(a)): For push notification permissions. You can withdraw consent at any time through your device settings or within the App.

3. Third-Party Services

We use the following third-party services to operate SideStream. Each receives only the data necessary for its specific purpose:

| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication, real-time sync | Account data, financial data, subscription status | supabase.com/privacy |
| Google Sign-In | Optional OAuth authentication | Temporary OAuth tokens, email address | policies.google.com/privacy |
| Apple Sign-In | Optional OAuth on iOS | OAuth request, ID token | apple.com/privacy |
| Firebase Crashlytics | Crash reporting and bug fixing | Crash reports, truncated user ID, device info, OS version | firebase.google.com/support/privacy |
| Firebase Analytics | Aggregate App usage insights | Feature usage events — no financial amounts or personal content | firebase.google.com/support/privacy |
| Google Play / Apple StoreKit | Premium subscription purchases | Purchase tokens, receipts for verification | Google Play / Apple |
| IP Lookup Services (ipify.org, icanhazip.com) | Device fingerprinting (trial abuse prevention only) | Standard HTTP request — IP hashed locally, not stored in original form | — |

4. Data Storage and Security

Where Your Data Is Stored

  • Cloud (Supabase): Account data, financial records, subscription status, and engagement data. All data is encrypted at rest and in transit using SSL/TLS. Row-Level Security ensures every query is scoped to your user account only.
  • Your Device — Secure Storage (encrypted): Authentication tokens, session credentials, device fingerprint hash, and security logs (last 100 entries), stored in platform-native encrypted storage (EncryptedSharedPreferences on Android, Keychain on iOS).
  • Your Device — Local Cache: Cached copies of your income streams, goals, entries, and expenses for offline access. This mirrors what is in Supabase and is cleared when you uninstall the App.

Security Measures

  • Network: All API communication is encrypted with SSL/TLS. Cleartext traffic is disabled in the App.
  • Authentication: Rate limiting on login attempts (5 attempts per 15 minutes). Optional biometric authentication. Tokens stored in platform-native secure storage.
  • Data minimisation: User IDs truncated to 8 characters in logs. Device fingerprints hashed, not stored in full. IP addresses used solely for fraud prevention and hashed locally.
  • Database: Row-Level Security on all Supabase tables ensures auth.uid() = user_id for every query. No user can access another user's data.

5. Data Retention

| Data Type | How Long We Keep It | How It's Deleted |
|---|---|---|
| Account data | Until you request account deletion | User-initiated via support request |
| Financial records (income, goals, expenses) | Until you request account deletion | Cascading delete with account |
| Subscription data | Until you request account deletion | Cascading delete with account |
| Local cache (on your device) | Until you uninstall the App or clear the cache | Automatic |
| Crash reports (Firebase Crashlytics) | 90 days | Automatic (Firebase default) |
| Analytics data (Firebase Analytics) | 14 months | Automatic (Firebase default) |
| Security logs | Last 100 entries | Rolling deletion (oldest entries removed as new ones are added) |

6. Your Rights

Rights Under GDPR (European Economic Area, UK)

  • Right of access: You can request a copy of all personal data we hold about you.
  • Right to rectification: You can request that we correct any inaccurate data. You can also update most data directly within the App.
  • Right to erasure ("right to be forgotten"): You can request deletion of your account and all associated data. We process deletion requests within 30 days.
  • Right to data portability: You can request your data in a structured, machine-readable format.
  • Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
  • Right to object: You can object to processing based on our legitimate interests (such as analytics or device fingerprinting). We will cease processing unless we have compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent (such as push notifications), you can withdraw consent at any time through your device settings or within the App.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

Rights Under CCPA (California, USA)

  • Right to know: Details about the categories and specific pieces of personal information we have collected about you.
  • Right to delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell your personal information to third parties. We have never sold personal information and have no plans to do so.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Rights Under the Australian Privacy Act

If you are located in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 give you the right to access your personal information, request correction of inaccurate information, and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Account Deletion

Email support@sidestream.app to request full deletion of your account and all associated data. Upon a verified deletion request, we will delete your account data and all associated financial records from Supabase, remove your user ID association from Firebase services where technically possible, and confirm deletion via email within 30 days.

We are working on adding an in-app account deletion feature in a future update.

To exercise any of these rights, contact us at support@sidestream.app.

7. Children's Privacy

SideStream is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@sidestream.app and we will promptly delete that information.

8. International Data Transfers

Your data may be processed and stored in countries outside your country of residence through our use of Supabase (cloud infrastructure) and Firebase (Google's infrastructure). Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions as maintained by our third-party service providers.

9. Android Permissions

SideStream requests only the permissions necessary to function. Here is a complete list:

  • INTERNET and ACCESS_NETWORK_STATE: Required for communicating with our backend and detecting offline status.
  • USE_BIOMETRIC and USE_FINGERPRINT: Optional biometric unlock for app security. Only used if you enable it.
  • POST_NOTIFICATIONS: Required to send weekly reminder notifications. Only used if you opt in.
  • SCHEDULE_EXACT_ALARM and USE_EXACT_ALARM: Required for precise notification timing.
  • RECEIVE_BOOT_COMPLETED: Ensures your scheduled reminders survive device restarts.
  • VIBRATE: Haptic feedback for notifications.

We explicitly block access to your photos (READ_MEDIA_IMAGES), videos (READ_MEDIA_VIDEO), and storage (READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE). SideStream does not need and cannot access your media files.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this policy. For significant changes, we will notify you through the App or via email. Your continued use of the App after changes are posted constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Questions about privacy?

Email support@sidestream.app or info@sidestream.app — we reply within 24 hours.

Website: sidestream.app  ·  App: com.sidestream.finance

For GDPR-related inquiries, you may also contact your local data protection authority. For Australian privacy concerns, contact the Office of the Australian Information Commissioner at oaic.gov.au.

This Privacy Policy applies to the SideStream mobile application (com.sidestream.finance), version 1.0.3 and later.

© 2026 SideStream. All rights reserved.