Privacy Notice

Last updated: May 6, 2026

1. Who we are

This Privacy Notice describes how Astrid Burgos, based in Canada ("we", "us"), collects and uses personal data in connection with the DebtBreaker web application (the "Service"). We act as the data controller(or "organization" under Canadian privacy law) for the personal data described below.

2. Personal data we collect

• Account data: email address, login credentials, display name.
• Financial inputs you enter: debts, income, expenses, goals, and notes. You choose what to enter; we do not connect to your bank.
• Support communications: messages you send us.
• Usage and device data: pages visited, actions taken, browser type, device identifiers, IP address, approximate location derived from IP, log timestamps.
• Cookies and similar technologies: see Section 9.

Payment card data is collected and processed directly by our payment provider, Paddle, and is not received or stored by us.

3. Why we use your data and on what legal basis

• Provide the Service (creating your account, saving your data, computing payoff plans) — performance of contract.
• Process subscriptions via Paddle — performance of contract and legal obligation.
• Security and fraud prevention — legitimate interests in protecting users and the Service.
• Customer support — performance of contract / legitimate interests.
• Product improvement and analytics — legitimate interests; aggregated where possible.
• Marketing communications (only if you opt in) — consent, which you can withdraw at any time.
• Compliance with legal obligations — accounting, tax, and lawful requests.

4. Who we share data with

• Service providers and subprocessors: hosting, database, authentication, analytics, error monitoring, and customer support tooling.
• Merchant of Record (Paddle): for sale of subscriptions, billing, tax compliance, refunds, and invoicing.
• Professional advisers: legal, accounting, and audit.
• Authorities: where required by law, court order, or to protect rights, safety, or property.

We do not sell your personal data.

5. International transfers

We are based in Canada and our subprocessors may process data outside Canada, including in the United States and the European Economic Area. By using the Service, you acknowledge that your data may be transferred to and stored in countries with different data-protection laws than your own. Where personal data of users in the UK or EEA is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or recognised adequacy decisions. Canadian users' data is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

6. Data retention

We keep your account data for as long as your account is active. When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to keep certain records for longer (for example, billing and tax records held by Paddle, or as required by applicable law).

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to receive a portable copy, and to withdraw consent at any time. Canadian users have rights under PIPEDA, including the right to access their personal information and to file a complaint with the Office of the Privacy Commissioner of Canada. UK and EEA users also have the right to lodge a complaint with their supervisory authority. We will respond to verifiable requests within one month. You can exercise most of these rights directly inside the Service, including deleting your account at /account/delete.

8. Security

We use appropriate technical and organisational measures to protect your data, including encryption in transit, access controls, and least-privilege principles. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Cookies

We use strictly necessary cookies to keep you signed in and to remember your preferences. We may also use limited analytics cookies to understand usage. You can control cookies through your browser settings; disabling strictly necessary cookies may break parts of the Service.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us so we can remove it.

11. Changes

We may update this Privacy Notice. Material changes will be notified through the Service or by email.

12. Contact

For privacy questions or to exercise your rights, contact us through the support channel provided inside the Service.