Privacy Policy
Last updated: 29 May 2025
Applies to UK, EU & EEA users — UK GDPR & EU GDPR compliant
CTMoneyGoal ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information you provide when using ctmoneygoal.com (the "Service"). It applies to all users worldwide, with enhanced rights for UK, EU, and EEA residents under UK GDPR and EU GDPR respectively.
1. Who We Are (Data Controller)
CTMoneyGoal is operated as a small business registered in the United Kingdom. As the operator of this Service, we act as the Data Controller for your personal data.
Contact for data matters: privacy@ctmoneygoal.com
2. What Personal Data We Collect
- Account data: username, email address, display name, bcrypt-hashed password
- Financial goal data: goal names, target amounts, saved amounts, transaction notes and dates
- Technical / log data: IP address, browser user agent string, login timestamps, session identifiers
- Cookie data: session cookie and optional 30-day remember-me token (see Section 8)
We do not collect payment card details directly. Any future payment processing will use a PCI-DSS compliant processor (e.g. Stripe). We do not collect sensitive personal data (health, ethnicity, biometric data etc.).
3. How We Use Your Data
- To create and manage your account and provide the Service
- To authenticate your identity securely on each login
- To send transactional emails (password reset, email verification)
- To send optional weekly digest emails if you opt in
- To monitor for abuse, fraud, and security incidents
- To comply with legal obligations
We do not sell your data. We do not use your data for advertising or profiling for third parties.
🇪🇺 GDPR & UK GDPR — Legal Bases for Processing
Under Article 6 of UK GDPR and EU GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): processing your account and goal data to deliver the Service you signed up for
- Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, service improvement — we have assessed these do not override your rights
- Legal obligation (Art. 6(1)(c)): retaining records where required by UK/EU law
- Consent (Art. 6(1)(a)): optional marketing/digest emails — you may withdraw at any time by emailing us or clicking unsubscribe
4. Data Retention
- Account and goal data is retained for as long as your account is active
- Free accounts with no login activity for 24 consecutive months will receive a 30-day deletion notice by email
- Security logs (IP, login timestamps) are retained for 12 months
- You may request deletion at any time — see Section 6
- Some data may be retained longer where required by UK/EU law (e.g. financial records)
5. Data Storage & Transfers
Your data is stored on servers located in the European Economic Area / United Kingdom via our hosting provider (Plesk / Cloudflare infrastructure). We do not transfer your personal data to countries outside the UK or EEA unless adequate safeguards are in place (e.g. Standard Contractual Clauses).
Google Fonts are loaded from Google's CDN — Google may log your IP. See Google's Privacy Policy. If you wish to avoid this, you may disable Google Fonts via your browser.
6. Your Rights
Under UK GDPR and EU GDPR you have the following rights. These apply to all users; EU/EEA residents may additionally escalate to their national supervisory authority.
To exercise any right, email privacy@ctmoneygoal.com. We will respond within 30 days (extendable by 2 months for complex requests with notice).
7. Automated Decision-Making & Profiling
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Article 22 UK/EU GDPR).
8. Cookies & Tracking
We use strictly necessary cookies only — no advertising, analytics, or tracking cookies.
- Session cookie: keeps you authenticated during your browser session. Automatically deleted when you close your browser. No consent required (strictly necessary).
- Remember-me cookie (optional, 30 days): set only if you tick "Keep me signed in" at login. Contains a cryptographically random token — no personal data stored in the cookie itself. You may delete it by logging out.
Under the UK PECR and EU ePrivacy Directive, strictly necessary cookies do not require consent. We will seek consent if we ever add non-essential cookies.
9. Security Measures
- Passwords hashed with bcrypt (cost factor 12) — never stored in plain text
- All connections encrypted via TLS 1.2+ (HTTPS enforced)
- CSRF tokens on all forms
- Session IDs regenerated on login and after authentication changes
- Private configuration files stored outside the public web root
- Regular security updates applied to server software
In the event of a personal data breach that risks your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Article 33/34 UK/EU GDPR.
10. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. Users aged 13–17 must have parental consent. If you believe a child has provided us data without consent, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this policy. We will notify registered users by email at least 14 days before material changes take effect and update the "Last updated" date. Continued use after that date constitutes acceptance of the updated policy.
12. Contact & Data Controller Details
For any privacy or data protection queries:
Email: privacy@ctmoneygoal.com
We aim to respond to all queries within 5 working days.