Legal

Privacy Policy

Last updated: 3 June 2026 · My Debt Plan operates at mydebtplan.uk

🔒

Your data stays here

All data is stored on our server only. Nothing is sent to third-party analytics, advertising networks or data brokers.

🚫

No data sold. Ever.

We do not sell, rent, trade or share your personal data with any third party for commercial purposes.

🗑️

Delete anytime

You can permanently delete your account and all associated data at any time from your Profile settings, with no questions asked.

📵

No ads. No tracking.

No Google Analytics, no Facebook pixel, no advertising scripts. The only external scripts are Google Translate (optional) and Google Fonts.

1. Who we are

My Debt Plan (mydebtplan.uk) is a free personal finance platform that helps individuals track debt, build repayment plans, and manage their financial goals. The platform is operated as an independent project.

2. What data we collect

We collect only the minimum data necessary to provide the service.

Data	Why we collect it	How long we keep it
Username and password (hashed)	Account authentication	Until you delete your account
IP address at registration	Spam and abuse prevention	Until you delete your account
IP address at login	Session security and fraud detection	30 days
Debt names, amounts and payment history	Core app functionality	Until you delete your account
Budget settings and goals	Core app functionality	Until you delete your account
Forum posts and replies	Community feature	Until you delete your post or account
Documents you upload	Debt document storage feature	Until you delete them or your account
Language preference	Saved in your browser (localStorage)	Until you clear your browser data

We do not collect email addresses unless you voluntarily provide one. We do not collect payment card information. We do not use cookies except for Google Translate functionality if you choose to use it.

3. How we use your data

Providing the service — storing and displaying your debts, budgets, goals and payments
Security — detecting brute-force login attempts and blocking abusive IP addresses
Forum moderation — reviewing posts before they are published to prevent spam and abuse
Platform improvements — anonymous aggregate statistics (total user count, total debt tracked) to understand usage. No individual data is used for this.

4. Passwords

Your password is never stored in plain text. It is processed using bcrypt hashing at cost factor 12, a one-way cryptographic function. Even if the database were compromised, passwords could not be recovered. We cannot see or retrieve your password — if you forget it, an admin can reset it for you.

5. Sessions and tokens

When you log in, a cryptographically signed session token is issued. This token is stored in your browser's localStorage and expires after 30 days. It is verified on every request. We log session IP addresses and browser information for security purposes. You can ask an admin to invalidate all your active sessions at any time.

6. Third-party services

The following external services may be used by the platform:

Google Fonts — loads font files from Google's CDN when you visit the site. Google may log your IP address as part of serving these files. Google Privacy Policy
Google Translate — if you click a language button, a Google Translate script is loaded which translates the visible page content. Google may process the page text. This is optional and only activates when you choose a non-English language. Google Privacy Policy

No other third-party services, analytics tools, advertising networks or social media pixels are used.

7. Forum posts

Content you post in the forum is visible to all registered users once approved. Your username appears alongside your posts. Posts are moderated by admins before being published. You can delete your own posts at any time within 15 minutes of posting, or contact an admin for removal after that window.

We log the IP address associated with forum posts for abuse prevention purposes. This is not displayed publicly and is only accessible to admins.

8. Your rights

Access — all your data is visible within the app
Correction — you can update your username, display name, and profile information at any time
Deletion — delete your account permanently from Profile → Delete Account. This removes your account, debts, payments, goals, savings, documents and forum posts immediately and irreversibly
Portability — you can export your debt data as CSV from the My Debts tab at any time

9. Data security

All database queries use parameterised prepared statements — SQL injection is structurally prevented
Passwords are bcrypt hashed with cost factor 12
Session tokens are HMAC-SHA256 signed and expire after 30 days
Brute-force protection locks accounts after 5 failed login attempts
IP addresses that exceed registration limits or show abuse patterns are blocked

10. Data retention

Your data is retained for as long as your account is active. If you delete your account, all personal data is permanently removed from our database immediately. We do not keep backups of deleted user data beyond our standard server backup rotation (typically 7 days). After this window, deleted data is completely unrecoverable.

11. Children

My Debt Plan is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has registered, please contact us and we will remove the account.

12. Changes to this policy

If we make material changes to this policy, we will notify registered users via a platform announcement. Continued use of the platform after changes constitutes acceptance of the updated policy. The date at the top of this page reflects the most recent update.

Questions about your data?

If you have any questions about this policy or want to request deletion of your data, open the app and use the Delete Account option in your Profile, or contact us through the forum.