Privacy Policy — Patrimonus

Last updated: 14 May 2026

Patrimonus is a self-hosted personal wealth-tracking tool ("we", "us"). This page describes what data the service collects, why, where it lives, and what you can do with it.

Plain English: we store the financial data you enter so you can come back to it, and your name + email if you sign in with Google. We do not sell, share, rent, or analyse your data for any commercial purpose. We do not run ads or third-party trackers.

1. What we collect

From you, when you choose to provide it:

Google sign-in (optional): email address, display name, profile picture URL, and a stable Google account identifier (the OpenID Connect sub). We only receive this if you click "Sign in with Google".
Passkeys (optional): when you register a passkey, your authenticator sends us a public key, a credential identifier, and a counter. We never see your biometric data, device PIN, or any private key — those stay on your device.
Financial data you enter: incomes, expenses, accounts, balances, RSU grants and vesting schedules, loans, exceptional events, simulation scenarios, and dashboard configurations.

Collected automatically while you use the service:

A signed session cookie (patrimonus_session, 7-day TTL) so we know it's still you between requests. Two short-lived helper cookies are set during sign-in ceremonies (patrimonus_intent, patrimonus_oidc_state).
Standard server-side request metadata in our logs (IP address, user-agent string, request path, response code, timing) for operational and security purposes.

2. Where your data is stored

Data is stored in a PostgreSQL database running on our private home-lab Kubernetes cluster located in France. The database volume lives on local network-attached storage. Backups, if taken, are stored on the same private infrastructure.

3. Third parties in the request path

Operating the service involves a few unavoidable third parties:

Google — if you sign in with Google, your browser talks to Google's OpenID Connect endpoints. Google receives standard sign-in telemetry; we receive only the identity claims listed in section 1.
Cloudflare — app.patrimonus.com and patrimonus.com are fronted by Cloudflare Tunnel. Cloudflare terminates TLS at its edge, so it can see request metadata (host, path, timing, IP) and the bytes of HTTPS-encrypted traffic before forwarding it to our origin. We rely on Cloudflare's published privacy practices.
Datadog — we send anonymised performance traces and logs to Datadog for operational monitoring (error tracking, latency). Traces include request paths and timings; they do not include the financial data you enter, your email, or your name.

We do not use any analytics, advertising, retargeting, or marketing trackers. There is no Google Analytics, no Facebook Pixel, no session-replay tool.

4. How we use your data

To authenticate you when you sign in.
To store your financial data so you can retrieve and edit it.
To detect and debug operational problems (logs, traces).

We do not profile you, build advertising audiences, train machine-learning models on your data, or share your data with any party not listed in section 3.

5. How long we keep it

Account data is kept as long as your account exists. Operational logs (nginx access logs, Datadog traces) are retained for up to 30 days for security and debugging. If you delete your account, your user record, OAuth identity, passkeys, simulations, scenarios and accounts are removed from the live database. Backup copies that include your data roll off as backups are rotated.

6. Your rights

Whether or not GDPR applies to you, we honour these requests on a best-effort basis for any user, and within the GDPR-mandated time frames for users in the EU:

Access: ask us for a copy of the data we hold about you.
Correction: edit your data inside the app, or ask us to correct it.
Deletion: ask us to delete your account and all associated data.
Withdraw consent: stop using the service and request deletion.

Email [email protected] to exercise any of these.

7. Cookies

The service sets only first-party, HttpOnly cookies it needs to operate:

patrimonus_session — signed session ID, 7 days.
patrimonus_intent — transient state during passkey signup/registration, 10 minutes.
patrimonus_oidc_state — transient OAuth state, set only during Google sign-in.

No analytics or marketing cookies are set.

8. Children

Patrimonus is not directed at children. We do not knowingly collect data from anyone under the age of 16. If you believe we have, contact us and we will delete it.

9. Security

Sign-in is passwordless: we never store passwords. Sessions are signed HttpOnly cookies. Passkey credentials are stored as public keys, not biometric data. The database is on a private network not exposed to the public internet. We use TLS everywhere.

10. Changes to this policy

We will update this page when something material changes, and bump the "Last updated" date at the top. There is no separate notification — check back here if you want to know.

11. Contact

Email: [email protected]