Privacy Policy

Effective date: March 2026

Nth is a personal productivity application operated by an individual developer, not a company. This policy explains what data Nth collects, how it is stored, and how it is used.

1. Data We Collect

When you use Nth, the following types of data may be collected and stored:

• Productivity data: Habits, tasks, notes, calendar events, projects, goals, weekly reviews, inbox items, and quick tasks that you create within the app.
• Financial data: Budget entries, expenses, income, investment holdings, contribution records, and portfolio snapshots that you enter manually.
• Bank transactions: If you connect a bank account via Plaid, transaction data including merchant names, amounts, dates, categories, and account balances are synced from your financial institution.
• Google Calendar data: If you enable Google Calendar sync, event titles, dates, times, and locations are synced between Nth and your Google Calendar.
• Profile information: Name, email address, and phone number if provided during account setup or Google OAuth.
• Login activity: IP addresses, timestamps, user agent strings, and login results (success, failure, lockout) are recorded in an encrypted security log.

2. How Your Data Is Stored

All data is stored on a secure, privately managed server. The following protections are in place:

• Encryption at rest: All data files are encrypted using AES-256-GCM before being written to disk.
• Encryption in transit: All connections use HTTPS with TLS, enforced via HSTS headers.
• Data isolation: Each user's data is stored separately. Users cannot access other users' data.
• Backups: Up to 10 rotating backups of your data are maintained on the server.
• Passwords: Passwords are hashed using scrypt and are never stored in plaintext.

3. Third-Party Services

Nth integrates with the following third-party services. Data shared with these services is governed by their respective privacy policies:

• Plaid (plaid.com/legal): Used to securely connect bank accounts and retrieve transaction and balance data. Nth does not store your bank login credentials; Plaid handles authentication directly.
• Google (policies.google.com/privacy): Used for Google Calendar two-way sync via OAuth 2.0. Nth requests only calendar read/write permissions and does not access other Google data.
• Finnhub (finnhub.io): Used to fetch real-time stock and ETF price quotes.
• CoinGecko (coingecko.com): Used to fetch cryptocurrency price quotes.
• ipapi.co (ipapi.co/privacy): If geo-blocking is enabled, your IP address is sent to ipapi.co to determine your country of origin. This is optional and can be disabled.

4. Cookies and Local Storage

• Session cookie (nth.sid): An httpOnly, secure cookie used to maintain your login session. Expires after 2 hours of inactivity.
• Remember-me cookie (nth.remember): An optional httpOnly, secure cookie that keeps you signed in for up to 30 days. Created only if you check "Remember me" at login.
• localStorage: An offline cache of your app data is stored in your browser's localStorage to improve load performance. This data is cleared when you log out.

Nth does not use any advertising cookies, tracking pixels, or analytics scripts.

5. No Advertising, Analytics, or Data Sales

Nth does not display advertisements, does not use third-party analytics or tracking services, and does not sell, share, or monetize your data in any way. Your data is used solely to provide the app's functionality to you.

6. Data Retention

Your data is retained on the server for as long as your account exists. When you delete individual items (habits, tasks, notes, etc.), they enter a "Recently Deleted" state and are automatically purged within 7 days.

7. Account Deletion

You can delete your account and all associated data at any time from within the app: open Account settings and tap "Delete My Account." You will be asked to confirm with your password. Upon deletion, your user record, all data files, per-user backups, OAuth tokens, and Plaid tokens are permanently removed from the server. This action is irreversible.

8. Children's Privacy

Nth is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided data to Nth, please contact us at privacy@justinuspro.duckdns.org.

9. Security

Nth implements multiple layers of security including password hashing (scrypt), optional two-factor authentication (TOTP), IP-based account lockout, CSRF protection, Content Security Policy headers, and rate limiting on all endpoints. See the app's security documentation for full details.

10. Changes to This Policy

This privacy policy may be updated from time to time. Changes will be reflected on this page with an updated effective date. Continued use of Nth after changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this privacy policy or your data, contact the developer at privacy@justinuspro.duckdns.org.