Privacy Policy
1. Overview
Wet Paint ("we", "us", "our") is operated by David Morgan, an Australian sole trader. This Privacy Policy explains how we collect, use, store and disclose your personal information when you use the Wet Paint personal finance application available at getwetpaint.app.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in that Act. This policy is written to meet those obligations. If you have any concern about your privacy, please contact us before using the service.
2. What Personal Information We Collect
2.1 Account Information
When you register for Wet Paint, we collect:
- Your email address
- A hashed version of your password (we never store your password in plain text)
- Your account creation date and last login time
- Two-factor authentication settings (if you enable them)
2.2 Financial Data You Enter
Wet Paint stores the financial data you enter directly, including:
- Budget categories and budget amounts
- Transaction records (date, description, amount, category)
- Mortgage and investment details
- CSV transaction files you upload
This data is stored on your account and is not shared with any third party except as set out in this policy.
2.3 Open Banking Data (Basiq)
If you choose to connect your bank accounts via Open Banking, we use Basiq, an ASIC-licensed Consumer Data Right (CDR) accredited data recipient, to retrieve your transaction data. See Section 4 for full details.
2.4 Usage and Technical Data
We automatically collect limited technical information when you use the app, including:
- Your IP address (used for rate limiting and security logging)
- Request logs (page visited, HTTP status, timestamp)
- Error logs when the application encounters a problem
We do not use third-party analytics services (such as Google Analytics). We do not track you across other websites.
3. How We Use Your Information
We use your personal information only for the following purposes:
- To provide the service — operating your account, storing your budget and transaction data, displaying your financial summaries
- To communicate with you — sending account verification emails, password reset emails, and important account notifications
- To secure the service — rate limiting, fraud prevention, detecting and investigating security incidents
- To improve the service — reviewing aggregated, anonymised usage patterns to identify bugs and improve features
- To comply with the law — responding to lawful requests from regulators or law enforcement agencies
We will not use your personal information for any other purpose without your consent, unless required or authorised by law.
4. Open Banking Data (Consumer Data Right)
If you connect your bank accounts, Wet Paint integrates with Basiq Pty Ltd, an ASIC-licensed CDR accredited data recipient (ABN 72 635 254 735). When you connect a bank account:
- You authorise Basiq to retrieve your transaction data directly from your bank on your behalf
- Basiq transmits that data to Wet Paint securely over HTTPS
- We store only the transaction records (date, description, amount) in your Wet Paint account
- We do not store your banking username, password, or any other bank login credentials
- You can disconnect your bank account at any time from the Open Banking page
- When you disconnect, we retain the historical transactions already imported; you may request their deletion separately (see Section 7)
Basiq's own privacy policy applies to the data they hold: basiq.io/privacy-policy
5. Disclosure of Your Information
We do not sell, rent or trade your personal information. We may disclose your information to:
- Basiq Pty Ltd — solely to facilitate Open Banking connections you initiate
- Railway (Railwayapp Inc, USA) — our hosting provider. Your data is stored on Railway's infrastructure. Railway does not have access to your unencrypted application data
- SendGrid (Twilio Inc, USA) — used to send transactional emails (verification, password reset). We pass only your email address and the email content to SendGrid
- Anthropic (USA) — if you use the AI categorisation feature, transaction descriptions are sent to Anthropic's Claude API. No other personal information is sent. Anthropic's privacy policy applies: anthropic.com/privacy
- Law enforcement or regulators — where required by Australian law, court order, or to protect our legal rights
5.1 Overseas Disclosure
Some of the third-party services above are located in the United States. By using Wet Paint you consent to your personal information being disclosed to these overseas recipients. We take reasonable steps to ensure these recipients handle your information in accordance with the Australian Privacy Principles.
6. Storage and Security
Your data is stored in a PostgreSQL database hosted on Railway's infrastructure. We implement the following security measures:
- All data is transmitted over HTTPS (TLS)
- Passwords are hashed using PBKDF2-SHA256 and are never stored in plain text
- Sessions are protected with CSRF tokens and secure, HttpOnly cookies
- Two-factor authentication (TOTP) is available and encouraged
- Rate limiting is applied to login and registration to prevent brute-force attacks
- Access to the database is restricted, and the database is not publicly accessible
While we take these precautions, no method of electronic storage or transmission is 100% secure. If you become aware of any security concern, please contact us immediately at hello@getwetpaint.app.
7. Data Retention
We retain your personal information for as long as your account is active. If you close your account, we will delete your personal information within 30 days, except where we are required by law to retain it for longer.
Server access logs are retained for a maximum of 90 days for security and debugging purposes.
8. Your Rights
Under the Privacy Act 1988, you have the right to:
- Access the personal information we hold about you
- Correct personal information that is inaccurate, out of date, incomplete, or misleading
- Delete your account and associated personal data
- Complain about a breach of the Australian Privacy Principles
To exercise any of these rights, email us at hello@getwetpaint.app. We will respond within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
9. Cookies and Local Storage
Wet Paint uses the following:
- Session cookie — a secure, HttpOnly cookie that keeps you signed in. It expires after 30 days of inactivity
- localStorage (theme preference) — stores your light/dark mode preference in your browser. This stays on your device and is never sent to our servers
We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.
10. Contact Us
For any privacy questions, access requests, correction requests, or complaints:
- Email: hello@getwetpaint.app
- Response time: Within 30 days
This policy may be updated from time to time. We will notify registered users of material changes by email. The effective date at the top of this page will always reflect the most current version.