Privacy, plainly.
We don't run ads. We don't track you across the web. We don't sell or share your personal data with anyone. An account is entirely optional — we only ask for one if you want email rate alerts. Below is the full, specific picture: what we collect, why, who we share it with, and how to delete it.
Effective date: 29 April 2026 · Last updated: 29 April 2026
The short version
- No analytics, no ads, no third-party trackers. No Google Analytics, no Facebook Pixel, no fingerprinting, no behavioural advertising.
- No cookies that need a consent banner. The only cookie we set is a strictly-necessary login session, and only if you choose to log in.
- An account is optional. Without one you can convert currencies, view charts, and see comparison tables. The only feature locked behind login is email rate alerts.
- You can delete your account at any time. Deleting an account wipes your email, password hash, saved pairs, alerts, and alert history immediately and irreversibly.
- We never sell your data. We have no business model that involves your data.
What we collect
We collect only what's needed to run the service. There are three categories:
1. Account data (only if you sign up)
- Email address — used to log you in, send rate alerts, and recover access.
- Password hash — your password is hashed before storage; we never see or store the plaintext.
- Google account profile (only if you sign in with Google) — your email and name as returned by Google's OAuth flow.
2. Service data (only if you create favourites or alerts)
- Saved currency pairs — the pairs you star ("favourites").
- Rate alerts — the pair, direction (above/below), target rate, and cooldown for each alert you create.
- Alert history — when each alert fired and the rate that triggered it. Used to enforce cooldowns and let you see past alerts in your account.
3. Operational logs
- Edge access logs — Cloudflare records standard request metadata (IP address, timestamp, path, user-agent) for security, abuse prevention, and debugging. Retained per Cloudflare's standard retention (typically a few days to a few weeks). We never link these logs to account data.
- Email delivery logs — when a rate alert email is sent, our email provider (Resend) records the recipient address and delivery status to handle bounces and spam complaints.
What we don't collect
- No analytics — no Google Analytics, Plausible, Mixpanel, Segment, Heap, or any equivalent.
- No advertising or marketing cookies. We don't run ads, and we don't share data with ad networks.
- No browser fingerprinting.
- No location beyond country-level inference from your IP (which Cloudflare uses for routing and abuse detection — we don't store it against your account).
- No social-media sharing trackers (Like buttons, etc.).
- No call-recording, session-replay, heatmap, or scroll-tracking tools.
How we use what we collect
- Authentication. Your email and password (or Google profile) are used to log you in and keep you logged in via a secure HTTPS-only session cookie.
- Email rate alerts. When a rate you've set hits its target, our scheduled job emails you using your account email.
- Service operation. Saved favourites and active alerts are stored so they're there next time you log in.
- Security & abuse prevention. Edge logs are used to rate-limit, block bots, and investigate incidents. We don't use them for any analytics purpose.
We do not use your data to build profiles, train models, sell, share, or rent it. We do not contact you for marketing — the only emails we'll send are transactional (rate alerts, password resets, security notices).
Sub-processors and third parties
We use a small number of third parties to run the service. These are the only entities that ever see your data, and only the minimum needed for their role.
| Provider | Role | What it sees |
|---|---|---|
| Supabase | Authentication and database | Email, password hash, your favourites, alerts, alert history |
| Resend | Transactional email delivery | Your email address and the body of each rate-alert email |
| Cloudflare | Hosting, DNS, edge security | Standard edge logs (IP, request path, timestamps, user-agent) |
| Google OAuth | "Continue with Google" sign-in (optional) | Email + name returned during sign-in. Only if you choose this method. |
| Frankfurter | European Central Bank exchange rates | The currency codes we query. No personally identifiable information. |
| jsDelivr CDN | Serves the Chart.js library | Your IP, in standard CDN access logs. |
| Google Fonts | Serves Inter, Instrument Serif, JetBrains Mono | Your IP when fonts load. We don't pass any personal data. |
Each provider has its own privacy practices. We choose providers we consider reputable, but you should consult their policies if you want their full picture.
Cookies and local storage
- Login session cookie (strictly necessary, set by Supabase). Only present after you log in. HTTPS-only, used solely to keep you logged in. Cleared on logout.
- cc_tracked_currencies in localStorage. The list of currencies pinned in the homepage rates table. Local to your browser; never sent to our servers.
We do not set advertising, analytics, or third-party tracking cookies. Because the only cookie we set is strictly necessary for the service you've explicitly asked for (logging in), no consent banner is required under the EU ePrivacy Directive or UK PECR.
Your rights
EU / UK / EEA (GDPR & UK GDPR)
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (you can change your email yourself; for anything else, contact us).
- Erasure ("right to be forgotten") — delete your account at any time. This wipes your email, password hash, favourites, alerts, and alert history through database cascade deletes.
- Portability — request a machine-readable export of your data.
- Restriction / objection — ask us to stop or limit processing.
- Withdraw consent — for any processing we do based on consent.
- Lodge a complaint — with your national data-protection authority.
California (CCPA / CPRA)
- Right to know what personal information we collect, use, and disclose.
- Right to delete the personal information we hold about you.
- Right to correct inaccurate information.
- Right to opt out of sale or sharing — not applicable here, because we do not sell or share personal information for cross-context behavioural advertising.
- Right to non-discrimination — exercising any of these rights doesn't affect your ability to use the service.
To exercise any of these rights, email admin@currencycalculator.exchange from the address on your account, or use the in-app delete-account control. We will respond within the timeframes required by the applicable law (typically 30 days for GDPR, 45 days for CCPA).
Data retention
- Account data (email, password hash) — retained as long as your account exists. Deleted immediately when you delete your account.
- Favourites and alerts — retained as long as your account exists, deleted on account deletion via foreign-key cascade.
- Alert history — retained as long as your account exists, deleted on account deletion.
- Cloudflare edge logs — retained per Cloudflare's standard policy (typically days to a few weeks).
- Resend email logs — retained per Resend's standard policy.
Security
- All traffic is served over HTTPS, terminated at Cloudflare's edge.
- Passwords are hashed; the plaintext is never stored or logged.
- Database tables are protected by row-level security so each user can only read or modify their own rows.
- Privileged service credentials are kept out of the browser entirely; they only run inside server-side Edge Functions.
- Email rate-alert delivery is gated by a shared cron secret so the scheduled job can't be triggered by anyone outside our infrastructure.
No system is perfectly secure. If you believe you've found a vulnerability, please email admin@currencycalculator.exchange.
Children
Currency Calculator is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has created an account, contact us and we will delete it.
International transfers
Our infrastructure providers (Supabase, Cloudflare, Resend) operate primarily from the United States. If you are in the EEA, the UK, or another jurisdiction with cross-border-transfer rules, we rely on the providers' standard contractual clauses and equivalent legal mechanisms for any transfer of personal data outside your home jurisdiction.
Not financial advice
Currency Calculator is an information tool. The exchange rates we display are mid-market reference rates from the European Central Bank, sourced via the Frankfurter API. They are indicative and not intended for trading or financial decisions. Bank-markup figures shown in the comparison tables are approximate retail-tier estimates and vary by transfer size, channel, and time of day. Always verify with your provider before transacting.
Changes to this policy
We will update the "last updated" date at the top of this page when this policy changes. For material changes, we will give prominent notice on the homepage and, if you have an account, by email. Continued use of the service after the effective date of a change means you accept the updated policy.
Contact
Questions, requests, or complaints about this policy or your data — including data-rights requests under GDPR / CCPA and security-vulnerability disclosures — go to admin@currencycalculator.exchange.