Privacy Policy
Last updated: March 2026
This Privacy Policy explains what information In The Black collects, how we use it, how we protect it, and what rights you have over it. We have written it to be readable, not to obscure what we actually do.
1. What We Collect
Information you provide directly
- Account information — your name, email address, and password (stored as a one-way hash; we cannot read your password)
- Profile information — age range, primary financial goal, self-assessed familiarity, and UI theme preference
- Financial figures — income, expense estimates, debt balances, and savings amounts you voluntarily enter. These are approximations you provide; we do not connect to your bank accounts
- Learning progress — which modules you have started and completed, and when
- Content you submit — any feedback or notes submitted through the platform
Information collected automatically
- Session data — authentication tokens stored as secure, httpOnly cookies. These are not accessible to JavaScript and expire when you log out
- Basic usage logs — server-side logs of API requests for error monitoring and security purposes. These contain timestamps, endpoint paths, and HTTP status codes — not your financial data
We do not use tracking pixels, third-party analytics scripts, advertising networks, or behavioral profiling tools. We do not sell or share your data with third parties for marketing purposes.
2. How We Use It
We use the information we collect only to:
- Provide and improve the platform (authenticate you, show your progress, personalise content)
- Compute your Financial Position score and populate your Flow diagram using figures you have entered
- Send transactional emails if you request a password reset (no marketing emails without explicit opt-in)
- Monitor for errors and security incidents
We do not use your financial data to make lending decisions or assess creditworthiness, and we do not share it with financial institutions.
3. How We Store and Protect It
- Data is stored in a managed PostgreSQL database with encryption at rest
- All data is transmitted over TLS (HTTPS) — never in plain text
- Passwords are hashed using bcrypt with a strong cost factor before storage
- Authentication tokens are stored as signed httpOnly cookies, not in localStorage or sessionStorage
- Access to production data is restricted to authorised personnel only
4. Data Sharing
We do not sell your data. We do not share your personal or financial information with third parties except in the following limited circumstances:
- Infrastructure providers — we use third-party cloud services (database hosting, application hosting) to operate the platform. These providers process data on our behalf under data processing agreements and do not use your data for their own purposes
- Legal requirements — if required by law, court order, or to protect the rights, property, or safety of users or the public
5. Cookies
In The Black uses one functional cookie: itb_token, an httpOnly authentication cookie set when you log in. It expires when your session ends or you log out. It is necessary for the platform to function and is not used for tracking or advertising.
We do not use third-party cookies, analytics cookies, or advertising cookies.
6. Your Rights
You have the following rights over your data, regardless of where you are located:
- Access — you can request a copy of all data we hold about you
- Correction — you can update your profile and financial figures at any time through the platform
- Deletion — you can request deletion of your account and all associated data. We will process deletion requests within 30 days
- Portability — you can request your data in a machine-readable format (JSON)
- Objection — you can object to any processing of your data that is not strictly necessary for the service to function
Users in the European Economic Area have additional rights under the GDPR. Users in Canada have rights under PIPEDA (Personal Information Protection and Electronic Documents Act). To exercise any of these rights, contact us through the platform or at the address in your account settings.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law (for example, basic transaction logs for security audit purposes, retained for up to 12 months).
8. Children
In The Black is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy as the platform evolves. We will update the date at the top of this page when we do, and for material changes, we will notify users within the platform. Continued use after changes are posted constitutes acceptance of the revised policy.
10. Contact
For privacy-related questions or to exercise your rights, contact us through the platform's profile page or at the email address listed in your account settings. We will respond within 10 business days.