Privacy Policy

Last updated: March 13, 2026

Overview

Capital Friends (capitalfriends.in) is a free, open-source family portfolio tracker built by Jagadeesh Manne. It helps you track investments, insurance, loans, and goals for your entire family using a Google Spreadsheet stored in your own Google Drive.

Capital Friends does not have any backend servers, databases, or analytics. Your financial data stays entirely within your Google account. The developer cannot access your financial data.

How Your Data is Stored

When you sign in for the first time, the app automatically creates a Google Spreadsheet named "Capital Friends - Your Name" in your Google Drive. All your financial data is written to this spreadsheet.

The spreadsheet is owned by you and stored in your Google Drive
Only you (and people you explicitly share it with) can access it
The developer has no server-side copy of your data
The web app is a static site hosted on GitHub Pages — there is no backend server or database
All data operations run via Google Apps Script (Execution API) — the script reads and writes only your Capital Friends spreadsheet

Google Permissions (OAuth Scopes)

When you sign in with Google, we request the following permissions. Each is required for the app to function:

auth/spreadsheets

Google Sheets Sensitive

See, edit, create and delete all your Google Sheets spreadsheets

Why we need this: Required to create your Capital Friends spreadsheet on first sign-in, and to read/write your portfolio data, goals, settings, family members, insurance, liabilities, and all other financial information. The app only accesses the Capital Friends spreadsheet it created — no other spreadsheets.

auth/drive.file

Google Drive (App-Created Files) Non-Sensitive

See, edit, create and delete only files created by this app

Why we need this: Used to create your Capital Friends spreadsheet via SpreadsheetApp.create() during first-time setup. This scope only grants access to the single spreadsheet the app creates — we cannot access any other files in your Google Drive.

auth/gmail.send

Gmail (Send Only) Sensitive

Send email on your behalf

Why we need this: Used to send periodic email reports containing your portfolio summary, goal progress, and fund performance. Emails are sent from your own Gmail account to yourself and/or family members you configure in Settings. We cannot and do not read, access, or delete your emails — the gmail.send scope only permits sending.

auth/script.scriptapp

Apps Script Execution Sensitive

Allow this application to run when you are not present

Why we need this: Required for time-based triggers that automatically refresh mutual fund NAV prices daily and send scheduled email reports. These triggers run as background tasks within Google Apps Script — not on any external server.

openid, email, profile

Sign-In Identity

Know who you are on Google, see your email address and profile info

Why we need this: Standard Google Sign-In scopes used to authenticate you and display your name, email, and profile picture within the app. This information is used only in-browser and is not sent to or stored on any server.

Google API Services User Data Policy

Capital Friends's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

How We Use Google User Data

Capital Friends accesses Google user data exclusively to provide its core portfolio tracking functionality. Below is a complete disclosure of how each type of data is used:

Google Sheets data: Your financial data (mutual fund holdings, stock portfolios, insurance policies, loan records, family members, goals, and transaction history) is read from and written to a single Google Spreadsheet that the app creates in your Google Drive. This data is used solely to render your dashboard, portfolio views, reports, and goal tracking within the app. It is never copied, cached on any server, or transmitted outside your browser session.
Google Drive access: Used only to create the Capital Friends spreadsheet during first-time setup. No other files in your Drive are listed, accessed, read, or modified.
Gmail (send only): Used exclusively to send scheduled portfolio summary emails and reminder notifications (SIP reminders, insurance renewal alerts, goal progress) from your own Gmail account to recipients you configure. Email content is generated on-the-fly from your spreadsheet data and is not stored anywhere. We do not read, search, or delete any emails.
Apps Script triggers: Used to schedule background tasks that refresh mutual fund NAV prices daily and send automated email reports. These triggers run entirely within Google's infrastructure under your authenticated session.
Profile information: Your name, email, and profile picture (from Google Sign-In) are displayed within the app's UI for identification purposes only. This information is not stored on any server or shared with any third party.

Data is never used for: advertising, profiling, selling to third parties, training AI/ML models, or any purpose other than providing the portfolio tracking features described above.

Data Protection & Security

Capital Friends implements the following measures to protect your sensitive financial data:

No server-side storage: Your financial data is never transmitted to or stored on any server owned or operated by Capital Friends. All data resides exclusively in your Google Drive, protected by Google's enterprise-grade security infrastructure.
Encryption in transit: All communication between your browser and Google APIs is encrypted using HTTPS/TLS. The app is served over HTTPS from GitHub Pages.
Encryption at rest: Your spreadsheet data is stored in Google Drive, which encrypts all data at rest using AES-256 encryption as part of Google's standard infrastructure security.
OAuth 2.0 authentication: The app uses Google's OAuth 2.0 protocol for authentication. Access tokens are stored only in your browser's session memory and are never persisted to disk, local storage, or any server.
Minimal data access: The app accesses only the single spreadsheet it created. It does not scan, index, or access any other files in your Google Drive, emails in your Gmail, or data in any other Google service.
No third-party data sharing: Your Google user data is never shared with, disclosed to, or made accessible to any third party, including analytics services, advertising networks, or data brokers.
Open source: The entire application source code is publicly available on GitHub, allowing independent verification of all data handling practices.

Data We Collect

We do not collect, store, or transmit any user data to our own servers.

No analytics or tracking scripts (no Google Analytics, no Mixpanel, no Sentry, etc.)
No cookies beyond what Google Sign-In requires for authentication
No server-side logging of user activity or API calls
No advertising, ad networks, or ad-related tracking
No user data is shared with, sold to, or disclosed to any third party
No user data is used for training machine learning or AI models

The web app is a static website hosted on GitHub Pages. It communicates directly with Google APIs from your browser. There is no intermediary server that processes or stores your data.

Email Reports

If you enable email reports in Settings, the app uses Google Apps Script (running under your authenticated session) to send a portfolio summary email via your Gmail account.

Emails are sent from your Gmail to recipients you configure (yourself and/or family members)
Email content is generated on-the-fly from your spreadsheet data — it is not stored anywhere
We cannot read, access, search, or delete your emails — the gmail.send scope only permits sending
You can disable email reports at any time from Settings

Data Deletion & Account Removal

Since all your data is stored in your own Google Drive, you have full control:

Delete all data: Delete the "Capital Friends" spreadsheet from your Google Drive. This permanently removes all your financial data.
Revoke app access: Go to Google Account Permissions and remove Capital Friends. This revokes all OAuth permissions.
No server-side cleanup needed: Since we store no data on any server, revoking access and deleting your spreadsheet is a complete removal.

Third-Party Services

Capital Friends interacts with the following third-party services:

Google APIs — Authentication (OAuth 2.0), Google Sheets API, Google Drive API, Gmail API, and Apps Script Execution API. Governed by Google's Privacy Policy.
AMFI (amfiindia.com) — Public mutual fund NAV data is fetched daily for price updates. No personal or user data is sent to AMFI — only scheme codes are used to look up public NAV values.
GitHub Pages — The static web app is hosted on GitHub Pages. GitHub serves the HTML/CSS/JS files but has no access to your Google data or authentication tokens.

Children's Privacy

Capital Friends is not intended for use by individuals under the age of 18. We do not knowingly collect information from children. The app is designed for adults managing family finances.

Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the app after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this privacy policy, data handling, or the app:

Developer: Jagadeesh Manne

Email: jagadeesh.k.manne@gmail.com

GitHub: jagadeeshkmanne/capital-friends