TL;DR
Compass is a personal finance tracker. Your financial data (transactions, assets, debts, goals, subscriptions, net worth history) lives in your own Google Sheet in your Google Drive. We never see the contents of that Sheet server-side.
The one piece of personal data we DO store server-side is your Google OAuth refresh token, encrypted at rest (AES-GCM) on Cloudflare Workers KV. This token lets Compass silently renew your session so you don't have to re-authenticate every hour. We use it solely to mint short-lived access tokens for the Google Sheets API on your behalf — never to access your data outside of an active session you've initiated.
If you want to stop using Compass: open Settings → Disconnect from Google. This revokes the refresh token at Google and deletes it from our servers.
For privacy questions, email [email protected].
What data we have access to — and what we don't
- Your transactions, assets, debts, goals, subscriptions, net worth history live in your Google Sheet in your Drive. We cannot read them server-side. During an active session in your browser, Compass uses a short-lived access token to read and write to only the Compass Sheet we created on your behalf.
- Your name, base currency, FIRE assumptions, and a session JSON Web Token (JWT) live in your browser's localStorage on your device. localStorage never leaves your browser.
- Your Google OAuth refresh token is stored on Cloudflare Workers KV, encrypted at rest with AES-GCM. Only the Compass auth Worker can decrypt it. We never share it with third parties.
- Your purchase email, name, and billing address are held by our payment processor Lemon Squeezy under their privacy policy. We see the purchase record (name, email, amount, date) for support handling — that is the only personal billing data we hold.
How Compass works (technical detail)
- You visit firecompass.app — a static site hosted on Cloudflare Pages.
- Your browser downloads HTML, JavaScript, and CSS that are identical for every visitor.
- On first run a wizard asks you to paste your Compass license key, then sign in with Google. Google's OAuth consent screen asks you to grant Compass the drive.file scope. Click Allow.
- Compass exchanges the authorization code for an access token and a refresh token via Google's OAuth token endpoint. The refresh token is encrypted and stored on the Compass auth Worker (Cloudflare Workers KV). The access token comes back to your browser.
- Compass creates a new Google Sheet in your Drive on your behalf. The drive.file scope restricts Compass to only the Sheets Compass itself creates — Compass cannot see any other files in your Drive.
- Your browser then reads/writes data to that Sheet via the Google Sheets API, using the access token. All Sheet data traffic flows directly between your browser and Google — it does not pass through Compass servers.
- When the access token expires (~1 hour), the Compass auth Worker mints a fresh one via Google's token endpoint, using the stored refresh token. You stay signed in without re-consenting.
Google OAuth scopes Compass requests
- https://www.googleapis.com/auth/drive.file — create and read/write only the Compass Sheet in your Drive (the most restrictive Sheets-compatible scope). Compass cannot see any other file in your Drive, and the same scope covers every Sheets operation Compass needs (creating the Sheet, reading/writing its cells, applying formatting and data validation).
- openid + email — read your verified Google email for license-binding (your sign-in email must match the email you used at purchase).
- profile — read your display name to greet you on the dashboard.
Cookies and tracking
Compass does not use cookies, fingerprinting, analytics, or tracking pixels. We do not embed Google Analytics, Mixpanel, Hotjar, Sentry, PostHog, or any equivalent. The static-site hosting provider (Cloudflare Pages) keeps standard server access logs at the network level, which we do not access for analysis.
Payment processor data
When you purchase Compass, our payment processor Lemon Squeezy collects your name, email, billing address, and payment details under their privacy policy: lemonsqueezy.com/privacy.
We receive a record of your purchase (name, email, amount, transaction ID) for support handling. We do not enrich this with any other data and we do not share it with third parties.
Data protection mechanisms
This section details the specific technical and organizational measures Compass uses to protect your data.
Encryption in transit
All communication between your browser, Compass's servers, and Google's servers uses HTTPS (TLS 1.2 or higher). This includes:
- Page loads from firecompass.app
- OAuth flows with Google
- API calls between your browser and Google Sheets API (your data flows directly browser ↔ Google, never through Compass servers)
- Calls between your browser and the Compass authentication Worker
Encryption at rest
The only piece of personal data Compass stores server-side is your Google OAuth refresh token. It is encrypted at rest with AES-GCM (256-bit) using a key derived from a per-deployment secret. Storage is Cloudflare Workers KV. Only the Compass authentication Worker can decrypt the refresh token; a database-level breach would yield only ciphertext.
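One way the at-rest protection described above could be built, shown as an added example that is not Compass's own code. HKDF-SHA-256 as the derivation step, the iv + tag + ciphertext record layout, the user-ID binding, and all names and sample values are assumptions; it uses Node's crypto module so it runs offline.

```javascript
// Added example: function names, record layout and the HKDF step are assumptions.
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Derive a 256-bit AES key from the per-deployment secret.
// The page only says "derived from"; HKDF-SHA-256 is assumed here.
function deriveKey(deploymentSecret) {
  const okm = hkdfSync("sha256", deploymentSecret, Buffer.alloc(0), "refresh-token-v1", 32);
  return Buffer.from(okm);
}

// Encrypt a refresh token into the string that would be written to KV.
// A fresh random IV is generated per call: reusing an IV under one key breaks GCM.
// The user ID is bound as associated data, so a record copied under another
// user's KV key fails authentication instead of decrypting.
function sealToken(key, userId, refreshToken) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(refreshToken, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt a stored record. Throws if the key, the user ID, or any byte of the
// record differs from what was sealed (tag verification happens in final()).
function openToken(key, userId, record) {
  const raw = Buffer.from(record, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("record too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed sample values, not real credentials.
const demoKey = deriveKey("constructed-deployment-secret");
const demoRecord = sealToken(demoKey, "user-a", "1//constructed-refresh-token");
console.log("stored record:", demoRecord);
console.log("round trip ok:", openToken(demoKey, "user-a", demoRecord) === "1//constructed-refresh-token");
```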
Access controls
- OAuth scope restriction: Compass requests the drive.file scope, which limits Compass's access to only the single Google Sheet Compass itself creates on your behalf. Compass cannot access any other file in your Drive — not your other Sheets, not your Docs, not anything else stored there.
- No service account, no shared credentials: Compass uses your own Google account to read and write your Compass Sheet. There is no server-side service account that could be compromised independently of your Google account.
- One-time license validation: Your Lemon Squeezy license is checked once at sign-in and cached locally. Compass does not re-call Lemon Squeezy on every request.
Data storage and processing locations
- Your financial data: Lives in your Google Sheet, in your own Google Drive. Compass has zero server-side storage of this data.
- Your encrypted refresh token: Stored on Cloudflare Workers KV. The Compass authentication Worker runs on Cloudflare's global edge network.
- Static site files: Cloudflare Pages serves the Compass web application from Cloudflare's global edge network.
Incident response
In the event of a security incident affecting personal data, we will notify affected users by email (at the address used for purchase) within a reasonable timeframe, generally within 72 hours of confirming the incident, along with steps you can take to protect yourself.
Children
Compass is not intended for users under 13. We do not knowingly process data from children.
Data retention and deletion
To erase your Compass data:
- Open Compass → Settings → “Disconnect from Google”. This revokes the refresh token at Google AND deletes it from Cloudflare Workers KV.
- Delete the Compass Sheet from your Drive (or relevant rows) if you don't want to keep it.
- (Optional) In your Google account, visit myaccount.google.com/permissions and remove Compass from your apps — this severs the connection independently.
Changes to this policy
If we change this policy, the “Last updated” date above will reflect that. Material changes will be announced on the Compass website.
Contact
Email [email protected] for any privacy question, data request, or concern.