Privacy Policy

Table of Contents

1. Who we are

2. Scope

3. What we collect

4. How we use data

5. Legal bases

6. Sharing and disclosures

7. Data retention

8. Security

9. International transfers

10. Your rights

11. Children

12. Trackers/identifiers

13. Third-party policies

14. Android permissions

15. Changes

16. Contact

17. Google Play Data Safety

1. Who we are

FinTrack ("we", "our", "us") is a personal finance app that helps you track spending, budgets, subscriptions, and insights.

Contact: [Your Company/Name], [Address] • Email: support@fintrack.app

2. Scope

This policy explains how we collect, use, share, and protect information when you use the FinTrack mobile app and our related backend API/services.

3. What we collect

Account and profile

Google Sign‑In basic profile data: email, full name, avatar URL, and Google user ID.

Financial content you create

• Transactions: amount, type (income/expense), category, merchant, payment method (card/digital/bank/cash), description, transaction date.

• Budgets: name, amount, period (weekly/monthly/quarterly/yearly), start/end dates, status.

• Subscriptions: service name, amount, billing cycle, payment method, next billing date, status.

• Categories: name, icon, color, type (income/expense).

Optional SMS import metadata

Only if this feature is enabled and permitted

Non‑content metadata such as a raw hash (for deduplication), parsing confidence score, bank identifier, original SMS timestamp, and auxiliary SMS metadata used to correctly categorize transactions.

Important: We do not read your SMS without your explicit permission and action. If you do not grant permission or use this feature, we do not access SMS.

Device and app data

• Analytics events (screen views, feature usage, ad events) via Firebase Analytics.

• Performance telemetry (timings/trace metrics) via Firebase Performance.

• Push notification token (FCM token) to deliver notifications you enable.

• Advertising identifiers and ad telemetry via Google Mobile Ads (AdMob).

Network identifiers and diagnostics

IP addresses, device/platform info, timestamps, logs, and error details needed to secure and operate the service.

We do NOT collect: Precise location, bank login credentials, or card numbers.

4. How we use data

• Provide and improve core features: expense tracking, budgets, subscriptions, analytics insights.

• Authenticate accounts (Google), maintain sessions (Supabase) and protect access.

• Personalize the app experience (e.g., remembering categories and preferences).

• Show ads (AdMob). Where required by law, we request consent for ad personalization and allow opting out of personalized ads.

• Measure and improve performance/reliability (Firebase Performance, Analytics).

• Send notifications you enable (e.g., reminders, upcoming subscription alerts).

• Detect abuse, secure accounts, and comply with legal obligations.

5. Legal bases (where applicable: GDPR/UK GDPR)

• Performance of a contract: providing the app/services you requested.

• Legitimate interests: securing and improving the app, preventing fraud, and non‑essential measurement compatible with user expectations.

• Consent: ad personalization (where required), notifications, SMS import (if enabled). You may withdraw consent at any time.

6. Sharing and disclosures

Service providers (processors)

• Supabase (database, authentication)

• Google Firebase (analytics, performance, remote config, messaging)

• Google AdMob (advertising)

We do not sell your personal data.

• Legal and safety: we may disclose data to comply with law or protect rights, safety, and integrity.

• Business transfers: in a merger/acquisition, data may be transferred as allowed under this policy.

7. Data retention

• Account and profile: retained until you delete your account.

• Financial data (transactions, budgets, subscriptions, categories): retained until you delete them or delete your account.

• Analytics and telemetry: typically 14–26 months (provider defaults) unless you request deletion.

• Push tokens: retained until refreshed or you disable notifications.

• Backups: stored for limited periods for reliability and disaster recovery.

8. Security

• We use access controls, least‑privilege permissions, and industry‑standard protections.

• Production requires encryption in transit (HTTPS/TLS) and encryption at rest by our providers. Development builds may use non‑TLS endpoints strictly for testing; production releases use TLS.

• No method of transmission or storage is 100% secure, but we continuously improve protections.

9. International transfers

Data may be processed and stored in data centers outside your country. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses).

10. Your rights

• Access, correct, export, or delete your data.

• Opt out of personalized ads where supported and withdraw consent at any time.

• Delete account: In‑app flow (Settings → Delete Account) or email support@fintrack.app. Account deletion removes your profile and associated financial data from our systems, then removes your auth user.

11. Children

The app is not directed to children. We configure ads to not target children.

12. Trackers/identifiers

On mobile, we do not use web cookies. We use device identifiers and SDK telemetry for analytics and ads.

13. Third‑party policies

• Google AdMob and Mobile Ads SDK

• Firebase Analytics/Performance

• Supabase

14. Android permissions (purpose disclosure)

We request only the permissions needed to operate the app reliably. Depending on your device/OS version and build configuration, the following may apply:

• INTERNET — Connect to our API and cloud services.

• WAKE_LOCK — Keep the device awake briefly for critical tasks (e.g., syncing, notifications).

• FOREGROUND_SERVICE — Enable foreground tasks when required by the OS.

• RECEIVE_BOOT_COMPLETED — Resume scheduled tasks after device restarts.

• POST_NOTIFICATIONS — Deliver notifications you opt into (Android 13+ runtime permission).

• REQUEST_IGNORE_BATTERY_OPTIMIZATIONS — Optional reliability for scheduled tasks (never used to keep the device awake unnecessarily).

• RECEIVE_SMS (optional) — Only used if you explicitly enable the SMS import feature to parse transaction metadata locally. Not accessed without permission and user action; not required for normal operation.

• RECORD_AUDIO (optional) — Reserved for potential voice features; not required for normal operation.

• READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE (optional) — Used only if you choose to export/import files locally; not required for normal operation.

• SYSTEM_ALERT_WINDOW / VIBRATE — System/UI features and haptic feedback where applicable.

Note: If a feature is disabled in your build/region, the related permission will not be requested at runtime.

15. Changes

We will update this policy as features or regulations change. Material updates will be highlighted in‑app or via release notes.

16. Contact

Email: harshvardhansinhjadeja49@gmail.com

17. Google Play Data Safety (summary)

Collected

• Personal info: email, name, avatar (account creation and profile).

• Financial info: transactions, budgets, subscriptions, categories (app functionality).

• App activity: feature usage, screen views (analytics).

• Device/other IDs: ad ID, FCM token (ads/notifications).

• Diagnostics/performance: crash/trace metrics (performance/analytics).

Shared

With service providers (Firebase, Supabase, AdMob) only to operate the app; not sold.

Purposes

App functionality, analytics, advertising (with consent where required).

Data deletion

Supported in‑app and via support requests; account deletion cascades to your content.