Data Fiduciary Information
Under Section 2(i) of the Digital Personal Data Protection Act, 2023 (DPDP Act), Spendwisee operates as a Data Fiduciary — the entity that determines the purpose and means of processing your personal data.
Registered in: India
Contact: feedback@spendwisee.com
Grievance Officer: feedback@spendwisee.com
This policy is published in compliance with DPDP Act Section 5 (obligation of Data Fiduciary), Section 6 (consent), and Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Information We Collect
👤 Account Information (Personal Data)
Name, email address, and authentication credentials collected during sign-up. If you use Google Sign-In or Apple Sign-In, we receive your profile name and email from the identity provider. Under DPDP Act Section 2(t), this constitutes personal data.
💰 Financial Data (Sensitive Personal Data or Information)
Expenses, budgets, savings goals, investments, income data, and payment method preferences — all manually entered by you. Under the IT (Reasonable Security Practices) Rules, 2011 — Rule 3, financial information qualifies as Sensitive Personal Data or Information (SPDI). We do not connect to your bank accounts, read SMS, or access transactions automatically.
⚙️ App Preferences
Theme, currency, tracking mode, notification preferences, and onboarding selections. These are functional settings, not personal data.
🛡️ Security Data
To protect the integrity of the App and prevent unauthorised access, we generate a device fingerprint — a one-way cryptographic hash derived from general device characteristics (brand, model, OS version) combined with a random seed. This fingerprint is stored locally in your device's secure enclave and used solely for detecting anomalous device migration patterns. It cannot be reversed to identify your device and is never transmitted to external parties.
📊 Usage Data
We do not collect analytics, IP addresses for profiling, location data, or browsing behaviour. We do not use cookies for tracking on our website.
Purpose & Legal Basis for Processing
Under the DPDP Act, we process your personal data on the following lawful grounds:
- Consent (Section 6) — You provide explicit, informed, and free consent when creating your account and entering financial data
- Legitimate Use (Section 7) — Processing necessary to fulfil the service you expressly requested (expense tracking, synchronisation, AI analysis, report generation)
Under the IT (SPDI) Rules, 2011 — Rule 5, we collect SPDI only for a lawful purpose connected with a function of the App, and the collection is necessary for that purpose.
How We Use Your Data
Your data is processed solely for the following purposes:
- Service delivery — Expense tracking, budgeting, investment tracking, and financial insights
- AI processing — Powering Medha AI assistant with your spending context for personalised analysis
- Notifications — Daily reminders and budget alerts (only if you enable them)
- Cross-device sync — Securely synchronising your data between your devices via encrypted cloud storage
- Reporting — Generating PDF expense reports when you explicitly request export
- Security — Verifying identity, preventing unauthorised access, and detecting abuse
We follow the principle of data minimisation — we only collect and process the minimum data necessary for each stated purpose. We do not process your data for any purpose not disclosed in this policy.
Consent & Withdrawal
How We Obtain Consent
As required by DPDP Act Section 6, consent is obtained through clear, affirmative action:
- Account creation — by signing up, you consent to processing of account and financial data for the Service
- Medha AI — consent is obtained when you initiate a chat session
- Notifications — consent is obtained through your device's system permission prompt
Right to Withdraw Consent
Under DPDP Act Section 6(5), you may withdraw your consent at any time, as easily as it was given:
- Disable notifications in App Settings or your device settings
- Stop using Medha AI (no further AI processing occurs)
- Delete your account to withdraw all consent and erase all data
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. However, withdrawing consent may limit your ability to use certain features of the App.
Data Security
In compliance with IT Act Section 43A and the IT (Reasonable Security Practices) Rules, 2011 — Rule 8, we implement security standards aligned with globally recognised frameworks, including ISO/IEC 27001 and SOC 2 Type II practices:
🔐 Encryption
- All data is encrypted in transit using industry-standard transport-layer encryption protocols
- All data is encrypted at rest using server-side encryption with keys managed by certified cloud infrastructure
- Sensitive credentials on your device are stored in hardware-backed secure enclaves (Keychain / Keystore)
🛡️ Access Control & Authentication
- Cryptographic signature verification and token validation on all API requests
- Request signing with timestamped SHA-256 signatures to prevent replay attacks
- We never store your password — authentication is delegated to a trusted, certified identity provider
- Optional biometric lock (fingerprint / Face ID) for app-level access control
📱 App Integrity
- Package identity verification — the App validates its own bundle identifier at startup to detect repackaged or forged copies
- Environment detection — the App detects emulators, simulators, and rooted/jailbroken devices as a security signal
- SSL certificate pinning (Android) — API connections are pinned to specific certificates, preventing man-in-the-middle interception even on compromised networks
- Code obfuscation — production builds use aggressive obfuscation and debug-log stripping to resist reverse engineering
- These checks are informational safeguards — they generate security warnings but do not block access on flagged devices
🔒 Infrastructure Security
- Cloud infrastructure operated by providers maintaining SOC 2, ISO 27001, ISO 27017, and ISO 27018 certifications
- Rate limiting and IP-based abuse prevention on all public endpoints
- Input validation and sanitisation to prevent injection attacks
- Security headers enforced on all server responses (strict transport security, content-type validation, cache control)
- Cleartext HTTP traffic blocked at the network configuration level
- Minimal operational logging with no sensitive data in logs — all debug/info logs stripped from production builds
🧪 Security Testing
We conduct periodic security audits and vulnerability assessments. Our security posture is designed to meet or exceed the "reasonable security practices and procedures" standard prescribed under the IT Act and its Rules.
Data Storage & Retention
📱 Where Your Data Lives
Data is stored locally on your device (offline-first architecture) and synced securely to cloud infrastructure. Cloud servers are operated by globally certified providers with data centres in regions not restricted under DPDP Act Section 16(1).
⏱️ Retention Periods
- Active account data — Retained as long as your account is active and you use the Service
- Deleted account data — Permanently erased within 30 days of account deletion request
- Medha AI conversations — Not persisted on our servers; discarded at end of session
- OTP / verification codes — Automatically expire and are deleted within 10 minutes
- Server logs — Minimal operational logs (no personal data) retained for 90 days for security purposes, then purged
In line with the DPDP Act Section 8(7), we retain data only as long as necessary to serve the purpose for which it was collected, or as required by any law in force.
Cross-Border Data Transfers
Your data may be processed on servers located outside India for the purpose of cloud synchronisation, AI processing, and transactional email delivery.
Under DPDP Act Section 16(1), transfers are made only to countries and territories not restricted by the Central Government. Should any restrictions be notified by the Government of India, we will comply immediately.
All cross-border transfers are protected by:
- Contractual data processing agreements with every third-party processor
- End-to-end encryption during transit
- Processors bound to use data solely for providing the Spendwisee service
- Equivalent security standards regardless of data location
Third-Party Data Processors
Under DPDP Act Section 8(2), we engage the following categories of trusted service providers as data processors, each bound by contractual data processing agreements:
- Identity & authentication provider — Secure sign-in and account management
- Cloud infrastructure provider — Encrypted data storage and synchronisation
- AI processing provider — Powers Medha AI (per-session processing; no data retention or model training)
- Email delivery provider — Transactional emails only (OTP verification, feedback delivery)
- Subscription management provider — In-app purchase validation and subscription lifecycle
We share only the minimum data necessary for each service to function. No third party receives your complete financial dataset. Each provider maintains industry-standard security certifications.
Medha AI & Automated Processing
Medha is an AI-powered assistant that processes your data to provide financial insights. We disclose the following about automated processing:
What Medha Does
- Parses natural language to categorise expenses (e.g., "coffee 200" → Food category)
- Provides general spending insights and budget suggestions based on your data
- Answers financial questions within the context of your expense history
What Medha Does NOT Do
- Make binding financial decisions on your behalf
- Auto-approve transactions or move money
- Profile you for credit scoring, insurance, or employment purposes
AI Consent
Before your first Medha interaction, the App displays an explicit consent screen explaining how your data will be processed by the AI service. You must actively accept before any data is sent. This consent can be revoked at any time by ceasing to use Medha.
AI Data Handling
- Conversations are not stored on our servers beyond the active session
- Your data is never used to train AI models
- AI responses are suggestions only — you always have final control over your data
- All AI inputs are validated and sanitised for security
What We Never Do
- Sell, rent, trade, or share your data with advertisers or data brokers
- Access your bank accounts, UPI, or read SMS / call logs
- Track your GPS location or movement patterns
- Show advertisements or use data for ad targeting
- Train AI models on your personal financial data
- Share your financial data with other users or third-party apps
- Store your passwords in any form (delegated to a secure identity provider)
- Use dark patterns to obtain or retain consent
- Process children's data without verifiable parental consent
Your Rights as a Data Principal
Under the DPDP Act, 2023, you have the following rights as a Data Principal:
- Right to Access (Section 11) — Request a summary of your personal data and processing activities
- Right to Correction & Erasure (Section 12) — Correct inaccurate data or request complete deletion of your personal data
- Right to Grievance Redressal (Section 13) — File a complaint with our Grievance Officer, and if unsatisfied, escalate to the Data Protection Board of India
- Right to Nominate (Section 14) — Nominate an individual to exercise your rights in case of death or incapacity
How to Exercise Your Rights
- In-app: Export data (Menu → Export Data), edit any entry, or delete your account (Menu → Delete Account)
- By email: Send a request to feedback@spendwisee.com — we will respond within 30 days
International users: see Section 16 for supplemental rights under GDPR and CCPA.
Children's Privacy
In compliance with DPDP Act Section 9:
- Spendwisee is not intended for children under 18 years of age without verifiable parental consent
- We do not knowingly collect personal data from children without the consent of a parent or lawful guardian
- If we learn that a child's data has been collected without appropriate consent, we will delete it promptly
- We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children
If you believe a child has provided us data without consent, please contact us at feedback@spendwisee.com and we will take immediate action.
Data Breach Notification
In the unlikely event of a personal data breach, we will act in accordance with DPDP Act Section 8(6):
- Notify the Data Protection Board of India without unreasonable delay
- Notify affected Data Principals (you) without unreasonable delay
- The notification will include: the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to mitigate harm
- We will take immediate steps to contain the breach and prevent recurrence
Our incident response procedures are aligned with global best practices, including NIST SP 800-61 (Computer Security Incident Handling Guide) and ISO/IEC 27035 (Information Security Incident Management).
Grievance Redressal
As required by DPDP Act Section 8(10) and IT Act Section 43A read with IT (SPDI) Rules, 2011 — Rule 5(9), we have appointed a Grievance Officer:
Email: feedback@spendwisee.com
Acknowledgement: Within 48 hours of receiving your complaint
Resolution: Within 30 days of receiving your complaint
Escalation: If unsatisfied, you may file a complaint with the Data Protection Board of India under DPDP Act Section 13
For general inquiries:
Supplemental Rights for International Users
While this policy is governed by Indian law, we respect the data protection rights of users worldwide. The following supplemental provisions apply based on your jurisdiction:
🇪🇺 European Union / EEA (GDPR)
If you are located in the EU or EEA, you have additional rights under the General Data Protection Regulation (EU) 2016/679:
- Legal basis: Consent (Article 6(1)(a)) for AI and notifications; contract performance (Article 6(1)(b)) for core service; legitimate interest (Article 6(1)(f)) for security
- Data portability (Article 20) — Export your data as a PDF report from within the App
- Right to object (Article 21) — Object to processing based on legitimate interest
- Right to restriction (Article 18) — Request restriction of processing in certain circumstances
- Right to be forgotten (Article 17) — Request complete erasure of your data
- Automated decisions (Article 22) — Medha does not make decisions with legal or similarly significant effects; all outputs are suggestions
- Cross-border transfers — Protected by Standard Contractual Clauses (SCCs) approved by the European Commission
- Supervisory authority — You may lodge a complaint with your local Data Protection Authority
🇺🇸 California (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — Request categories and specific pieces of personal information collected about you
- Right to delete — Request deletion of personal information we hold
- Right to correct — Request correction of inaccurate personal information
- Right to non-discrimination — We will not discriminate against you for exercising any of your rights
- Do Not Sell / Share — Spendwisee does not sell and has never sold personal information. We do not share personal information for cross-context behavioural advertising
- Authorised agents — You may designate an authorised agent to submit requests on your behalf with proper verification
🌍 Other Jurisdictions
Where local data protection laws provide greater protections than this policy, those local laws shall prevail to the extent of any inconsistency. Contact us at feedback@spendwisee.com to exercise any data protection rights available under your local law.
Policy Changes
We may update this policy from time to time to reflect changes in our practices or applicable law. When we make changes:
- The "Last updated" date at the top will be revised
- Material changes will be communicated via in-app notification or email
- Where required by law, we will obtain fresh consent before materially changing how your data is processed
- Continued use of Spendwisee after receiving notice of changes constitutes acceptance of the revised policy
Applicable Law
This Privacy Policy is primarily governed by Indian law:
- Digital Personal Data Protection Act, 2023 — and rules notified thereunder
- Information Technology Act, 2000 — including Section 43A (compensation for failure to protect data)
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
Data security and privacy practices are designed to meet or exceed globally recognised standards. For international users, applicable local laws (including GDPR and CCPA) apply as supplemental protections as described in Section 16.