ZenPaisa

1. Who we are

ZenPaisa ("we", "our", "us") is a personal finance management (PFM) app for India. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have under the Digital Personal Data Protection Act, 2023 ("DPDPA").

The policy applies to our mobile app and our website at zenpaisa.com.

2. Data we collect

Account data: name, email, optional phone number, password hash, sign-in provider (Google if used).

Financial data you enter or import: transactions, account balances, budgets, savings goals, debts, recurring payments, subscriptions, tax-section entries.

Bank SMS (optional, opt-in): with your explicit Android permission, the app reads transactional SMS from known bank sender IDs (HDFC, SBI, ICICI, etc.) to auto-import transactions. We filter out non-bank SMS on-device and never read personal messages.

Voice input (optional, transient): when you use voice entry, speech-to-text runs on your device. The transcribed text (not the audio) is sent to our AI service to extract transaction details. We do not store audio recordings.

Push tokens: if you opt in to notifications, your FCM device token is stored so we can send bill reminders and budget alerts.

Crash + diagnostics: anonymous crash reports and basic usage events (which screens were visited, which buttons were tapped) to fix bugs and improve UX. No financial values are included.

What we don't collect: bank login credentials, debit/credit card numbers, OTPs, Aadhaar, PAN (unless you explicitly enter it for tax features), or contacts.

3. How we use your data

Provide the core features: transaction tracking, budgets, goals, subscriptions, debt planner, tax calculators, AI CFO chat.
Generate AI insights via Anthropic Claude. Only the data needed for a query (e.g. summarized transactions, totals, your question) is sent — not your full ledger by default.
Send push notifications you opted into (bill due, budget breach, etc.).
Improve the app via aggregated, anonymous usage analytics.
Respond to support requests and grievances.
Comply with legal obligations (e.g. lawful requests from Indian authorities).

4. Who we share data with

We do not sell or rent your personal financial data. We share only with the processors needed to run the service:

Anthropic (Claude AI): snippets of your data (transaction summaries, the question you asked) are sent for the AI CFO and categorization features. Anthropic processes data on a no-training basis per their API terms.
Google Sign-In / Firebase Cloud Messaging: for sign-in (if you choose Google) and push notification delivery. Google receives only the data needed for these functions.
Twilio: for phone-number OTP verification when you choose phone sign-in.
Cloud hosting (Contabo, Germany): our database and backend servers are operated by Contabo. Data is encrypted at rest and in transit.
Crash reporting (Sentry, EU): anonymous crash reports. We scrub email/phone/PII before send.

We may disclose data when required by law (court order, lawful government request), or to protect the rights, safety, or property of ZenPaisa or our users.

5. Where data is stored

Our primary database is hosted in Germany (Contabo VPS, Frankfurt region). Transit to/from India is over TLS 1.2+. We may move to an India region as we scale.

6. How long we keep your data

Active accounts: as long as you use the service.
Inactive accounts (no login in 24 months): we may notify you and delete the account.
Deleted accounts: all personal data is purged from primary databases within 30 days. Encrypted backups age out within 90 days.
Anonymized aggregate analytics (e.g. "X% of users have a Goals tab") may be retained indefinitely.

7. Your rights under DPDPA

You can, at any time:

Access the data we hold about you (email us; we respond within 7 working days).
Export your transactions and analytics as CSV/PDF from inside the app (Analytics → Export).
Correct inaccurate information from your profile or by emailing support.
Delete your account and all personal data from Settings → Account → Delete account. This is irreversible; we cannot recover deleted data.
Withdraw consent for optional permissions (SMS, notifications, voice) from your device settings at any time.
Lodge a grievance with our Grievance Officer (see /grievance). If unresolved, you may approach the Data Protection Board of India.

8. SMS permission specifics

Per Google Play's sensitive permission rules, we use the READ_SMS and RECEIVE_SMS permissions only for the "Financial transaction" use case. Specifically:

SMS is processed on-device using an allow-list of bank sender IDs.
Only messages matching a transactional template (UPI, NEFT, debit, credit, etc.) are extracted.
The raw SMS body is sent to our backend solely for parsing into a structured transaction record (merchant, amount, date). The original SMS is not stored long-term beyond ingest.
Non-bank messages, personal SMS, and OTP messages are filtered out and never leave the device.
You can turn off SMS auto-import any time from device Settings → Apps → ZenPaisa → Permissions.

9. Security

TLS 1.2+ in transit; AES-encrypted at-rest database with full-disk encryption.
Passwords stored as bcrypt hashes (we cannot see your password).
JWT short-lived access tokens (~24h) with refresh-token rotation.
Rate limiting and anti-abuse on signup, login, and password reset.
Disposable-email and MX-validation gates on signup.
No bank credentials are ever requested, transmitted, or stored.

10. Children

ZenPaisa is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us data, email support@zenpaisa.com and we will delete it.

11. Changes to this policy

We may update this Privacy Policy. If changes are material, we will notify you in the app and via email at least 7 days before they take effect. Continued use after the effective date constitutes acceptance.

12. Contact us

For privacy questions or to exercise your rights:

Email: support@zenpaisa.com

Grievance Officer: see zenpaisa.com/grievance

Website: https://zenpaisa.com