Privacy Policy
Last updated: May 23, 2026
1. Who we are
2. Summary in plain English
- We do not sell your data. Ever.
- We do not show ads. The app has no advertising tracking.
- Your SMS messages stay on your phone. Only the parsed transaction (amount, merchant, date) is stored on our servers when you confirm it.
- You can delete your entire account and all data in one tap from Settings → Delete Account. No waiting period.
- You can revoke any Android permission at any time from system Settings. The app continues to work for the features that don't need that permission.
3. What data we collect
Data you give us:
- Account information — your email address and display name when you create an account. We use Supabase Auth for email + password sign-in.
- Financial data you enter or confirm — expense and income transactions, budgets, savings goals, loan records, and account balance.
- Preferences — your chosen currency, language, theme, biometric lock setting, and which notification types you've opted into.
- Payment information — when you subscribe, Razorpay processes your payment. We only store your Razorpay payment ID and subscription status — never your card or bank details.
Data the app reads from your device (with your explicit permission):
- SMS messages (READ_SMS, RECEIVE_SMS) — used only to detect bank transaction messages. Parsing happens entirely on your phone. See section 5 below for full disclosure.
- Notifications from other apps (Notification Listener) — used only to detect transaction notifications from payment apps like GPay and PhonePe. See section 5 below.
- Push notification token (Expo Push Token) — a device-specific identifier we use to deliver budget alerts, bill reminders, and weekly digests. No personal data is sent to Expo or Google.
Data we collect automatically:
- Usage analytics — anonymised feature usage events (e.g., “user opened Budgets tab”) via PostHog. No transaction amounts, categories, descriptions, or balances are included.
- Crash reports — error logs via Sentry to help us fix bugs. Stack traces only; no financial data.
- Approximate device info — device model, OS version, app version. Used for compatibility and debugging.
4. How we use your data
- To provide, maintain, and improve the Trakio app.
- To detect bank transactions from your SMS or notifications and surface them for you to review and confirm.
- To process your subscription payment and manage your account.
- To send you the push notifications you opted into (budget alerts, bill reminders, weekly summaries, marketing announcements).
- To diagnose bugs and improve app stability.
We do not use your financial data for advertising, profiling, sale to third parties, or training AI models.
5. SMS & notification permissions (Android)
This section is required by Google Play's SMS & Notification Listener policies. We disclose this in full so you can make an informed decision.
5.1 — Why we ask for SMS permission
The core feature of Trakio is auto-detecting bank transactions so you don't have to manually log them. Banks in India and similar markets send SMS notifications for every UPI, card, and account transaction. By reading these SMS messages, the app extracts the amount, merchant, and reference number and presents them for your review.
5.2 — What we read
The app reads SMS messages from your inbox only when:
- You granted READ_SMS and RECEIVE_SMS permissions explicitly during onboarding.
- The sender is a known bank or payment service alphanumeric ID (e.g. AD-HDFCBK, VK-SBIUPI). Personal phone numbers and promotional senders are filtered out before any parsing.
- The message contains transaction keywords like “debited”, “credited”, “Rs.”, “Sent”.
5.3 — What leaves your device
The raw SMS text never leaves your phone unless and until you tap “Confirm” on a detected transaction. When you confirm, only the parsed fields are saved to our servers:
- Amount (e.g. ₹340)
- Merchant or description (e.g. “Swiggy”)
- Date (e.g. 2026-05-23)
- Transaction reference (e.g. UPI ref number) if present, used to prevent duplicates
- The original SMS body, encrypted at rest, stored only for dedup-comparison and audit. Not used for anything else.
If you dismiss a detected transaction, nothing about it is sent to our servers — the dismissal is tracked locally on your phone only.
5.4 — Notification Listener access
For payment apps that don't use SMS (GPay, PhonePe in-app confirmations), Trakio can read the notification content of those specific transactional notifications to detect transactions in the same way. The Notification Listener service ignores all non-financial apps (we filter by package name and notification content). This permission can be revoked from Settings → Apps → Special access → Notification Access at any time.
5.5 — Compliance with Google Play's SMS & Notification Listener Policy
- SMS/Notification access is requested only for the core auto-detection feature.
- The app provides full functionality (manual transaction entry, budgets, goals, loans, reports) without these permissions. They are optional and can be skipped during onboarding.
- No SMS content, sender, or metadata is sold or shared with any third party.
- You can revoke either permission at any time from Android Settings → Apps → Trakio → Permissions.
6. Push notifications
If you opt in to push notifications during onboarding or from Settings, the app registers an Expo Push Token (a per-device identifier issued by Expo, a popular React Native service) and stores it against your account on our servers. Our backend uses this token to send:
- Welcome message after first sign-in.
- Budget alerts when your spending crosses 75%, 90%, or 100% of a category budget.
- Bill / EMI reminders 1, 3, and 7 days before a recorded loan payment is due.
- Weekly digest Monday mornings summarising the previous week.
- Marketing announcements for new features (only if you keep the “Marketing” toggle on).
Push delivery goes through Expo's push relay (governed by Expo's privacy policy) and ultimately Google's FCM. Notification payloads contain only the visible title, body, and a non-sensitive type tag (e.g. “budget_alert”). No raw amounts, account numbers, or balances are included in the payload itself — they are computed on our server and rendered as the body text only.
You can turn off any individual notification type from Settings → Notifications, or revoke the system-level push permission from Android Settings → Apps → Trakio → Permissions.
7. Where your data lives
- On your phone — pending transactions awaiting review, your preferences cache, encrypted authentication tokens, and dedup state. Stored in app-private storage (other apps cannot access).
- Supabase — database and authentication hosting, servers located in Asia Pacific (Sydney, Australia). All connections use TLS. Row-Level Security ensures each user can only access their own rows.
- Cloudflare Workers — our backend API and push notification delivery. Globally distributed; no persistent storage on Cloudflare.
- Razorpay — payment processing for subscriptions. India-based, governed by Razorpay's privacy policy and PCI-DSS standards.
- PostHog — anonymised product analytics. EU servers.
- Sentry — crash and error reporting.
- Expo Push Service — push token registration. We share only your device's push token (no personal data).
- Google Firebase Cloud Messaging — the final delivery hop for push notifications, mandated by Android.
We do not sell, rent, or trade your personal data with any third party.
8. Data retention
9. Security
- All network traffic uses TLS 1.2+ encryption.
- Locally stored sensitive data (auth tokens, pending transactions, dedup state) is encrypted using Android EncryptedSharedPreferences / iOS Keychain APIs.
- Supabase enforces Row-Level Security so a request authenticated as user A can never read user B's data.
- We follow the principle of least privilege. The push notification backend uses a service-role key with scoped access.
- No financial data is sent in push notification payloads beyond what is necessary to display the message.
10. Your rights
Regardless of where you live, you have the right to:
- Access — request a copy of the data we hold about you.
- Correction — update or correct your data within the app.
- Deletion — delete your account and all associated data at any time from Settings → Delete Account.
- Portability — export your data (PDF report feature; CSV export available in paid tiers).
- Object — opt out of marketing notifications from Settings → Notifications.
- Withdraw consent — revoke any Android permission from system Settings at any time.
To exercise any of these rights, contact us at support@trakio.co.in. We will respond within 30 days.