Privacy Policy

1. Introduction

This Privacy Policy explains how Nders Studio ("we," "our," or "us") collects, uses, discloses, and protects your personal information when you use the My Pocket Ledger mobile application ("Service," "App"). We are committed to protecting your privacy and ensuring the security of your personal and financial data.

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

Account Information:

• Email address (required for account creation)
• Display name or full name
• Password (stored securely using Firebase Authentication)
• Profile preferences and settings

Authentication Data:

• Firebase user ID and authentication tokens
• Google account information when using Google Sign-In (email, profile picture, basic profile data)
• Apple account information when using Apple Sign-In (email, name, secure authentication tokens)
• Device-specific authentication tokens for secure access

2.2 Financial Information

We collect and store your financial data to provide our service:

Transaction Data:

• Transaction descriptions, amounts, and dates
• Income and expense categories
• Vendor or source information
• Custom transaction notes and metadata
• Transaction attachments or receipts (if provided)

Budget Information:

• Budget amounts and categories
• Budget periods and tracking preferences
• Spending targets and goals
• Budget performance data

Analytics Data:

• Spending patterns and trends
• Category-wise expenditure analysis
• Monthly and yearly financial summaries
• Custom report parameters

2.3 Technical Information

We automatically collect certain technical information:

Device Information:

• Device type, model, and operating system
• App version and build number
• Device identifiers (for analytics and crash reporting)
• Screen resolution and device capabilities
• Network connection type (Wi-Fi, cellular)

Usage Information:

• Feature usage patterns and frequency
• Screen views and user interactions
• Session duration and frequency
• Performance metrics and crash reports
• Error logs and diagnostic information

2.4 Payment Information

Subscription Data:

• Subscription status (free, premium monthly, premium yearly)
• Billing periods and renewal dates
• We receive subscription status, product IDs, renewal dates, and purchase confirmations from Apple/Google. We do not receive or store full payment-method details.
• Native app store subscription identifiers (Apple App Store/Google Play Store)

Payment Processing:

• All payment information is processed securely by Apple App Store and Google Play Store
• We receive only confirmation of successful payments
• Payment methods are stored securely by the app stores, not on our servers

2.5 AI Processing Data

When you use our AI-powered transaction parsing features:

Input Data:

• Natural language text you provide for transaction parsing
• Transaction descriptions sent to Google Gemini for categorization
• AI usage patterns and frequency

Processing Notes:

• AI processing is performed in real-time
• Your transaction data is sent securely to Google Gemini API
• We send the text you submit to Google Gemini solely to return a result. We do not permit Gemini to use your data to train its models. Processing is subject to Google's privacy terms, and we do not retain this text beyond what's necessary to deliver the feature.
• AI processing is subject to usage limits based on your subscription

3. How We Use Your Information

3.1 Core Service Functionality

We use your information to:

• Create and maintain your user account
• Store and sync your financial transactions and budgets
• Provide real-time data synchronization across your devices
• Enable offline functionality with local data storage
• Process subscription payments and manage billing
• Provide AI-powered transaction parsing and categorization

3.2 Service Improvement

We use anonymized and aggregated data to:

• Analyze app usage patterns to improve user experience
• Identify and fix bugs and performance issues
• Develop new features based on user behavior
• Optimize app performance and loading times
• Monitor service reliability and uptime

3.3 Communication

We may use your email address to:

• Send important service announcements and updates
• Notify you of changes to our Terms of Service or Privacy Policy
• Provide customer support and respond to your inquiries
• Send subscription-related notifications (billing, renewals, cancellations)
• Deliver security alerts and account notifications

3.4 Legal and Security

We may use your information to:

• Comply with legal obligations and law enforcement requests
• Protect our rights, property, and safety
• Prevent fraud, abuse, and security threats
• Enforce our Terms of Service
• Resolve disputes and investigate violations

4. Data Storage and Security

4.1 Data Storage Infrastructure

Your data is stored securely using industry-leading providers:

Cloud Storage:

• Primary database: Google Firebase Firestore
• Authentication: Firebase Authentication
• Data encryption: AES-256 encryption at rest and TLS 1.2+ encryption in transit
• Geographic location: Data centers in the United States
• Backup and redundancy: Automated daily backups with geographic distribution

Local Storage:

• Primary: MMKV (high-performance, encrypted storage)
• Fallback: AsyncStorage (React Native standard)
• Encryption: All local data is encrypted using device security features
• Synchronization: Automatic sync with cloud storage when online

4.2 Security Measures

We implement comprehensive security measures:

Technical Safeguards:

• Encryption in transit (TLS 1.2+) and at rest (e.g., AES-256)
• Secure authentication using industry-standard protocols
• Regular security audits and penetration testing
• Automated threat detection and monitoring
• Secure coding practices and regular updates

Access Controls:

• Multi-factor authentication for administrative access
• Role-based access control for our team members
• Regular access reviews and permission audits
• Secure development and deployment processes

Data Protection:

• Data minimization: We collect only necessary information
• Privacy by design: Built-in privacy protections
• Regular data cleanup and archival procedures
• Secure deletion of data upon account termination

4.3 Data Retention Policies

We retain your data according to the following schedule:

Active Accounts:

• Transaction and budget data: Retained while your account is active
• Usage analytics: Retained for up to 2 years for service improvement
• Authentication logs: Retained for 1 year for security purposes

Deleted Accounts:

• Personal data: Deleted within 30 days of account deletion
• Anonymized analytics: May be retained indefinitely
• Legal requirements: Some data may be retained longer if required by law
• Backup systems: Data removed from backups within 90 days

5. Information Sharing and Disclosure

5.1 Third-Party Service Providers

We share your information with trusted third-party providers:

Firebase/Google Cloud:

• Purpose: Authentication, database, and cloud infrastructure
• Data shared: Account information, financial data, usage analytics
• Privacy: Subject to Google's privacy policy and data processing agreements
• Location: Primarily United States data centers

Apple App Store / Google Play Store:

• Purpose: In-app purchase processing and subscription management
• Data shared: Email address, subscription status, payment confirmations
• Privacy: Subject to Apple's and Google's privacy policies and security standards
• Payment data: Your payment information goes directly to the app stores, not through our servers

RevenueCat Subscription Management:

• Purpose: Account-based subscription management and receipt validation
• Data shared: Email address, subscription status, purchase receipts, device identifiers
• Data usage: Analytics for subscription insights, app functionality for entitlements
• Privacy Policy: https://www.revenuecat.com/privacy

Vercel Cloud Infrastructure:

• Purpose: Secure API processing for email delivery and AI transaction parsing
• Data shared: Email addresses for welcome emails, transaction descriptions for AI categorization
• Security: Data encrypted in transit (HTTPS/TLS) and at rest (AES-256)
• Privacy Policy: https://vercel.com/privacy

Third-Party Privacy Policies:

• Firebase & Crashlytics Privacy: https://firebase.google.com/support/privacy
• Google Privacy: https://policies.google.com/privacy
• Apple Privacy: https://www.apple.com/legal/privacy/
• Google Play Payments/Subscriptions: https://payments.google.com/termsOfService

Google AI (Gemini):

• Purpose: AI-powered transaction parsing and categorization
• Data shared: Transaction descriptions and natural language input (temporary processing only)
• Privacy: Data is processed in real-time and not stored by Google
• Usage: Only when you explicitly use AI features

5.2 Analytics and Performance Monitoring

Crash Reporting:

• We use Firebase Crashlytics for app stability monitoring
• Crash reports may include device information and app state
• No personal financial data is included in crash reports

Performance Analytics:

• Firebase Analytics for app usage patterns
• Data is anonymized and aggregated
• Helps us improve app performance and user experience

5.3 Legal Disclosure Requirements

We may disclose your information when required by law:

• Legal process (court orders, subpoenas, warrants)
• Government investigations and regulatory compliance
• Protection of our rights and property
• Public safety and security concerns
• Prevention of fraud and illegal activities

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets:

• Your data may be transferred to the acquiring entity
• You will be notified 30 days before any such transfer
• The same privacy protections will continue to apply
• You may delete your account before the transfer if you choose

6. Your Rights and Choices

6.1 Account Control

You have the following rights regarding your account:

Account Management:

• View and update your profile information at any time
• Change your password and authentication settings
• Manage notification preferences
• Export your financial data in CSV format
• Delete your account and all associated data

Data Access:

• Access all your personal data stored in the app
• Download a copy of your transaction and budget data
• View your subscription and billing history
• Review your AI usage statistics and limits

6.2 Privacy Settings

Data Processing Controls:

• Opt out of AI-powered transaction parsing
• Control data sync settings (online/offline preferences)
• Manage notification preferences
• Choose what data to include in exports

Marketing Communications:

• Opt out of promotional emails (service emails will continue)
• Manage in-app promotional messages
• Control push notifications for non-essential features

6.3 Data Correction and Deletion

Correction Rights:

• Correct any inaccurate personal information
• Update your transaction and budget data
• Modify categorization and preferences
• Request correction of automatically processed data

Deletion Rights:

• Delete individual transactions, budgets, or categories
• Request deletion of specific data types
• Delete your entire account and all associated data
• Request removal from our marketing communications

6.4 International Users' Rights

Depending on your location, you may have additional rights:

European Users (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

California Users (CCPA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt out of sale of personal information
• Right to non-discrimination for exercising privacy rights

7. Children's Privacy

7.1 Age Restrictions

• Our Service is not intended for children under 13 years of age
• We do not knowingly collect personal information from children under 13
• If you are under 18, you must have parental consent to use our Service
• Parents can request deletion of their child's account if created without permission

7.2 Parental Controls

• Parents can monitor their child's use of financial apps
• We recommend parental supervision for users under 18
• Educational use should be supervised by parents or guardians
• Family sharing features may be added in future updates

7.3 Child Data Protection

If we become aware that we have collected personal information from a child under 13:

• We will delete such information immediately
• We will not use such information for any purpose
• We will notify parents if we become aware of unauthorized use
• We will take steps to prevent future unauthorized use

8. International Data Transfers

8.1 Cross-Border Data Flow

Your information may be transferred to and processed in countries other than your own:

• Primary data processing occurs in the United States (Firebase/Google Cloud)
• Payment processing occurs through Apple App Store and Google Play Store infrastructure
• AI processing occurs in Google's global infrastructure
• We ensure adequate protection regardless of location

8.2 Transfer Safeguards

We use appropriate safeguards for international transfers:

• Standard Contractual Clauses (SCCs) for EU data transfers
• Adequacy decisions where applicable
• Binding Corporate Rules for intra-group transfers
• Industry-standard encryption and security measures

8.3 Data Localization

• Some countries may require local data storage
• We comply with applicable data localization requirements
• Users in certain regions may have options for local data storage
• We will notify users of any changes to data location policies

9. Cookies and Similar Technologies

9.1 Mobile App Technologies

Our mobile app uses similar technologies to cookies:

Local Storage:

• User preferences and settings
• Authentication tokens and session management
• Cached data for offline functionality
• Performance optimization data

Analytics Identifiers:

• Firebase Analytics identifiers
• Crash reporting identifiers
• Performance monitoring identifiers
• These can be reset through device settings

9.2 Third-Party Technologies

Firebase Services:

• Authentication tokens
• Analytics and performance monitoring
• Crash reporting and diagnostics
• Push notification tokens

App Store Services:

• Purchase receipt identifiers (temporary)
• Subscription status tracking
• Platform security identifiers

9.3 Managing Technologies

You can control these technologies through:

• App settings and preferences
• Device privacy settings
• Operating system controls
• Account management options within the app

10. Data Breach Notification

10.1 Our Response Process

In the event of a data breach:

• Immediate containment and investigation
• Assessment of affected data and users
• Notification to relevant authorities within 72 hours (where required)
• User notification within 72 hours if personal data is affected
• Remediation steps and security improvements

10.2 User Notification

We will notify you of breaches that may affect your data through:

• In-app notifications
• Email alerts to your registered address
• Updates on our website or support channels
• Specific instructions for protecting your account

10.3 Prevention Measures

We continuously improve our security through:

• Regular security audits and assessments
• Employee security training
• Advanced threat detection systems
• Incident response planning and testing
• Third-party security certifications

11. Privacy Policy Updates

11.1 Change Notification Process

We may update this Privacy Policy periodically:

• Material changes will be notified 30 days in advance
• Non-material changes may be posted immediately
• Continued use constitutes acceptance of changes
• Previous versions available upon request

11.2 Types of Changes

Material Changes:

• Changes to data collection practices
• New third-party data sharing arrangements
• Significant changes to your rights
• Changes to data retention periods

Non-Material Changes:

• Clarifications and formatting improvements
• Contact information updates
• Legal reference updates
• Minor policy clarifications

11.3 Version Control

• All policy versions are dated and tracked
• Change history available upon request
• Clear documentation of what changed between versions
• Archive of previous versions maintained

12. Special Considerations

12.1 Financial Data Sensitivity

We recognize the sensitive nature of financial information:

• Enhanced security measures for financial data
• Limited access to financial information within our organization
• Regular audits of financial data handling procedures
• Compliance with financial data protection standards

12.2 AI and Automated Processing

AI Processing Transparency:

• AI processing is clearly marked in the app
• Users can opt out of AI features
• AI decisions can be reviewed and corrected manually
• We do not make fully automated decisions about your finances

Machine Learning:

• We may use anonymized data to improve AI models
• Personal data is not used for training purposes
• AI improvements benefit all users while maintaining privacy

12.3 Offline Data Protection

Local Data Security:

• All offline data is encrypted
• Local storage is protected by device security
• Data sync is secure and authenticated
• Offline cache is automatically purged after 180 days of inactivity

13. Regional Privacy Rights

13.1 European Economic Area (EEA) Users

Under GDPR, you have specific rights:

• Legal basis for processing: Primarily legitimate interest and contract performance
• Data Protection Officer: Available through our support system
• Supervisory authority: You can contact your local data protection authority
• Cross-border data protection: We use SCCs and adequacy decisions

13.2 United Kingdom Users

UK GDPR provides similar rights to EU users:

• Same rights as EEA users under UK GDPR
• ICO (Information Commissioner's Office) as supervisory authority
• Adequate protection for data transfers
• Post-Brexit data protection compliance

13.3 California Users

Under CCPA and CPRA:

• Personal information categories: As detailed in Section 2
• Business purpose: Service provision and improvement
• Third parties: As listed in Section 5
• Sale of personal information: We do not sell personal information
• Sensitive personal information: Financial data is considered sensitive

13.4 Other Jurisdictions

We comply with privacy laws in other jurisdictions:

• Australia (Privacy Act)
• Canada (PIPEDA)
• Brazil (LGPD)
• Other applicable national and regional laws

14. Contact Information and Requests

14.2 Data Subject Requests

To exercise your privacy rights:

1. Use the in-app "Privacy Rights" section in settings
2. Submit requests through the feedback system
3. Clearly identify yourself and specify your request
4. We will verify your identity before processing requests
5. Response within 30 days (or as required by applicable law)

14.3 Complaints Process

If you have privacy concerns:

1. Contact us first through our support system
2. We will investigate and respond promptly
3. If unsatisfied, you may contact relevant data protection authorities
4. We are committed to resolving privacy issues cooperatively

15. Effective Date and Jurisdiction

15.1 Effective Date

This Privacy Policy is effective as of September 15, 2025, and applies to all information collected from that date forward.

15.2 Governing Law

This Privacy Policy is governed by:

• Laws of Nigeria (primary jurisdiction)
• Applicable international privacy laws
• Regional privacy regulations where you are located
• Industry-specific privacy requirements

15.3 Conflict Resolution

In case of conflicts between different privacy requirements:

• The most protective standard will generally apply
• Regional laws take precedence in their jurisdictions
• We will notify users of any conflicts and their resolution