Privacy Policy

Last updated: April 25, 2026

Our Core Promise: PocketVault is built on a privacy-first architecture. Your financial data is stored exclusively on your device. We do not operate cloud servers that collect, store, or process your personal financial information. Period.

1. The Truth Matrix

We believe a privacy policy should be an audit table, not a wall of prose. Below is the complete list of every surface where the app or this website touches your data — including sensitive surfaces that stay entirely on your device. If a surface isn't in this table, it doesn't exist. Every row here is verifiable against our open-source release artifacts.

Surface: App — normal use
  What we collect: Nothing
  Where it goes: Nowhere
  Retention: N/A

Surface: App — "Share diagnostic logs" (only if you tap Send)
  What we collect: PII-scrubbed app logs you choose to attach (≤50 KB), plus device model and app version
  Where it goes: Cloudflare Worker → Resend → our support inbox
  Retention: 90 days, then deleted

Surface: App — AI model download
  What we collect: Nothing identifying. The R2 fallback strips your IP at the Cloudflare edge before logging.
  Where it goes: HuggingFace (primary) or our Cloudflare R2 mirror (fallback). A download from HuggingFace is a request to HuggingFace's servers and falls under their access logging and privacy policy, not ours.
  Retention: Standard CDN access logs, rotated within 24 hours

Surface: App — P2P sync (Premium, opt-in)
  What we collect: Encrypted vault contents over your local Wi-Fi, device-to-device only
  Where it goes: Your other device. Never our servers; we have none.
  Retention: N/A, we never see it

Surface: App — bank SMS read (Android, opt-in)
  What we collect: Bank transaction SMS body and sender ID, parsed by an on-device model into structured transactions. Non-bank SMS are filtered out by sender pattern before the body is read.
  Where it goes: Stays on your device. Never transmitted off-device; the app has no telemetry endpoint to send it to (see the outbound-surface list below and the CI check in §11).
  Retention: Until you clear app data or revoke the SMS permission

Surface: App — bank notification capture (Android, opt-in)
  What we collect: Notification text from financial apps you explicitly add to the tracked-apps list (e.g., bank push notifications). Other notifications are ignored.
  Where it goes: Stays on your device. Never transmitted off-device.
  Retention: Until you clear app data or revoke notification access

Surface: App — iOS Shortcut SMS intake (opt-in, user-configured)
  What we collect: SMS body and sender forwarded by a Shortcuts automation you set up yourself. Apple does not give third-party apps direct SMS access; only the Shortcut you authorise can hand a message to PocketVault.
  Where it goes: Buffered in an App Group container on your device, then drained into the encrypted local database. Never transmitted off-device.
  Retention: Buffer drained on next app launch; the resulting transaction row is kept per the standard import retention

Surface: App — iOS Shortcut buffer overflow counter
  What we collect: An integer count of how many SMS were dropped because the buffer filled before the app could drain it (no SMS content, just the count)
  Where it goes: App Group UserDefaults on your device only
  Retention: Cleared when you dismiss the overflow notice in the app

Surface: App — receipt capture (opt-in, when available)
  What we collect: The receipt image or file you provide, the OCR text extracted from it, and the structured fields derived locally
  Where it goes: Stays on your device. Never transmitted off-device.
  Retention: Until you delete the receipt or clear app data

Surface: App — on-device LLM inference
  What we collect: The prompts and outputs of the local language model: your chat queries, imported text being parsed, and the model's responses. The model file itself was downloaded once (see the "AI model download" row above).
  Where it goes: Stays on your device. Local model runtime only; no cloud AI services are contacted.
  Retention: Per session; prompts are not persisted beyond the current chat or import flow

Surface: Website — page views
  What we collect: Cloudflare Web Analytics: cookieless, aggregate page views and country, no cross-site tracking, no fingerprinting
  Where it goes: Cloudflare Analytics dashboard
  Retention: 6 months, aggregate only

Surface: Website — /feedback form (only if you submit)
  What we collect: Only what you type, plus an optional reply-to email if you choose to provide one
  Where it goes: Cloudflare Worker → Resend → our support inbox
  Retention: 90 days, then deleted

Surface: Website — /roadmap vote (only if you vote)
  What we collect: A salted SHA-256 hash of your IP address. The salt rotates every 24 hours and the raw IP is never written to our database.
  Where it goes: Cloudflare D1 (vote tally)
  Retention: Until the tally is reset for that feature

Surface: Website — newsletter (only if you subscribe)
  What we collect: The email address you provide. No tracking pixels, no click tracking. Sent as plaintext and HTML; links are not wrapped in tracking redirects.
  Where it goes: Cloudflare D1 + Resend (sending)
  Retention: Until you unsubscribe; the row is hard-deleted, not flagged

The app's outbound surface, in one sentence: HuggingFace model downloads, our R2 fallback mirror, diagnostic-log submissions you send yourself (with the scrubbed logs you choose to attach), and user-initiated LAN P2P sync. Nothing else, ever.

2. What We Never Collect — From Anyone, Anywhere

Across the app and this website, we do not collect, transmit, or have any access to:

  • Your financial accounts, balances, or transaction history
  • Bank credentials, passwords, or authentication tokens
  • Budgets, spending categories, or financial goals
  • AI chat conversations, prompts, or model responses
  • Your name, profile photo, location, contacts, calendar, or device identifiers
  • Behavioural telemetry: which buttons you tap, which screens you visit, how long you spend
  • Crash reports or stack traces (you may opt to attach scrubbed logs to a feedback submission, but that's it)

There is no account required to use the app — you never create a username or profile with us. The app works fully offline.

3. On-Device AI Processing

PocketVault's AI features (transaction categorisation, natural language queries, forecasting) run entirely on your device using local language models — Gemma, Qwen, or Apple Foundation Models on iOS 26+. Your prompts, financial context, and model responses are never sent to external servers — no cloud AI services (OpenAI, Google, Anthropic, etc.) are used.

Models themselves are downloaded once from HuggingFace (or our R2 mirror as fallback). After download they live on-device and the network is never touched for inference.

4. Data Stored on Your Device

All user data is stored locally in an AES-256 encrypted SQLCipher database on your device. The database key is kept in the platform's protected key store (Keychain on iOS/macOS, Android Keystore, DPAPI on Windows), not in the database file, and is never transmitted. How strongly that store is hardware-backed differs by platform: Keychain and Android Keystore are rooted in hardware on modern devices (Secure Enclave, TEE or StrongBox), while DPAPI binds the key to your Windows login credentials rather than to hardware. Because this data resides solely on your device, you maintain full control over it. Uninstalling the app or clearing its data permanently deletes all records.

5. P2P Sync

The Premium plan's sync feature uses direct device-to-device communication over your local Wi-Fi network, secured by an ECDH key exchange between your own devices. Data travels directly between your devices — it never passes through our servers, because we don't have servers.

6. Diagnostic Logs (Opt-In, Per-Submission)

If you contact us through the app's "Share diagnostic logs" flow, you can optionally attach recent application logs to help us reproduce a bug. Before they leave your device, those logs are PII-scrubbed — emails, phone numbers, and file paths are stripped — and truncated to 50 KB. The app shows you exactly what will be sent, and you can decline the log attachment entirely while still sending the message. Attached logs are deleted from our inbox within 90 days.
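Scrub first, then truncate, worked through in Python as an added example. This is not PocketVault's own code; the regex rules, the <email>/<phone>/<path> placeholders, the platform path prefixes and the sample log lines are all assumptions made here for illustration. It keeps the most recent 50 KB rather than the first, and it protects ISO timestamps before the phone-number rule runs, because a bare digit-run rule would otherwise erase every timestamp and leave the log useless for reproducing a bug:

```python
import re

MAX_BYTES = 50 * 1024  # the 50 KB cap from section 6

# ISO-8601 timestamps are protected before scrubbing: the phone rule below
# would otherwise match "2026-04-25 14:03:12" and erase the log's timeline.
_TIMESTAMP = re.compile(
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
)

_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Home and app-data directories on each platform, greedy to the end of the path.
# Assumed prefixes; a real build would list the directories its logs mention.
_PATH = re.compile(
    r"(?:/Users/|/home/|/data/user/\d+/|/storage/emulated/\d+/|[A-Za-z]:\\Users\\)\S+"
)

# A candidate phone number is a digit-led run of digits, spaces, dots, dashes
# and parentheses. It is redacted only if it carries 8 to 15 digits, so byte
# counts and status codes survive but national and international numbers do not.
_PHONE_CANDIDATE = re.compile(r"\+?\(?\d[\d\s().-]{6,18}\d")


def _redact_phone(match):
    digits = sum(ch.isdigit() for ch in match.group())
    return "<phone>" if 8 <= digits <= 15 else match.group()


def scrub_line(line: str) -> str:
    """Replace e-mails, file paths and phone numbers in one log line."""
    stamps = []

    def protect(match):
        stamps.append(match.group())
        return f"\x00{len(stamps) - 1}\x00"  # placeholder no scrub rule can match

    line = _TIMESTAMP.sub(protect, line)
    line = _EMAIL.sub("<email>", line)
    line = _PATH.sub("<path>", line)
    line = _PHONE_CANDIDATE.sub(_redact_phone, line)  # last: it is the greediest rule
    return re.sub(r"\x00(\d+)\x00", lambda m: stamps[int(m.group(1))], line)


def prepare_attachment(log_text: str, max_bytes: int = MAX_BYTES) -> bytes:
    """Scrub every line, then keep the most recent max_bytes as whole lines."""
    scrubbed = "\n".join(scrub_line(line) for line in log_text.splitlines())
    data = scrubbed.encode("utf-8")
    if len(data) > max_bytes:
        data = data[-max_bytes:]
        data = data[data.find(b"\n") + 1:]  # drop the partial first line (no-op if none)
    return data


# Constructed sample log (not real PocketVault output) that exercises each rule.
SAMPLE_LOG = """\
2026-04-25 14:03:11.207 INFO  import: parsed 3 transactions from /Users/alice/Downloads/statement.csv
2026-04-25 14:03:12.011 WARN  sms: sender +49 170 1234567 did not match a known bank pattern
2026-04-25 14:03:12.015 DEBUG settings: reply-to alice.smith+test@example.com stored locally
2026-04-25 14:03:13.400 ERROR db: SQLCipher open failed at C:\\Users\\alice\\AppData\\Local\\PocketVault\\vault.db (code 26)
"""

if __name__ == "__main__":
    print(prepare_attachment(SAMPLE_LOG).decode("utf-8"))
```

The rules are deliberately aggressive: a bare eight-digit counter such as `rows=12345678` would be redacted as a phone number, which is the right failure direction for logs that are about to leave the device. Showing the scrubbed text to the user before sending, as the flow above does, is what catches anything the regexes miss.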

7. Website Analytics

This website (pocketvault.finance) uses Cloudflare Web Analytics, a cookieless measurement beacon that counts aggregate page views without cookies, fingerprints, cross-site tracking, or any per-visitor identifiers. We see "this page got 412 views from Germany this week" and that's all. We do not add Google Analytics, Plausible, Mixpanel, or any other analytics tool.

The website also reads your browser's timezone setting (via the standard Intl API) as a rough proxy for your region, to pick a display currency for pricing. This is a local heuristic, not location detection: it runs entirely in your browser, and nothing is sent to any server.

8. /feedback, /roadmap, and Newsletter (All Opt-In)

The website offers three optional ways to share input with us:

  • /feedback — a public form. We see only what you type. An optional reply-to email is yours to provide or omit. Submissions are protected by Cloudflare Turnstile (a cookieless CAPTCHA) and rate-limited per IP; the IP is used only for that rate-limit check and is not stored alongside your message.
  • /roadmap — vote on candidate features. To prevent ballot-stuffing without tracking voters, we hash your IP with a daily-rotating salt before storing it. The raw IP never touches our database. Because the salt rotates every 24 hours, hashes from different days cannot be linked to each other, and without the day's salt a stored hash cannot be turned back into an address. The flip side is that the duplicate check only holds within a day: the rotating salt trades strict one-vote-per-address for unlinkability. Vote tallies are public.
  • Newsletter — opt-in via double confirmation. We send at most one email per month. There are no tracking pixels and no click tracking. Unsubscribing hard-deletes your row immediately.
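The /roadmap vote scheme, worked through in Python as an added example; this is not PocketVault's Worker code. The random per-day salt held only in memory, the HMAC form of the salted SHA-256, the address canonicalisation and the in-memory tally standing in for D1 are assumptions of this example. It shows the three properties that matter: the same address deduplicates within a day, tokens from different days are unlinkable, and the request handler never stores the address:

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone


def utc_day(now=None) -> str:
    """Calendar day in UTC, e.g. '2026-04-25'; the salt rotates on this boundary."""
    return (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d")


class DailySalt:
    """One random 32-byte salt per UTC day, held only in memory.

    Assumed design (not PocketVault's): the previous day's salt is dropped on
    rollover and never persisted. That matters because IPv4 has only 2**32
    addresses, so anyone holding a day's salt could brute-force that day's
    hashes back to addresses; once the salt is gone, the stored hashes are
    opaque tokens and nothing more.
    """

    def __init__(self) -> None:
        self._day = None
        self._salt = b""

    def current(self, day: str) -> bytes:
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)  # old salt dropped here
        return self._salt


def voter_token(ip: str, salt: bytes) -> str:
    """Salted SHA-256 of the client address, in keyed (HMAC) form.

    The address is canonicalised first so '2001:db8::1' and
    '2001:0db8:0000::0001' yield the same token.
    """
    canonical = str(ipaddress.ip_address(ip)).encode("ascii")
    return hmac.new(salt, canonical, hashlib.sha256).hexdigest()


class RoadmapTally:
    """In-memory stand-in for the D1 table: feature id -> set of voter tokens."""

    def __init__(self) -> None:
        self._votes = {}

    def vote(self, feature_id: str, token: str) -> bool:
        seen = self._votes.setdefault(feature_id, set())
        if token in seen:
            return False  # same token, same day: duplicate rejected
        seen.add(token)
        return True

    def count(self, feature_id: str) -> int:
        return len(self._votes.get(feature_id, ()))


def cast_vote(tally: RoadmapTally, salts: DailySalt,
              feature_id: str, client_ip: str, day: str) -> bool:
    """What a request handler does: hash, forget the address, record the token."""
    token = voter_token(client_ip, salts.current(day))
    del client_ip  # nothing past this point, including the tally, sees the raw address
    return tally.vote(feature_id, token)
```

The one operational rule this design depends on is that the salt is never logged or backed up: the token table is only as unlinkable as the salt is secret, and a 32-bit address space is trivially enumerable for anyone who has both.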

9. Children's Privacy

PocketVault is not directed at children under the age of 13. The app collects no personal information at all, and the website collects only what you choose to type into an opt-in form, so there is nothing for us to knowingly collect from a child. If you believe a child has provided data through the app or website, please contact us and we will take appropriate steps.

10. Your Rights and Control

Because your data lives on your device, you have complete control at all times:

  • Access: All your data is viewable within the app.
  • Deletion: Clear all data from the app settings, or uninstall the app entirely.
  • Portability: Export your financial data in standard formats from within the app.
  • Newsletter: Click the unsubscribe link in any email — your row is deleted, not flagged.
  • Feedback / diagnostic logs: Email privacy@pocketvault.finance referencing the date of your submission and we will delete it ahead of the 90-day schedule.

11. How We Enforce This Policy in Code

To keep this policy from becoming an aspirational document, our release pipeline grep-scans the built APK and IPA artifacts for forbidden SDK domains (googleapis.com, firebase, crashlytics, sentry.io, amplitude, mixpanel, posthog, segment.com) and fails the build on any match. The "no telemetry" promise is enforced by CI, not just by intention.
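An added example of that check in Python, not PocketVault's pipeline; the function names and the constructed sample archives are assumptions. The detail a grep one-liner gets wrong is the point of the example: APK and IPA files are zip containers, so the search has to run over the decompressed entries rather than the archive bytes, or every string literal is hidden behind deflate:

```python
import io
import sys
import zipfile

# The forbidden-SDK list from section 11, as byte strings: compiled DEX and
# Mach-O keep their string constants as plain (M)UTF-8, so a byte search over
# the decompressed entries finds them. Matching is case-insensitive.
FORBIDDEN = (
    b"googleapis.com", b"firebase", b"crashlytics", b"sentry.io",
    b"amplitude", b"mixpanel", b"posthog", b"segment.com",
)


def scan_artifact(artifact):
    """Return (entry name, domain) for every forbidden string in an APK or IPA.

    `artifact` is a path or the raw bytes of the file. Both formats are zip
    containers, so each entry is decompressed in memory before searching; a
    grep over the zip file itself would see deflated bytes and miss everything.
    """
    source = io.BytesIO(artifact) if isinstance(artifact, (bytes, bytearray)) else artifact
    hits = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info).lower()
            hits.extend((info.filename, needle.decode()) for needle in FORBIDDEN if needle in data)
    return hits


def build_sample_artifact(entries) -> bytes:
    """Constructed stand-in for a build output (not a real APK): a zip of the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


def main(argv) -> int:
    """CI entry point: exit 1 if any artifact on the command line has a hit."""
    failed = False
    for path in argv[1:]:
        for entry, needle in scan_artifact(path):
            print(f"{path}: forbidden SDK string {needle!r} in {entry}", file=sys.stderr)
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

String obfuscation or a hostname assembled at runtime would slip past any string match, so this check is a floor rather than a proof; an egress test that runs the app behind a capturing proxy and asserts that only the endpoints in the truth matrix are ever contacted is the natural complement.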

12. Changes to This Policy

If we ever change this policy, we'll update the "Last updated" date at the top of this page and announce the change in the next changelog entry and newsletter. Any change that adds a new row to the truth matrix above will be called out explicitly.

13. Contact

Questions about privacy? Email us at privacy@pocketvault.finance.