Privacy Policy
Ut Finance is built around a simple principle: your financial life is yours. The app is architected to be local-first by default — your transactions, budgets, and balances live on your device in a local database. Nothing is synced to a server unless you explicitly use a feature that requires it.
That said, several features — receipt scanning, the AI assistant, shared wallets, subscriptions — do involve data leaving your device. This policy explains exactly what is sent, where it goes, and why. If something isn't clear, reach out directly.
This policy is designed to comply with global data protection standards, including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and the United Kingdom, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents, and the Philippine Data Privacy Act of 2012 (RA 10173). Your use of Ut Finance is also subject to our Terms of Service.
1. Data That Stays on Your Device
The following data is stored exclusively in a local SQLite database on your device and is never sent to my servers or any third party unless you initiate a feature that specifically requires it:
- All personal financial transactions (expenses, income, transfers)
- Wallet balances and account details
- Budget plans, spending categories, and goal progress
- Shopping lists and planned purchases
- Receipt images queued for OCR (stored locally pending processing)
- AI chat conversation history (stored on-device)
- Guardian financial health scores and alerts
- Scheduled transaction records
Your financial history is not uploaded to my infrastructure as part of normal app operation. The server does not hold a copy of your transaction ledger.
2. Receipt Scanning & OCR Processing
Receipt scanning is the most data-intensive feature in the app. When you scan a receipt, the following happens:
What is sent to Google Gemini
The raw receipt image file (JPEG, PNG, or WebP) is transmitted to the Google Gemini API for processing. Before any image leaves your device, all EXIF metadata is stripped — including GPS coordinates, camera model, and capture timestamps. Only the image pixels are transmitted. The OCR prompt asks Gemini to attempt extraction of a broad set of fields — however, not all of them are used by the app.
Fields actively used by the app
The following are extracted, stored in your local receipt record, and carried across to the expense entry:
- Merchant name
- Transaction date
- Total amount and currency
- Individual line items — product names, quantities, and prices
- Merchant address (stored as the transaction location — extracted from the receipt text, not from your device's GPS)
- Invoice or receipt number
Confidence scores per field are also extracted and stored locally. They are used to flag low-confidence entries for your review but are not transferred to the expense record.
The app only extracts the fields listed above. It does not extract additional receipt details such as cashier names, phone numbers, tax IDs, payment methods, and the like.
The app does not extract or process card numbers, bank account numbers, or any other payment credential from receipts.
What Gemini returns
Gemini returns a structured JSON object containing only the extracted fields. These are stored locally as part of your expense record. No additional fields are requested or returned.
Batch OCR
When you queue multiple receipts for batch processing, images are stored locally on your device first (in an app-managed directory). They are uploaded to the Google Gemini Batch API when processing begins — either immediately when a connection is available, or deferred to WiFi (WiFi-only mode is on by default). The batch job is tracked by a job ID, and results are downloaded when processing completes. Uploaded input images are stored in Google Gemini's file storage and expire automatically per Google's file storage TTL policy (approximately 48 hours according to Google's Batch API documentation). The app does not explicitly retain input images after processing. Local queue images are deleted once you save or dismiss the receipt. If receipts sit unprocessed for 7 days, the app sends a reminder notification.
Images shared from other apps
On both Android and iOS, you can share images directly from other apps — such as Photos, Messages, Files, or your gallery — into Ut using your device's share sheet. These images are handled exactly like camera-captured receipts: EXIF metadata is stripped, only the image pixels are transmitted to Google Gemini for OCR, and the image is not retained after processing. You must initiate this action; the app does not automatically import images from your device.
Data retention by Google
Ut Finance does not retain receipt images after processing is complete. Google's data retention practices for the Gemini paid API tier are governed by Google's own terms. Under the paid API tier, Google does not use submitted data to train its models. For details, refer to the Google Gemini API Terms of Service.
3. AI Assistant & Financial DNA
The AI assistant answers questions about your finances, generates plans, and can take actions in the app on your behalf. To do this, it requires context about your financial situation. The following data is sent to Google Gemini as part of AI assistant queries:
Financial context sent with each query
- Financial DNA snapshot: A structured summary derived from your transaction history, including net worth, monthly income and expense averages, spending breakdown by category, budget utilisation, goal progress, income patterns, and detected anomalies. This is a synthesised behavioural fingerprint — not a raw transaction dump.
- Guardian health data: Current financial health score, runway estimate, spending behaviour status, and active alerts.
- Budget and goal state: Active budgets with current spend vs. limit, active goals with progress and deadlines.
- Wallet and currency context: Wallet names, balances, and currency information needed to answer questions accurately.
When raw transactions are retrieved
For queries that ask for specific transactions (e.g. "show me my last 10 food expenses"), the AI may request individual records via built-in data lookup tools. When requested, up to 100 transaction records may be retrieved and sent in a follow-up prompt. Each record contains: date, amount, category, description, wallet name, and currency. Transaction IDs are included for reference but do not expose any bank account or card details.
Conversation context
Your chat history is stored locally in an on-device SQLite database. If you enable Sync Across My Devices, chat messages are synchronized between your own devices via an encrypted Firestore message queue. Messages persist for up to 30 days to ensure offline devices can still receive them, after which they are automatically deleted by Firestore TTL. If you reference a previous conversation ("we talked about this last week"), the assistant may include up to 8 recent messages from your local history in the query. These messages are compacted before transmission: filler phrases are stripped, older messages beyond the recent 8 are summarized, and each message is capped at 500 characters.
Your first name (derived from your display name) may be included in AI prompts for conversational personalization.
When you ask about a specific transaction, individual receipt line-item data (product names, quantities, and prices) may be sent to Gemini alongside the transaction summary.
AI-initiated actions
The assistant can suggest and execute actions in the app on your behalf, including: creating or modifying budgets, logging expenses or income, transferring funds between wallets, creating or updating goals, creating categories, managing scheduled transactions, updating shopping lists, and updating your personal context (life notes). All state-changing actions require explicit user approval before they are carried out. Read-only queries (analysis, forecasts, summaries) do not require approval.
Personal context and life notes
You may choose to share personal context with the AI assistant — such as your profession, hobbies, or life milestones — to improve personalization. These "life notes" are stored locally and may be included in prompts sent to the Google Gemini API alongside your Financial DNA snapshot. They are never used to train models and are only shared with Gemini when you engage with the chat feature. You can edit or delete life notes at any time in Settings.
4. Guardian Emotional Posture System
The Guardian can detect when you are going through a difficult life event and adjust its communication tone to be more empathetic and less confrontational. This is an opt-in feature controlled in Settings → Privacy → Guardian Consent.
How it works
The system analyses three signal sources to infer emotional context:
- Chat messages you send to the AI assistant
- Expense descriptions from transactions you log
- Spending patterns computed from your local transaction history
Two-tier privacy model
The system uses a local pre-filter to classify signals by sensitivity before deciding where they are processed:
| Signal Type | Examples | Processing | Retention |
|---|---|---|---|
| High-sensitivity | Death, cancer diagnosis, abuse, bankruptcy, eviction, suicide | On-device only | Zero — never leaves your phone |
| Medium-sensitivity | "Rough breakup", "stressed", "feeling down", therapy visits | Gemini API | 55 days (abuse monitoring only) |
| Routine | "How much did I spend on coffee?", grocery shopping | Ignored | Not processed |
| Spending patterns | Medical spending spikes, funeral home payments, late-night impulses | On-device only | Zero — deterministic math on local SQLite |
What stays on your device
- High-sensitivity chat messages are processed by a local keyword-based extractor. They are never transmitted to any server.
- Spending pattern analysis runs entirely on-device. It compares your recent spending to historical medians using local SQLite queries. No transaction amounts, dates, or merchant details leave your device.
- Posture state (empathy level, duration, expiry) is stored in your local database.
- Audit logs are anonymized: timestamps are rounded to week boundaries, no source labels are stored, and they are automatically purged after 30 days.
What goes to Google Gemini API
- Medium-sensitivity chat messages that the local extractor cannot interpret (e.g., "Things have been dark lately") may be sent to the Gemini API for nuanced analysis. The raw message text is transmitted. Google retains API inputs for up to 55 days for abuse monitoring. This data is not used to train models.
- Expense description batches (3 non-routine descriptions at a time) may be sent to Gemini for pattern detection. Only the text strings are transmitted — not amounts, dates, categories, or wallet information. Example batch: "Funeral Home Services", "Dr. Smith Office", "CVS Pharmacy".
Full transaction records are never sent. Google never sees how much you spent, when you spent it, which wallet you used, or your account balance. Only anonymised description snippets and medium-sensitivity chat messages are transmitted.
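The two-tier routing described above, as an added example that is not Ut Finance's own code: a local pre-filter that decides per signal whether text stays on-device, is ignored, or may leave for the Gemini API, plus the text-only description batching and week-bucketed audit timestamps. The keyword lists, routine patterns and sample transactions are constructed for illustration; the app's real lists are not on the page.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed tiers mirroring the table's examples (assumption, not the app's lists).
HIGH_SENSITIVITY = ("death", "died", "cancer", "abuse", "bankruptcy", "eviction", "suicide")
ROUTINE = ("how much did i spend", "grocery", "groceries", "coffee")

ON_DEVICE = "on-device"   # handled by the local extractor, never transmitted
GEMINI = "gemini-api"     # raw text may be sent for nuanced analysis
IGNORED = "ignored"       # routine; not processed at all


@dataclass(frozen=True)
class Routing:
    destination: str
    payload: Optional[str]  # the only thing allowed to leave the device, or None


def _hits(text: str, keywords) -> bool:
    # Whole-word match so that e.g. "studied" does not trip the "died" keyword.
    return any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in keywords)


def classify(text: str) -> Routing:
    lowered = text.lower()
    # Tier 1 wins over everything else: a high-sensitivity hit stays on the phone
    # even when the same message also contains routine phrasing.
    if _hits(lowered, HIGH_SENSITIVITY):
        return Routing(ON_DEVICE, None)
    if _hits(lowered, ROUTINE):
        return Routing(IGNORED, None)
    # Anything the local extractor cannot resolve is treated as medium-sensitivity;
    # the raw text is the payload, nothing else is attached.
    return Routing(GEMINI, text)


def description_batches(transactions, batch_size=3):
    """Group non-routine expense descriptions into text-only batches.

    Each transaction carries description/amount/date/category/wallet, but only the
    description strings survive; amounts, dates and wallet names never enter a batch.
    """
    eligible = [
        t["description"] for t in transactions
        if classify(t["description"]).destination == GEMINI
    ]
    return [eligible[i:i + batch_size] for i in range(0, len(eligible), batch_size)]


def week_bucket(ts: datetime) -> date:
    """Round an audit-log timestamp down to the Monday of its week (anonymised log)."""
    d = ts.date()
    return d - timedelta(days=d.weekday())


# Constructed sample ledger used only to exercise the functions above.
SAMPLE_TRANSACTIONS = [
    {"description": "Funeral Home Services", "amount": 1200.0, "date": "2024-03-01", "category": "Other", "wallet": "Main"},
    {"description": "Grocery run", "amount": 54.2, "date": "2024-03-02", "category": "Food", "wallet": "Main"},
    {"description": "Dr. Smith Office", "amount": 80.0, "date": "2024-03-03", "category": "Health", "wallet": "Main"},
    {"description": "CVS Pharmacy", "amount": 23.5, "date": "2024-03-04", "category": "Health", "wallet": "Main"},
    {"description": "Eviction notice fee", "amount": 150.0, "date": "2024-03-05", "category": "Housing", "wallet": "Main"},
]


if __name__ == "__main__":
    for msg in ("My dad died last month", "How much did I spend on coffee?", "Things have been dark lately"):
        print(msg, "->", classify(msg))
    print(description_batches(SAMPLE_TRANSACTIONS))
    print(week_bucket(datetime(2024, 3, 7, 15, 30)))
```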
Consent and control
The feature is disabled by default. You must explicitly opt in via Settings → Privacy → Guardian Consent. You can:
- Enable or disable posture detection entirely
- Toggle individual signal sources (chat parsing, description scanning)
- Set a duration cap (30, 90, or 180 days) for how long a gentle posture can persist
- Withdraw consent at any time — all posture data is reset to baseline immediately
5. Location Data
Ut Finance handles location in two distinct ways:
- Receipt-derived address (automatic): When scanning a receipt, the merchant's address as printed on the receipt may be extracted by the OCR process and stored with the expense. This does not involve your device's GPS. See Section 2 for details on what is sent to Gemini.
- Device GPS (optional, manual only): If you grant the optional location permission, you may choose to tag an expense with your current GPS coordinates or by selecting a location on a map. This is always a user-initiated action — the app does not track your location in the background. GPS-tagged location data is stored locally with the transaction and is not transmitted to my servers.
GPS coordinates you have tagged on transactions are included in encrypted local backups and in backend-mediated backups to Google Drive.
When you search for a location by name or view a map to tag a transaction, map tiles are loaded from OpenStreetMap and geocoding (converting place names to coordinates) is handled by Nominatim. Location search queries are sent to these services over HTTPS. GPS coordinates and search terms are not linked to your identity when transmitted to OpenStreetMap or Nominatim.
6. Account Metadata & Cloud Services
| Service | Data Processed | Purpose |
|---|---|---|
| Firebase Auth | User ID, sign-in method | Authentication |
| Cloud Firestore | User ID, subscription state, scan credit balance, shared wallet collaboration records | Entitlement management; shared wallet sync |
| Firebase Storage | Receipt images attached to shared wallets (7-day sync window, then deleted) | Shared wallet file sync |
| Firebase Analytics | Feature usage events (e.g. receipt scan initiated, budget created) — consent required. Transaction amounts and user-defined goal names are explicitly excluded from all events. | Usage analytics; improving the app |
| Firebase Crashlytics | Crash reports, stack traces, runtime errors. Crash context may incidentally include financial data strings from app state at time of crash. | Stability monitoring and bug fixing |
| RevenueCat | User ID, subscription tier, purchase receipt from Google Play | Subscription and entitlement management |
| Google AdMob | Advertising ID, ad impressions and interactions | Ad delivery for free-tier users. A consent form is shown before the Advertising ID is accessed for users in the EEA/UK. To opt out of personalised ads, go to Settings → Google → Ads → "Opt out of Ads Personalisation" on Android, or reset your Advertising ID at any time from the same menu. |
| Google Gemini API | Receipt images (EXIF-stripped); financial context summaries; AI assistant prompts. See Sections 2 and 3. | OCR processing; AI features |
| Firebase Cloud Messaging | Device token | Push notification delivery for budget alerts and bill reminders |
| Firebase Remote Config | Feature flags and kill switches | Remote feature toggling and app configuration |
| Firebase App Check | Device integrity tokens | Preventing abuse of backend APIs via Play Integrity (Android) and DeviceCheck (iOS) |
Firebase Analytics and Crashlytics collection are disabled by default. You may enable them in Settings → Privacy → Help Improve the App.
7. Shared Wallets
Shared Wallets are an explicitly opt-in, collaborative feature. The app uses a bridge-only architecture for shared wallets:
- Wallet metadata (name, currency, member list, roles) is stored in Firestore and is visible to all collaborators.
- Individual expenses and income remain on each collaborator's device. They are synced between devices via encrypted inbox messages, not stored as shared Firestore documents.
- Wallet-to-wallet transfers are stored locally on the device that created them. They are not synced to Firestore and are not visible to collaborators.
- When you create or join a shared wallet, your display name is visible to other members. Email addresses are not exposed to collaborators — invitations use QR codes or temporary pairing codes instead.
Receipt images or attachments added to a shared wallet are temporarily stored in Firebase Storage for a 7-day synchronisation window, giving all authorised collaborators time to download the file locally. The cloud copy is automatically deleted after this period. Shared wallet data is only accessible to verified collaborators within that wallet.
8. Personal Multi-Device Sync
You can sync your financial data across your own devices (for example, from your phone to your tablet). This is a same-user feature that is completely separate from Shared Wallets.
When enabled, changes you make on one device — expenses, income, wallets, transfers, budgets, goals, scheduled transactions, due-date reminders, buy lists, AI chat messages, and settings — are queued in an encrypted Firestore message queue under your user ID. These messages are transient: they are automatically deleted after 30 days or immediately after being processed by your other devices. No other user can access this queue. You can disable this feature at any time in Settings.
9. Referral Program
Ut Finance offers a referral program that allows you to invite others and earn rewards. When you participate, the following data is processed:
- Your user ID is used to generate a unique referral code.
- Referral status, slots remaining, and reward preferences are stored in Firestore and on the Ut backend.
- When you redeem a code or check waitlist status, your user ID and the referral code are sent to the Ut backend for validation.
Referral data is retained while your account is active and deleted when you delete your account.
10. Cross-Border Data Transfers
Under various data protection regulations (such as the GDPR and the Philippine Data Privacy Act of 2012), we are required to disclose when personal data is transferred to entities or infrastructure outside your home country or jurisdiction.
The following third-party services used by Ut Finance operate on infrastructure based primarily in the United States:
- Google Gemini API — receipt images and AI context are processed on Google's US-based infrastructure
- Firebase (Auth, Firestore, Storage, Analytics, Crashlytics, App Check) — project data may reside in Google's default US region
- RevenueCat — subscription and purchase data processed in the US
- Google AdMob — advertising identifiers processed on Google's global infrastructure
- Ut Backend — bug reports, referral data, and subscription webhooks are processed on Google Cloud Run infrastructure in the United States
- OpenStreetMap / Nominatim — location search queries may be processed by OpenStreetMap's global infrastructure
There is no local data residency in place for these services. By using features that require these services, you acknowledge that your data will be transferred to and processed in jurisdictions outside your home country (including the United States). For EEA and UK users, these transfers are covered by the data processing agreements and Standard Contractual Clauses (SCCs) or other recognized safeguards of each provider listed above.
11. App Permissions
The following device permissions may be requested by the app:
| Permission | Required? | Purpose |
|---|---|---|
| Internet | Required | AI features, shared wallets, subscription checks |
| Camera | Optional | Receipt scanning. Only accessed when you actively open the scanner. |
| Storage / Media | Optional | Loading existing photos from your gallery for receipt scanning |
| Location (Fine / Coarse) | Optional | GPS expense tagging. Never used in the background. |
| Biometric | Optional | App lock / biometric unlock. Biometric data never leaves your device. |
| Notifications | Optional | Budget alerts, bill reminders, Guardian warnings |
| Exact Alarm | Optional | Scheduled reminders at precise times |
| Foreground Service | Required | Background OCR queue processing while the app is active |
| Billing | Required | In-app subscription purchases via Google Play |
Biometric authentication: If you enable app lock, Ut uses your device's biometric hardware (Face ID or fingerprint) via the operating system's local authentication APIs. The app only receives a pass/fail result. Your biometric data is never accessed, stored, or transmitted by Ut.
Home screen widgets: On Android and iOS, optional home screen widgets display a limited financial summary (such as Safe to Spend and upcoming bill counts). This data is written to device storage accessible by the widget extension (SharedPreferences on Android, App Group UserDefaults on iOS). Widgets do not transmit data to external services.
The app also registers a daily background check (guardian_periodic_check) that analyzes your financial health using only on-device data. No information is transmitted during this check.
12. Website Waitlist Data
If you submit your email on the Ut Finance website, I collect that email address for beta invitations. Form processing is handled by Netlify. I retain this data until you unsubscribe, request deletion, or it is no longer needed for beta communications. I do not share this email with third parties beyond what is required to operate the mailing list.
13. Bug Reporting
If you submit a bug report through the in-app dialog, the following information is collected:
- Your user ID, email address (optional), and subscription tier
- A description of the issue (provided by you)
- Device metadata: platform (Android/iOS) and app version
- An optional screenshot of your current screen, which is uploaded to Firebase Storage and linked to the report
Bug reports are sent to the Ut backend and stored in Firestore for triage. If you provide an email address, it may be used to follow up on the issue. Bug report data is retained while your account is active and deleted when you delete your account. You are never required to submit a bug report.
14. Data Retention
- Local financial data: Retained on your device indefinitely until you delete it or uninstall the app.
- Receipt queue images: Deleted locally when you save or dismiss a receipt. If receipts sit unprocessed for 7 days, the app sends a reminder notification.
- Shared wallet cloud data: Retained while you are an active participant. Deleted upon account deletion or wallet removal.
- Receipt images in shared wallets: 7-day cloud TTL, then automatically deleted.
- Account metadata (Firestore): Retained while your account is active. Deleted immediately upon account deletion.
- Google Drive backups: Encrypted with AES-256-GCM using a key stored in your device's secure enclave. Because these reside in your personal Google Drive, they remain under your control and persist until you manually delete them from your Drive.
- Crash logs (Crashlytics): Retained for 90 days per Firebase's default retention policy.
- Analytics events: Retained per Firebase Analytics default (up to 14 months). Transaction amounts and goal names are never included.
- Gemini API processing: Ut Finance does not retain prompts or images after the API response is received. Google's Gemini API retains inputs for up to 55 days for abuse monitoring only. This data is not used to train models. High-sensitivity posture signals are processed on-device and never transmitted.
- Guardian posture audit logs: Anonymised week-bucketed logs are retained locally for 30 days, then automatically purged.
- Bug reports: Retained while your account is active. Deleted upon account deletion.
- Personal sync queue messages (Firestore): 30-day TTL, then automatically deleted by Firestore.
- Referral data: Retained while your account is active. Deleted upon account deletion.
- Data imported from other apps (e.g., MoneyPlus): Retained locally under the same terms as manually entered data.
15. Your Privacy Rights (GDPR, CCPA, and DPA)
Depending on your location, you may have rights under the GDPR (for EEA/UK residents), CCPA/CPRA (for California residents), or the Philippine Data Privacy Act of 2012 (RA 10173). These rights include:
- Right to be Informed: You have the right to know what personal data is collected, how it is used, and with whom it is shared. This policy is the primary disclosure document.
- Right to Access: You may request a summary of the personal data we hold about you. For in-app data, you have direct access via the app at all times. For administrative metadata (Firestore), you may request this by contacting us directly.
- Right to Correction / Rectification: You may request correction of inaccurate data held in cloud systems. In-app data can be edited directly within the app.
- Right to Erasure (Right to be Forgotten) / Deletion: Use the "Delete Account" feature in app settings. This immediately and irreversibly deletes your Firebase Auth record, Firestore profile and all subcollections (including personal sync queue, shared wallet memberships, bug reports, and referral data), Google Drive backups, and invitations. Your local database is wiped at the same time. There is no 30-day grace period. For beta email signups, contact us directly to be removed.
- Right to Object / Opt-Out: You may opt out of Firebase Analytics and Crashlytics collection in app settings. You may opt out of AdMob personalized ads via your device's advertising settings or the in-app consent preferences.
- Right to Data Portability: In-app data can be exported via the app's export feature. For cloud-held administrative data, contact us to arrange a structured export.
- Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances (e.g., while a dispute about accuracy is resolved).
- Right to Withdraw Consent: Where the processing of your data is based on your consent, you have the right to withdraw that consent at any time.
- Right to Non-Discrimination: We will not discriminate against you in pricing, service quality, or availability for exercising any of your privacy rights.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (such as a Data Protection Authority in the EU, or the National Privacy Commission in the Philippines).
Automated decision-making: The AI assistant generates personalized insights and recommendations based on your financial data. These are advisory only and do not constitute legally binding decisions. You may disregard or modify any recommendation.
To exercise any of these rights, contact us at the address below. We will respond within the timelines required under the applicable regulations (typically within 30 days).
16. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the appropriate supervisory authorities (such as the Philippine National Privacy Commission or relevant European Data Protection Authorities) and affected users in accordance with applicable laws (typically within 72 hours of becoming aware of the breach).
17. Data Protection Officer
For questions about this privacy policy, data protection practices, or to exercise your rights as a data subject, contact the Data Protection Officer at support@utfinance.xyz.
18. Children's Privacy
Ut Finance is not directed at children under the age of 13. I do not knowingly collect personal data from children under 13. If you are under 13, please do not use this app or provide any personal information.
The app requires users to confirm they are 13 years of age or older during onboarding.
If you are a parent or guardian and believe your child under 13 has created an account or provided personal information, please contact me at the address in Section 14 and I will promptly delete that data from cloud systems.
19. Contact
Questions about this policy, data deletion requests, or concerns about how your data is handled can be sent directly to the Data Protection Officer at:
I take privacy questions seriously and will respond personally.
20. California Residents — Your Privacy Rights
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to opt out of the "sale" or "sharing" of their personal information for interest-based advertising.
To exercise this right:
- In the app: Go to Settings → Data, Backup & Privacy → Consent Record → Manage Consent → Advertising Preferences
- Via Google: Visit Google's Ad Settings to manage personalized ads across apps that use Google AdMob
- Device-level: On Android, go to Settings → Google → Ads → "Opt out of Ads Personalisation." On iOS, go to Settings → Privacy & Security → Tracking, and disable tracking for Ut Finance.
We do not sell your personal information. We share limited device identifiers (such as advertising IDs) with Google AdMob solely to deliver and measure ads. This sharing may constitute "sharing" under California law, and you may opt out at any time.