Privacy Policy
Ut Finance is built around a simple principle: your financial life is yours. The app is architected to be local-first by default — your transactions, budgets, and balances live on your device in a local database. Nothing is synced to a server unless you explicitly use a feature that requires it.
That said, several features — receipt scanning, the AI assistant, shared wallets, subscriptions — do involve data leaving your device. This policy explains exactly what is sent, where it goes, and why. If something isn't clear, reach out directly.
This policy is written in accordance with the Philippine Data Privacy Act of 2012 (RA 10173) and with transparency expectations aligned to GDPR.
1. Data That Stays on Your Device
The following data is stored exclusively in a local SQLite database on your device and is never sent to my servers or any third party unless you initiate a feature that specifically requires it:
- All personal financial transactions (expenses, income, transfers)
- Wallet balances and account details
- Budget plans, spending categories, and goal progress
- Shopping lists and planned purchases
- Receipt images queued for OCR (stored locally pending processing)
- AI chat conversation history (stored on-device)
- Guardian financial health scores and alerts
- Scheduled transaction records
Your financial history is not uploaded to my infrastructure as part of normal app operation. The server does not hold a copy of your transaction ledger.
2. Receipt Scanning & OCR Processing
Receipt scanning is the most data-intensive feature in the app. When you scan a receipt, the following happens:
What is sent to Google Gemini
The raw receipt image file (JPEG, PNG, or WebP) is transmitted to the Google Gemini API for processing. The image may contain any information printed on the receipt. The OCR prompt asks Gemini to attempt extraction of a broad set of fields — however, not all of them are used by the app.
Fields actively used by the app
The following are extracted, stored in your local receipt record, and carried across to the expense entry:
- Merchant name
- Transaction date
- Total amount and currency
- Individual line items — product names, quantities, and prices
- Merchant address (stored as the transaction location — extracted from the receipt text, not from your device's GPS)
- Invoice or receipt number
Confidence scores per field are also extracted and stored locally. They are used to flag low-confidence entries for your review but are not transferred to the expense record.
Fields extracted but not currently used
The current OCR prompt also requests the following fields. Gemini extracts them and they are temporarily held in the local queue entry (as part of a JSON blob in the on-device SQLite database) while the receipt is pending your review:
- Cashier or server name
- Merchant phone number
- Merchant tax identification number
- Payment method type
- Tip or gratuity amount
These fields are not displayed in the app, not used in any calculation, and not carried into the expense entry. When you confirm or discard the receipt — or after the 7-day queue TTL — the queue entry is deleted from the local database entirely. These fields do not persist in long-term storage.
Data minimisation note: Requesting data from a processing service that the app does not use is inconsistent with the data minimisation principle under the DPA. These unused fields are under review for removal from the OCR prompt in a future update. In the meantime, they are extracted by Gemini as part of the image processing request, held temporarily on-device only, and serve no active function in the app.
The app does not extract or process card numbers, bank account numbers, or any other payment credential from receipts.
What Gemini returns
Gemini returns a structured JSON object containing the extracted fields. The used fields are stored locally in your receipt record and carried into your expense record. The unused fields (cashier name, phone, tax ID, payment method, tip) are held only in the temporary local queue entry, are not surfaced anywhere in the app, and are deleted with that entry when you confirm or discard the receipt or when the 7-day queue TTL expires.
Batch OCR
When you queue multiple receipts for batch processing, images are stored locally on your device first (in an app-managed directory). They are uploaded to the Google Gemini Batch API when processing begins — either immediately when a connection is available, or deferred to WiFi (WiFi-only mode is on by default). The batch job is tracked by a job ID, and results are downloaded when processing completes. Local queue images are deleted once saved to your expense record or after a 7-day TTL.
Data retention by Google
Ut Finance does not retain receipt images after processing is complete. Google's data retention practices for the Gemini paid API tier are governed by Google's own terms. Under the paid API tier, Google does not use submitted data to train its models. For details, refer to the Google Gemini API Terms of Service.
3. AI Assistant & Financial DNA
The AI assistant answers questions about your finances, generates plans, and can take actions in the app on your behalf. To do this, it requires context about your financial situation. The following data is sent to Google Gemini as part of AI assistant queries:
Financial context sent with each query
- Financial DNA snapshot: A structured summary derived from your transaction history, including net worth, monthly income and expense averages, spending breakdown by category, budget utilisation, goal progress, income patterns, and detected anomalies. This is a synthesised behavioural fingerprint — not a raw transaction dump.
- Guardian health data: Current financial health score, runway estimate, spending behaviour status, and active alerts.
- Budget and goal state: Active budgets with current spend vs. limit, active goals with progress and deadlines.
- Wallet and currency context: Wallet names, balances, and currency information needed to answer questions accurately.
When raw transactions are included
For certain queries (e.g. "show me my last 10 food expenses"), up to 100 individual transaction records may be included in the prompt. Each record contains: date, amount, category, description, wallet name, and currency. Transaction IDs are included for reference but do not expose any bank account or card details.
Conversation context
Your chat history is stored locally. If you reference a previous conversation ("we talked about this last week"), the assistant may retrieve relevant past messages from your local history to provide continuity. This past-conversation context is also sent to Gemini as part of the query.
AI-initiated actions
The assistant can suggest and execute actions in the app — such as creating a budget or logging an expense — but all state-changing actions require explicit user approval before they are carried out. Read-only queries (analysis, forecasts, summaries) do not require approval.
4. Location Data
Ut Finance handles location in two distinct ways:
- Receipt-derived address (automatic): When scanning a receipt, the merchant's address as printed on the receipt may be extracted by the OCR process and stored with the expense. This does not involve your device's GPS. See Section 2 for details on what is sent to Gemini.
- Device GPS (optional, manual only): If you grant the optional location permission, you may choose to tag an expense with your current GPS coordinates or by selecting a location on a map. This is always a user-initiated action — the app does not track your location in the background. GPS-tagged location data is stored locally with the transaction and is not transmitted to my servers.
5. Account Metadata & Cloud Services
| Service | Data Processed | Purpose |
|---|---|---|
| Firebase Auth | User ID, sign-in method | Authentication |
| Cloud Firestore | User ID, subscription state, scan credit balance, shared wallet collaboration records | Entitlement management; shared wallet sync |
| Firebase Storage | Receipt images attached to shared wallets (7-day sync window, then deleted) | Shared wallet file sync |
| Firebase Analytics | Feature usage events (e.g. receipt scan initiated, budget created) — consent required | Usage analytics; improving the app |
| Firebase Crashlytics | Crash reports, stack traces, runtime errors. Crash context may incidentally include financial data strings from app state at time of crash. | Stability monitoring and bug fixing |
| RevenueCat | User ID, subscription tier, purchase receipt from Google Play | Subscription and entitlement management |
| Google AdMob | Advertising ID, ad impressions and interactions | Ad delivery for free-tier users |
| Google Gemini API | Receipt images; financial context summaries; AI assistant prompts. See Sections 2 and 3. | OCR processing; AI features |
Firebase Analytics collection requires your consent before any usage events are sent. Crashlytics is enabled by default to support stability during beta. Both can be toggled in Settings → Privacy.
6. Shared Wallets
Shared Wallets are an explicitly opt-in, collaborative feature. When you participate in a shared wallet, the following data is processed in Firestore to enable multi-user synchronisation:
- Shared wallet balance and transaction records
- Participant roles (owner, editor, viewer) and User IDs
- Sync metadata (timestamps, operation logs)
Receipt images or attachments added to a shared wallet are temporarily stored in Firebase Storage for a 7-day synchronisation window, giving all authorised collaborators time to download the file locally. The cloud copy is automatically deleted after this period. Shared wallet data is only accessible to verified collaborators within that wallet.
7. Cross-Border Data Transfers
Under the Philippine Data Privacy Act of 2012, I am required to disclose when personal data is transferred to entities or infrastructure outside the Philippines.
The following third-party services used by Ut Finance operate on infrastructure based primarily in the United States:
- Google Gemini API — receipt images and AI context are processed on Google's US-based infrastructure
- Firebase (Auth, Firestore, Storage, Analytics, Crashlytics) — project data may reside in Google's default US region
- RevenueCat — subscription and purchase data processed in the US
- Google AdMob — advertising identifiers processed on Google's global infrastructure
There is no Philippines-specific or APAC-specific data residency in place for these services. By using features that require these services, you acknowledge that your data will be transferred to and processed in jurisdictions outside the Philippines. These transfers are covered by the data processing agreements and standard contractual terms of each provider listed above.
8. App Permissions
The following device permissions may be requested by the app:
| Permission | Required? | Purpose |
|---|---|---|
| Internet | Required | AI features, shared wallets, subscription checks |
| Camera | Optional | Receipt scanning. Only accessed when you actively open the scanner. |
| Storage / Media | Optional | Loading existing photos from your gallery for receipt scanning |
| Location (Fine / Coarse) | Optional | GPS expense tagging. Never used in the background. |
| Biometric | Optional | App lock / biometric unlock. Biometric data never leaves your device. |
| Notifications | Optional | Budget alerts, bill reminders, Guardian warnings |
| Exact Alarm | Optional | Scheduled reminders at precise times |
| Foreground Service | Required | Background OCR queue processing while the app is active |
| Billing | Required | In-app subscription purchases via Google Play |
9. Website Waitlist Data
If you submit your email on the Ut Finance website, I collect that email address for beta invitations. Form processing is handled by Netlify. I retain this data until you unsubscribe, request deletion, or it is no longer needed for beta communications. I do not share this email with third parties beyond what is required to operate the mailing list.
10. Data Retention
- Local financial data: Retained on your device indefinitely until you delete it or uninstall the app.
- Receipt queue images: Deleted locally upon saving to an expense record, or after a 7-day TTL.
- Shared wallet cloud data: Retained while you are an active participant. Deleted upon account deletion or wallet removal.
- Receipt images in shared wallets: 7-day cloud TTL, then automatically deleted.
- Account metadata (Firestore): Retained while your account is active. Deleted upon account deletion request.
- Crash logs (Crashlytics): Retained for 90 days per Firebase's default retention policy.
- Analytics events: Retained per Firebase Analytics default (up to 14 months).
- Gemini API processing: Ut Finance does not retain prompts or images after the API response is received. Google's own retention practices apply.
11. Your Rights Under the Data Privacy Act of 2012
As a data subject under RA 10173, you have the following rights:
- Right to be Informed: You have the right to know what personal data is collected, how it is used, and with whom it is shared. This policy is the primary disclosure document.
- Right to Access: You may request a summary of the personal data I hold about you. For in-app data, you have direct access via the app at all times. For administrative metadata (Firestore), you may request this by contacting me directly.
- Right to Correction: You may request correction of inaccurate data held in cloud systems. In-app data can be edited directly within the app.
- Right to Erasure (Right to be Forgotten): Use the "Delete Account" feature in app settings. This triggers deletion of your administrative metadata and shared-wallet participation records from the cloud. You will receive instructions to clear your local database. For beta email signups, contact me directly to be removed.
- Right to Object: You may opt out of Firebase Analytics and Crashlytics collection in app settings. You may opt out of AdMob personalised ads via your device's advertising settings.
- Right to Data Portability: In-app data can be exported via the app's export feature. For cloud-held administrative data, contact me to arrange a structured export.
To exercise any of these rights, contact me at the address below. I will respond within a reasonable period consistent with DPA requirements.
12. Contact
Questions about this policy, data deletion requests, or concerns about how your data is handled can be sent directly to:
I take privacy questions seriously and will respond personally.