Privacy Policy

Effective date: 28 May 2026

This Privacy Policy explains how MoneyMind ("MoneyMind", "we", "us", or "our") collects, uses, stores, discloses, and protects information when you use the MoneyMind personal expense-tracking application (the "Service"). By creating an account or using the Service, you acknowledge that you have read and understood this Policy.

MoneyMind is operated as an individual undertaking based in India. The Service is offered to users worldwide but is designed primarily for users in India and is provided in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and applicable Google API Services policies.

1. Information we collect

1.1 Account information. When you sign up, we collect the email address you register with and an authentication credential. Authentication is handled by Supabase Auth; we do not store passwords in plain text.

1.2 Transaction data you enter. When you record an income, expense, or savings entry, we store the amount, transaction date, type, category, and any description you choose to provide.

1.3 Gmail data (only if you connect Gmail). If you choose to connect a Gmail account, we collect:

  • an OAuth refresh token issued by Google;
  • the email address associated with the connected Gmail account;
  • from messages sent by a defined list of bank and payment-app senders (HDFC, ICICI, Axis, SBI, Kotak, IndusInd, Yes Bank, RBL, Federal Bank, IDFC First, Paytm, PhonePe, and Deutsche Bank), the transaction amount, transaction date, a short text snippet identifying the transaction, and the parsed merchant or counterparty.

We do not store the full body of any email. We do not access messages that do not originate from the sender list above.

1.4 Technical information. Our hosting and infrastructure providers (described in Section 4) automatically receive technical information when you use the Service, including IP address, browser type, device information, and request timestamps. This information is used to operate and secure the Service.

2. How we use your information

We use the information described above only for the following purposes:

  • to provide and operate the Service, including recording, displaying, and categorising your transactions;
  • to import bank and payment notifications from your Gmail inbox if you have connected Gmail;
  • to compute and display personal financial insights such as totals, averages, category breakdowns, and budget progress;
  • to authenticate you, secure your account, and detect or prevent abuse;
  • to communicate with you about the Service, including in response to your requests.

We do not use your information to serve advertising. We do not sell your information. We do not use your information to train machine-learning models.

3. Google Limited Use disclosure

MoneyMind's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, we confirm that data received from Google APIs is:

  • used only to provide and improve user-facing features of the Service that are prominent in the application's user interface, namely the import of transaction notifications from your inbox;
  • not transferred to others except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you;
  • not used or transferred for serving advertisements, including retargeting, personalised, or interest-based advertising;
  • not read by any human except (a) with your explicit consent for specific messages, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data is aggregated and de-identified.

The Google API scope requested is https://www.googleapis.com/auth/gmail.readonly (and userinfo.email for account identification). Although this scope grants technical access to your full mailbox, MoneyMind queries only messages whose sender matches the bank and payment-app list set out in Section 1.3.

4. Third-party service providers

We use the following service providers ("Processors") to operate the Service. Each acts under contractual obligations consistent with this Policy:

  • Supabase, Inc. — hosts the database, authentication service, and serverless edge functions in which your data is stored and processed. Supabase's privacy practices are governed by its own privacy policy.
  • Vercel Inc. — hosts and serves the web application interface. Vercel may collect technical request logs as part of providing the hosting service.
  • Google LLC — provides Gmail OAuth and the Gmail API used by the inbox-import feature, only when you have connected Gmail.

5. Data storage and security

Your transaction data and any Gmail refresh tokens are stored in our Supabase database. The gmail_tokens, transactions, budgets, and pending_imports tables are protected by row-level security policies that restrict every read and write operation to the authenticated user who owns the row. Refresh tokens are read only by server-side edge functions using a privileged service-role key and are never transmitted to your browser.

All communication between your browser, our servers, and Google's servers is conducted over HTTPS. Data stored with our infrastructure providers is encrypted at rest at the storage layer in accordance with their standard practices.

No method of transmission or storage is completely secure. While we apply reasonable safeguards consistent with the sensitivity of the data, we cannot guarantee absolute security.

6. Data retention

We retain your information for as long as your account remains active and while it is needed to provide the Service. If you request deletion of your account, we will delete your personal data from our active systems within thirty (30) days of the request, save for information we are required to retain to comply with legal obligations or to resolve disputes.

Gmail refresh tokens are deleted from our database immediately when you disconnect Gmail or delete your account, and the corresponding grant is revoked with Google as described in Section 8.

7. Your rights under the DPDP Act

If you are a Data Principal in India, you have the following rights in respect of your personal data:

  • the right to obtain a summary of the personal data we hold about you and the processing activities undertaken;
  • the right to correction, completion, updation, and erasure of your personal data;
  • the right of grievance redressal through the channel set out in Section 12;
  • the right to nominate another individual to exercise these rights in the event of your death or incapacity;
  • the right to withdraw your consent at any time, by disconnecting Gmail in the application or by deleting your account as described in Section 8.

Where applicable to non-Indian users under other data-protection regimes (such as the GDPR), equivalent rights of access, rectification, erasure, restriction, portability, and objection may be exercised through the same channel.

8. Disconnecting Gmail and deleting your account

Disconnecting Gmail. You may disconnect Gmail at any time from the Settings page of the application. When you do so, MoneyMind makes a request to Google's OAuth token revocation endpoint (https://oauth2.googleapis.com/revoke) to invalidate the grant with Google, and then removes the stored refresh token from our database. Your previously imported transactions remain in your account until you delete them.

Account deletion. To delete your account and have your personal data erased, send a request from your registered email address to skv1226@gmail.com with the subject line "Account deletion request". We will action the request within thirty (30) days and confirm completion by email.

9. Cookies and local storage

The application uses browser local storage to maintain your authenticated session, provided by Supabase Auth. We do not use third-party advertising cookies, analytics trackers, or fingerprinting technologies.

10. Children's privacy

The Service is not directed to, and is not intended for, children under the age of eighteen. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact the Grievance Officer named in Section 12 and we will take prompt steps to delete the information.

11. International data transfers

The Processors named in Section 4 operate infrastructure outside India. By using the Service, you acknowledge that your personal data may be stored and processed in jurisdictions outside India, subject to the safeguards maintained by those Processors and to the requirements of the DPDP Act and any other applicable law.

12. Grievance Officer and contact

In accordance with the DPDP Act and applicable rules, the Grievance Officer for matters relating to this Policy and your personal data is:

Grievance Officer, MoneyMind
Email: skv1226@gmail.com
Response time: within seven (7) working days of receipt.

For any other privacy or data-protection question, write to skv1226@gmail.com.

13. Changes to this Policy

We may revise this Policy from time to time. The "Effective date" at the top of this page reflects the date of the most recent revision. Material changes will be brought to your attention by email to the address registered to your account, or by a notice within the application, before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.