Privacy Policy
FinAmigo is a personal finance dashboard built on an offline-first principle — your financial data lives on your device, encrypted, under your control. This Privacy Policy explains what data FinAmigo collects, how it is used, what is shared, and what your rights are.
FinAmigo is operated by AmigolLabs. By using the app, you agree to the practices described here.
1. Data We Collect and Why
FinAmigo collects only what is necessary to provide your personal finance dashboard. No data is collected without a clear purpose tied to a feature you use.
1a. Financial Transaction Data
- Transaction records — date, amount, merchant, category, account type — imported from bank PDFs, CSV exports, Gmail bank statements, or SMS bank alerts.
- Bank account names and types (savings, credit card) derived from your imported statements.
- Your FinAmigo Score, spending summaries, and category tags generated from your transactions.
All transaction data is stored locally on your device in an AES-256 encrypted SQLite database (SQLCipher). It is never uploaded to FinAmigo's or AmigolLabs' servers.
1b. Gmail Access
- If you connect Gmail via Google Sign-In, FinAmigo requests read-only access (gmail.readonly scope) solely to search for bank statement emails and download PDF/CSV attachments.
- Email parsing and PDF extraction happen entirely on your device. The raw email content and attachment contents are processed locally and are not transmitted to our servers.
- Only the OAuth token (not your Gmail password) is stored, in your device's secure keystore.
- You can revoke Gmail access at any time from Google's account settings at myaccount.google.com/permissions.
- FinAmigo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Gmail data is used solely to import your bank statements; it is not used for advertising or profiling and is not shared with third parties.
1c. SMS Messages (Android Only)
- On Android, FinAmigo can read incoming SMS messages to detect bank transaction alerts (e.g. spend alerts from HDFC, ICICI, SBI).
- SMS parsing runs entirely on your device. Only the transaction data extracted from the alert is saved — the raw SMS body is never stored or transmitted.
- This feature is only enabled for Pro or Max subscribers, and only after you grant the SMS permission.
- You can revoke the SMS permission at any time from Android Settings → Apps → FinAmigo → Permissions.
1d. AI Tagger — Gemini API (Pro / Max)
- When you use the AI Tagger feature (available on Pro and Max tiers), transaction descriptions are sent to Google's Gemini API to automatically categorize them.
- Only the transaction description text is sent — no account numbers, names, email content, or sensitive identifiers are included in these requests.
- Data sent to the Gemini API is subject to Google's Gemini API Terms of Service.
1e. Subscription and Purchase Data
- FinAmigo uses RevenueCat to manage in-app subscriptions on Google Play and the Apple App Store.
- RevenueCat receives your purchase receipt, subscription status, and an anonymous app user ID to verify entitlements. Your payment card details are never seen by FinAmigo or RevenueCat — those are handled entirely by Google Play or Apple.
- RevenueCat's privacy policy is available at revenuecat.com/privacy.
1f. App Preferences and Credentials
- App settings such as your name, sync preferences, and theme choice are stored locally in SharedPreferences on your device.
- Sensitive credentials such as your Gmail OAuth token and optional Gemini API key are stored in your device's secure keystore (Android Keystore / iOS Keychain) using flutter_secure_storage.
2. What We Do Not Collect
- We do not collect, store, or transmit your raw financial transactions, bank balances, or statement files to any FinAmigo or AmigolLabs server.
- We do not use third-party analytics SDKs (no Firebase Analytics, Mixpanel, Amplitude, or similar).
- We do not use third-party crash reporting SDKs (no Sentry, Crashlytics, or similar).
- We do not sell, rent, or trade any user data with advertisers or data brokers.
- We do not read SMS messages for any purpose other than detecting bank transaction alerts.
3. How We Use Information
- To parse, store, and display your financial transactions on your device.
- To calculate your FinAmigo Score and generate spending insights locally.
- To authenticate your identity with biometric lock and protect app access.
- To verify your subscription status via RevenueCat and unlock premium features.
- To automatically categorize transactions using Gemini AI when you opt in (Pro / Max).
4. Third-Party Services
FinAmigo integrates with the following third-party services. Each operates under its own privacy policy:
- Google Sign-In — OAuth authentication for Gmail access. Google Privacy Policy
- Google Gemini API — AI transaction categorization (Pro / Max only). Gemini API Terms
- RevenueCat — Subscription management. RevenueCat Privacy Policy
- Google Play / Apple App Store — Payment processing for subscriptions. Their respective privacy policies apply to payment transactions.
5. Security
- Encrypted database: All transaction data is stored in a SQLCipher-encrypted SQLite database on your device.
- Secure credential storage: OAuth tokens and API keys are stored using your OS secure keystore (Android Keystore / iOS Keychain), not in plain SharedPreferences.
- Biometric lock: The app requires fingerprint, Face ID, or PIN authentication every time it is opened.
- Encrypted SharedPreferences: App settings are encrypted with AES-256-GCM before being written to SharedPreferences.
No security measure is absolute. We recommend keeping your device OS and FinAmigo up to date.
6. Data Retention and Deletion
Your data lives on your device. If you want to delete everything, go to Settings → Sign Out inside the app. This permanently deletes all transactions, settings, stored credentials, and cached data from your device.
Uninstalling the app will also remove all locally stored data. Because we do not store your financial data on servers, we are unable to recover it once deleted.
RevenueCat retains subscription records as required for billing purposes. To request deletion of RevenueCat data, contact us at admin@amigolabs.in and we will relay the request.
7. Children
FinAmigo is intended for users aged 13 and above and is designed for personal financial management. We do not knowingly collect personal information from children under 13. If you believe a child has used the app, contact us at admin@amigolabs.in.
8. Your Rights
- Access & export: Use Settings → Export Data to CSV to export all your transactions at any time.
- Delete: Use Settings → Sign Out to permanently delete all data from your device.
- Revoke permissions: You can revoke Gmail or SMS permissions from your device settings at any time. The app will continue to work for manual PDF/CSV imports.
- Correct data: Transaction data can be edited directly inside the app.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will show a revised "Last updated" date at the top. For material changes, we will notify you through the app or via the email associated with your subscription where available.
10. Applicable Law and Your Rights Under the DPDP Act
FinAmigo is operated from India and this Privacy Policy is governed by Indian law, including the Digital Personal Data Protection Act, 2023 (DPDP Act). As a data principal under the DPDP Act, you have the right to:
- Access information about personal data processed about you.
- Correct inaccurate or incomplete personal data.
- Erase your personal data (see Section 6 above — since data is stored on-device, uninstalling or using Sign Out achieves this).
- Nominate another person to exercise these rights on your behalf.
To exercise any of these rights, contact us at admin@amigolabs.in.
11. Contact Us
For privacy questions, data requests, or concerns, contact us at admin@amigolabs.in.