Privacy Policy
This Privacy Policy applies to the Spend Guard mobile application (Android), developed and operated by Itera Labs. It explains what data we collect, how we use it, and your rights, in line with Kenya's Data Protection Act, 2019.
1. Data We Collect
We only collect data you provide or that is necessary for the app to function:
- Account information: Your name and email address when you register.
- Financial records: Spending and income entries you create - amounts, categories, dates, and optional notes. These are synced to our servers so your data persists across sessions.
- Financial profile: Income type, budget cycle, currency preference, and spending priorities you set during onboarding or profile setup.
- Push notification token: A device token (via Firebase Cloud Messaging on Android) used only to deliver budget alerts and reminders you opt into. This token is never shared with advertisers or third-party marketers.
- Security preferences: Whether you have enabled biometric login (fingerprint / Face ID) or a PIN lock. These preferences are stored only on your device and are never transmitted to our servers.
2. How We Use Your Data
- Sync your records across sessions and deliver the core app experience.
- Preserve records created while offline and sync them automatically when connectivity is restored.
- Generate spending insights, analytics, and budget summaries.
- Send push notifications for budget limits and reminders (only if permitted).
- Authenticate your identity securely via email + OTP.
- Protect your session with inactivity locks and PIN / biometric verification.
- Diagnose crashes and stability issues using anonymised crash reports (Firebase Crashlytics).
- Improve app features based on aggregated, anonymised usage patterns.
We do not sell, rent, or share your personal financial data with advertisers or data brokers.
3. Data Storage & Security
Your financial records are protected at every layer:
- Encryption in transit: All communication between the app and our servers uses HTTPS/TLS. No financial data travels in plain text.
- Encryption at rest: Sensitive fields (amounts, notes, categories) stored in our database are encrypted at the application layer before being written to disk. Passwords are never stored in plain text - only a one-way bcrypt hash is kept.
- Offline data: Records saved while your device is offline are persisted in encrypted local storage and automatically synced to the server when connectivity is restored, without data loss.
- Device security: Security preferences (PIN hash, biometric flag) are stored locally on your device only and are never sent to our servers. Too many incorrect PIN attempts automatically signs you out to protect your account.
4. Third-Party Services
- Firebase Cloud Messaging (FCM): Used to deliver push notifications on Android. Your device token is registered with our backend solely to route notifications to your device. Google's Privacy Policy applies to this service.
- Firebase Crashlytics: Used to record anonymous crash reports and stability diagnostics when the app encounters an unexpected error. Crash reports may include a pseudonymous user identifier (your internal account ID) and device state at the time of the crash. No financial record content is included in crash reports. Google's Privacy Policy applies to this service.
We do not integrate any advertising SDKs, analytics SDKs that sell data, or social login providers.
5. Data Retention
We retain your data for as long as your account is active. If you request account deletion, all personal data and financial records associated with your account will be permanently deleted within 30 days. Anonymised aggregate statistics (e.g. total number of records) may be retained for internal analytics.
6. Your Rights (Kenya Data Protection Act, 2019)
- Access: Request a copy of the personal data we hold about you.
- Correction: Update your name and financial profile inside the app at any time.
- Deletion: Request full deletion of your account and all associated data.
- Withdraw consent: Disable push notifications at any time via app or device settings.
- Complaint: Lodge a complaint with Kenya's Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
7. Children
Spend Guard is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately and we will delete the data.
8. Changes to This Policy
We may update this policy when the app adds new features or data practices change. The effective date at the top of this page will be updated. For significant changes, we will notify you via a push notification or in-app prompt.
9. Contact & Data Requests
For access requests, deletion requests, or privacy questions:
This policy applies exclusively to the Spend Guard mobile application. For the Itera Labs website privacy policy, see /privacy.