Privacy Policy

Last updated: 2026. WealthS is designed so your financial data has nowhere to leak to.

In short: your money data lives on your device. We don't run ads, we don't sell data, and we don't embed third-party trackers. The only personal data we store on a server is what's needed to let you split expenses with other people — and even then, your contacts' numbers are blinded before they reach us.

1. Data that stays on your device

Your financial ledger — accounts, balances, transactions, investments, commodities, real estate, loans, categories and notes — is stored in a local database on your device. It is never uploaded to our servers. The app works fully offline. If you uninstall the app without making a backup, this data is gone.

2. Data we store on a server (Splits only)

If — and only if — you choose to use Splits to share expenses with other people, you sign in with your phone number (one-time password). For that feature we store:

  • Your own profile: your name and phone number, which you provide at sign-in.
  • The shared split data itself: groups, expenses, shares and settlements needed to sync between the people in a group.

The phone numbers and names of other people you add to a split are not stored in readable form on our server. They are converted to a one-way cryptographic hash (a "blinded token") on your device before any sync, so the server can match people without ever holding their plaintext contact details. Plaintext names and numbers of your contacts stay only on your own device.

3. What we do not collect

  • No advertising identifiers, no ad networks, no behavioural tracking SDKs.
  • No selling or renting of personal data to anyone.
  • No access to your bank logins. Broker import (below) uses your own API key.

4. Broker connection (optional)

If you connect Zerodha Kite to import your portfolio, you provide your own Kite API key and secret. These credentials and the resulting access token are stored on your device (in the platform's secure storage on mobile, or your browser's storage on web). The exchange and portfolio fetches happen directly between your device and the broker. We do not store your broker credentials or portfolio on our servers.

5. Service providers

To deliver Splits sync and sign-in we use:

  • Supabase — database, authentication and real-time sync hosting for the Splits data described above.
  • Twilio — to deliver the one-time password (OTP) SMS for phone sign-in.

These providers process only the data necessary for those functions.

For optional live-price features the app may also query the following keyless public market-data endpoints, sending only the symbol or code that you have stored on your device (no account, no cookies, no personal data):

  • open.er-api.com — currency exchange rates (currency codes).
  • api.gold-api.com and Yahoo Finance (query1.finance.yahoo.com) — gold and silver spot prices (symbols XAU, XAG) and stock / non-INR mutual-fund prices (tickers).
  • AMFI India (amfiindia.com) and api.mfapi.in — Indian mutual-fund NAVs (numeric scheme codes).

These calls send only the symbol / code plus standard HTTP headers; we do not attach any cookies, auth tokens, device identifiers, or other personal data.

If you choose to back up to Dropbox (see §7), the app communicates directly with Dropbox using your account. We do not see or store your Dropbox credentials. If you connect Zerodha Kite (see §4), the app communicates directly with Kite using your API key. We do not see or store your broker credentials.

6. Notifications

With your permission, the app sends notifications — for example a chit-fund payment due, a bond maturity, or activity in a split group. You can revoke this permission at any time in your device settings.

7. Backups

You can create an encrypted backup of your local ledger and either save it to your own Dropbox (under the app folder /Apps/WealthS/backups/) or hand it to your device's share sheet to send wherever you like (email, file storage, AirDrop, etc.). The backup file itself is end-to-end encrypted with XChaCha20-Poly1305 before it leaves your device.

The 32-byte symmetric encryption key is per-user, generated server-side on first use, and stored on Supabase under your account (table user_backup_keys, RLS-locked to your auth.uid()). This server-escrowed-key model means that signing in with the same phone number on a new device lets you restore an old backup without you having to remember a password. The trade-off: we (and Supabase) hold the key; you alone hold the encrypted data file. Neither party alone can read a backup.

If you'd rather not have the key escrowed, simply don't use the Backup feature — the rest of the app does not depend on it. When you delete your account (§8), the backup key is removed and any existing backup files become permanently undecryptable.

8. Your choices & rights

  • Use the entire core app without ever creating an account.
  • Sign out at any time from Settings → PROFILE → Sign out. Sign-out does not delete your data; you can sign back in with the same phone number to restore it.
  • Delete the app to remove the on-device ledger.
  • Permanently delete your account and all server-side data — see §9 below.

9. Account deletion

If you signed in to use Splits, you can permanently delete your WealthS account, your server-side Splits data and your Dropbox-backup encryption key — at any time.

9a. In-app deletion (the primary path)

  1. Open WealthS on the device where you are signed in.
  2. Go to Settings → DANGER ZONE → Delete account.
  3. Read the warning, then wait the 8-second confirmation timer.
  4. Tap Delete account.

What this does, in order: (1) erases all of your data on that device — accounts, transactions, splits, holdings, any connected broker / Dropbox credentials, and locally-cached settings; (2) on our servers, deletes your profile, every Splits group you own and its contents, your shares in other people's groups, your settlements, your comments, your recurring expense templates, your friend rows, your registered devices, your push tokens, your backup encryption key, and finally your authentication record; (3) signs you out and returns the app to first-launch state.

This action is irreversible. There is no undo, no recovery, no grace period.

9b. Web-only deletion (if you cannot install or open the app)

If you cannot reach the in-app flow — for example you have lost the device, uninstalled the app or never installed it but were added to a Splits group by someone else — email wealths@singlemonkey.com with the subject line "Delete my WealthS account" and include:

  • The phone number you used to sign in (in international format, e.g. +919876543210).
  • A brief note confirming that you want your account permanently deleted.

We will verify the request by sending an OTP to the phone number provided, and on confirmation will run the same server-side deletion described in §9a. Requests are processed within 7 calendar days (typically within 24 hours).

9c. What is deleted vs. retained

Deleted: everything in §9a above plus any encrypted backup files we can reach (only the encryption key, which is held server-side, is automatically deleted; backup files live in your own Dropbox or wherever you saved them and must be deleted by you).

Retained, on a best-effort basis, for legal compliance only: minimal log entries (timestamp + redacted phone hash) of the deletion request itself, kept for up to 90 days for fraud prevention and audit purposes. These records contain no financial data.

10. Data retention

  • Local on-device data — retained until you delete the app, sign in with a different phone number (which prompts a destructive-confirm wipe), or use the in-app account-deletion flow.
  • Splits server-side data — retained until you delete your account (§9). There is no automatic expiry; we minimise instead.
  • OTP delivery records — held by Twilio per their retention policy (typically < 30 days).
  • Backup files — held in your Dropbox or wherever you saved them. We do not have a copy and cannot delete them on your behalf.
  • Backup encryption keys — held on Supabase, deleted with your account.

11. Children

WealthS is not directed at children under 13 (or the minimum age in your jurisdiction) and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us at wealths@singlemonkey.com and we will delete it.

12. Your rights under India's DPDP Act 2023

If you are a resident of India, the Digital Personal Data Protection Act 2023 ("DPDP Act") gives you certain rights with respect to your personal data. WealthS acts as a "Data Fiduciary" for the limited personal data described in this policy (your phone number and display name; your contacts in hashed form; the Splits content you produce). You can:

  • Request access to a summary of personal data we hold about you.
  • Request correction of inaccurate data (display name + phone can be updated in Settings; for other data, contact us).
  • Request deletion of your data (see §9).
  • Nominate another person to exercise these rights in the event of your death or incapacity — write to us.
  • File a complaint with the Data Protection Board of India if you believe your rights have been violated.

We will respond to verified requests within 7 calendar days. The grievance officer for DPDP-related queries is reachable at wealths@singlemonkey.com.

13. Changes

We may update this policy as the app evolves. Material changes will be reflected here with a new "last updated" date at the top.

14. Contact

Questions about privacy? Email wealths@singlemonkey.com.