Privacy Policy

Last update: June 13, 2026  ·  App version: Beta (TestFlight)

1. Introduction

ZenPense is a calm, all-in-one personal finance companion for iPhone. This Privacy Policy explains what personal data we collect when you use the ZenPense app and website, how we use it, who we share it with, and the choices you have.

ZenPense is operated by Yash Chaudhary ("we", "us", "our"). By using the app or website, you agree to the practices described in this policy.

Your privacy is a design decision, not an afterthought. ZenPense is built so your financial life stays yours.

2. Definitions

Personal Data means any information that can identify you as an individual.

Financial Data means the transactions, accounts, budgets, goals, and net-worth entries you create inside ZenPense.

Usage Data means data collected automatically — such as device model, app version, and feature interactions — generated by your use of the app.

Cloud Sync means the optional beta feature that stores supported Financial Data on Supabase's servers so it can be restored or accessed across devices when the feature is available.

ZenAI means the AI-powered financial assistant inside the app.

Data Controller means the person who determines how Personal Data is processed. For this policy, that is Yash Chaudhary.

Sub-processor / Service Provider means a third party that processes data on our behalf.

3. Information we collect

Information you provide

ZenPense only collects what you deliberately give it:

• Email address, display name, and profile photo — when you create an account using email/password, Sign in with Apple, or Google Sign-In; or when you submit an early-access request on our website.
• Financial Data (transactions, accounts, budgets, savings goals, net-worth entries) — when you add or import entries inside the app. Stored locally on your device first; synced to our servers only if you opt in.
• Imported statements (CSV / PDF) — parsed locally on-device. No copy is sent to our servers.
• Email receipt content — when receipt forwarding is enabled for your beta account and you forward a receipt to your personal ZenPense alias (see Section 3 below).

Automatically collected data

Firebase Analytics (Google) collects anonymized usage events — screen visits, feature interactions, session duration, device model, OS version, app version, and country (derived from IP; raw IP is not stored). This helps us understand how the app is used and improve it. You can opt out in Settings → Privacy → Usage Analytics.

Firebase Crashlytics (Google) collects technical crash reports — stack traces, thread state, device model, OS version, and build number. No financial data or personally identifiable information is included. You can opt out in Settings → Privacy → Crash Reports.

Email alias processing

For beta accounts and builds where receipt forwarding is enabled, ZenPense assigns a private email alias (e.g. you@receipts.zenpense.app). When you forward a receipt:

• The email is routed by Resend to a Supabase Edge Function via a secured webhook.
• The Edge Function parses the email body in memory to extract the merchant name, amount, currency, and date. A SHA-256 fingerprint is stored for de-duplication.
• The raw email is never stored in our database. Extracted transaction data is added as a pending import for your review, along with a short excerpt (up to 180 characters) of the email line it was parsed from.

ZenAI processing

When Cloud AI is enabled, before each request the app builds a structured spending summary from your local SwiftData store. This includes: account nicknames and balances, up to 100 recent transactions (merchant name, amount, category, date — covering approximately the last 90 days), active budgets, savings goals, and subscriptions.

Explicitly excluded from this summary: account numbers, card numbers, free-text notes, and any other field that might contain personally identifying information.

This summary and your question are sent to a Supabase Edge Function which forwards them to Groq's API for inference. Groq's response is returned to your device. We do not log your AI queries or responses on our servers beyond what Groq processes in real time.

ZenAI Cloud is strictly opt-in. You must explicitly enable "Cloud AI insights" in Settings → Privacy before any data leaves your device for AI processing.

Exchange rate data

ZenPense fetches live currency rates from a third-party FX provider to power multi-currency support. These requests contain no personal data.

Premium subscription data

Subscriptions are processed entirely through Apple's App Store via StoreKit 2. We never receive, store, or process your payment card details.

4. How we use your data

We use the data described above only for the following purposes:

1. To provide the app's core features (expense tracking, budgets, net worth, subscriptions).
2. To sync supported Financial Data across devices, if you opt in to beta Cloud Sync.
3. To process email receipts into pending transaction imports via your alias, when that beta feature is enabled.
4. To power ZenAI spending insights, if you enable Cloud AI.
5. To diagnose crashes and improve app stability (Crashlytics).
6. To understand feature usage and improve the app (Firebase Analytics).
7. To send TestFlight invites and launch notifications to early-access subscribers.
8. To authenticate your account (Firebase Auth).
9. To attempt to send beta login alerts when a new device is detected; delivery is not guaranteed.

5. Third-party services

ZenPense uses the following sub-processors, each under a data-processing agreement:

• Supabase — beta cloud sync storage and Edge Function processing (receipt forwarding, ZenAI relay). Privacy policy
• Firebase Auth (Google) — account creation, sign-in, and session tokens. Privacy policy
• Firebase Analytics (Google) — anonymized usage events; no financial data. Privacy policy
• Firebase Crashlytics (Google) — technical crash reports; no financial data. Privacy policy
• Groq — AI inference for ZenAI; receives a structured spending summary (no account/card numbers), only when Cloud AI is enabled by you. Privacy policy
• Resend — inbound email routing; routes forwarded receipts to our Edge Function via webhook. Privacy policy
• Apple App Store (StoreKit 2) — Premium subscription billing; we never see payment details. Privacy policy
• FX data provider — live currency exchange rates; no personal data is shared. Named in Settings.

We do not use advertising SDKs, tracking pixels, or behavioural advertising of any kind. No third party receives your data for marketing purposes.

6. Data sharing & disclosure

We share your data only in these narrow circumstances:

• With sub-processors listed above — strictly for the purposes described and under data-processing agreements.
• To comply with law — if required by a valid legal process (court order, government request). We will notify you unless prohibited by law.
• To protect safety — if we have a good-faith belief that disclosure is necessary to prevent imminent harm or fraud.
• In a business transfer — if ZenPense is acquired or merges with another entity, your data may transfer. We will notify you in advance and your rights under this policy will be maintained.

7. Storage & security

On-device storage. All Financial Data is stored locally on your iPhone using SwiftData, encrypted at rest by iOS when the device is locked, and sandboxed to the ZenPense app.

Cloud storage (opt-in beta). If you sign in and enable sync, supported data is encrypted in transit (TLS) and stored in Supabase's managed PostgreSQL infrastructure, isolated per-account. Sync coverage and timing may vary during beta.

App-level security. ZenPense includes Face ID / Touch ID app lock, an automatic privacy shield that hides balances when you switch apps, and two-factor authentication for email/password accounts. New-device login emails are a beta convenience and may not always arrive.

Breach notification. In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware, in compliance with GDPR Article 33 and applicable law.

8. Retention of data

• Financial Data — retained until you delete individual entries or delete your account.
• Email receipt content — permanently discarded after parsing; only the extracted transaction (and up to 180 characters from the parsed line in notes) is stored.
• ZenAI queries & responses — not stored on our servers; processed in real time and returned to your device only.
• Authentication data — retained until account deletion; session tokens expire automatically after inactivity.
• Firebase Analytics events — up to 14 months, per Google's default Analytics retention policy.
• Firebase Crashlytics reports — 90 days, per Crashlytics' default retention policy.
• Early-access email addresses — retained until you unsubscribe or request deletion.

When you delete your account (Settings → Account → Delete Account), all data associated with your account is permanently removed from our servers within 30 days. On-device data is removed immediately when you delete the app.

9. Guest mode

You can use ZenPense entirely without creating an account. In guest mode, all Financial Data stays exclusively on your device — nothing is ever uploaded to our servers. Crash reports and analytics are still collected unless you disable them in Settings → Privacy. ZenAI Cloud and beta receipt forwarding are not available without a signed-in account.

10. Your rights — all users

Regardless of where you live, you always have the right to:

1. Access your data — export a complete copy of your Financial Data as JSON or CSV from Settings → Data → Export, at any time.
2. Delete your data — delete individual transactions, or permanently delete your account from Settings → Account → Delete Account.
3. Opt out of analytics — disable Firebase Analytics at any time in Settings → Privacy → Usage Analytics.
4. Opt out of crash reporting — disable Crashlytics at any time in Settings → Privacy → Crash Reports.
5. Opt out of ZenAI — disable Cloud AI at any time in Settings → Privacy → ZenAI.
6. Opt out of early-access emails — use the unsubscribe link in any email, or contact us at privacy@zenpense.app.

11. Your data protection rights under GDPR (EU & UK)

If you are located in the European Union or United Kingdom, the GDPR and UK GDPR give you the following additional rights. Contact us at privacy@zenpense.app to exercise any of them:

1. Right of access — receive a copy of all personal data we hold about you.
2. Right to rectification — correct inaccurate or incomplete data.
3. Right to erasure ("right to be forgotten") — request deletion of your personal data where there is no overriding legal basis to retain it.
4. Right to data portability — receive your data in a structured, machine-readable format.
5. Right to restriction of processing — ask us to pause processing your data in certain circumstances.
6. Right to object — object to processing based on legitimate interests (e.g. analytics).
7. Right to withdraw consent — where processing is based on consent (e.g. ZenAI, cloud sync), you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to all valid requests within 30 days. If you are dissatisfied, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national Data Protection Authority in the EU).

12. Your data protection rights under CCPA (California)

If you are a California resident, the California Consumer Privacy Act (CCPA) entitles you to:

1. Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
2. Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions.
3. Right to opt-out of sale — ZenPense does not sell personal information. This right is noted here for completeness; it does not apply.
4. Right to non-discrimination — you will not be discriminated against for exercising any of these rights.

To exercise your CCPA rights, contact us at privacy@zenpense.app. We will respond within 45 days.

13. Your data protection rights under DPDP (India)

Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), users in India have the following rights:

1. Right to access — request a summary of personal data we process and the third parties with whom it has been shared.
2. Right to correction & erasure — request correction of inaccurate data, or erasure of data no longer needed for its original purpose.
3. Right to grievance redressal — raise a complaint with our Grievance Officer and receive a response within the prescribed timeframe.
4. Right to nominate — nominate another person to exercise your rights on your behalf in the event of your death or incapacity.

14. Children's privacy

ZenPense is rated 13+ on the App Store. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has created an account or provided personal information, please contact us at privacy@zenpense.app and we will delete the data promptly.

15. International data transfers

ZenPense is operated globally. Your data may be transferred to and processed in countries other than your own — including the United States and countries where Supabase, Google, Groq, and Resend operate infrastructure.

For users in the EU and UK, transfers to countries not deemed adequate by the European Commission are protected by Standard Contractual Clauses (SCCs) included in our data-processing agreements with each sub-processor. You may request a copy by contacting us.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last update" date at the top of this page and display an in-app notice the next time you open ZenPense. For changes that materially affect how we process personal data, we will seek fresh consent where required by law.

Continued use of the app after changes are posted constitutes acceptance of the revised policy.

17. Contact us

Privacy questions, data requests, or anything else — we read everything and respond personally.

• Privacy & data requests: privacy@zenpense.app
• General: hello@zenpense.app
• Security disclosures: security@zenpense.app

If you submitted an early-access request and want your email removed, email us with the subject "Remove my email" and we will act within 24 hours.