Truthy SystemsTruthy Systems
v2.0
PocketBudget: AI Money ManagerPocketBudget: AI Money Manager·android

PocketBudget: AI Money Manager — Privacy Policy

How we handle your personal data when you use PocketBudget: AI Money Manager.

Last updated: June 17, 2026Effective: June 15, 2026
01

PocketBudget: AI Money Manager Privacy Policy

A.  Introduction


This Privacy Policy is published by Truthy Systems Ltd, a software company incorporated in Uganda. It governs how we collect, use, store, and protect your personal data when you use PocketBudget, our personal finance management application for Android and iOS.

PocketBudget helps Ugandan users track income and expenses, set budgets, manage debts, and gain AI-powered financial insights. This policy explains every data practice we follow in delivering that service.

By downloading or using PocketBudget you accept this policy. If you do not accept it, please uninstall the app and contact us to delete your data.


B.  Data We Collect


B1 — Information you provide

  • Full name and email address — collected when you create your PocketBudget account via Google Sign-In or email registration.

  • Profile photo — collected if you sign in with Google and your Google account has a profile picture; you may remove it at any time in Settings.

  • Financial account names and balances — entered manually when you add a bank account, mobile money wallet, or savings account to the app.

  • Income records — entered manually or parsed from your SMS inbox when you grant SMS read permission.

  • Expense records and categories — entered manually or detected from SMS transaction notifications.

  • Budget limits per category — set by you in the Budgets screen.

  • Debt and IOU entries — contact names and amounts you enter in the Personal Ledger feature.

  • Scheduled bill entries — bill name, amount, recurrence, and due date you enter in the Runway Planner.

  • Customer support messages — any information you send us by email or through in-app feedback.


B2 — Information collected automatically

  • Device identifier and model — collected at app launch for crash reporting and to associate your session with your account.

  • Operating system version — collected for compatibility diagnostics via Firebase Crashlytics.

  • App usage events — screens visited, features used, and session duration, collected via Firebase Analytics to improve the product.

  • Crash logs and stack traces — collected automatically when the app crashes, via Firebase Crashlytics.

  • Advertising identifier (Android Ad ID / iOS IDFA) — collected by Google AdMob to serve contextually relevant advertisements. You can reset or disable this in your device settings.

  • Firebase Cloud Messaging token — generated automatically to enable push notifications for bill due-date reminders and financial alerts.

  • IP address — collected by Firebase when your device communicates with our backend; used for security monitoring only.


B3 — SMS data

PocketBudget requests permission to read your device SMS inbox to detect mobile money and bank transaction notifications. We read SMS messages locally on your device. We extract only the transaction amount, date, description, and sender code. We do not upload raw SMS message text to our servers. Extracted financial data is uploaded to your personal Firestore document, which is accessible only to you.

You can revoke SMS permission at any time in your device Settings. The app continues to function without it; you will need to enter transactions manually.


C.  How We Use Your Data


Purpose

Data used

Legal basis

Service delivery — displaying your accounts, transactions, budgets, debts, and runway forecast within the app

Account names, balances, income, expenses, budgets, debt entries, scheduled bills

Performance of contract

Account management — creating and maintaining your user profile, authenticating your identity

Name, email address, profile photo, Firebase UID

Performance of contract

SMS transaction parsing — automatically categorising mobile money and bank SMS messages into your transaction history

Locally read SMS content; extracted amounts, dates, and descriptions only

Consent (SMS permission granted by you)

AI financial insights — generating cash-flow forecasts, wealth protection projections, and fee optimisation recommendations

Your aggregated transaction history and account balances — never raw personal identifiers

Legitimate interest (product functionality)

Security and fraud prevention — detecting unusual access patterns and protecting your account

IP address, device identifier, session events

Legitimate interest

Push notifications — sending bill due-date reminders and budget alerts

FCM token, scheduled bill dates, budget thresholds

Consent (notification permission granted by you)

Advertising — displaying in-app adverts through Google AdMob

Advertising ID, approximate location derived from IP

Consent (you may opt out via device settings)

Analytics and product improvement — understanding how features are used to prioritise development

Anonymised usage events and crash logs

Legitimate interest

Customer support — responding to queries, diagnosing reported issues

Name, email, messages you send us, relevant transaction data with your explicit consent

Performance of contract

Legal compliance — meeting obligations under Ugandan law including the Data Protection and Privacy Act 2019

As required by law — typically account and transaction records

Legal obligation


D.  Data Sharing


We share your data only with the service providers listed below. Each provider is bound by a data processing agreement. We share the minimum data necessary for each service to function.


Provider

Data shared

Purpose

Their policy

Google Firebase (Auth, Firestore, Cloud Functions, Storage, FCM)

Name, email, UID, all financial records you create

Authentication, database, serverless functions, file storage, push notifications

firebase.google.com/support/privacy

Google Firebase Analytics

Anonymised usage events, session data, device model, OS version

Product analytics and improvement

policies.google.com/privacy

Google Firebase Crashlytics

Crash logs, stack traces, device identifier, OS version

Crash diagnosis and stability monitoring

firebase.google.com/support/privacy

Google AdMob

Advertising ID, approximate location, ad interaction events

Serving in-app advertisements

policies.google.com/technologies/ads

Google (Gemini AI API)

Aggregated financial summaries — no names or identifiers are sent

Generating AI-powered insights and recommendations

policies.google.com/privacy





We do not sell, rent, or trade your personal data to any third party for marketing purposes.


E.  Data Retention


We keep your data only as long as necessary for the stated purpose or as required by Ugandan law. The table below states exact retention periods.


Data category

Retention period

Reason / legal basis

Account profile (name, email, photo)

Until you delete your account, then 30 days

Required for app functionality; 30-day grace period allows account recovery

Financial transactions (income, expenses)

7 years from the date of each transaction

Uganda Revenue Authority record-keeping requirement for financial data

Budget and debt records

3 years after last update, or until account deletion

User reference and financial continuity

Scheduled bills and runway data

Until deleted by you or account deletion

Active service data; no minimum retention required

SMS-extracted transaction data

Same as financial transactions — 7 years

Treated as transaction records under Ugandan law

Crash logs (Crashlytics)

90 days from collection

Sufficient window for diagnosing and resolving stability issues

Analytics events (Firebase)

14 months (Google default)

Trend analysis; we do not extend beyond Google default

Customer support correspondence

2 years from resolution of the query

Reference for repeat issues and quality assurance

Advertising identifiers (AdMob)

Until you reset or disable via device settings

Controlled by you at device level

Backups

30 days rolling backup retention in Firebase

Disaster recovery; purged on the 31st day automatically


When you delete your account, we initiate deletion of your Firestore data within 24 hours. Backups containing your data are purged within 30 days. Some anonymised, aggregated data derived from your usage may persist in analytics systems; it cannot be linked back to you.


F.  Your Rights


Under the Uganda Data Protection and Privacy Act 2019, and where applicable the EU General Data Protection Regulation (GDPR), you have the following rights. We respond to all requests within 30 days.


Right

What it means

How to exercise it

Access

Request a copy of all personal data we hold about you

Email privacy@truthysystems.com with subject "Data Access Request"

Rectification

Correct inaccurate or incomplete data

Edit your profile in-app under Settings > Profile, or email us

Erasure (Right to be forgotten)

Request deletion of all your personal data

Visit: 

https://truthysystems.com/data-deletion?product=com.truthysystems.pocketbudget

Data portability

Receive your data in a machine-readable format (JSON)

Email privacy@truthysystems.com with subject "Data Export Request"

Withdraw consent

Withdraw SMS or notification permissions at any time without affecting your right to use the app

Revoke in device Settings > Apps > PocketBudget > Permissions

Object to processing

Object to processing based on legitimate interest, including analytics

Email privacy@truthysystems.com with subject "Objection to Processing"

Lodge a complaint

Complain to the national data protection authority

National Information Technology Authority — Uganda (NITA-U)

www.nita.go.ug


G.  Security


We implement the following technical and organisational measures to protect your data:


  • Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2 or higher.

  • Encryption at rest: All data stored in Firebase Firestore and Firebase Storage is encrypted at rest using AES-256 by Google.

  • Authentication: Firebase Authentication manages user sessions. We support Google Sign-In (OAuth 2.0) and email-password authentication with secure password hashing.

  • Database access rules: Firestore Security Rules enforce that each user can only read and write their own data. No cross-user data access is possible at the database level.

  • API security: All Firebase Cloud Functions require authenticated Firebase ID tokens. Unauthenticated requests are rejected.

  • SMS data handling: SMS content is processed locally on your device. Only extracted financial figures — not raw message text — are uploaded.

  • Least privilege: Our engineering team accesses production data only through audited Firebase console access with multi-factor authentication enabled.

  • Dependency monitoring: We monitor our Flutter and npm dependencies for known vulnerabilities and apply security patches within 14 days of disclosure.


Breach notification

Despite these measures, no system is 100% secure. If we discover a data breach that is likely to result in a risk to your rights or freedoms, we will notify you and the relevant authorities within 72 hours of becoming aware of it. We will contact you at the email address registered to your account.


H.  Contact Information


For all privacy queries, data requests, or concerns, contact our Data Protection Officer:


Contact detail

Value

Privacy email

privacy@truthysystems.com

Company name

Truthy Systems Ltd

Physical address

Kampala, Uganda

Country of incorporation

Uganda

Response time

We respond within 30 days of receiving your request


I.  Cookies and Tracking (Web)


PocketBudget is primarily a mobile application and does not use cookies in the core app. If you access any Truthy Systems web interface (such as the admin panel or data deletion portal), the following cookies may be set:


Cookie name

Type

Purpose

Duration

__session

Essential

Firebase Authentication session management

Session (cleared on browser close)

ga, ga_*

Analytics

Google Analytics — anonymised usage measurement

14 months

_fbp

Analytics

Firebase performance monitoring on web

90 days


You can disable non-essential cookies via your browser settings. Disabling analytics cookies does not affect your ability to use any Truthy Systems web interface.


J.  Children's Privacy


PocketBudget is not directed at children under 13 years of age. We do not knowingly collect personal data from users under 13.

If you are a parent or guardian and believe your child under 13 has created an account, contact us at privacy@truthysystems.com and we will delete the account and all associated data within 72 hours.

Users between 13 and 17 may use PocketBudget with parental knowledge. We recommend that parents review this policy with teenage users.


K.  Changes to This Policy


We review this policy at least annually and whenever we make significant changes to how we process data. When we make material changes, we will:

  • Display a prominent in-app notification banner at least 30 days before the change takes effect.

  • Send an email notification to your registered email address.

  • Update the "Effective Date" at the top of this document and increment the version number.


Minor changes — such as correcting typographical errors or updating contact details — may be made without advance notice but will always be reflected in an updated version number.

Continued use of PocketBudget after the effective date of any updated policy constitutes your acceptance of the updated policy.

You may always request the previous version of this policy by emailing privacy@truthysystems.com.



02

Your rights

You have the following rights regarding your personal data. To exercise any of them, use the data deletion form on this page or contact us at privacy@truthysystems.com.

Data typePurpose
Right to access (Art. 15)Obtain a copy of all personal data we hold about you.
Right to rectification (Art. 16)Correct inaccurate or incomplete data.
Right to erasure (Art. 17)Request deletion of your data where there is no overriding legal basis for retention.
Right to restriction (Art. 18)Restrict processing while accuracy or legitimacy is contested.
Right to portability (Art. 20)Receive your data in a structured, machine-readable format.
Right to object (Art. 21)Object to processing based on legitimate interests or direct marketing.
Right to withdraw consentWithdraw any previously given consent at any time, without affecting prior processing.
We will respond to all verifiable requests within 30 days. In complex cases we may extend this by a further 60 days, and will notify you accordingly. There is no charge for exercising your rights.
03

Contact us

For any privacy-related questions, complaints, or to exercise your rights, contact our Privacy Team:

Organisation

Truthy Systems

Country

Uganda

If you are unsatisfied with our response, you have the right to lodge a complaint with the National Information Technology Authority — Uganda (NITA-U) or, for EU residents, your local data protection supervisory authority.

Privacy questions

Contact our privacy team for any queries about how we handle your data.

privacy@truthysystems.com

Terms of Service

Review the terms that govern your use of Truthy Systems products.

Read Terms of Service

Data deletion

Request deletion, export, or correction of your personal data.