PocketBudget: AI Money Manager Privacy Policy
A. Introduction
This Privacy Policy is published by Truthy Systems Ltd, a software company incorporated in Uganda. It governs how we collect, use, store, and protect your personal data when you use PocketBudget, our personal finance management application for Android and iOS.
PocketBudget helps Ugandan users track income and expenses, set budgets, manage debts, and gain AI-powered financial insights. This policy explains every data practice we follow in delivering that service.
By downloading or using PocketBudget you accept this policy. If you do not accept it, please uninstall the app and contact us to delete your data.
B. Data We Collect
B1 — Information you provide
Full name and email address — collected when you create your PocketBudget account via Google Sign-In or email registration.
Profile photo — collected if you sign in with Google and your Google account has a profile picture; you may remove it at any time in Settings.
Financial account names and balances — entered manually when you add a bank account, mobile money wallet, or savings account to the app.
Income records — entered manually or parsed from your SMS inbox when you grant SMS read permission.
Expense records and categories — entered manually or detected from SMS transaction notifications.
Budget limits per category — set by you in the Budgets screen.
Debt and IOU entries — contact names and amounts you enter in the Personal Ledger feature.
Scheduled bill entries — bill name, amount, recurrence, and due date you enter in the Runway Planner.
Customer support messages — any information you send us by email or through in-app feedback.
B2 — Information collected automatically
Device identifier and model — collected at app launch for crash reporting and to associate your session with your account.
Operating system version — collected for compatibility diagnostics via Firebase Crashlytics.
App usage events — screens visited, features used, and session duration, collected via Firebase Analytics to improve the product.
Crash logs and stack traces — collected automatically when the app crashes, via Firebase Crashlytics.
Advertising identifier (Android Ad ID / iOS IDFA) — collected by Google AdMob to serve contextually relevant advertisements. You can reset or disable this in your device settings.
Firebase Cloud Messaging token — generated automatically to enable push notifications for bill due-date reminders and financial alerts.
IP address — collected by Firebase when your device communicates with our backend; used for security monitoring only.
B3 — SMS data
PocketBudget requests permission to read your device SMS inbox to detect mobile money and bank transaction notifications. We read SMS messages locally on your device. We extract only the transaction amount, date, description, and sender code. We do not upload raw SMS message text to our servers. Extracted financial data is uploaded to your personal Firestore document, which is accessible only to you.
You can revoke SMS permission at any time in your device Settings. The app continues to function without it; you will need to enter transactions manually. |
C. How We Use Your Data
Purpose | Data used | Legal basis |
|---|---|---|
Service delivery — displaying your accounts, transactions, budgets, debts, and runway forecast within the app | Account names, balances, income, expenses, budgets, debt entries, scheduled bills | Performance of contract |
Account management — creating and maintaining your user profile, authenticating your identity | Name, email address, profile photo, Firebase UID | Performance of contract |
SMS transaction parsing — automatically categorising mobile money and bank SMS messages into your transaction history | Locally read SMS content; extracted amounts, dates, and descriptions only | Consent (SMS permission granted by you) |
AI financial insights — generating cash-flow forecasts, wealth protection projections, and fee optimisation recommendations | Your aggregated transaction history and account balances — never raw personal identifiers | Legitimate interest (product functionality) |
Security and fraud prevention — detecting unusual access patterns and protecting your account | IP address, device identifier, session events | Legitimate interest |
Push notifications — sending bill due-date reminders and budget alerts | FCM token, scheduled bill dates, budget thresholds | Consent (notification permission granted by you) |
Advertising — displaying in-app adverts through Google AdMob | Advertising ID, approximate location derived from IP | Consent (you may opt out via device settings) |
Analytics and product improvement — understanding how features are used to prioritise development | Anonymised usage events and crash logs | Legitimate interest |
Customer support — responding to queries, diagnosing reported issues | Name, email, messages you send us, relevant transaction data with your explicit consent | Performance of contract |
Legal compliance — meeting obligations under Ugandan law including the Data Protection and Privacy Act 2019 | As required by law — typically account and transaction records | Legal obligation |
D. Data Sharing
We share your data only with the service providers listed below. Each provider is bound by a data processing agreement. We share the minimum data necessary for each service to function.
Provider | Data shared | Purpose | Their policy |
|---|---|---|---|
Google Firebase (Auth, Firestore, Cloud Functions, Storage, FCM) | Name, email, UID, all financial records you create | Authentication, database, serverless functions, file storage, push notifications | |
Google Firebase Analytics | Anonymised usage events, session data, device model, OS version | Product analytics and improvement | |
Google Firebase Crashlytics | Crash logs, stack traces, device identifier, OS version | Crash diagnosis and stability monitoring | |
Google AdMob | Advertising ID, approximate location, ad interaction events | Serving in-app advertisements | |
Google (Gemini AI API) | Aggregated financial summaries — no names or identifiers are sent | Generating AI-powered insights and recommendations | |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
E. Data Retention
We keep your data only as long as necessary for the stated purpose or as required by Ugandan law. The table below states exact retention periods.
Data category | Retention period | Reason / legal basis |
|---|---|---|
Account profile (name, email, photo) | Until you delete your account, then 30 days | Required for app functionality; 30-day grace period allows account recovery |
Financial transactions (income, expenses) | 7 years from the date of each transaction | Uganda Revenue Authority record-keeping requirement for financial data |
Budget and debt records | 3 years after last update, or until account deletion | User reference and financial continuity |
Scheduled bills and runway data | Until deleted by you or account deletion | Active service data; no minimum retention required |
SMS-extracted transaction data | Same as financial transactions — 7 years | Treated as transaction records under Ugandan law |
Crash logs (Crashlytics) | 90 days from collection | Sufficient window for diagnosing and resolving stability issues |
Analytics events (Firebase) | 14 months (Google default) | Trend analysis; we do not extend beyond Google default |
Customer support correspondence | 2 years from resolution of the query | Reference for repeat issues and quality assurance |
Advertising identifiers (AdMob) | Until you reset or disable via device settings | Controlled by you at device level |
Backups | 30 days rolling backup retention in Firebase | Disaster recovery; purged on the 31st day automatically |
When you delete your account, we initiate deletion of your Firestore data within 24 hours. Backups containing your data are purged within 30 days. Some anonymised, aggregated data derived from your usage may persist in analytics systems; it cannot be linked back to you.
F. Your Rights
Under the Uganda Data Protection and Privacy Act 2019, and where applicable the EU General Data Protection Regulation (GDPR), you have the following rights. We respond to all requests within 30 days.
Right | What it means | How to exercise it |
|---|---|---|
Access | Request a copy of all personal data we hold about you | Email privacy@truthysystems.com with subject "Data Access Request" |
Rectification | Correct inaccurate or incomplete data | Edit your profile in-app under Settings > Profile, or email us |
Erasure (Right to be forgotten) | Request deletion of all your personal data | Visit: https://truthysystems.com/data-deletion?product=com.truthysystems.pocketbudget |
Data portability | Receive your data in a machine-readable format (JSON) | Email privacy@truthysystems.com with subject "Data Export Request" |
Withdraw consent | Withdraw SMS or notification permissions at any time without affecting your right to use the app | Revoke in device Settings > Apps > PocketBudget > Permissions |
Object to processing | Object to processing based on legitimate interest, including analytics | Email privacy@truthysystems.com with subject "Objection to Processing" |
Lodge a complaint | Complain to the national data protection authority | National Information Technology Authority — Uganda (NITA-U) |
G. Security
We implement the following technical and organisational measures to protect your data:
Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2 or higher.
Encryption at rest: All data stored in Firebase Firestore and Firebase Storage is encrypted at rest using AES-256 by Google.
Authentication: Firebase Authentication manages user sessions. We support Google Sign-In (OAuth 2.0) and email-password authentication with secure password hashing.
Database access rules: Firestore Security Rules enforce that each user can only read and write their own data. No cross-user data access is possible at the database level.
API security: All Firebase Cloud Functions require authenticated Firebase ID tokens. Unauthenticated requests are rejected.
SMS data handling: SMS content is processed locally on your device. Only extracted financial figures — not raw message text — are uploaded.
Least privilege: Our engineering team accesses production data only through audited Firebase console access with multi-factor authentication enabled.
Dependency monitoring: We monitor our Flutter and npm dependencies for known vulnerabilities and apply security patches within 14 days of disclosure.
Breach notification
Despite these measures, no system is 100% secure. If we discover a data breach that is likely to result in a risk to your rights or freedoms, we will notify you and the relevant authorities within 72 hours of becoming aware of it. We will contact you at the email address registered to your account.
H. Contact Information
For all privacy queries, data requests, or concerns, contact our Data Protection Officer:
Contact detail | Value |
|---|---|
Privacy email | |
Company name | Truthy Systems Ltd |
Physical address | Kampala, Uganda |
Country of incorporation | Uganda |
Response time | We respond within 30 days of receiving your request |
I. Cookies and Tracking (Web)
PocketBudget is primarily a mobile application and does not use cookies in the core app. If you access any Truthy Systems web interface (such as the admin panel or data deletion portal), the following cookies may be set:
Cookie name | Type | Purpose | Duration |
|---|---|---|---|
__session | Essential | Firebase Authentication session management | Session (cleared on browser close) |
ga, ga_* | Analytics | Google Analytics — anonymised usage measurement | 14 months |
_fbp | Analytics | Firebase performance monitoring on web | 90 days |
You can disable non-essential cookies via your browser settings. Disabling analytics cookies does not affect your ability to use any Truthy Systems web interface.
J. Children's Privacy
PocketBudget is not directed at children under 13 years of age. We do not knowingly collect personal data from users under 13.
If you are a parent or guardian and believe your child under 13 has created an account, contact us at privacy@truthysystems.com and we will delete the account and all associated data within 72 hours.
Users between 13 and 17 may use PocketBudget with parental knowledge. We recommend that parents review this policy with teenage users.
K. Changes to This Policy
We review this policy at least annually and whenever we make significant changes to how we process data. When we make material changes, we will:
Display a prominent in-app notification banner at least 30 days before the change takes effect.
Send an email notification to your registered email address.
Update the "Effective Date" at the top of this document and increment the version number.
Minor changes — such as correcting typographical errors or updating contact details — may be made without advance notice but will always be reflected in an updated version number.
Continued use of PocketBudget after the effective date of any updated policy constitutes your acceptance of the updated policy.
You may always request the previous version of this policy by emailing privacy@truthysystems.com.
Your rights
You have the following rights regarding your personal data. To exercise any of them, use the data deletion form on this page or contact us at privacy@truthysystems.com.
| Data type | Purpose |
|---|---|
| Right to access (Art. 15) | Obtain a copy of all personal data we hold about you. |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data. |
| Right to erasure (Art. 17) | Request deletion of your data where there is no overriding legal basis for retention. |
| Right to restriction (Art. 18) | Restrict processing while accuracy or legitimacy is contested. |
| Right to portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interests or direct marketing. |
| Right to withdraw consent | Withdraw any previously given consent at any time, without affecting prior processing. |
Contact us
For any privacy-related questions, complaints, or to exercise your rights, contact our Privacy Team:
Organisation
Truthy Systems
Country
Uganda
Privacy email
privacy@truthysystems.comWebsite
https://truthysystems.comIf you are unsatisfied with our response, you have the right to lodge a complaint with the National Information Technology Authority — Uganda (NITA-U) or, for EU residents, your local data protection supervisory authority.
Privacy questions
Contact our privacy team for any queries about how we handle your data.
Terms of Service
Review the terms that govern your use of Truthy Systems products.
Data deletion
Request deletion, export, or correction of your personal data.
