Privacy Policy
Last updated: March 22, 2026
What we collect
- Phone number — used solely for OTP authentication. Not shared with third parties.
- Profile information — optional name and email address for account customisation.
- SMS text — processed by our self-hosted LLM to classify transactions. SMS content is never stored and is never logged to external services.
- Merchant rules — user-defined category mappings for specific merchants.
Data storage
Kharcha stores minimal data server-side:
- Phone number (for authentication)
- Optional name and email
- Custom merchant category rules
Transaction data is stored only on your device. Raw SMS text is never stored or logged. The server classifies SMS in real time and returns the result.
Third-party services
- Twilio — delivers OTP SMS messages. Subject to Twilio’s Privacy Policy.
- Ollama — LLM inference. SMS text is processed on our servers and never stored.
- Exchange rate APIs — used for currency conversion. No personal data is stored.
Security
- JWT-based authentication with 24-hour token expiry
- OTP codes are single-use with 10-minute expiry
- Rate limiting on all endpoints
- Security headers on all responses
Data retention
Your data is retained until you delete your account. Dedup cache entries expire in 5 minutes; OTP codes expire in 10 minutes.
Data deletion
Delete your account at any time from the app’s Settings page. Deletion is immediate, permanent, and irreversible. Transaction data on your device can be cleared by uninstalling the app.
Contact
For questions, email lovlinthakkar99@gmail.com.