UPI Tracker

Privacy Policy

Last updated: 14 May 2026 · Aligned with India's Digital Personal Data Protection Act, 2023.

Short version: We don't have your bank login. We don't see your balance. We parse your bank SMS and receipts on your device. Your data never leaves your phone — we don't operate any servers that store it, and we don't offer or perform any kind of cloud backup, sync, or upload.

Contents

  1. Scope of this Policy
  2. Data we process — and where
  3. Sources of data
  4. Purposes & lawful basis
  5. Whom we share data with
  6. Retention
  7. Your rights under the DPDP Act
  8. Security
  9. Cookies on this website
  10. Children
  11. Changes to this Policy
  12. How to reach our privacy team

1. Scope of this Policy

This policy describes how UPI Tracker Technologies Pvt. Ltd. ("we", "us") handles personal data in connection with the UPI Tracker mobile application and this website. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we act as the Data Fiduciary; you are the Data Principal.

2. Data we process — and where

2.1 On your device only — always

The following is processed on your device and never transmitted to us:

  • Transaction details parsed from bank SMS — amount, date, time, merchant or VPA, bank account masked tail, UTR.
  • Receipts you scan or pick from your gallery, and the OCR output (amount, merchant, date, narration).
  • Categories, narrations, rules, and budgets you create.
  • Saved merchants and pinned items.
  • Mandate metadata observed in SMS or notifications (debit amount, cadence, next-debit date).
  • Your language preference, theme preference, and app PIN.

2.2 We do not operate cloud storage

UPI Tracker has no “cloud backup”, no account sync, and no server that stores your financial data. There is no cloud feature you can turn on. If you uninstall the app or switch phones, the data is gone unless you have exported it (see Section 2.4) and saved that export somewhere yourself.

2.3 Anonymous diagnostics (only if you opt in)

If you explicitly turn on anonymous diagnostics from Privacy & Security settings, we may receive non-identifying crash reports and feature-usage counters. These never include any transaction data, merchant data, narration text, receipt image, OCR output, or SMS content. You can turn this off at any time. It is off by default.

2.4 Export

You can export your data to CSV or JSON files at any time from Profile → Privacy & Security → Export your data. The export is generated on your device and shared via your phone’s standard share sheet — we never see it.

2.5 What we never process

  • Bank usernames or passwords.
  • OTPs or net-banking credentials.
  • Bank account balance or full account number (we only see the masked tail in the SMS).
  • The contents of your SMS inbox, beyond messages identified as bank or UPI transaction notices.
  • Your contacts, location, or microphone.

3. Sources of data

We receive data from these sources:

  • You, when you manually add expenses, write narrations, edit categories, set budgets, scan receipts, or create rules.
  • Your device, which makes bank SMS messages available to the app via OS permissions you grant.
  • Your camera or gallery, when you choose to scan or import a receipt.
  • App stores (Apple App Store, Google Play), for install events and store-side anonymous metrics, governed by their respective policies.

4. Purposes & lawful basis

Under the DPDP Act, we process personal data on the following bases:

  • Your consent — for camera, SMS, photos, notifications, and optional anonymous diagnostics.
  • Performance of the Service — minimum data needed to deliver the features you use.
  • Legal compliance — where applicable laws require us to retain or disclose data.

5. Whom we share data with

We do not sell your data. We do not share it with advertisers. We do not share it with banks, lenders, insurers, brokers, or aggregators. Because your data never reaches our servers in the first place, there is in practice nothing to share.

The only limited cases where data could be involved in a disclosure:

  • Anonymous diagnostics (opt-in only): aggregate, non-identifying crash and usage data may be processed via standard cloud infrastructure providers under strict data-processing agreements.
  • Legal disclosures when required by an order from a court or authorised government agency in India, after we have reviewed the request for validity. In practice we will have no transaction data to disclose.

6. Retention

Data on your device is retained for as long as you keep the app installed. You can delete individual records, export everything, or wipe all data from Profile → Privacy & Security → Delete account & data. Uninstalling the app deletes all stored data.

Anonymous diagnostic events, if you have opted in, are retained for up to 13 months in aggregate form.

7. Your rights under the DPDP Act

You have the right to:

  • Access a summary of the personal data we hold about you.
  • Correct, complete, or update your data, or request that we erase it.
  • Withdraw consent for any optional processing at any time, with effect from withdrawal.
  • Seek grievance redressal: raise a complaint with our Data Protection Officer (below). If unresolved, you may approach the Data Protection Board of India.
  • Nominate another individual to exercise your rights in the event of your death or incapacity.

8. Security

Your data is stored locally in encrypted app storage protected by your device’s OS sandbox and, optionally, an app PIN or biometric unlock (Face ID / Touch ID / fingerprint). Because we hold no server-side copy, there is no remote breach surface for your financial data.

Diagnostics, if you opt in, are transmitted over TLS 1.3 and never include personal financial content.

9. Cookies on this website

This marketing website (upitracker.in) uses only a single first-party preference cookie (upi.theme) to remember whether you prefer the light or dark theme. We do not run third-party trackers, advertising pixels, or session-replay tools on this site.

10. Children

UPI Tracker is not intended for children under 18. We do not knowingly collect data from anyone under that age. If you believe a child has provided data to us, contact us and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified to you in-app and via email if we have one on file. The "Last updated" date at the top will always reflect the current version.

12. How to reach our privacy team

Data Protection Officer
Email: dpo@upitracker.in
Privacy team: privacy@upitracker.in

UPI Tracker Technologies Pvt. Ltd.
Bengaluru, Karnataka, India

© 2026 UPI Tracker. Made within India.