Privacy Policy

Last updated: 22 April 2026

mooney is a personal expense tracker. This page explains what the app collects, how we use it, and who else processes it on our behalf. It applies to the mooney mobile application (package com.octyn.mooney) published on Google Play. "We", "us", and "mooney" refer to Octyn, the entity that operates this app. Questions? admin@octyn.co.

In short: your expenses, receipts, SMS content, and voice recordings are processed on your device. We only send data to our servers when you explicitly choose to — signing in, enabling cloud backup, or using voice entry (which transcribes speech to text on our behalf).

1. Data that stays on your device

The following is stored in an encrypted local database on your phone and is never sent anywhere unless you turn on cloud backup or sign in:

Expenses, budgets, splits, and subscriptions you enter.
Categories and custom labels you create.
Receipt images you capture with the camera — discarded after the on-device OCR step reads the amount and date.
Bank and payment notification text we parse locally to detect transactions (see §3). Raw notification content is never uploaded.

2. Data you choose to share with us

If you sign in, or turn on cloud backup, we collect the minimum needed to provide those features:

Email address — for one-time-password sign-in.
Google account email and display name — only if you use "Continue with Google". We do not see your password.
Encrypted backup of your expense data — uploaded to our cloud storage and accessible only to you. You can delete it from the app's Settings screen at any time.
Subscription status — whether you have an active Mooney Premium subscription. Payment details (card, UPI, etc.) are handled entirely by Google Play and never reach us.

3. Device permissions we ask for

Permission	Why
Camera	To photograph paper receipts. Images are processed on-device by Google ML Kit to extract text; they are not uploaded and are discarded after extraction unless you explicitly keep them.
Microphone	To record voice when you use voice entry. The audio is sent over an encrypted channel to our transcription provider (see §4) and deleted after transcription. Transcripts are used to extract the expense you described, then discarded.
Notification listener access	To read bank and payment notifications from a small allow-list of known apps (GPay, PhonePe, Paytm, Amazon, ICICI, HDFC, SBI, Axis, Kotak, WhatsApp Pay). Amount and merchant are extracted on your device. The raw content is not uploaded, stored server-side, or shared. Notifications from other apps are ignored. You can revoke this permission any time in Android settings.
Network / Internet	Required for voice transcription, sign-in, and cloud backup.
Post notifications	So the app can alert you about budget breaches, subscription renewals, and detected transactions awaiting confirmation. No notification content leaves your device.

4. Third parties who process data on our behalf

We use the following sub-processors. Each is bound by a data-processing agreement and only receives the data listed.

Provider	What they process	Purpose
Supabase (US / EU)	Your email address, authentication tokens, and the encrypted backup file you create.	Sign-in and cloud backup storage.
Deepgram (US)	Short audio clips (your voice when using voice entry).	Speech-to-text transcription. Audio is not retained for training.
Groq, Cerebras, OpenRouter (US)	The transcribed text of what you said — not the audio.	Parsing your instruction into a structured expense entry.
PostHog (US)	Anonymous product events (e.g., "expense_added"), a random device identifier, and — only after you sign in — your Supabase user ID.	Understanding feature usage so we can improve the app. The content of your expenses is never sent.
RevenueCat (US)	A stable anonymous user ID and your subscription status.	Managing trial and subscription entitlements across devices.
Google Play Billing	Payment details, billing address, purchase receipts.	Processing in-app subscription payments. Governed by Google's own privacy policy.
Google ML Kit (on-device)	Receipt images, at the moment of OCR, on your phone only.	Extracting text from receipts. No data leaves your device.

5. What we do not do

We do not sell your personal information, ever.
We do not share your data with advertisers, data brokers, or marketing networks.
We do not use your expense history to train AI models.
We do not read SMS or notifications outside the allow-listed finance apps, and we do not upload those notifications.
We do not track your location.
We do not access your contacts, calendar, photos, or files beyond those you explicitly share with the app.

6. Security

Local data is stored in Hive, an on-device key-value database, and is not accessible to other apps on a non-rooted device. Data in transit uses HTTPS / TLS 1.2+. Server-side backups live in a per-user folder readable only by the authenticated owner, enforced by row-level security. Third-party API keys live exclusively on our backend; the mobile app never carries provider secrets.

7. Your rights

Depending on where you live (GDPR in the EEA/UK, DPDP Act in India, CCPA in California, LGPD in Brazil, etc.) you have the right to access, export, correct, or delete your personal data. You can exercise most of these in-app:

Export — Settings → "Export data" produces a JSON file of everything on your device.
Delete your cloud backup — Settings → "Delete cloud backup".
Delete your account entirely — email admin@octyn.co from the address associated with your account. We remove your account and cloud data within 30 days and confirm in writing.
Withdraw consent — sign out or uninstall at any time. Uninstalling clears all locally stored data.

8. Data retention

Local data persists until you delete it in-app or uninstall mooney. Cloud backups are retained until you delete them or close your account. Authentication logs are retained by our auth provider for up to 90 days for security and abuse prevention. Anonymous analytics events are retained for 12 months and then aggregated.

9. Children

mooney is not directed at children under 13 (or under 16 in parts of the EU). We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact admin@octyn.co and we will delete it.

10. International transfers

Our sub-processors are primarily in the United States. If you are in the EEA, the UK, or India, your data may be transferred to and processed in those countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for these transfers.

11. Changes to this policy

We will update this page if our practices change. The "Last updated" date at the top always reflects the most recent revision. For material changes — e.g., a new sub-processor with access to your data — we will also notify you in-app before the change takes effect.

12. Contact

Data controller: Octyn
Email: admin@octyn.co
Address: Guwahati, Assam, India