Privacy Policy
Effective 18 April 2026 · Last updated 18 April 2026 · Version 2.0
Moneytrak ("Moneytrak", "we", "our", "us") operates moneytrak.in (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your rights under the Digital Personal Data Protection Act 2023 (DPDP 2023) and the Information Technology Act 2000.
1. The short version
- Moneytrak is a zero-knowledge cloud service. Your financial data is encrypted on your device with a key derived from your master password, and only the ciphertext is uploaded to our cloud. We see only opaque ciphertext — never the plaintext.
- You can sign in from any device (phone, laptop, tablet) using your email + master password + optional 2FA; the vault is pushed to that device and decrypted locally.
- We do not sell, rent, share, or access your financial information. Ever.
- We do not embed Google Analytics, Meta pixels, or third-party ad trackers.
- You can export or delete all your data at any time with one click.
2. What we collect
2.1 Information you provide
- Account data — name, email, mobile number, city. Used to authenticate you and deliver support.
- Financial data — transactions, assets, liabilities, goals, budgets. Encrypted on your device before it is uploaded to our cloud. We can prove the ciphertext is intact but we cannot read its contents.
- Payment data — processed by Razorpay (PCI-DSS Level 1). We store only the order ID, amount, and plan — never card numbers.
2.2 Information collected automatically
- Access logs — IP address, user-agent, timestamp of requests. Used for security (rate-limiting, fraud detection) and retained for 90 days.
- Device identifiers — a random session ID to keep you logged in. Not linked to advertising IDs.
2.3 What we don't collect
- We never ask for bank / broker credentials or OAuth tokens.
- We do not track cross-site behaviour, browsing history, or contact lists.
- We do not buy data from third-party brokers or data aggregators.
3. How we use your information
- To provide and maintain the Service (authentication, backup, sync).
- To respond to your support requests at support@moneytrak.in.
- To prevent fraud, abuse, and protect the integrity of the Service.
- To send service-related emails (billing receipts, security alerts) — never marketing without your explicit consent.
4. Lawful basis (DPDP 2023)
We process personal data under the legitimate-use grounds of contractual necessity (to deliver the Service you signed up for), legal compliance (tax, anti-money-laundering), and your explicit consent (for optional features like cloud backup or marketing emails).
5. Data residency & transfers
All personal data is stored within India. We do not transfer personal data outside India except where legally required. Encrypted backups of your vault are stored in India; ciphertext only.
6. Retention
- Account data: kept while your account is active and for up to 12 months after deletion (for tax / audit compliance).
- Access logs: 90 days.
- Encrypted vault backups: kept while your subscription is active. On deletion, purged within 30 days.
- Payment records: 7 years (required by Indian tax law).
7. Your rights
Under DPDP 2023 you have the right to:
- Access a copy of all personal data we hold about you.
- Correct inaccurate data.
- Erase your data (subject to lawful retention periods).
- Port your data to another provider in a machine-readable format.
- Withdraw consent for any optional processing at any time.
- Raise a complaint via support@moneytrak.in, and appeal to the Data Protection Board of India.
To exercise any right, email support@moneytrak.in. We respond within 24–48 hours, including weekends and public holidays.
You can also request account deletion directly (DPDP-compliant 90-day cooling-off window) or recover a locked vault using your single-use recovery codes.
8. Security
We use industry-standard safeguards: TLS 1.3 in transit, AES-256-GCM at rest, PBKDF2 (250,000 rounds) for key derivation. Our team members cannot access user vault contents — the cryptography makes it technically impossible by design.
9. Children's privacy
Moneytrak is not directed to children under 18. We do not knowingly collect data from minors without verifiable parental consent.
10. Changes to this policy
We will notify you by email (to the address on file) at least 14 days before any material change takes effect.
11. Contact
Questions or data requests? Write to support@moneytrak.in — our only official channel. We respond within 24–48 hours, including weekends and public holidays. All data is stored within India.
