Privacy Policy

1. Information We Collect

1.1 Information You Provide

When you create an account, we collect:

• Email address: Used for account creation and communication
• Display name: Your chosen name for the account
• Profile photo: Optional, if provided via Google or Apple Sign-In
• Password: Encrypted and stored securely (for email/password accounts)

1.2 Information Stored Locally

The following data is stored only on your device and never transmitted to our servers:

• Financial transactions and amounts
• Account balances and details
• Budget information
• Categories and tags
• All personal financial data

1.3 Automatically Collected Information

We may collect:

• Device information: App version, device type, operating system
• Usage analytics: Feature usage patterns (no financial data)
• Error logs: Technical diagnostics for app improvement

1.4 Device Permissions

To provide core functionality, Pebbles requests the following device permissions. All data accessed through these permissions is stored locally on your device and is never transmitted to our servers or any third party.

• Camera: Allows you to take photos of receipts, bills, and invoices directly within the app. These photos are attached to your transactions as proof of purchase and are stored only on your device.
• Photos & Media: Enables you to select existing receipt images from your device's photo gallery to attach to transactions. We only access images you explicitly choose through the file picker.
• Storage: Used to save transaction receipts and export your financial data. All files are stored locally on your device in the app's private storage.
• Internet: Required for user authentication, AI-powered features (for authenticated users), and currency exchange rate updates. Your financial transaction data is never transmitted over the internet.

Privacy Guarantee: Receipt photos, transaction images, and all financial data accessed through these permissions remain on your device. They are stored in encrypted local storage and are never uploaded to our servers, shared with third parties, or used for any purpose other than displaying them within the app.

2. How We Use Your Information

We use the collected information to:

• Provide and maintain authentication services
• Send service-related communications (email verification, password reset)
• Improve app functionality and user experience
• Provide AI-powered features (for authenticated users)
• Enforce usage limits and prevent abuse
• Comply with legal obligations

3. Data Storage and Security

3.1 Local Storage

All your financial data is stored locally on your device using encrypted storage. This data is never transmitted to our servers or any third party.

3.2 Cloud Storage

Authentication data (email, name, profile photo) is stored securely and is:

• Encrypted in transit and at rest
• Protected by industry-standard security infrastructure
• Subject to regular security audits

3.3 Security Measures

We implement industry-standard security measures:

• End-to-end encryption for data in transit
• Secure password hashing (for email/password accounts)
• App verification to prevent unauthorized access
• Regular security updates and patches

4. Third-Party Services

We use the following third-party services:

• Supabase: Authentication and cloud functions
• Google Sign-In: Optional authentication method
• Apple Sign-In: Optional authentication method (iOS only)
• AI Services: AI-powered features (for authenticated users)

These services have their own privacy policies. We encourage you to review them.

5. AI Features and Data Processing

When you use AI-powered features:

• Prompts are sent to AI services for processing
• We do not include personally identifiable financial data in prompts
• AI interactions are rate-limited
• Usage metrics may be logged for monitoring

6. Data Sharing and Disclosure

We do NOT sell, trade, or rent your personal information. We may share information only in these cases:

• With your consent: When you explicitly agree to share
• Legal requirements: When required by law or legal process
• Service providers: Third-party services that help us operate the app
• Business transfers: In case of merger, acquisition, or sale of assets

7. Your Rights and Choices

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct your information
• Deletion: Request deletion of your account and data
• Export: Export your local financial data at any time
• Opt-out: Use the app without creating an account

8. Children's Privacy

Pebbles is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

9. Data Retention

We retain your personal information for as long as your account is active. When you delete your account:

• Authentication data is deleted from our servers
• Local data remains on your device until you uninstall the app
• Logs and analytics may be retained for up to 90 days

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

11. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Updating the "Last Updated" date
• Sending an email notification (for significant changes)
• Displaying an in-app notice

12. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale of personal information (we don't sell data)
• Right to non-discrimination for exercising privacy rights

13. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing