Privacy Policy

Last updated: April 2026
Effective date: April 2026

Rasa Money is a personal finance management application. We handle sensitive financial information and take that responsibility seriously. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have over your data. We have written this policy to be readable - not just legally complete.

1. Data We Collect

We collect only the data necessary to provide, maintain, and improve the Service. We do not sell your data to third parties.

Account and Identity Data

When you register an account, we collect:

  • Email address - used as your primary login identifier and for account communications.
  • First and last name - used to personalize your experience.
  • Password - stored as a one-way bcrypt hash. We never store your raw password and cannot read it.
  • Phone number (optional) - used for OTP verification if you choose phone-based authentication.
  • Date of birth (optional) - used for profile personalization.
  • Gender (optional) - used for profile personalization.
  • Country - used to set your default timezone and locale during onboarding.

Google OAuth Data

If you sign in with Google, we receive from Google:

  • A unique Google subject ID (google_sub) - used to link your Google account to your Rasa Money account.
  • Your Google email address - used to match or create your local account.
  • Your Google display name - used to pre-fill your profile fields.
  • Optional profile extras (date of birth, gender, country) from the Google People API - used only to pre-populate empty profile fields and only if you have not already provided them.

Financial Data

The core of what Rasa Money stores on your behalf:

  • Account records - name, type, currency, balance, initial balance, and optional bank name and card number.
  • Card numbers (optional) - stored as plain text strings if you choose to enter them. We recommend entering only partial card numbers (e.g., last 4 digits) for reference purposes. We do not process or validate card numbers and they are not used for any payment processing.
  • Transaction records - amount, type (income, expense, transfer), category, date, notes, tracking number, cheque number, and associated account references.
  • Budget records - name, currency, spending limit, period, scope (accounts and categories), and status.
  • Category records - name, type, icon, color, and hierarchy.
  • Exchange rate snapshots - the exchange rate at the time of each transaction, sourced from our rate provider and stored for historical accuracy.

Settings and Preferences

We store your application preferences:

  • Timezone selection.
  • Base currency preference.
  • Display locale (e.g., English, Farsi).
  • Preferred date format.
  • Fiscal month start day.

Session and Authentication Data

To manage your login sessions, we store:

  • Refresh tokens - used to maintain your logged-in session. Stored securely and revoked on logout.
  • OTP verification records - temporary codes used for email/phone verification and password reset. Codes expire and are marked used after verification.
  • Password reset request records - stored to track the lifecycle of a reset request from initiation through completion.

Technical and Usage Data

We may collect limited technical data to operate and improve the Service:

  • IP address - used for security monitoring and fraud prevention.
  • Browser type and version - used for compatibility and debugging.
  • Error logs and diagnostic data - used to identify and fix bugs. These logs do not contain your Financial Data.

2. How We Use Your Data

We use your data exclusively to operate and improve Rasa Money. We do not use your Financial Data for advertising, profiling, or any purpose unrelated to providing the Service.

  • To provide the Service - processing your transactions, computing account balances, applying exchange rates, generating budget status, and rendering your dashboard.
  • To authenticate you - verifying your identity on login, managing your session via refresh tokens, and securing sensitive operations with password re-verification.
  • To communicate with you - sending OTP verification codes, password reset emails, early access notifications, and important account or billing communications. We do not send marketing emails without your explicit consent.
  • To retrieve and cache exchange rates - fetching rate data from our third-party provider on your behalf and storing rate snapshots at transaction time for historical accuracy.
  • To protect the Service and your account - detecting unauthorized access, preventing abuse, and enforcing our Terms of Service.
  • To improve the Service - analyzing anonymized, aggregated usage patterns to identify areas for improvement. Individual Financial Data is never used for this purpose.
  • To comply with legal obligations - retaining records as required by applicable law and responding to lawful requests from authorities.

3. Data Sharing and Third Parties

We do not sell, rent, or share your personal or Financial Data with third parties for their own commercial purposes. Data is shared only in the following limited circumstances:

  • Exchange rate provider (ExchangeRate-API) - we send your base currency code to this provider to retrieve rate data. No personal or Financial Data is shared with this provider.
  • Google LLC - if you use Google sign-in, authentication is handled by Google. We receive only the profile data described in Section 1. Your Financial Data is never shared with Google.
  • Infrastructure and hosting providers - our servers and databases may be operated on third-party cloud infrastructure. These providers are contractually bound to process data only on our behalf and are prohibited from using your data for their own purposes.
  • Legal and regulatory requests - we may disclose data if required to do so by law, court order, or governmental authority. Where legally permitted, we will notify you before complying with such requests.
  • Business transfers - in the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you in advance and you will have the right to delete your account before the transfer completes.
  • Family plan members - on the Family plan, certain financial data (shared budgets, categories, and the household dashboard) is visible to other members of your family group. You control which members are invited and have access to per-member visibility settings.

4. Data Security

We implement technical and organizational measures to protect your data against unauthorized access, loss, or disclosure.

  • Encryption in transit - all data transmitted between your device and our servers is encrypted using TLS (HTTPS). We do not permit unencrypted connections.
  • Encryption at rest - your data is encrypted at rest on our storage infrastructure.
  • Password hashing - passwords are hashed using bcrypt with a strong cost factor before storage. We cannot read or recover your password.
  • Token security - access tokens are short-lived JWTs. Refresh tokens are stored and revoked on logout, and can be invalidated remotely.
  • Sensitive action gates - high-risk operations (data export, financial reset, account deletion) require password re-verification and multi-step typed confirmation, reducing the risk of accidental or unauthorized execution.
  • OTP expiry - verification codes expire automatically and are single-use. Expired and used codes cannot be reused.
  • We never store your raw password and have no mechanism to retrieve it. If you lose your password, you must go through the password reset flow.
  • In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law, within the timeframes required.

5. Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • Your account is immediately deactivated. Your email and phone number are obfuscated and you are logged out of all sessions.
  • Your Financial Data (accounts, transactions, budgets, categories) is scheduled for permanent deletion within our standard data lifecycle process.
  • Backups - your data may remain in encrypted system backups for a limited period after deletion. These backups are not accessible for active use and are destroyed on their normal rotation schedule.
  • We may retain certain data for longer periods where required by law, to resolve disputes, or to enforce our agreements.
  • OTP and verification records - expired verification codes are retained for a short period for security audit purposes and then permanently deleted.
  • Anonymized and aggregated data - we may retain statistical data derived from your usage that cannot be used to identify you, for the purpose of product improvement.

6. Your Rights and Choices

You have the following rights over your personal data. To exercise any of these rights, you can use the tools available in your account settings or contact us directly.

  • Right to access - you can view your complete profile, settings, and all Financial Data at any time from within the application.
  • Right to rectification - you can update your profile information, settings, and Financial Data at any time from your account settings.
  • Right to data portability - you can export all of your data as a downloadable archive at any time from your account settings. No restrictions apply.
  • Right to erasure - you can permanently delete your account and all associated data from your account settings. Deletion is immediate, permanent, and cannot be undone.
  • Right to reset - you can delete all of your Financial Data (accounts, transactions, budgets, categories) while preserving your account identity and settings.
  • Right to unlink Google - if your account is linked to Google, you can unlink it by deleting your account. Relinking requires creating a new account.
  • Right to opt out of communications - you can unsubscribe from non-essential email communications at any time via the unsubscribe link in any email we send.
  • If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection law, you may have additional rights including the right to object to processing, restrict processing, and lodge a complaint with your local supervisory authority.

7. Cookies and Local Storage

Rasa Money uses minimal client-side storage to operate the application. We do not use third-party advertising cookies or tracking pixels.

  • Session storage - your access token is stored in session storage to maintain your authenticated session. This is cleared when you close your browser tab.
  • Local storage - your refresh token may be stored in local storage if you select "Remember me" at login, allowing your session to persist across browser sessions.
  • Cookies - your user profile data may be stored in a cookie for application state purposes. This cookie does not contain your Financial Data.
  • We do not use tracking cookies, advertising pixels, or third-party analytics cookies that follow you across other websites.
  • You can clear session storage, local storage, and cookies at any time using your browser settings. Doing so will log you out of the Service.

8. Children's Privacy

Rasa Money is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a user is under 18, we will delete their account and associated data promptly. If you believe a child has created an account, please contact us at [email protected].

9. International Data Transfers

Rasa Money may store and process your data in data centers located outside your country of residence. Where data is transferred internationally, we implement appropriate safeguards - including standard contractual clauses or equivalent mechanisms - to ensure your data receives an adequate level of protection consistent with this Privacy Policy and applicable law.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. We encourage you to review this Policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy inquiries within 5 business days. For formal data subject requests, we will respond within the timeframe required by applicable law (typically 30 days).

✦ Start Today — It's Free

Your money deserves clarity
in every currency.

Join freelancers, expats, and globally-minded individuals
who finally have a clear, complete picture of their finances.

Start for Free →