Legal

Privacy Policy

Effective date: April 24, 2026 · Last updated: April 24, 2026

1. Who We Are

Mudra Manager: Budget Tracker ("Mudra Manager," "the App," "we," "us," or "our") is a personal finance application developed and published by Aloke Tewary, an individual developer based in India. This Privacy Policy explains how we handle information in connection with the App (available on Google Play) and this website (mudramanager.com).

By installing, accessing, or using the App or visiting this website, you acknowledge that you have read and understood this Privacy Policy.

2. Our Core Privacy Principle

TL;DR — Mudra Manager is a local-first application. We do not operate servers, do not create user accounts, and do not collect, transmit, store, or process your personal or financial data on any remote system.

Data storageDevice only

EncryptionAES-256

Cloud serversNone

User accountsNone

3. Information Stored on Your Device

All data created or processed by the App resides exclusively on your device's local storage using the Isar database engine. This includes:

Transaction records (amounts, dates, merchants, categories, notes, descriptions)
Account information (account names, types, balances, last 4 digits of account numbers)
Budgets, savings goals, trip expenses, and split records
Categories, tags, and user preferences
SMS/notification message bodies processed for transaction detection
Gamification data (achievements, streaks, XP, levels)
Plugin preferences and marketplace selections
App settings (theme, language, tone, notification preferences)

We never have access to this data. It is not transmitted to us or any third party. We have no technical means to retrieve, view, or recover your data.

4. Sensitive Data & Encryption

4.1 Encrypted Fields

The following data is encrypted at rest using AES-256 field-level encryption before being stored in the local database:

SMS/notification message bodies — may contain bank account numbers, transaction amounts, UPI references, and merchant information
Merchant/payee names extracted from SMS messages
Transaction descriptions — user-entered notes that may contain sensitive information

4.2 Encryption Key Management

The 256-bit AES encryption key is generated once on first launch and stored in the Android Keystore (hardware-backed secure storage). The key:

Never leaves the device's secure hardware enclave
Is not accessible to other applications or to us
Is bound to the device — it cannot be extracted or transferred
Is lost if the App is uninstalled (encrypted data becomes permanently unreadable)

4.3 Graceful Degradation

If the Android Keystore is unavailable (rare hardware/OS issue), the App continues to function normally but without field-level encryption. Data is still protected by Android's app-private storage sandbox.

5. Permissions We Request

The App requests only the permissions necessary for its functionality. All permissions are optional and revocable at any time through your device's Settings.

Permission	Purpose	Required?
Notification Access (NotificationListenerService)	Read bank SMS and RCS notifications to automatically detect and create transactions. Messages are processed entirely on-device and never transmitted.	Optional
Storage / Media	Export financial reports (Excel, PDF) and backup files to your device storage.	Optional
Biometric (Fingerprint / Face)	Secure app access via biometric authentication. Biometric data is handled entirely by Android's BiometricPrompt API — we never access or store biometric templates.	Optional
Internet	Fetch currency exchange rates (the only network call the App makes). See Section 6.	Optional
Notifications	Display local notifications (budget alerts, bill reminders, spending insights). All generated on-device.	Optional

5.1 SMS/Notification Processing Details

When Notification Access is granted:

The App's background service (NotificationListenerService) intercepts notifications from messaging apps (SMS, Google Messages, Samsung Messages)
Messages are filtered on-device to identify bank/financial transaction notifications
Non-financial messages (OTPs, promotions, personal messages) are discarded immediately and never stored
Financial messages are parsed locally using bank-specific and generic parsers to extract transaction data
The original message body is encrypted (AES-256) before storage
Last 4 digits of account numbers may be used for automatic account matching
No message content is ever transmitted off your device

6. Network Communications

Mudra Manager makes one type of network call:

Currency exchange rates — periodic requests to fetch current exchange rates for multi-currency conversion. These requests contain no personal data, no device identifiers, and no financial information. Only the currency pair is sent.

All other App functionality operates entirely offline with zero network dependency.

7. Third-Party Services

7.1 Google Play Billing / RevenueCat

If you purchase the optional Pro upgrade, the transaction is processed entirely by Google Play's billing system. RevenueCat SDK manages subscription state. These services may collect:

Purchase transaction IDs and subscription status
Google Play account information (as per Google's privacy policy)

We do not receive or store your payment method details (credit card, UPI, etc.). We receive only a purchase verification token to unlock Pro features. See RevenueCat Privacy Policy → and Google Privacy Policy →

7.2 Google Play Store

The App is distributed via Google Play, which may collect device information, crash reports, and usage statistics as per Google's policies. We have access to aggregated, anonymized analytics through the Google Play Console (install counts, crash rates by device model, country-level distribution). This data does not identify individual users.

7.3 No Other Third-Party SDKs

The App does not include any analytics SDKs, advertising SDKs, crash reporting SDKs, or social media SDKs. There is no Firebase, no Google Analytics, no Facebook SDK, no AppsFlyer, no Mixpanel, or any similar service.

8. This Website

This website (mudramanager.com) is a static site. It:

Does not use cookies, tracking pixels, or analytics services
Does not collect personal information
Does not use contact forms (support is via direct email)
Loads fonts from Google Fonts and icons from cdnjs (Font Awesome), which may log standard web server access data (IP address, browser type) per their respective privacy policies

9. Data Retention & Deletion

Your data persists on your device for as long as the App is installed
To delete all data: Use Settings → Clear All Data within the App, or uninstall the App. Both actions permanently and irreversibly destroy all local data including the encryption key
We cannot delete your data because we never have access to it. There is nothing on our end to delete
Exported files (Excel, PDF, backup files) saved to your device storage persist independently of the App and must be deleted manually
Backup files contain encrypted fields. If restored on a different device, encrypted fields will be unreadable (the encryption key is device-bound)

10. Data Portability

You can export your complete financial data at any time in the following formats:

Excel (.xlsx) — full transaction history with categories, accounts, and amounts
PDF — formatted financial reports
Encrypted backup — full App state for restore on the same device

There is no data lock-in. Your data is always accessible and exportable.

11. Children's Privacy

The App is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect or process data from children. Since all data is local and we have no user accounts, we have no means to identify the age of any user. If you are a parent or guardian and believe your child is using the App, please note that all data is local to the device and can be deleted by uninstalling the App.

12. International Users

The App is available globally through Google Play. Since all data processing occurs locally on your device:

No cross-border data transfer occurs (your data never leaves your device)
The App complies with data localization requirements by design — data is stored where you are
GDPR (EU), DPDPA (India), CCPA (California), LGPD (Brazil), and similar data protection regulations are satisfied by our zero-collection architecture

13. Compliance with Indian Law

13.1 Digital Personal Data Protection Act, 2023 (DPDPA)

Under the DPDPA, Mudra Manager's position is as follows:

We do not act as a "Data Fiduciary" as defined under the DPDPA because we do not determine the purpose and means of processing personal data — all processing occurs locally on your device under your control
We do not collect, store, or process personal data on any system we operate
No consent mechanism is required from us because no personal data flows to us. Device-level permissions (notification access, storage) are governed by Android's permission framework
Your rights under the DPDPA (access, correction, erasure, portability) are exercisable directly through the App's built-in features

13.2 Information Technology Act, 2000

The App implements reasonable security practices (AES-256 encryption, Android Keystore) as contemplated under Section 43A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures) Rules, 2011.

14. Security Measures

AES-256 field-level encryption for sensitive data (SMS bodies, merchant names, transaction descriptions)
Encryption keys stored in Android Keystore (hardware-backed)
App-private storage sandbox (inaccessible to other apps without root access)
Optional biometric/PIN lock for App access
Guest mode to hide financial amounts when sharing your screen
No remote access, no cloud sync, no server-side storage

While we implement strong security measures, no system is perfectly secure. Physical access to an unlocked, rooted device could potentially expose local data. We recommend keeping your device updated, using a screen lock, and enabling the App's biometric/PIN protection.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in the App's functionality or applicable law. Changes will be:

Posted on this page with an updated "Last updated" date
Noted in the App's changelog (What's New) for significant changes
Effective immediately upon posting unless otherwise stated

Your continued use of the App after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

16. Contact

For privacy-related questions, concerns, or requests:

Aloke Tewary
Email: support@mudramanager.com →
Website: mudramanager.com

We aim to respond to all privacy inquiries within 30 days.