Skip to main content
Legal · privacy

Privacy Policy — TrackSpends

Last updated 2026-04-29

This Privacy Policy describes how Primakor Ventures Private Limited (“Primakor”, “we”, “us”, “our”) collects, uses, stores, and shares information when you use the TrackSpends mobile application (the “App”). By using the App you agree to the practices described in this Policy. If you do not agree, please do not install or use the App.

This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Digital Personal Data Protection Act, 2023 (“DPDPA”), and applicable Apple App Store and Google Play requirements.

1. Who we are

Primakor Ventures Private Limited A company incorporated in India. Apple Developer Team ID: RTVN65NG7Z App Store Bundle ID: com.primakor.expensemanager Contact: mayank@primakor.com

For DPDPA purposes, Primakor is the Data Fiduciary. You are the Data Principal.

2. What the App is

TrackSpends helps you track personal expenses by reading transactional emails (such as bank, credit-card, and merchant receipts) from your Gmail inbox and turning them into a categorised expense list, dashboards, and budgets stored locally on your device. The App also offers a Demo Mode that uses sample data and does not require any account or email access.

3. Data we collect

We collect only what is necessary to deliver the App’s features. Categories below correspond to the Apple App Store Privacy Nutrition Label.

3.1 Information you provide

  • Google account identifier and email address — only when you tap “Add Account” and complete Google Sign-In. We receive your Google account’s email address and an OAuth access token to read your inbox.
  • Manual expenses you create — amount, description, and category for any expense you add by hand.
  • Budgets you create — monthly budget amounts you set per category.
  • Preferences — settings such as notification preferences, sync preferences, and the categories you have configured for “Self Transfer” classification.
  • Apple ID identifier (only if you tap “Sign in with Apple” on iOS) — a stable opaque identifier generated by Apple when you sign in. We store it on your device only and use it to recognise your TrackSpends account across app launches. Optionally, your name and email address if you choose to share them during sign-in (Apple lets you hide your real email behind a private relay address). None of this is transmitted to a Primakor server (we do not operate one). You can revoke this credential and delete the associated account at any time via Settings → Account → “Delete TrackSpends account”.

3.2 Information accessed via Gmail

When you grant Gmail access, the App reads transactional email metadata and content on-device to extract expense details. Specifically:

  • Email subject lines
  • Email sender addresses
  • The text body of emails identified as transactional (e.g., bank statements, payment receipts)
  • Email IDs and thread IDs (used internally to avoid re-processing the same email)

We use the read-only Gmail scope (gmail.readonly). We do not send, delete, modify, or organise your emails.

3.3 Information generated on your device

  • Extracted transaction details (merchant, amount, date, category, reasoning)
  • Sync history and timestamps
  • Local app analytics (e.g., last-sync time) — stored locally; not transmitted to us

3.4 What we do NOT collect

  • We do not collect your phone number, postal address, government ID, payment-card numbers, bank-account numbers, or biometric data.
  • We do not collect emails that are not transactional.
  • We do not collect data from any other app, your contacts, your location, your photos, or your device’s microphone/camera.
  • We do not operate analytics, advertising SDKs, or crash-reporting services that transmit personal data off-device.

3.5 Children

The App is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact mayank@primakor.com and we will delete it.

4. How we use your data

We use the data described above to:

  1. Sign you in to your Google account and read transactional emails on your behalf.
  2. Send limited email content (see §5) to OpenAI to categorise expenses and generate semantic embeddings used for de-duplication and similarity search.
  3. Display your expenses, budgets, charts, and insights inside the App.
  4. Save your preferences and categorisation results so the App works offline.
  5. Diagnose and fix bugs you report (only if you contact us with logs you choose to share).

We do not use your data for advertising, profiling for marketing purposes, or selling to third parties.

5. Third-party AI processing (OpenAI)

To categorise your transactions automatically, the App uses OpenAI as a third-party AI processor. This processing only occurs after you tap “I Understand & Agree” on the in-app “Data & Privacy” consent screen shown immediately after you connect your Gmail account.

5.1 What we send to OpenAI

For each transactional email being categorised:

  • The email subject line
  • The email sender address
  • The transaction details extracted from the email body (typically a few lines containing the amount, merchant, and date)

We do not send the full email body, attachments, your contact list, or any data from non-transactional emails.

5.2 What OpenAI does with it

OpenAI processes the request and returns a category (e.g., FOOD, TRAVEL, HEALTH) and a short reasoning string. OpenAI’s Privacy Policy applies to data we send them. Under our API agreement, OpenAI does not use this data to train its models.

5.3 Logging and retention

The App calls OpenAI’s chat-completions endpoint with the API parameter store: false on every request. As a result, the prompts the App sends and the responses OpenAI returns are not retained in Primakor’s OpenAI organisation logs and are not viewable by any Primakor employee, contractor, or API user through the OpenAI dashboard. We have no internal mechanism to retrieve, browse, replay, or audit the content of your categorisation requests after they complete.

Independent of our application-level configuration, OpenAI applies its own retention rules to API traffic. As described in OpenAI’s API Data Controls documentation and Privacy Policy:

  • No training. OpenAI does not use API inputs or outputs to train or improve its models.
  • Up to 30 days for abuse monitoring. OpenAI may retain API inputs and outputs for up to 30 days for the sole purpose of detecting and preventing misuse of the API. After that period the data is deleted, unless OpenAI is legally required to retain it for longer.
  • No routine human access. OpenAI personnel do not review API request or response content in the ordinary course of operating the service; access is limited to investigations of suspected abuse or where required by law.

We do not negotiate, modify, or supplement these OpenAI-side controls beyond what is published in their documentation.

You can revoke consent at any time in Settings → Privacy → Revoke Consent. After revocation:

  • Future syncs will stop sending data to OpenAI.
  • Your existing categorised data on the device is preserved.
  • You can re-grant consent later, which restores AI categorisation for future syncs.

6. Where data is stored

  • On your device. Expenses, budgets, sync history, OpenAI categorisation results, your Apple ID identifier (if you signed in with Apple), and preferences are stored locally in an encrypted SQLite database and the operating system’s preferences store. They never leave your device except as described in §5 and §7.
  • Google’s servers. Your emails remain in Gmail and are governed by Google’s privacy policy.
  • OpenAI’s servers. Only the limited fields described in §5.1, and only after you grant consent.
  • Apple’s servers. If you tap “Sign in with Apple”, your authentication is performed by Apple’s identity service and is governed by Apple’s privacy policy. We receive only the opaque identifier and (optionally, on first sign-in) the name and email you choose to share. We do not transmit any of that to a Primakor server.
  • Our servers. We do not operate any application backend for TrackSpends. We do not receive, store, or process your expenses, emails, or account data on our servers.

7. Sharing and disclosure

We share data only as follows:

  • With OpenAI, for AI categorisation, after your explicit in-app consent (see §5).
  • With Google, indirectly, through your authenticated Gmail API requests (Google is the source, not the recipient of your expense data).
  • With Apple, indirectly, when you choose Sign in with Apple. Apple authenticates you and returns an identifier; we do not transmit any expense data, emails, or other personal information to Apple.
  • As required by law — if compelled by a valid Indian legal order, court process, or government request, we may produce whatever limited data we hold (which, for most users, is none beyond support correspondence).
  • In a business transition — if Primakor is acquired or merges with another entity, this Policy will continue to apply, and you will be notified of any material change.

We do not sell your personal data, share it with advertisers or data brokers, or use it for cross-context behavioural advertising.

8. Data retention

  • On your device: data is retained until you clear it via Settings → Clear All Data, delete your TrackSpends account via Settings → Account → Delete TrackSpends account, uninstall the App, or reset your device.
  • In transit to OpenAI: the request payload is held only for the duration of the API call and per OpenAI’s retention controls described in their policy.
  • In support correspondence: if you email us, we retain the email for up to 24 months for reference.

9. Your rights

Under DPDPA 2023, the IT Rules, and other applicable laws, you have the right to:

  • Access the personal data we hold about you.
  • Correction of inaccurate or incomplete personal data.
  • Erasure — delete all on-device data via Settings → Clear All Data; if you signed in with Apple, also delete your TrackSpends account and revoke the Apple credential via Settings → Account → Delete TrackSpends account. Contact us to delete any support correspondence.
  • Withdraw consent for AI processing at any time via Settings → Privacy → Revoke Consent.
  • Disconnect Google by removing the Gmail account from Settings → Connected Gmail Accounts and revoking the App’s access at https://myaccount.google.com/permissions.
  • Disconnect Apple by signing out from Settings → Account → Sign out, or by removing TrackSpends under iOS Settings → Apple ID → Sign-In & Security → Apps Using Apple ID.
  • Grievance redressal — contact our Grievance Officer named in §13 below.

To exercise any right, email mayank@primakor.com with the subject line “Privacy Request — TrackSpends”. We will respond within 30 days.

10. Security

  • All in-app database storage uses platform-encrypted storage (iOS Data Protection / Android Keystore-protected).
  • All network calls (Gmail API, OpenAI API, Apple authentication) use HTTPS/TLS.
  • OAuth tokens and Apple ID credentials are stored in the operating system’s secure keychain.
  • We do not log or store your OAuth tokens, Apple ID identifier, email content, or transaction text on any Primakor server.

No method of electronic storage is 100% secure. Despite our reasonable safeguards, we cannot guarantee absolute security.

11. International transfers

OpenAI, Google, and Apple operate servers outside India. By granting consent on the in-app screen, by using the Gmail integration, or by using Sign in with Apple, you understand that limited data described above will be processed on infrastructure outside India under those providers’ standard contractual safeguards.

12. Google API Services User Data Policy disclosure

TrackSpends’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Gmail data only to provide the App’s expense-tracking features visible to you.
  • We do not transfer Gmail data to third parties except (a) OpenAI, only as necessary to provide the categorisation feature you have explicitly consented to, and (b) where required for legal or security purposes.
  • We do not use Gmail data for advertising.
  • Humans do not read your Gmail data, except (i) with your explicit consent for support, (ii) for security investigations, or (iii) where required by law.

You can review and revoke the App’s access at https://myaccount.google.com/permissions.

13. Grievance Officer (India)

In accordance with the IT Rules, the Grievance Officer for TrackSpends is:

Name: Mayank Gupta Email: mayank@primakor.com Address: Primakor Ventures Private Limited, India Response timeline: Acknowledgement within 48 hours; resolution within 15 days.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected in an updated “Effective date” at the top and, where appropriate, communicated via an in-app notice before they take effect. Continued use of the App after the new effective date constitutes acceptance.

15. Contact

Questions, concerns, or requests: mayank@primakor.com

Primakor Ventures Private Limited India