Privacy Policy

Your data, your terms.

Effective: 26 April 2026 · Last updated: 26 April 2026

1. Overview

Spendkar (“we”, “our”, “us”) is operated by Nexbit Global Technologies. This Privacy Policy explains what information we collect when you use the Spendkar mobile application, marketing website, and supporting services (collectively, the “Service”), how we use it, and the rights you have over it.

By using the Service you agree to this policy. If you don't, please don't use the Service. We comply with India's Digital Personal Data Protection Act, 2023 (DPDP) and applicable IT Rules.

2. Information we collect

We collect only what we need to make the product work:

  • Account info: email address, password (hashed), authentication tokens.
  • Profile (optional): display name, phone number, profile picture, UPI handle.
  • Bank-account metadata: bank name, account type, last 4 digits of account number, account nickname.
  • Transactions: amount, date, type, category, merchant name, description, transaction reference. These are entered by you, parsed from an SMS you paste, or extracted from a statement PDF you upload.
  • Closing balances: as derived from imported statements.
  • Device & log data: device model, OS version, app version, IP address (truncated), crash logs. Used solely for debugging.

3. What we never collect

We will never collect or store any of the following:

  • PDF statement files — they are processed in memory and deleted; only the parsed transactions are kept.
  • PDF passwords — used at parse time only, never persisted.
  • Full account numbers, IFSC codes, PAN, or Aadhaar numbers.
  • Bank login credentials. Spendkar does not connect to any bank API on your behalf.
  • Card numbers (full or partial), CVVs, expiries, or OTPs.
  • Biometric data, contacts, photos (other than the profile picture you choose), SMS inbox, location, or call history.
  • Behavioural tracker data — no Google Analytics, no Meta SDK, no Mixpanel, no Hotjar.

4. How we use information

Your information is used strictly to power the features you see:

  • Showing dashboards, analytics, charts, budgets, and predictions calculated from your transactions.
  • Categorising transactions and detecting duplicates via UPI reference IDs.
  • Sending account-related emails (sign-in, password reset, security alerts).
  • Diagnosing crashes and product issues.
  • Complying with legal obligations when validly required.

We do not sell your data, share it for advertising, profile you for outside purposes, or use your transactions to train third-party AI models.

5. Sharing & disclosure

We do not sell, rent, or trade your personal information. We share information only in these limited cases:

  • Infrastructure providers — cloud hosting, transactional email, error monitoring. They process data on our instructions only and cannot use it independently.
  • Legal compliance — when required by a valid order from an Indian authority of competent jurisdiction.
  • Business transfers — in the unlikely event of a merger or acquisition, your data would transfer under terms at least as protective as this policy.

6. Retention & deletion

We retain your data only as long as your account exists. When you delete your account from within the app, all your personal data — transactions, accounts, budgets, profile — is permanently removed from our active database within 30 days, and from encrypted backups within a further 60 days.

Anonymised, aggregated metrics that cannot identify you (e.g., total transactions processed across all users) may be kept indefinitely for product analytics.

7. Security

  • All traffic is over HTTPS with TLS 1.2 or higher.
  • Passwords are hashed with bcrypt; we never see the plaintext.
  • Authentication uses short-lived JWT tokens.
  • The database is isolated per-user — no client request can read another user’s data.
  • Access to production systems is restricted to a small set of engineers, audited and 2FA-protected.
  • We follow industry-standard hardening and dependency scanning.

No system is 100% secure. If you suspect a breach, please email us immediately.

8. Your rights (DPDP Act 2023)

Under the DPDP Act 2023 you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correct — fix any inaccuracy directly in the app, or by emailing us.
  • Erase — delete your account and all associated data, any time, from within the app (Settings → Delete account).
  • Withdraw consent — for any processing that depends on it.
  • Grievance — escalate any concern to our grievance officer (contact below).

We will respond to verified requests within 30 days.

9. Children’s privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, please email us and we will delete it.

10. International transfers

Your data is processed and stored on infrastructure located in India. We do not transfer personal data outside India for processing. If we ever need to, we will update this policy and obtain explicit consent where the law requires it.

11. Changes to this policy

We may update this policy as the product evolves. The “Last updated” date at the top of this page reflects the most recent change. For material changes, we will notify you in-app or by email at least 14 days before the change takes effect.

12. Contact & grievance officer

For any privacy question, request, or grievance, contact:

Grievance officer
support@spendkar.com

Address: Nexbit Global Technologies, India. We respond within 48 hours on working days.

© 2026 Nexbit Global Technologies · This policy was last reviewed on 26 April 2026.