Privacy Policy

MARK (Money App Re-invented, Kinda)

Effective Date: February 12, 2026

Last Updated: February 12, 2026

1. Introduction

Welcome to MARK (Money App Re-invented, Kinda), a voice-enabled expense tracking application for mobile devices. This privacy policy describes how we collect, use, store, and protect your personal data.

Service Provider: Chinmoy Dutta (Individual Developer)
Contact Email: dattatechom@gmail.com
Jurisdiction: India
Compliance: Digital Personal Data Protection Act (DPDP Act), 2023

By using MARK, you consent to the processing of your personal data as described in this Privacy Policy. This policy applies to all users who download and use the MARK mobile application.

Important Note: MARK follows a local-first, privacy-preserving architecture. Your financial data is stored primarily on your device and never transmitted to our servers. Optional cloud backup is fully under your control via your personal Google Drive.

2. Information We Collect

We collect only the minimum information necessary to provide our expense tracking services. Here's a comprehensive breakdown:

A. Account Information

What We Collect:

Email address (from Google Sign-In)
Display name
Profile photo URL
Firebase Authentication UID (unique identifier)

Purpose: User authentication, identification, and account management.

Storage: Managed by Firebase Authentication (Google LLC).

Legal Basis: Consent (required for creating an account).

B. Financial Data (Local-First Storage)

What We Collect:

Expense and income transactions (amount, currency, date, time)
Categories, merchants, tags, and descriptions
Budget settings and recurring transaction rules
Debt tracking information (borrowed/lent amounts)
ML classification metadata (confidence scores, classification sources)
Raw voice transcription text (when using voice input)

Storage:

Primary: Encrypted SQLite database on your device
Backup (Optional): Your personal Google Drive (user-controlled, requires explicit consent)

Purpose: Core expense tracking functionality, analytics, budgeting, and reporting.

Legal Basis: Consent (necessary for providing the service).

Important: We DO NOT store your financial data on our servers. It remains on your device or your personal cloud storage only.

C. Voice Recordings

What We Collect: Temporary audio recordings when you use voice input for expense logging.

Processing Methods:

Offline Mode (Default):
- Audio processed entirely on-device using Whisper model
- No data leaves your device
- Deleted immediately after transcription
Online Mode (Opt-in):
- Audio sent to Google Gemini API via Firebase Cloud Function
- Processed on Google's servers in Asia region (Mumbai/Delhi/Singapore)
- Deleted immediately after API response (typically within 1-2 seconds)
- Data Locality: Your voice data is processed in India or nearby Asian data centers, never leaving the region

Retention: Deleted immediately after transcription completes. We do NOT store voice recordings permanently.

Purpose: Voice-to-text conversion for expense logging.

Legal Basis: Explicit consent (you choose offline or online mode).

D. Device Information

What We Collect:

Device model and type
Battery status (for animation optimization)
Network connectivity status (Wi-Fi, mobile data, offline)
Operating system version

Purpose: App optimization, selecting appropriate ML models, enabling/disabling battery-intensive features.

Legal Basis: Legitimate interest (necessary for app functionality).

E. Advertising Data (Google AdMob)

What We Collect:

Google Advertising ID
Ad interaction events (views, clicks, completions)
IP address (collected by Google AdMob)

Managed By: Google LLC (AdMob service)

Purpose: Serving rewarded video ads that allow you to earn credits for premium features.

Legal Basis: Consent (you choose to watch ads to earn credits).

Privacy Policy: Google Privacy Policy

F. Push Notification Tokens

What We Collect: Firebase Cloud Messaging (FCM) device tokens.

Purpose: Sending push notifications for trial reminders and important updates.

Storage: Managed by Firebase Messaging (Google LLC).

Legal Basis: Consent (you can disable notifications in device settings).

3. How We Use Your Information

We use the collected information for the following purposes:

Authentication: Verify your identity and manage your account using Firebase Auth
Core Functionality: Store, organize, and analyze your financial transactions
Voice Processing: Convert voice commands into expense entries
Analytics: Generate spending insights, monthly reports, and budget tracking
Notifications: Send trial reminders and important app updates
Monetization: Display rewarded video ads (AdMob) to earn credits
App Optimization: Select appropriate ML models and optimize battery usage based on device capabilities
Backup & Sync: Optional backup to your personal Google Drive (requires explicit consent)

We DO NOT:

Sell your personal data to third parties
Use your financial data for targeted advertising
Share your data with data brokers
Store your financial data on our servers
Track your location

4. Legal Basis for Processing (DPDP Act 2023)

Under India's Digital Personal Data Protection Act (DPDP Act), 2023, we process your personal data based on the following legal grounds:

Data Type	Legal Basis	Description
Account Information	Consent	Required for account creation and authentication
Financial Data	Consent	Necessary to provide expense tracking service
Voice Recordings	Explicit Consent	You choose offline or online voice processing mode
Device Information	Legitimate Interest	Necessary for app functionality and optimization
Advertising Data	Consent	You choose to watch ads to earn credits
FCM Tokens	Consent	Can be disabled in device settings

Consent Management: You can withdraw consent at any time by:

Disabling voice features (Settings → Voice)
Disabling notifications (Device Settings → Notifications)
Deleting Google Drive backup (Settings → Backup)
Deleting your account (Settings → Account → Delete Account)
Uninstalling the app (complete data removal from device)

5. Data Storage & Security

We take data security seriously and implement industry-standard measures to protect your information.

Storage Architecture

Local-First: Your financial data is primarily stored on your device using encrypted SQLite database (Drift ORM)
Optional Cloud Backup: You can enable backup to your personal Google Drive (fully user-controlled)
Firebase Services: Only used for authentication and push notifications (no financial data stored)

Security Measures

Encryption at Rest: SQLite database encrypted using industry-standard algorithms
Encryption in Transit: All network communications use HTTPS/TLS encryption
Access Controls: Only authenticated users can access their own data
Data Isolation: Each user's data is completely isolated from other users
Secure Authentication: Firebase Authentication with Google Sign-In (OAuth 2.0)
No Server-Side Storage: We don't maintain centralized servers with user financial data

Data Location

Financial Data: Your device (and optionally, your Google Drive)
Authentication: Firebase servers (Asia-South1 region - Mumbai, India)
Voice Processing (Online Mode): Google Gemini servers in Asia region (Mumbai/Delhi/Singapore)
Cloud Functions: Firebase Cloud Functions (Asia-South1 / Mumbai region)

Important: While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the security of your device and Google account credentials.

6. Third-Party Services

MARK integrates with the following third-party services. Each service has its own privacy policy that governs how they handle your data:

Service	Purpose	Data Shared	Location	Privacy Policy
Firebase Authentication	User authentication	Email, name, photo, UID	Asia-South1 (Mumbai)	Firebase Privacy
Google Gemini API	Voice transcription (online mode)	Audio recordings (temporary)	Asia region (Mumbai/Singapore)	Google Privacy
Google Drive API	Optional backup	Financial data (user-controlled)	User's Google account region	Google Privacy
Google AdMob	Rewarded video ads	Ad ID, IP address, interactions	Multi-region (optimized for Asia)	AdMob Privacy
Firebase Messaging	Push notifications	FCM token, device info	Asia-South1 (Mumbai)	Firebase Privacy
Firebase Cloud Functions	API proxy (no data storage)	Request data (not stored)	Asia-South1 (Mumbai)	Firebase Privacy
Google Sign-In	OAuth authentication	Email, name, photo	Asia-South1 (Mumbai)	Google Privacy

Data Locality for Indian Users: For users in India, all voice transcription using online mode is processed in Google's Asia region data centers (Mumbai, Delhi, or Singapore). Your audio data does not leave Asia, ensuring compliance with data residency preferences. You can still opt for offline mode to process all voice data entirely on your device without any network transfer.

We are not responsible for the privacy practices of third-party services. Please review their privacy policies independently.

7. Your Rights (Data Principal Rights - DPDP Act 2023)

Under India's Digital Personal Data Protection Act (DPDP Act), 2023, you have the following rights regarding your personal data:

Right to Access

What it means: You can request a copy of all personal data we hold about you.

How to exercise: Settings → Export Data → CSV Export. This generates a machine-readable CSV file with all your expenses, income, budgets, and metadata.

Right to Correction

What it means: You can correct inaccurate or incomplete personal data.

How to exercise: Edit transactions, categories, budgets directly within the app. Changes are saved immediately.

Right to Erasure

What it means: You can request deletion of your personal data.

How to exercise:

In-App Deletion (Fastest): Settings → Account → Delete Account (irreversible, immediate)
Web-Based Request: Fill out our Data Deletion Request Form
Email Request: Contact dattatechom@gmail.com with subject "Data Deletion Request"

What gets deleted:

Your Firebase Authentication account
All local database records on your device
Google Drive backup (if enabled)
All associated metadata and transaction history

⚠️ Important: Account deletion is permanent and irreversible. Export your data first if you want to keep records. Learn more about data deletion →

Right to Data Portability

What it means: You can export your data in a machine-readable format.

How to exercise: Settings → Export Data → CSV Export. The CSV file can be imported into other apps or spreadsheets.

Right to Withdraw Consent

What it means: You can withdraw consent for data processing at any time.

How to exercise:

Voice Features: Settings → Voice → Disable Voice Input
Push Notifications: Device Settings → Apps → MARK → Notifications → Disable
Google Drive Backup: Settings → Backup → Disable Auto-Backup / Delete Backup
AdMob: Don't watch ads (credits won't be earned)
Complete Withdrawal: Delete your account (Settings → Account → Delete Account)

Right to Grievance Redressal

What it means: You can file a complaint if you believe your data rights have been violated.

How to exercise: Contact our Grievance Redressal Officer at dattatechom@gmail.com (see Section 12 for details).

Right to Nominate

What it means: You can nominate another individual to exercise your rights in the event of death or incapacity (as per DPDP Act).

How to exercise: Contact us at dattatechom@gmail.com to register a nominee.

Response Time: We will respond to your rights requests within 48 hours and resolve issues within 7 business days, as required by the DPDP Act.

8. Data Retention & Deletion

Retention Periods

Data Type	Retention Period	Reason
Account Data	While account is active	Required for authentication
Financial Data	While account is active	Core app functionality
Voice Recordings	< 1 minute (immediate deletion)	Only needed for transcription
FCM Tokens	60 days (auto-refresh)	Push notification infrastructure
Device Information	Session duration only	Not stored persistently
AdMob Data	Managed by Google	Subject to Google's policies

Inactive Account Policy (DPDP Act Requirement)

As required by the DPDP Act, we cannot store personal data for more than 1 year of user inactivity:

Inactivity Threshold: 365 days without opening the app
Warning Notice: You'll receive an email notification that your account will be deleted in 48 hours
Grace Period: 48 hours to log in and prevent deletion
Automatic Deletion: If no action taken, all data is permanently deleted

Account Deletion Process

When you delete your account (Settings → Account → Delete Account):

Confirmation Dialog: You must confirm the irreversible action
Immediate Deletion: All data is deleted instantly, including:
- Firebase Authentication account
- Local SQLite database
- Google Drive backup files (if enabled)
- FCM tokens (invalidated)
- All transaction history and metadata
Confirmation Email: You'll receive an email confirming account deletion
No Recovery: Deleted data cannot be recovered

Exceptions (Legal Requirements)

In rare cases, we may be legally required to retain certain data:

Tax Compliance: If requested by Indian tax authorities (Income Tax Department)
Law Enforcement: If ordered by a court or law enforcement agency
Dispute Resolution: If data is subject to ongoing legal proceedings

In such cases, only the minimum necessary data will be retained, and you will be notified if legally permissible.

9. Children's Privacy

Age Requirement

MARK is intended for users 18 years or older. We do not knowingly collect personal data from individuals under 18 years of age.

Why 18 Years?

India's DPDP Act sets the age of consent for data processing at 18 years (not 13 as in some other jurisdictions)
Financial apps require legal capacity to enter contracts
Expense tracking involves managing personal finances, which is typically an adult activity

Parental Notice

If you are a parent or guardian and believe your child under 18 has provided personal data to MARK:

Contact us immediately at dattatechom@gmail.com
Provide the child's email address (if known)
We will delete the account and all associated data within 48 hours of verification

Verification

We do not currently implement age verification mechanisms at registration. Users are expected to comply with the 18+ age requirement. Future versions may include age verification for enhanced compliance.

10. International Users

While MARK is primarily designed for Indian users and complies with India's DPDP Act 2023, we also respect the privacy rights of users in other jurisdictions.

For Users in the European Union (GDPR)

If you are located in the EU, you have additional rights under the General Data Protection Regulation (GDPR):

Right to Object: You can object to data processing based on legitimate interests
Right to Restrict Processing: You can request temporary restriction of processing
Right to Lodge a Complaint: You can file a complaint with your local Data Protection Authority
Data Controller: Chinmoy Dutta is the data controller for EU users
Legal Basis: Consent and legitimate interest (app functionality)

For Users in California (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Right to Know: Request disclosure of personal information collected (Settings → Export Data)
Right to Delete: Request deletion of personal information (Settings → Delete Account)
Right to Opt-Out: We do not sell personal information, so opt-out is not applicable
Non-Discrimination: We will not discriminate against you for exercising your rights

Data Transfers

Your data processing locations depend on your geographic location and selected features:

Indian Users: All data processed in India (Mumbai) or nearby Asian data centers (Delhi, Singapore)
Firebase Services: Asia-South1 region (Mumbai, India) for authentication, messaging, and cloud functions
Google Gemini (Online Mode): Asia region (Mumbai/Singapore) for Indian users; regional processing for international users
Your Google Drive: Depends on your Google account settings (typically your account's home region)

No Trans-Border Data Transfers for Indian Users: If you are located in India and use online voice features, your audio data is processed entirely within Asia. We do not transfer Indian user data to US or European servers.

These regional processing arrangements ensure faster performance and data residency compliance. By using MARK, you consent to these processing locations.

11. Changes to Privacy Policy

How We Update This Policy

We may update this Privacy Policy from time to time to reflect:

Changes in our data practices
New features or services
Legal or regulatory requirements
User feedback and best practices

Notification of Changes

When we make material changes to this Privacy Policy, we will notify you through:

In-App Notification: A banner or dialog in the app highlighting changes
Email: Notification to your registered email address
This Page: Updated "Last Updated" date at the top of this page

Your Continued Use

By continuing to use MARK after changes to this Privacy Policy, you accept the updated terms. If you do not agree with the changes, you may delete your account.

Material Changes Requiring Consent

If changes involve new data collection or processing that requires consent (under DPDP Act), we will explicitly ask for your consent before implementing such changes. You can decline consent, though this may limit certain features.

Version History

Current Version: 1.0 (February 12, 2026)

12. Grievance Redressal Officer (DPDP Act Requirement)

As required by India's Digital Personal Data Protection Act (DPDP Act), 2023, we have appointed a Grievance Redressal Officer to address your data privacy concerns.

Grievance Officer Details

Name: Chinmoy Dutta
Email: dattatechom@gmail.com
Response Time: Within 48 hours of receiving complaint
Resolution Time: Within 7 business days

How to File a Complaint

Email Us: Send an email to dattatechom@gmail.com with:
- Your registered email address
- Subject line: "Privacy Complaint - [Brief Description]"
- Detailed description of the issue
- Supporting documents (if any)
Acknowledgment: You'll receive an acknowledgment email within 48 hours with a ticket number
Investigation: We will investigate your complaint thoroughly
Resolution: You'll receive a resolution within 7 business days

Types of Complaints We Handle

Unauthorized data access or breach
Inability to exercise data rights (access, deletion, correction)
Concerns about data processing practices
Questions about consent management
Third-party data sharing concerns
General privacy policy questions

Escalation

If you are not satisfied with our resolution, you have the right to escalate your complaint to:

Data Protection Board of India
Website: https://dpb.gov.in (when operational)
Note: The Data Protection Board of India is expected to be fully operational by May 2027.

13. Contact Us

If you have any questions, concerns, or feedback about this Privacy Policy or our data practices, please contact us:

Developer Contact

Name: Chinmoy Dutta
Email: dattatechom@gmail.com
Response Time: Within 48 hours

What You Can Contact Us About

Privacy policy questions or clarifications
Exercising your data rights (access, deletion, correction)
Data security concerns
Account deletion requests
Consent management questions
Third-party service concerns
Feedback on our privacy practices
Reporting a data breach or security vulnerability

Support

For general app support (not privacy-related), please also email dattatechom@gmail.com with "Support Request" in the subject line.

Security Vulnerability Reporting

If you discover a security vulnerability in MARK, please report it responsibly:

Email: dattatechom@gmail.com with subject "SECURITY VULNERABILITY"
Do not publicly disclose the vulnerability until we've had a chance to address it
We will respond within 48 hours and work to resolve critical issues promptly