Privacy Policy
Short version: UPI Tracker is built by Ascentspark Software Pvt. Ltd. We don't have your bank login and we never see your balance. Your transactions and receipts are parsed on your device by default. If - and only if - you switch on optional cloud backup, your data is synced in encrypted form so you can restore it on a new phone; otherwise nothing leaves your device. We don't sell your data and we don't run ads on it.
1. Who we are
UPI Tracker is owned and operated by Ascentspark Software Pvt. Ltd. ("Ascentspark", "we", "us", "our"), a company incorporated in India with its registered office in Kolkata, West Bengal. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), Ascentspark is the Data Fiduciary and you are the Data Principal.
For general queries write to info@ascentspark.com; for support or technical difficulties write to support@ascentspark.com; for privacy and data-protection matters write to our Grievance Officer at grievance@ascentspark.com (see Section 15).
2. Scope of this Policy
This Policy describes how we handle personal data in connection with the UPI Tracker mobile application (the "App") and this website (upitracker.com). It applies whether you use the App fully on-device or choose to enable the optional cloud features described in Section 4.
3. Data we process - and where
3.1 On your device by default
The following is processed on your device and, unless you enable cloud backup, never transmitted to us:
- Transaction details parsed from bank SMS - amount, date, time, merchant or VPA, masked account tail, UTR.
- Receipts you scan or pick from your gallery, and the OCR output (amount, merchant, date, narration).
- Categories, narrations, rules, and budgets you create.
- Saved merchants and pinned items.
- Mandate metadata observed in SMS or notifications (debit amount, cadence, next-debit date).
- Your language preference, theme preference, and app PIN.
3.2 Account data (only if you create an account)
Cloud backup and multi-device sync require a lightweight account. If you create one, we process the identifier you sign up with (such as an email address) and basic, non-financial settings needed to run the service. You can use the App without an account, fully on-device.
3.3 What we never process
- Bank usernames, passwords, OTPs, or net-banking credentials.
- Your account balance or full account number (we only ever see the masked tail in an SMS).
- The contents of your SMS inbox, beyond messages identified as bank or UPI transaction notices.
- Your contacts, precise location, or microphone.
4. Optional cloud backup & sync
Cloud backup and sync are off by default and entirely your choice. When you turn them on from Profile → Privacy & Security, a copy of the data you choose to back up is uploaded to our cloud infrastructure so you can restore it or use the App across devices.
- Encryption. Backed-up data is encrypted in transit (TLS) and at rest on our infrastructure.
- Control. You can turn sync off, delete your cloud backup, or delete your account at any time. Doing so removes the server-side copy.
- No backup, no upload. If you never enable it, no transaction, receipt, narration, or mandate data is sent to us at all.
You can also export your data to CSV or JSON from Profile → Privacy & Security → Export your data. The export is generated on your device and shared via your phone's standard share sheet - we never see it.
5. Sources of data
- You, when you add expenses, write narrations, edit categories, set budgets, scan receipts, create rules, or sign up for cloud backup.
- Your device, which makes bank SMS available to the App via OS permissions you grant.
- Your camera or gallery, when you choose to scan or import a receipt.
- App stores (Apple App Store, Google Play), for install events and store-side anonymous metrics, governed by their own policies.
6. Purposes & lawful basis
Under the DPDP Act, we process personal data on the following bases:
- Your consent - for camera, SMS, photos, notifications, optional cloud backup, and optional anonymous diagnostics. You may withdraw consent at any time.
- Performance of the service you requested - the minimum data needed to deliver the features you use, including running cloud backup once you enable it.
- Legal compliance - where applicable law requires us to retain or disclose data.
7. Sharing & sub-processors
We do not sell your data, share it with advertisers, or share it with banks, lenders, insurers, brokers, or aggregators. We engage a small number of sub-processors strictly to operate the service, each under a data-processing agreement:
- App stores (Apple, Google) - handle all payments and subscriptions. We do not process card details ourselves.
- Cloud infrastructure providers - host the optional cloud backup/sync, on a need-to-operate basis. Relevant only if you enable cloud backup.
- Crash & diagnostics providers - process anonymous, opt-in crash and usage reports that never include transaction data, merchant data, narration text, receipt images, OCR output, or SMS content.
We may also disclose data where required by a valid order from a court or authorised government agency in India, after reviewing the request for validity.
8. Retention
Data on your device is retained for as long as the App is installed; uninstalling deletes it. If you enable cloud backup, your server-side copy is retained until you delete the backup or your account, after which it is deleted within a reasonable period from active systems and shortly thereafter from backups. Anonymous diagnostic events, if you opt in, are retained in aggregate for up to 13 months.
9. Your rights under the DPDP Act
As a Data Principal, you have the right to:
- Access a summary of the personal data we hold about you.
- Correct, complete, or update your data, or request that we erase it.
- Withdraw consent for any optional processing at any time, with effect from withdrawal.
- Grievance redressal - raise a complaint with our Grievance Officer (Section 15). If unresolved, you may approach the Data Protection Board of India.
- Nominate another individual to exercise your rights in the event of your death or incapacity.
10. Security
On your device, data is stored in encrypted app storage protected by your device's OS sandbox and, optionally, an app PIN or biometric unlock (Face ID / Touch ID / fingerprint). Optional cloud backups are encrypted in transit (TLS) and at rest. We apply access controls, least-privilege practices, and regular review to our infrastructure. No system is perfectly secure, but if you never enable cloud backup there is no server-side copy of your financial data to breach.
11. International users
UPI Tracker is built for India and the UPI network. If you access the App or website from outside India, you do so on your own initiative. As a courtesy to all users - including those in the EU/UK or California - we honour the core rights to access, correction, and deletion of your data; contact our Grievance Officer to exercise them. Where you are protected by GDPR or CCPA/CPRA and those laws apply, we will give effect to the rights they grant.
12. Cookies on this website
This marketing website uses only a single first-party preference cookie (upi.theme) to remember whether you prefer the light or dark theme, plus your language choice. We do not run third-party trackers, advertising pixels, or session-replay tools on this site.
13. Children
UPI Tracker is not intended for children under 18. We do not knowingly collect data from anyone under that age. If you believe a child has provided data to us, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to you in-app and via email if we have one on file. The "Last updated" date above always reflects the current version.
15. How to reach us
General: info@ascentspark.com
Support / technical: support@ascentspark.com
Grievance Officer (privacy & data protection): grievance@ascentspark.com
Ascentspark Software Pvt. Ltd.
Kolkata, West Bengal, India