Vento ("we," "our," or "us") is built on a fundamental belief: your financial data belongs to you. This document explains exactly what data we collect, what stays on your device, and why — with full transparency.

Our Core Architecture

Vento follows a "local-first" architecture. All your financial data — transactions, budgets, goals, categories, accounts, subscriptions — is stored in a local SQLite database on your device. Our servers handle only authentication, subscription management, and feature limit enforcement. We architecturally cannot see your expenses, income, or financial activity.


1. Data Stored Locally on Your Device

The following data is stored only on your device in a SQLite database and MMKV key-value store. We never transmit, access, or process this data:

Data | What It Includes | Why
Transactions | Amount, type, category, description, date, tags, account, recurring flag | Core expense/income tracking
Accounts | Name, type (bank/cash/credit/wallet/investment), balance, currency, color, icon | Financial container management
Budgets | Name, category IDs, amount limit, period (weekly/monthly/yearly), spent amount, alerts | Spending limit tracking
Goals | Name, target amount, current amount, monthly intent, target date, status | Savings goal progress
Categories & Tags | Custom category names, colors, icons, tag labels | Organize your spending
Subscriptions | Service name, amount, billing cycle, next due date, reminder preferences | Recurring bill tracking
Preferences | Currency, date format, theme, language, notification settings, financial month start | App personalization

All analytics computations (monthly totals, category breakdowns, spending trends, heatmaps) are performed entirely on your device. No financial data ever leaves your phone unless you explicitly enable cloud backup.


2. Data Stored on Our Servers

We store the minimum data necessary to provide authentication, manage subscriptions, and enforce feature limits. Here is exactly what our servers hold:

2.1 Authentication Data

What we receive from Google/Apple Sign-In:

  • User ID (UUID) — a unique identifier assigned by our system
  • Email address — from your Google or Apple account
  • Display name — from Google (full name) or Apple (first + last name, if you share it)
  • Avatar URL — profile picture URL from Google (Apple does not provide one)
  • Provider metadata — OAuth provider information (e.g., provider name, sign-in method)
  • Created at / Last sign-in at — timestamps for account lifecycle

Why: To authenticate your identity, associate your device with your account, and restore premium status across device changes. We do not store passwords — authentication is delegated entirely to Google or Apple.

2.2 Subscription & Purchase Data

  • Product ID & tier — which plan you purchased (monthly, yearly, lifetime)
  • Provider transaction ID — from Apple, Google Play, or Dodo Payments
  • Purchase token — Google Play's stable subscription identifier (used for renewal tracking)
  • Status — active, expired, cancelled, or grace period
  • Price & currency — amount paid
  • Purchase date, expiry date
  • Receipt data — the full purchase receipt from Apple/Google (used for server-side verification)

Why: To verify that your purchase is legitimate, grant you premium access, handle renewals, and prevent fraud. We never see your credit card or banking details — those are handled entirely by Apple, Google, or Dodo Payments.

2.3 Feature Usage Counts

  • Feature name (e.g., "accounts", "active_budgets", "custom_tags")
  • Usage count — how many of each feature you've created

Why: Free-tier users have limits (e.g., 3 accounts, 1 budget, 3 goals). We enforce these server-side to prevent bypassing. These counts contain no content — only numbers (e.g., "this user has 2 accounts"). We cannot see account names, balances, or any details.

2.4 Subscription Event Log

  • Event type — purchase completed, subscription renewed, cancelled, expired, refunded
  • Provider — Apple, Google, or Dodo
  • Timestamp
  • Provider event ID

Why: An audit trail to resolve billing disputes, process refunds, and debug subscription issues. This log is retained for financial compliance even if your account is deleted; in that case its user_id field is set to null.


3. Data We Never Collect

To be unambiguously clear, our servers never receive, store, or process:

  • Your expense or income amounts
  • Merchant or payee names
  • Account balances or names
  • Budget amounts or category details
  • Goal names or savings progress
  • Transaction descriptions or notes
  • Your Google Drive backup data
  • Location or GPS data
  • Contacts, photos, or files
  • Credit card or bank credentials

We do not use invasive analytics. Vento does not use Google Analytics, Mixpanel, Segment, Amplitude, Facebook SDK, or any advertising SDKs. Firebase Analytics is explicitly disabled in our configuration. We do not collect screen recordings, tap events, keystrokes, or any personally identifiable usage data.

We use PostHog solely for anonymous, aggregated product analytics — such as app opens and subscription events — to understand install trends and improve the product. PostHog runs in anonymous mode: no personal identifiers, no user profiles, no behavioral tracking. You cannot be identified from this data.


4. Anonymous Product Analytics

To understand basic product health (install trends, retention, subscription events), we use PostHog in anonymous mode. Here is exactly what this means:

  • App opened (anonymous count only)
  • Subscription created / cancelled (anonymous)
  • No user profiles or identifiers
  • No screen recordings or tap events
  • No personal data or financial data sent
  • No behavioral tracking or session replay

PostHog receives only anonymous, aggregated event counts. You cannot be individually identified from this data. This helps us understand how many people use Vento and where we're losing users, so we can build a better product.


5. Third-Party Services

We use a limited set of third-party services, each for a specific purpose. Here's exactly who they are and what data they receive:

Service | Data They Receive | Purpose
Supabase | Email, name, user ID, OAuth metadata, subscription records, feature usage counts | Authentication database & backend infrastructure
Google Sign-In | OAuth ID token (your Google email, name, profile picture) | Account sign-in on Android & iOS
Apple Sign-In | OAuth ID token (email, optional name) | Account sign-in on iOS
Google Play | Purchase tokens, subscription IDs, payment status | Android in-app purchase verification
Apple App Store | Transaction IDs, receipts, subscription status | iOS in-app purchase verification
Dodo Payments | User ID (in metadata), email, product ID, payment status, amount | Web-based subscription payment processing
Sentry | Crash stack traces, device model, OS version, app version | Crash reporting & error monitoring
PostHog | Anonymous event counts (app opens, subscription events); no user IDs, no PII | Anonymous product analytics (install & retention trends)
Resend | Email address, name, waitlist position | Transactional emails (early access confirmation)
Google Drive | AES-256 encrypted backup file (unreadable without your key) | Optional user-initiated cloud backup

None of these services receive your financial transaction data. Google Drive receives only an encrypted backup file that neither Google nor we can read.


6. Cloud Backup & Sync

Cloud backup is entirely optional and disabled by default. When you enable it:

  • Your financial data is encrypted on your device using AES-256 encryption before upload.
  • The encrypted file is uploaded directly to your personal Google Drive — not to our servers.
  • The encryption key is derived on-device. We never see, store, or transmit the key.
  • We cannot decrypt your backup. Google cannot decrypt your backup. Only your device with your credentials can.
  • You can also export unencrypted JSON or CSV files locally on your device for your own use.

7. Crash Reporting (Sentry)

We use Sentry to monitor app stability. When the app crashes or encounters an error, the following may be sent:

  • Error stack trace — the code path that caused the crash
  • Device information — model (e.g., "iPhone 15"), OS version (e.g., "iOS 18.2"), app version
  • Network errors — failed API call details (URL, status code — no request bodies)
  • Breadcrumbs — navigation events (e.g., "user opened Budget screen") without any financial content

Sentry crash data is retained for 90 days and then automatically deleted. Sentry does not receive your financial data, transaction amounts, or any content you enter into the app.


8. Referral Program & Fraud Prevention

If you participate in our referral program, we collect limited data to prevent abuse:

  • Referral code — a unique code generated for your account (format: K-XXXXXX)
  • Device hash — a one-way, salted SHA-256 hash of your device ID. We cannot recover your actual device ID from this hash.
  • IP address — recorded at the time of referral redemption only
  • Referral status — pending, qualified, or rejected

Why we collect this: To prevent self-referral abuse, multi-account exploitation, and automated fraud. The device hash and IP address are used solely for fraud detection and are not shared with any third party. The device hash is deleted when you delete your account.


9. Early Access Waitlist

If you sign up for early access on our website, we store:

  • Email address (required)
  • Name (optional, if provided)
  • Platform preference (optional — iOS, Android, or both)
  • Referral code — auto-generated for sharing
  • Referred by — if you arrived via someone else's referral link
  • Position — your place in the queue
  • Sign-up timestamp

Why: To manage the waitlist queue, send you an invite when it's your turn, and track referral-based priority. We send exactly one confirmation email via Resend. We do not send marketing emails or share your email with third parties. Early access sign-ups are rate-limited to 5 per email per minute to prevent abuse.


10. App Permissions

Vento requests the following device permissions:

Permission | Platform | Why
Internet | Android & iOS | Required for authentication, premium verification, cloud backup, and crash reporting
In-App Billing | Android | Required to process premium subscription purchases through Google Play
Notifications | Android 13+ | Local notifications for budget alerts, subscription reminders, and goal updates. All notifications are generated locally; we do not send push notifications from our servers

We do not request access to your camera, microphone, contacts, photos, location, or any other sensitive permissions.


11. Data Retention & Deletion

What happens when you delete your account:

When you request account deletion, we run a cascade delete that removes:

  1. Your authentication record (email, name, avatar, OAuth metadata)
  2. All entitlements and premium access records
  3. All purchase and subscription records
  4. Feature usage counts
  5. Referral codes and referral records
  6. Device fingerprint hashes
  7. Early access waitlist entry (if any)

What is retained after deletion:

  • Subscription event logs — the user_id field is set to null (anonymized), but the event record is retained for financial compliance and dispute resolution.
  • Sentry crash data — retained for up to 90 days, then deleted.

Local data:

Since your financial data lives on your device, deleting your account does not delete local data. You must uninstall the app or use the in-app data wipe option to remove local data. Google Drive backups must be deleted manually from your Google Drive.


12. Your Rights

  • Access: You can request a copy of all data we store about you by emailing us.
  • Export: You can export your local financial data as CSV or JSON at any time from within the app (Premium feature).
  • Deletion: You can delete your account through the app, which triggers a cascade delete of all server-side data.
  • Portability: Your data is stored in an open SQLite format. You own it completely.
  • Correction: Since we only store the email and display name provided by your OAuth provider, changes made to your Google/Apple account are reflected at your next sign-in.
  • Opt-out: You can use Vento in guest mode (no account) for a fully offline, zero-server experience.

13. Children's Privacy

Vento is not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we discover that a child under the applicable age has created an account, we will delete it immediately.


14. International Rights (GDPR & CCPA)

GDPR (EU/UK)

  • Lawful basis: We process your data based on (a) your consent (account creation), (b) contractual necessity (subscription management), and (c) legitimate interest (fraud prevention, crash reporting).
  • Data minimization: We collect only what is strictly necessary for each purpose as described above.
  • Right to erasure: Account deletion removes all personally identifiable data. Financial data on your device is under your control.
  • Data processing location: Our backend runs on Cloudflare Workers (a globally distributed edge network), and our Supabase database is cloud-hosted. Data may be processed in jurisdictions outside the EEA.

CCPA (California)

  • We do not sell personal information. We never have and never will.
  • We do not share personal information for targeted advertising.
  • You have the right to know what data we collect (see above), request deletion, and opt out of any future sale (which will never occur).

15. Changes to This Policy

We may update this policy when we add new features or services. Material changes will be communicated via in-app notification or email. The "Last Updated" date at the top indicates when the latest revisions took effect. We encourage you to review this page periodically.


16. Contact Us

If you have questions about this privacy policy, want to exercise your rights, or need to report a privacy concern, please reach out:

support@vento.money

We aim to respond within 48 hours.