Privacy Policy

Pocket, made by Shinka, is a personal finance and analytics dashboard for indie developers and creators: budgets, savings goals, a calendar, multi-currency tracking, trip and event “projects”, an AI finance assistant, and read-only analytics from the platforms you connect. Because Pocket handles financial information, this policy is deliberately specific about what is collected and where it goes.

What we store on our backend

The following is stored in Supabase (our hosted database and authentication provider), locked to your account by row-level security:

• Account and profile, your email, password (hashed by Supabase Auth), your name, and preferences such as theme, currency, time zone, display name, avatar, and your onboarding answers (for example an income goal and primary focus).
• Financial data, your budget categories and entries (amounts, dates, notes, currency), savings goals, and calendar events. This is sensitive personal information and we treat it that way.
• Projects, trip and event budgets including expenses with the locations you add, accommodation and flight details (including any confirmation codes you enter), participants, and itineraries.
• AI conversations, your chats with the Pocket AI assistant and a snapshot of the financial figures used as context, so you can pick up where you left off.
• Connection tokens, if you link a platform, its access tokens are stored encrypted in your account. If you add your own Claude API key, it is stored encrypted too.

What stays only on your device

Some data never reaches our server. Your login session is kept in local secure storage. Receipt and expense photos stay on your device as local file references and are not uploaded. Several project extras, such as a trip journal, packing lists, emergency contacts, templates, and a settlement tracker, are stored locally as well.

When your data goes to another company

These transfers happen only because of a feature you choose to use:

• Anthropic (Claude), when you use the AI assistant, Pocket sends, from your device, a prompt containing your name, currency, monthly income, monthly expenses, net balance, goal progress, the names of your connected platforms, and your recent chat messages to api.anthropic.com, authenticated with your own Claude API key. This is governed by Anthropic’s privacy policy. If you don’t add a key or use the assistant, nothing is sent.
• Platforms you connect, if you link YouTube (Google), Instagram (Meta), TikTok, Stripe, or RevenueCat, Pocket uses your stored token to call that service directly from your device and read your own analytics or revenue. Each request is governed by that provider’s own policy. You can disconnect a platform at any time to stop this.
• Utility services, for trip features the app may query OpenStreetMap (location search), Open-Meteo (weather by coordinates you provide), an exchange-rate service, and map tiles. These receive only the query or coordinates needed, never your account details.

What we do not do

• No analytics SDKs (no Firebase, PostHog, Amplitude, Segment, Mixpanel).
• No crash-reporting SDKs (no Sentry).
• No advertising, no ad identifier, and no cross-app tracking.
• No push notifications and no push tokens (reminders are generated on your device from your own data).
• We never sell or rent your personal or financial information.

Permissions

Pocket asks for Camera and Photos access only so you can attach a receipt or photo to an expense (those images stay on your device). It can use Face ID to lock the app if you enable that. Pocket does not request location, microphone, contacts, or notification permissions.

Payments

Pocket is free to use. The Stripe and RevenueCat connections exist to show your creator revenue, they are not used to charge you, and Pocket never sees your customers’ payment details.

Children

Pocket is a financial tool intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect information from anyone under 18.

Your rights and choices

You can view and edit your data in the app, disconnect any platform to revoke its token, and remove your Claude API key at any time. You can request a copy of your data or deletion of your account and everything tied to it by emailing shinkayoubi@gmail.com. Depending on where you live, you may have rights under the GDPR, UK GDPR, CCPA and CPRA, PIPEDA, or Quebec’s Law 25, including access, correction, portability, and erasure. Your data may be processed in Canada and the United States, and, for features you connect, wherever those providers operate.

Security

Passwords are hashed, connection tokens and your Claude API key are stored encrypted, row-level security isolates your data from other accounts, and all traffic uses HTTPS. You can add a Face ID lock for an extra layer. Please don’t put sensitive details into a profile photo or display name.

Changes to this policy

If our data practices change, we’ll update this page and the “last updated” date above, and note material changes in the app’s release notes.

Contact

Privacy questions or data requests: shinkayoubi@gmail.com.