Skip to content
All privacy policies

The short version

  • Account required: No
  • Data collected: None
  • Ads: No
  • Analytics: None
  • Third-party SDKs: None
  • Data sold: Never
  • Cloud backup: Opt-in, to your own iCloud or Google Drive
  • Network calls: exchange rates, version check, weather (opt-in), City Guide downloads, Trip Sync (opt-in)

Where your data lives

Everything you enter into Safra (trips, expenses, budgets, receipts, documents, travel companions) is stored in a database on your device. Only on your device. There is no account and no Safra server storing your information.

Cloud backup

The optional backup feature is disabled by default. On iOS you back up to your personal iCloud account; on other platforms to your personal Google Drive AppData folder. Your data is sent to your personal cloud account, not ours, and can be deleted at any time.

Exchange rates

The app fetches rates from thesafra.com/api/rates. The request contains only a currency code and a timestamp. No user data, device identifiers, or trip information is included.

On-device AI

The optional AI feature for categorization and insights runs exclusively on compatible iPhones using Apple's Foundation Models. No data is sent to Apple or to us.

Weather correlation

This feature is disabled by default. It requests only a country's approximate geographic coordinates (a fixed central point, not your GPS location) and the trip's date range from thesafra.com.

City guides

PDFs download from guides.thesafra.com with only the file path in the request. No user data or analytics are transmitted.

Nearby share

Device-to-device transfers happen over Bluetooth and local Wi-Fi, without the internet or any server involvement.

Trip sync (optional)

Your trip data is encrypted on your device before it is sent. The encryption key exists only on devices that have scanned the invite link. The relay server at appsync.thesafra.com stores only a session identifier (a random code, not linked to any identity) and encrypted payloads. Sessions expire after 90 days of inactivity.

Settlement public link (optional)

Settlement data is encrypted on your device and uploads only the encrypted blob; the encryption key travels in the URL fragment only. Links expire in seven days by default and can be revoked at any time.

Receipt scanning (OCR)

The receipt image is never uploaded. No data leaves your device during scanning, which uses Apple's Vision framework or ML Kit.

Report a problem (optional)

When you choose to submit a report, you see exactly what will be included: your message, the app version, the operating system version, and optionally a truncated technical error log. Submissions are anonymous, with no personal data unless you include it voluntarily.

Notifications

Budget alerts and daily recaps are scheduled locally on your device and are not delivered through any external push notification service.

Location

Location access is requested only when you tap the location field and only while the app is in use. You can skip it entirely; it is always optional.

Photos and documents

Receipt photos and documents are stored locally on your device. We cannot see them.

Analytics and crash reporting

Safra has no analytics, no automatic crash reporting service, no heatmaps, no session recording, and no A/B testing.

Advertising

There are no ads in Safra. There is no advertising SDK.

Children

Safra is rated 4+ on the App Store. We do not knowingly collect any information from anyone, including children.

Changes to this policy

If anything described here ever changes, we will update this page and change the date at the top.

Contact

contact@nexudo.tech