← Back

Privacy Policy

Last updated: May 22, 2026

1. Introduction

This Privacy Policy explains how Odit ("the Service") collects, uses, stores, and safeguards your information, with particular attention to the SMS banking data that powers the Service. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address;
  • Account credentials (passwords are hashed and never stored in plain text);
  • Social login profile data (if you sign up via Google or GitHub);
  • Your consent status and timestamps for these Terms and Privacy Policy.

2.2 SMS Data

The core of the Service involves reading SMS messages from your Android device and syncing them to our servers. The app applies on-device filtering before any data is transmitted, so personal messages never leave your phone (see Section 3). Syncing happens automatically — both in real time as new messages arrive and via a recurring background worker — and you can preview and deselect individual senders before each upload. For each synced message, we collect:

  • Raw message content: The full text body of each SMS;
  • Message metadata: Sender address (phone number or short code), contact name, timestamp, message direction, thread ID, and read status;
  • Extracted financial data: For messages from recognized banking addresses only — transaction type, amounts, fees, balances, currency, and sender/receiver identifiers parsed from the message.

Important: Messages from Ethiopian phone numbers (09/07/+251 prefixes) are always excluded on-device and never transmitted to our servers. Only messages from non-personal sources — such as bank short codes, service alerts, and institutional senders — are synced. Only messages from recognized banking addresses are processed for financial data extraction on our servers.

2.3 Device Information

When you connect a device, we collect:

  • A unique device identifier (UUID generated by the app, not your hardware ID);
  • Device name (as you label it);
  • The association timestamp.

2.4 Automatically Collected Information

When you access the web dashboard, we may collect:

  • IP address, browser type, and pages visited;
  • Device information (operating system, screen size);
  • Session cookies for authentication.

2.5 Receipt Images (Optional)

The Android app includes an optional receipt scanner that uses your device camera to capture paper receipts. Text recognition runs on-device using Google ML Kit; the recognized text never leaves your phone unless you proceed to AI-assisted categorization.

If your plan includes AI receipt extraction, choosing to extract a captured receipt uploads the receipt image and its on-device OCR text to our servers for parsing (amount, merchant, line items, suggested category). Receipt extraction is a per-capture user action; receipts are never uploaded automatically. On the free plan, captured receipts remain entirely on-device.

3. SMS Filtering — Privacy by Default

The Odit Android app applies strict on-device filtering before any SMS data is transmitted to our servers. Personal messages never leave your phone.

3.1 What Is Excluded

Messages from Ethiopian phone numbers are always excluded from the sync. Messages from senders matching the following patterns are filtered out on-device and never leave your phone:

  • Numbers starting with 09 or 07 (Ethiopian mobile prefixes);
  • Numbers starting with +251 (Ethiopia country code, including +25109 and +25107).

In addition to personal numbers, the following are always discarded on-device before any upload:

  • Drafts, outbox, failed, and queued messages — only delivered inbound and sent messages are eligible;
  • Group conversations — any thread ID with more than one recipient is excluded entirely;
  • Concatenated recipient blobs — digit-only sender fields longer than a valid international phone number, which some Android OEMs leak into the SMS table from group MMS.

This means only messages from non-personal sources — such as bank short codes, service alerts, and institutional senders — are synced. Personal SMS conversations between Ethiopian phone numbers never reach our servers.

3.2 What Is Synced

Only messages from non-personal senders pass through the filter. This includes:

  • Messages from banking short codes (e.g. CBE, Telebirr, BOA, Awash Bank, Dashen Bank, Zemen Bank);
  • Messages from service providers and institutional senders;
  • System notifications and alerts from non-phone-number addresses.

Of the synced messages, only those from recognized banking addresses are processed for financial data extraction. All other synced messages are stored but not parsed.

Before each sync, the app shows you a preview of which senders it intends to upload and lets you deselect individual senders. Deselected senders are excluded from the upload alongside the on-device filters above; this choice is remembered for future syncs.

3.3 Trade-off

If a banking institution sends messages from a standard Ethiopian phone number rather than a short code, those messages will be excluded by the filter and will not appear in your dashboard. This is an intentional privacy-first design choice.

3.4 Android Permissions Used

The Odit Android app declares the following permissions. Most are requested at install time; the asterisked ones require a runtime prompt that you must approve:

  • READ_SMS*: read inbox messages for parsing and sync (subject to the filters in this Section);
  • READ_CONTACTS*: resolve a sender phone number to a display name so transactions show recognizable counterparties — looked up per-sender, never bulk-uploaded;
  • POST_NOTIFICATIONS* (Android 13+): show sync status, new-transaction summaries, and recurring-payment reminders;
  • CAMERA*: capture receipts in the optional receipt scanner (see §2.5);
  • USE_BIOMETRIC: back the optional biometric app lock (see Section 6);
  • INTERNET, ACCESS_NETWORK_STATE: communicate with the Odit API and check connectivity before sync;
  • FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC: run the upload worker reliably while the user is aware of it;
  • RECEIVE_BOOT_COMPLETED: re-arm the recurring background sync after device reboot.

4. How We Use Your Information

We use the information we collect to:

  • Parse and extract financial transaction data from your banking SMS;
  • Detect and categorize transactions, identify wallets, and track balances;
  • Provide the web dashboard, analytics, and financial insights;
  • Deduplicate messages across device resyncs and device changes;
  • Improve our SMS parsing patterns and accuracy;
  • Send technical notices, updates, and support messages;
  • Detect, prevent, and address technical issues and security incidents;
  • Comply with legal obligations.

5. Sharing of Your Information

5.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or SMS data to third parties.

5.2 Third-Party Service Providers

We use the following named third-party processors to operate the Service. Each processor receives only the data described and is contractually or by terms-of-use bound to use it solely for the stated purpose:

  • Firebase Crashlytics (Google): receives Android crash reports — stack traces, app/OS version, and device model. Crash payloads do not include SMS content, financial data, or your message body.
  • Firebase Analytics (Google): receives anonymous Android usage events (screens visited, feature taps). The Android advertising ID is explicitly stripped from the manifest. No SMS content or extracted financial data is forwarded to Analytics.
  • Axiom: receives server-side application logs for debugging and operational telemetry. Logs are scrubbed of message bodies and extracted financial details and contain only operational signals (request paths, latency, error codes).
  • Telegram (operator alerts): when an account-deletion event occurs we post a short alert to an internal Telegram channel containing the triggering user's email, session IP, and request context. This is used only to detect abuse and verify completed deletions.
  • Cloud hosting and CDN providers: the web dashboard, API, and database are hosted on commercial cloud infrastructure. These providers process data in transit and at rest under standard cloud-provider terms.
  • Google and GitHub: if you choose social login, the respective provider authenticates you and returns the profile data listed in Section 2.1.

5.3 Legal Requirements

We may disclose your information if required by law or in response to valid legal process (e.g. a court order or government agency request).

5.4 Business Transfers

If Odit is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

6. Data Security

We implement technical and organizational security measures to protect your data, including:

  • Encrypted data transmission (TLS) between your device and our servers;
  • Hashed and salted password storage;
  • Access controls and authentication on all API endpoints;
  • Rate limiting and abuse detection;
  • Optional biometric app lock on the Android app — when enabled, unlocking the app requires fingerprint or device biometric authentication. This gates access to the locally cached SMS preview and dashboard data; it does not affect server-side authentication.

However, no method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data: Retained until you delete your account;
  • SMS data: Only non-personal messages (those not filtered out by the rules in Section 3) and their extracted financial data are stored, retained until you delete your account;
  • Session cookies: Retained for the duration of the session, up to 90 days;
  • Operational telemetry and logs: Server logs (held in Axiom) and mobile crash reports (held in Firebase Crashlytics) are retained for up to 90 days for debugging and security purposes. These contain operational signals (request paths, latency, error codes, stack traces) — not message bodies, not extracted financial data, and not contact information.

When you request account deletion (in the Android app or on the web dashboard), your account is scheduled for deletion with a 30-day grace period. During the grace period:

  • Your sessions are signed out and the account is unreachable from any client;
  • Your data remains intact on our servers but is not processed for new syncs;
  • Signing back in with the same credentials cancels the pending deletion and restores access automatically — no support request required.

After 30 days, a daily purge job hard-deletes the account row, every device owned by it, all synced SMS data (parsed messages, raw export batches, extracted financial data), wallets, participants, goals, recurring transactions, manual entries, categories, category rules, notifications, and authentication sessions. Anonymous, scrubbed telemetry already emitted to third-party log processors persists for the remainder of their retention window described above, after which it is purged automatically.

8. Your Privacy Rights

You have the right to:

  • Access: Request a copy of the personal and financial data we hold about you;
  • Correction: Request correction of inaccurate information;
  • Deletion: Request deletion of your account and all associated data;
  • Data scope: Personal messages are always filtered on-device and never reach our servers;
  • Portability: Request export of your data in a standard format;
  • Withdraw consent: Stop using the Service and request account deletion at any time.

To exercise these rights, please contact us through our support channels.

9. Cookies and Tracking

We use session cookies for authentication and user preferences. We may use analytics tools to understand how the Service is used. You can configure your browser to refuse cookies, though some features of the Service may not function properly without them.

10. Third-Party Links

The Service may contain links to third-party websites. We have no control over and assume no responsibility for the content or privacy practices of those sites.

11. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect information from children under 13. If you become aware that a child has provided us with personal information, please contact us.

12. International Data Transfers

Your information may be transferred to and stored on servers outside your country of residence. We take reasonable steps to ensure your data is treated securely and in accordance with this policy regardless of where it is processed.

13. Changes to This Privacy Policy

We may update this policy from time to time. When we make material changes, we will notify you through the Service and update the "Last updated" date. Material changes to how your SMS data is handled will require you to re-accept the updated policy before continuing to use the Service.

14. Contact Us

If you have any questions about this Privacy Policy, please contact us through our support channels.

← Back to Login