The short version
- Account required: No
- Data collected: None
- Ads: No
- Analytics: None
- Third-party SDKs: None
- Data sold: Never
- Cloud backup: Opt-in, to your own iCloud or Google Drive
- Network calls: exchange rates, version check, weather (opt-in), City Guide downloads, Trip Sync (opt-in)
Where your data lives
Everything you enter into Safra (trips, expenses, budgets, receipts, documents, travel companions) is stored in a database on your device. Only on your device. There is no account and no Safra server storing your information.
Cloud backup
The optional backup feature is disabled by default. On iOS you back up to your personal iCloud account; on other platforms to your personal Google Drive AppData folder. Your data is sent to your personal cloud account, not ours, and can be deleted at any time.
Exchange rates
The app fetches rates from thesafra.com/api/rates. The request contains only a currency code and a timestamp. No user data, device identifiers, or trip information is included.
On-device AI
The optional AI feature for categorization and insights runs exclusively on compatible iPhones using Apple's Foundation Models. No data is sent to Apple or to us.
Weather correlation
This feature is disabled by default. It requests only a country's approximate geographic coordinates (a fixed central point, not your GPS location) and the trip's date range from thesafra.com.
City guides
PDFs download from guides.thesafra.com with only the file path in the request. No user data or analytics are transmitted.
Nearby share
Device-to-device transfers happen over Bluetooth and local Wi-Fi, without the internet or any server involvement.
Trip sync (optional)
Your trip data is encrypted on your device before it is sent. The encryption key exists only on devices that have scanned the invite link. The relay server at appsync.thesafra.com stores only a session identifier (a random code, not linked to any identity) and encrypted payloads. Sessions expire after 90 days of inactivity.
Settlement public link (optional)
Settlement data is encrypted on your device and uploads only the encrypted blob; the encryption key travels in the URL fragment only. Links expire in seven days by default and can be revoked at any time.
Receipt scanning (OCR)
The receipt image is never uploaded. No data leaves your device during scanning, which uses Apple's Vision framework or ML Kit.
Report a problem (optional)
When you choose to submit a report, you see exactly what will be included: your message, the app version, the operating system version, and optionally a truncated technical error log. Submissions are anonymous, with no personal data unless you include it voluntarily.
Notifications
Budget alerts and daily recaps are scheduled locally on your device and are not delivered through any external push notification service.
Location
Location access is requested only when you tap the location field and only while the app is in use. You can skip it entirely; it is always optional.
Photos and documents
Receipt photos and documents are stored locally on your device. We cannot see them.
Analytics and crash reporting
Safra has no analytics, no automatic crash reporting service, no heatmaps, no session recording, and no A/B testing.
Advertising
There are no ads in Safra. There is no advertising SDK.
Children
Safra is rated 4+ on the App Store. We do not knowingly collect any information from anyone, including children.
Changes to this policy
If anything described here ever changes, we will update this page and change the date at the top.
Contact
contact@nexudo.tech