Privacy Policy
Last updated: 28 May 2026
1. Who we are
Novira is a solo-developed personal finance Progressive Web App. It is not a company, not a registered financial institution, and not affiliated with any bank. Questions and requests go to ragava22005@gmail.com.
2. What we collect
Only what's needed to run the features you actually use:
- Account data — your email, an optional display name, an optional avatar, and (if you sign in with Google) the OAuth identifier Google returns.
- Financial data you enter — transactions (amount, description, category, payment method, date, notes, currency, tags), accounts and wallets, recurring templates, buckets, savings goals, trips, and your own categorization rules.
- Location data — if you attach a place to a transaction we store its name, address, latitude and longitude. If you grant your browser's geolocation permission, your approximate location is sent to map providers to bias place search toward you.
- Receipt images — if you use receipt scanning, the photo is stored in a private Supabase Storage bucket scoped to your account.
- Collaboration data — friendships, group memberships, and expense splits are visible to the other people you share them with.
- Push subscription — if you enable notifications, your browser's push endpoint and encryption keys.
- Edit history — when you edit or delete a transaction, the previous values are recorded so the change can be audited or undone.
- Operational metadata — anonymous Web Vitals via Vercel Analytics and standard server request logs at Vercel.
3. What we don't collect
No bank-account linking or Plaid-style aggregation. No payment card data — Novira is free, with no in-app purchases. No advertising identifiers, no third-party analytics beyond Vercel's Web Vitals, no cross-site tracking, no data sale.
4. Sub-processors
Novira runs on top of these services. Each receives only what's needed for its function:
- Supabase — primary backend (PostgreSQL, Auth, Storage, Realtime). Holds essentially all data described above. Privacy.
- Vercel — hosting, scheduled cron jobs, Web Vitals and Speed Insights. Sees request logs and aggregate performance metrics. Privacy.
- Anthropic (Claude) — server-side only. Receives your uploaded receipt image when you scan a receipt, and aggregated transaction summaries when you use Insights chat or generate a monthly or yearly recap. Rate-limited (30 receipt scans, 3 insights chats, 10 recaps per day per account). Privacy.
- Google — Maps and Places APIs for geocoding transaction locations; Google OAuth if you choose “Continue with Google”, in which case Google receives your sign-in event and basic profile info. Privacy.
- Mapbox — alternative map rendering and geocoding. Privacy.
- Photon (Komoot) — open-source fallback geocoder used when other providers fail. Privacy.
- ExchangeRate API — currency conversion. Only currency codes are sent, no personal data. Terms.
- Web Push gateways — your browser's chosen push service (FCM, Mozilla, or Apple) receives notification payloads only if you enable push notifications.
5. Cookies and on-device storage
Novira stores small amounts of data on your device to keep you signed in and to remember your preferences:
- Cookies — Supabase session cookies (required for sign-in) and a sidebar state cookie.
- Local Storage — onboarding state, privacy mode toggle, recently used locations, PWA install dismissal, last-seen feature announcement, recent search queries.
- Session Storage — short-lived UI flags (toast triggers, swipe-gesture hint).
- IndexedDB — only the novira-share-target store, used when you share a receipt image to the app from your OS share sheet.
- Service Worker cache — static assets and Supabase responses cached for offline use; cleared automatically on each new app version.
6. Permissions we may ask for
Camera (to photograph a receipt), geolocation (to bias place search toward where you are), and notifications (for push alerts). Each is opt-in and requested only when you trigger the feature that needs it. You can revoke any of them in your browser's site settings.
7. How we use your data
To run the app for you — show your transactions, render charts, sync across your devices, send the notifications you asked for, and answer the AI prompts you trigger. No profiling, no advertising, no resale.
8. Sharing with other users
If you split an expense, add someone as a friend, or join a group, the relevant transaction or balance data is visible to the other people in that group or split. You decide what to share and with whom.
9. Retention and deletion
Your data is kept while your account is active. You can delete your account at any time from Settings. Deletion purges your transactions, splits, recurring templates, group memberships, friendships, edit history, profile, profile picture, uploaded receipt images, and the auth row itself.
10. Your rights
If you're in the EEA, UK, California, or another region with privacy laws, you have rights including:
- Access — see what we hold about you. Most of it is already visible in the app; export it from Settings as CSV, PDF, or ICS.
- Rectification — edit any record in-app.
- Erasure — delete your account from Settings (subject to the limitation above), or email us.
- Portability — the export feature provides machine-readable copies.
- Restriction and objection — email us if you'd like processing limited.
- Withdraw consent — turn off any optional permission (notifications, geolocation, camera) in your browser.
11. International transfers
Our sub-processors (Supabase, Vercel, Anthropic, Google, Mapbox, etc.) operate in regions that may include the United States and the European Union. Using Novira involves your data being transferred to and processed in those regions.
12. Security
Data is encrypted in transit (HTTPS, HSTS) and at rest using Supabase defaults. Row-level security isolates each account's data. A strict Content-Security-Policy is enforced. These are reasonable engineering measures, not a guarantee against every possible attack.
13. Children
Novira is not directed to children under 13 (or under 16 in the EEA and UK). If you're below that age, please don't create an account.
14. Changes to this policy
Material changes are surfaced in the app via the “What's new” announcement and reflected in the “Last updated” date at the top of this page.
15. Contact
Email ragava22005@gmail.com for any privacy question, data request, or concern.