Privacy Policy

The Short Version

Your asset names, payment amounts, locations, photos, and notes are encrypted on your iPhone before they ever leave it. The encryption key lives only on your device (and in your private iCloud Keychain, which is itself end-to-end encrypted by Apple). The developer of Aksaty, Firebase/Google, and anyone who gains access to our servers — including via a subpoena — can only see opaque ciphertext. They cannot read your data. Even we cannot read your data.

The detailed explanation is in the "End-to-End Encryption" section below.

Information We Collect

Aksaty collects only the information you provide directly:

• Account information: email address and display name when you register (plaintext — used to sign you in)
• Asset data: names, payment amounts, schedules, locations, photos, notes you enter — encrypted on your device before being saved; the developer never sees the actual content
• Usage data: anonymous analytics to improve the app (no personally identifiable information)
• Device data: device type and OS version for technical support

We do not collect payment card numbers, national ID numbers, or any sensitive financial credentials.

How We Use Your Info

Your information is used solely to:

• Provide and personalize the Aksaty service
• Send payment reminders you have opted into
• Improve app performance and fix bugs
• Respond to your support requests

We never sell your personal data to third parties.

End-to-End Encryption (v1.1.0 and later)

Aksaty cannot read your asset names, payment amounts, locations, photos, or notes. Starting with version 1.1.0, every piece of personal content you enter is encrypted with AES-256-GCM on your device using a key that only your device holds. Firebase, the developer, and anyone served a subpoena receive only opaque encrypted bytes — not the underlying data. There is no back door and no master key on our side.

How the encryption key is managed: the first time you open Aksaty 1.1.0 a fresh 256-bit master key is generated on your device. The key is stored in the iOS Keychain (Apple's hardware-backed secure storage), and synced to your iCloud Keychain so it follows you to your other Apple devices automatically. iCloud Keychain is itself end-to-end encrypted by Apple — Apple cannot read it either. The key is never transmitted to our servers, never logged, and never stored outside of your Apple ecosystem.

What this means in practice:

• If you forget your Aksaty login password, you can reset it normally — your data stays encrypted and accessible after the new sign-in.
• If you sign in on a new iPhone with the same Apple ID, your data unlocks automatically through iCloud Keychain.
• If you uninstall and reinstall the app on the same Apple ID, your data is automatically re-readable.
• If you sign in on a device that doesn't share your iCloud Keychain (different Apple ID, or iCloud Keychain disabled), the existing encrypted data on that account cannot be read on that device. New entries on the new device get a fresh key.
• If you lose access to your Apple ID entirely, your previously-encrypted data is permanently unrecoverable. This is the inherent trade-off of true privacy: there is no back door, not even for us.

What is still visible to Firebase / the developer: only your account UID, document timestamps, the number of assets you own, and storage size. The actual content of every asset, payment, location, photo, and note is opaque ciphertext — completely unreadable without your device-local key.

Data Storage

When you sign in, your asset and payment data is stored in your personal cloud account powered by Firebase (Google Cloud). The content is end-to-end encrypted on your device before being sent — Firebase only receives ciphertext. Transport itself uses HTTPS, and Firebase additionally encrypts data at rest, but those layers are secondary to the client-side E2EE described above.

OCR contract scanning: when you use the contract scan feature, the photo is sent to our processing server only at the moment of the scan and deleted immediately after the payment schedule is extracted. The extracted schedule is encrypted on your device before it's saved.

AI market-price estimates: the asset name and location you enter are sent to our pricing service for the duration of a single request and are not retained server-side. The result is encrypted on your device before it's saved.

Crash reporting: crash and performance data is collected via Sentry. We do not include user content in crash reports — only stack traces and device diagnostics.

Data Sharing

We do not share your personal data with third parties except:

• Service providers who help us operate the app (e.g., Firebase by Google) under strict data processing agreements
• When required by law or to protect legal rights
• With your explicit consent

We do not share your asset or financial data with real-estate companies, banks, or advertisers.

Your Rights

You have several rights regarding your personal data:

• Access the data we hold about you
• Correct inaccurate data
• Delete your account and all associated data
• Export your data at any time
• Opt out of analytics

Data Retention

We retain your account data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days.

Security

We implement multiple layers of security, with end-to-end encryption as the strongest:

• Client-side AES-256-GCM encryption of all user content before it leaves your device (1.1.0 and later) — see "End-to-End Encryption" above
• iCloud Keychain (Apple-managed, end-to-end encrypted) for the master encryption key
• HTTPS for all data transmission
• Firebase security rules limiting access to the authenticated owner
• Encryption at rest on Firebase servers (a secondary layer — our client-side E2EE means the data is already ciphertext before Firebase touches it)
• Regular security reviews

No method of electronic storage is 100% secure. The strongest protection in our stack is the client-side encryption — we cannot decrypt your content even when compelled by court order, because the key never leaves your device.

Children's Privacy

Aksaty is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

Changes to Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email.