Who Operates Pocketsaurus
Pocketsaurus is operated by an individual sole proprietor based in Indonesia. The service is offered globally; this policy applies to all users regardless of where you are based.
Our Philosophy
We only store and collect what's necessary to give you the best experience on Pocketsaurus. We don't go beyond this to figure out your address, gender, age, income level, or anything else that isn't directly needed to help you manage your finances.
We will never sell your personal information to third parties. We will never sell your data to advertisers. Your financial data is yours.
What We Collect
We collect only what's required to provide the service:
- Account information — your name and email address, used for authentication and communication about your account.
- Financial data you enter — transactions, accounts, budgets, savings goals, and investment holdings that you manually add to the app.
- Payment metadata — for paid plans, our payment processor returns a transaction ID, status, and amount; we never see your card or banking details.
- Usage data — basic analytics like page views and feature usage to improve the product. We do not track you across other websites.
- Audit log — sensitive actions (login, password reset, account deletion) are recorded for security review. Audit entries are retained even after account deletion, with your user ID nulled — see Data Retention & Deletion below.
What We Don't Collect
- Your bank login credentials — we never ask for or store your banking passwords.
- Your card number, CVV, or banking details — these go directly to our payment processor.
- Your physical address, phone number, date of birth, or government ID.
- Your gender, age, income level, or demographic information.
- Browsing history outside of Pocketsaurus.
Data Security
- Encryption at rest — all data is encrypted at rest using AES-256 encryption at the infrastructure level.
- Encryption in transit — all connections use TLS/HTTPS. We enforce HSTS headers.
- Password security — passwords are hashed using bcrypt with a high cost factor. We never store plaintext passwords.
- Multi-factor authentication — optional TOTP-based MFA is available to protect your account.
- Session management — sessions expire after 1 hour of inactivity. JWT tokens are signed and verified on every request.
- Rate limiting — login, registration, and password-reset endpoints are rate-limited to prevent abuse.
Third-Party Services (Subprocessors)
We use a limited number of third-party services to operate. None of them have access to your financial data beyond what is described:
- Neon (database hosting) — your account, financial, and audit data is stored here, encrypted at rest. Region: Asia-Pacific.
- Vercel (application hosting) — serves the app and runs server-side code.
- Resend (transactional email) — sends password reset emails, household invites, and billing receipts. Receives your email address and the email body only.
- Midtrans (payments — Indonesia) — handles subscription payments for Indonesian users. We never see your card details.
- Stripe and Adyen (payments — international, planned) — when we open paid plans to users outside Indonesia, payments will be processed via Stripe and later Adyen. This policy will be updated before either is enabled.
- Yahoo Finance / Bibit — public market data for investment tracking. We send only ticker symbols; no personal data leaves our systems.
- Open Exchange Rates — currency conversion rates. No personal data is shared.
Cookies
We use cookies strictly for authentication (a signed JWT session token). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
Data Retention & Deletion
We retain your data for as long as your account is active. Your financial history is kept so you can access historical reports, trends, and analysis.
You can delete your account from Settings → Danger Zone. When you do, in a single transaction we permanently delete your transactions, accounts, budgets, savings goals, investments, recurring rules, categories, tags, household memberships, payment records, and personal information. Households where you were the sole member are deleted along with their pending invites.
For security and regulatory compliance, audit log entries (records of sensitive actions like logins and password changes) are retained, with your user ID set to null so the entries cannot be linked back to you.
Account deletion is irreversible. After deletion, the email address you used can be re-registered.
Your Rights
Under Indonesia's Personal Data Protection Law (UU No. 27 of 2022) and equivalent laws in your jurisdiction (including GDPR for EU users and CCPA for California residents), you have the right to:
- Access — export all your data at any time from Settings (CSV / JSON).
- Correction — edit or update any of your financial data within the app.
- Deletion — permanently delete your account and all associated data (Settings → Danger Zone).
- Portability — your data export is in standard, machine-readable formats.
- Object / withdraw consent — by deleting your account, you withdraw all consent for further processing.
- Lodge a complaint — if you believe we've mishandled your data, you can complain to your local data protection authority.
To exercise any right that isn't available in-app, email privacy@pocketsaurus.com and we will respond within 30 days.
International Data Transfers
Our infrastructure (Neon, Vercel, Resend) operates outside Indonesia. By using Pocketsaurus you consent to the transfer of your data to these jurisdictions for the purposes of providing the service. All providers are bound by data processing terms and use industry-standard security measures.
Children's Privacy
Pocketsaurus is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this privacy policy from time to time. If we make material changes (for example, adding a new subprocessor or changing how we handle data), we will notify you via email or through the app at least 14 days before the change takes effect. Your continued use of Pocketsaurus after that constitutes acceptance of the updated policy.