Privacy Policy
We take your privacy seriously. Here's exactly what we collect, why, and how we protect it.
1. Information We Collect
When you use BachatAI, we collect:
- Your name, email address, and profile picture when you sign in with Google
- Financial transaction data extracted from your bank notification emails (amount, merchant name, transaction type, date, and available balance where present)
- Spending categories, budget goals, and savings targets you set manually in the app
- Usage data about how you interact with the app, for improving the service
- Device information for troubleshooting and security purposes
We do not collect bank credentials, UPI PINs, internet banking passwords, or any payment instrument details.
2. Google Account & Gmail Data Access
BachatAI requests read-only access to your Gmail account (gmail.readonly scope) solely to identify and extract bank transaction notifications. Here is exactly how this works:
- What we access: We search your Gmail inbox for emails containing bank transaction keywords (such as "debited", "credited", "transaction"). We then identify the sender address of your bank's notification emails and fetch only emails from that specific sender.
- What we extract: Our AI processing extracts structured transaction data — amount, merchant or description, transaction type, date, and account balance where available.
- What we store: Only the extracted transaction data points listed above. We store these in your secure account on our servers so they can be displayed in the app.
- What we do NOT retain: Raw email body, email subject lines, and email content are temporarily stored only for the duration of AI extraction processing. They are permanently deleted from our servers immediately after extraction completes and are never retained beyond that step.
- Deletion of email content: The full email content fetched from Gmail is deleted from our servers immediately after the AI extraction step is complete, typically within seconds of retrieval.
- OAuth token storage: The OAuth refresh token that authorises our access to your Gmail is stored in encrypted form using AES-256 encryption. It is never stored or logged in plain text.
- No sharing of Gmail data: Your Gmail data and the information derived from it are never sold, rented, shared with advertisers, or transferred to any third party except our AI processing service provider (used solely to perform the extraction), which is bound by strict confidentiality obligations.
- No use for advertising: Gmail data is used only to provide the BachatAI transaction tracking service. It is never used for serving advertisements or for any purpose unrelated to the core app functionality.
BachatAI's use and transfer of information received from Google APIs to any other application will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
3. How We Use Your Information
We use the data we collect to:
- Automatically track and display your bank transactions in the app
- Generate AI-powered spending insights, budget recommendations, and savings analysis
- Allow you to categorise transactions into budgets, payments, and savings
- Send account-related notifications and product updates (you can opt out at any time)
- Diagnose technical issues and improve app performance
- Comply with applicable Indian laws and regulations
4. Data Storage and Security
Your data is stored on secure servers, encrypted in transit and encrypted at rest using industry-standard encryption. Gmail OAuth tokens are encrypted using AES-256-GCM before being stored. We implement industry-standard security measures including access controls, audit logging, and regular security reviews.
Raw email content retrieved from Gmail is temporarily stored in our secure database solely to facilitate AI extraction processing. It is permanently deleted immediately after the extraction step completes and is never retained in long-term storage.
5. Data Sharing
We do not sell or rent your personal data. We may share data only in these limited circumstances:
- AI processing provider: Email content is temporarily sent to our AI API provider solely to extract transaction data. This provider is contractually prohibited from using the data for any other purpose.
- Infrastructure providers: Trusted cloud and hosting providers who store and process data on our behalf under strict confidentiality agreements.
- Legal requirements: If required by Indian law, court order, or regulatory authority.
We never share your Gmail data, transaction history, or financial information with advertisers, data brokers, or any unaffiliated third party for commercial purposes.
6. Revoking Gmail Access
You can revoke BachatAI's access to your Gmail at any time by visiting your Google Account permissions page at myaccount.google.com/permissions, finding BachatAI in the list, and clicking Remove Access.
After revocation, we will delete your stored OAuth tokens within 24 hours. Previously extracted transaction data will remain in your account unless you also delete your BachatAI account.
7. Your Rights
You may access, correct, export, or delete your data at any time. To delete your account and all associated data (including extracted transactions), email tech@bachatai.com with the subject "Delete My Account". We process requests within 7 business days.
8. Cookies
We use minimal cookies for session management and analytics only. No advertising or tracking cookies are used.
9. Children's Privacy
BachatAI is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or in-app notice at least 7 days before they take effect. Continued use of the app after changes constitutes acceptance of the updated policy.
11. Contact
Questions about this policy or your data? Email us at tech@bachatai.com. We aim to respond within 48 hours.
Last updated: June 2026