MagicWallet is a personal finance management application developed and operated by Sanas Digital Solutions ("we", "our", "us"), a company incorporated in India. Our registered contact address is available in the Contact section below.
This Privacy Policy explains what personal data we collect when you use the MagicWallet mobile application (Android), progressive web app (PWA), or any related services (collectively, the "Service"), why we collect it, how it is stored and protected, and what rights you have over it.
By downloading, installing, or using MagicWallet, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service and contact us to request deletion of any data held.
We collect the minimum data necessary to provide the Service. The table below describes each category, the specific data points, why we need them, and the legal basis under which we process them.
| Category | Data Points | Purpose | Legal Basis (DPDP / GDPR) |
|---|---|---|---|
| Account & Identity | Email address, display name, profile photo (optional) | Account creation, authentication, and personalised greeting | Consent · Contract performance |
| Financial Records | Income entries, expense entries, loan/debt details, investment holdings, budget amounts, savings goals, bill schedules | Core app functionality — tracking, reporting, and insights | Contract performance · Consent |
| Device & Technical | Device model, OS version, app version, crash logs, anonymous usage events | Crash diagnostics, performance monitoring, feature improvement | Legitimate interest · Consent |
| Subscription & Billing | Google Play purchase token, subscription tier, renewal date | Pro plan validation and entitlement management | Contract performance |
| Support Communications | Email content, attachments, correspondence history | Responding to support requests and resolving disputes | Legitimate interest · Legal obligation |
Data you do not provide stays on your device. If you use MagicWallet in offline / local-only mode without signing in, none of your financial records are transmitted to our servers.
MagicWallet is architected around a local-first principle. Your data is yours, on your device, by default.
Row-Level Security (RLS). When cloud sync is enabled, your data is protected by database-level Row-Level Security policies. This means our backend enforces, at the database layer, that each authenticated user can only read and write their own rows. No application-level code can accidentally expose one user's data to another. Even Sanas Digital Solutions engineers cannot query your financial records in plain text without explicit, logged, and audited access.
| Storage Mode | Where data is stored | Who can access | How to activate / deactivate |
|---|---|---|---|
| Local only (default) | Device SQLite database | You only (device owner) | Default — no action needed |
| Cloud sync (optional) | Supabase / AWS ap-south-1 (Mumbai) | You only, via RLS-enforced auth tokens | Sign in → auto-enabled. Settings → disable anytime |
Data stored in cloud sync is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption managed by AWS. Backups are retained for 7 days and are subject to the same RLS policies.
We implement industry-standard technical and organisational security measures appropriate to the sensitivity of personal financial data.
While we apply strong safeguards, no system is impenetrable. We encourage you to use a strong, unique password for your MagicWallet account and to enable device-level security (PIN, pattern, or biometrics) to protect local data.
We process your data only for the purposes described below. We do not use your financial data to build advertising profiles, and we do not share it with advertisers.
We do not share your personal data except in the limited circumstances below. All third-party processors are bound by Data Processing Agreements (DPAs) and are required to process data only for the purposes we specify.
| Recipient | Data Shared | Purpose | Location |
|---|---|---|---|
| Supabase (cloud infrastructure) | Account data, financial records (cloud sync users only) | Database hosting, authentication, storage | AWS ap-south-1 (Mumbai, India) |
| Google Play Billing | Purchase token, subscription status | Subscription validation | Google servers (Google LLC, USA) |
| Crash analytics provider (e.g. Firebase Crashlytics) | Anonymised crash logs, device OS/version | Crash reporting and stability monitoring | Google LLC, USA (SCCs in place) |
| AI inference provider (Phase 2, opt-in only) | Anonymised transaction descriptions | Smart categorisation and spending insights | Subject to provider DPA — disclosed at point of consent |
| Legal & regulatory authorities | As required by applicable law | Compliance with court orders, DPDPB orders, law enforcement requests | India / jurisdiction of request |
We will challenge overly broad government data requests and notify you to the extent permitted by law when we receive such a request relating to your data.
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by applicable law.
| Data Type | Retention Period | Notes |
|---|---|---|
| Local device data | Until you uninstall the app or clear app data | Entirely under your control; we have no access |
| Cloud sync — financial records | Active account lifetime + 30 days post-deletion request | 30-day grace period allows account recovery; hard-deleted thereafter |
| Account / identity data | Active account lifetime + 30 days | Deleted with account; email retained for 90 days in suppression list only |
| Crash logs & diagnostics | 90 days | Anonymised aggregates retained indefinitely for trend analysis |
| Support emails | 3 years from resolution | Retained for dispute resolution and legal compliance |
| Subscription / billing records | 7 years | Required under Indian financial record-keeping law |
| Free plan transaction history | 3 months (rolling) | Older records are automatically purged for free tier users |
When you request deletion of your account, we will delete or anonymise all personal data within 30 days, except where retention is required by law (e.g. billing records) or where data has already been anonymised.
You have the following rights regarding your personal data. These rights apply to all users and are exercisable free of charge. We will respond within 30 days of receiving a verifiable request.
To exercise any right, email our Grievance Officer at privacy@magikwallet.com with the subject line "Data Rights Request — [Right Type]". We may ask you to verify your identity before processing the request.
MagicWallet complies with the Digital Personal Data Protection (DPDP) Act, 2023 and its implementing rules as notified by the Government of India. Sanas Digital Solutions is the Data Fiduciary for all personal data processed through the Service.
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) applies to your personal data. Sanas Digital Solutions acts as the Data Controller.
Lawful bases for processing. We rely on the following legal bases under GDPR Article 6:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Art. 6(1)(b) — Contract performance |
| Storing and syncing your financial records | Art. 6(1)(b) — Contract performance |
| Crash analytics and performance monitoring | Art. 6(1)(f) — Legitimate interest (service stability) |
| AI-powered insights (opt-in) | Art. 6(1)(a) — Explicit consent |
| Marketing communications (if applicable) | Art. 6(1)(a) — Consent |
| Legal compliance and dispute resolution | Art. 6(1)(c) — Legal obligation |
International transfers. Where your data is transferred outside the EEA (e.g. to Google LLC in the USA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on the UK International Data Transfer Agreement (IDTA) for UK transfers. Our primary cloud infrastructure (Supabase/AWS Mumbai) is located within India.
Data Protection Officer. We do not currently meet the threshold requiring a mandatory DPO under GDPR Article 37. As our user base grows into the EEA, we will appoint a DPO if required. In the meantime, all GDPR-related enquiries should be directed to privacy@magikwallet.com.
Right to lodge a complaint. EEA users may lodge a complaint with their local data protection supervisory authority (e.g. the Irish DPC, CNIL, BfDI, etc.). UK users may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
MagicWallet is not directed at children under the age of 18 years. We do not knowingly collect personal data from anyone under 18.
In accordance with Section 9 of the DPDP Act 2023, before processing any personal data of a child, we will obtain verifiable consent from the child's parent or lawful guardian. We will also ensure that no processing of a child's data is undertaken that is detrimental to the child's well-being, involves tracking or behavioural monitoring of children, or targets advertising at children.
If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact us immediately at privacy@magikwallet.com. We will promptly delete such data upon verification.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
When we make material changes — changes that significantly affect your rights or how we process your data — we will notify you by:
For non-material changes (e.g. clarifications, formatting, contact updates), we will update this page without additional notice. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
We maintain an archive of prior versions of this policy, available on request at privacy@magikwallet.com.
For any questions, concerns, or requests related to this Privacy Policy or the exercise of your rights, please contact our designated Grievance Officer:
We aim to resolve all privacy-related complaints within 30 days. Complex requests may take up to 60 days, in which case we will notify you of the extension and the reason.
This Privacy Policy was prepared in compliance with the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) 2016/679, and the UK GDPR as retained in domestic law by the Data Protection Act 2018. It should be read alongside our Terms of Use. © 2026 Sanas Digital Solutions. All rights reserved.