Privacy policy

Written in plain English, not legalese. The short version lives right below — the rest is the full detail you'll want if you care, or if a regulator asks.

Effective 23 April 2026 · Last updated 23 April 2026

The short version

1. Who we are

Duitful is a personal finance application operated by an independent developer based in Malaysia ("Duitful", "we", "us", or "our"). Duitful is distributed as a progressive web app at duitful.app/app and as native apps on the Apple App Store and Google Play Store.

For any privacy question, including requests under the Personal Data Protection Act 2010 (Malaysia) or any other applicable law, email hello@duitful.app. A human reads every message.

2. What we do not do

Because the things we don't do are central to how Duitful is built, it's easier to list them first.

3. What stays on your device

All the data that makes Duitful useful to you lives in local storage on the device where you use it:

This data is written to the browser's localStorage (or the equivalent storage inside the native app shell). It is encrypted at rest using AES-GCM with a 256-bit key derived from your passcode via PBKDF2 (250,000 iterations, SHA-256). We do not know your passcode; we do not have a copy of the derived key; we cannot decrypt your data.

If you forget your passcode, your data is not recoverable. This is a deliberate trade-off for genuine end-to-end privacy. We recommend writing your passcode down somewhere safe, or using Pro's encrypted backup export if you want a portable recovery copy.
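The scheme described above, as an added example (not Duitful's own code): PBKDF2 with 250,000 SHA-256 iterations derives a 256-bit AES-GCM key, and a wrong passcode or altered ciphertext fails authentication instead of yielding data. The record layout, the 16-byte salt, the 12-byte IV, the function names and the use of Node's crypto module are assumptions made for illustration.

```javascript
// Added illustration; storage layout and names are assumptions, not the app's code.
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 250000; // iteration count stated in the policy
const KEY_BYTES = 32;             // 256-bit AES key

// Stretch the passcode into an AES key. The salt is stored beside the
// ciphertext; the passcode and the derived key are never stored.
function deriveKey(passcode, salt) {
  return nodeCrypto.pbkdf2Sync(passcode, salt, PBKDF2_ITERATIONS, KEY_BYTES, "sha256");
}

// Encrypt one value into a record that is safe to write to localStorage.
function sealRecord(passcode, plaintext) {
  const salt = nodeCrypto.randomBytes(16); // assumed salt size
  const iv = nodeCrypto.randomBytes(12);   // standard GCM nonce size, fresh per write
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passcode, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns the plaintext, or null when the passcode is wrong or the record
// was modified: GCM tag verification fails before any data is released.
function openRecord(passcode, record) {
  const key = deriveKey(passcode, Buffer.from(record.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample data, not real user records.
const sample = sealRecord("4821", '{"balance":120.5}');
console.log(openRecord("4821", sample)); // original JSON
console.log(openRecord("0000", sample)); // null
```

Nothing in the stored record allows recovery without the passcode, which is why a forgotten passcode means the data cannot be restored.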

Local storage keys, for transparency

Duitful writes the following keys to your browser's local storage:

4. What actually reaches us

The only situations in which personal data leaves your device and reaches us or our vendors are these:

4.1 When you buy Duitful Pro through the web checkout

Pro can be purchased through Billplz, a Malaysian payment gateway. To start a checkout, we send Billplz your email address, the name you enter at checkout, the amount (RM 19.90 or the discounted amount if a code applies), a product reference (duitful_pro), and — if you arrived via a referral link — an 8-character referral code derived from the referrer's email.

Billplz then collects your bank or card details directly on their hosted checkout page. We never see those details. When Billplz notifies us that a payment has completed, our server receives the bill identifier, the paid state, the amount, and the email you provided.

We then issue you a Pro licence (see 4.3 below) and send it to the email address you provided. Our Vercel serverless function writes a short audit record of each purchase event (bill identifier, paid state, amount, email, any discount code used) to its execution log, so we can diagnose payment issues. These logs are kept by Vercel for a limited period (generally up to 30 days) and are not used for marketing, profiling, or any other purpose.

4.2 When you buy Duitful Pro inside the native iOS or Android app

In-app purchases are processed entirely by Apple (App Store) or Google (Play Store). Duitful does not receive your payment details or see your Apple ID / Google account. Those stores operate under their own privacy policies, which you accepted when you set up your device. Purchase receipts are validated locally using each store's standard SDK.

4.3 The Pro licence token

Once payment is confirmed, we generate a Pro licence. It is a short signed token, using ECDSA on the P-256 curve. The payload contains: a subject identifier (your Billplz bill ID, or a complimentary code for free licences), the email address you provided at checkout, the product code (duitful_pro), the referral code if any, the issue timestamp, and — when applicable — the discount source. The token is verified on your device with a public key built into the app. It contains no device identifier, no IP address, no location.

4.4 When you email us

If you email hello@duitful.app for support, feedback, or a bug report, the contents of your email, your email address, and any information you choose to include reach the operator directly. Inbound mail is forwarded through Cloudflare Email Routing to a personal inbox. We keep support correspondence for as long as needed to resolve the conversation and a reasonable period afterwards for reference; you can ask us to delete it at any time.

4.5 Website logs

The public website at duitful.app is served by GitHub Pages. When you visit, GitHub's servers receive standard HTTP request metadata — IP address, user-agent, referrer, requested path — which GitHub retains as part of its own operations under its own privacy policy. We don't operate our own web-access logging on top of that, and we don't receive or analyse those logs.

Our Pro-checkout endpoints are hosted on Vercel. When you hit those endpoints, Vercel retains similar request metadata for operational and security purposes, as described in Vercel's own privacy policy.

5. Third parties we use

Running a finance app on the modern internet involves a small number of service providers. Here is the complete list, what they see, and why we use them.

| Vendor | Role | What they see |
| --- | --- | --- |
| Billplz | Payment processor for web Pro checkout. | Your name, email, payment amount, bank/card details entered on their own checkout page. |
| Apple App Store | In-app purchase billing on iOS/iPadOS. | Whatever Apple handles as part of any App Store transaction. Governed by Apple's privacy policy. |
| Google Play | In-app purchase billing on Android. | Whatever Google handles as part of any Play Store transaction. Governed by Google's privacy policy. |
| Resend | Sends transactional email — your Pro licence receipt and internal sale notifications. | The email address we send to, and the contents of those transactional emails. |
| Cloudflare Email Routing | Forwards mail sent to hello@duitful.app to the operator's inbox. | Standard email metadata and message bodies, in transit. |
| Vercel | Hosts the Pro-checkout serverless functions. | Request metadata (IP, user-agent, referrer) for endpoints under /api/. |
| GitHub Pages | Hosts the public website and the web version of the app. | Standard web-server request metadata (IP, user-agent, referrer). |
| Google Fonts | Serves the Fraunces, Inter, and JetBrains Mono typefaces. | Your IP address, as part of the normal request for a CSS file and font files, during the first page load. |
| unpkg (optional fallback only) | Delivers the Tesseract.js OCR library if the bundled local copy is unavailable. | Your IP address, as part of a standard script request. Content of receipts is never sent anywhere — OCR runs on your device. |

We do not add or remove vendors casually. Any change here will be reflected in this policy and in the changelog.

6. Android notification access

On Android only, Duitful can optionally use the Notification Listener permission to auto-capture bank and e-wallet transaction alerts. We take this permission seriously because it's one of the most sensitive a user can grant.

7. Children

Duitful is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. How long we keep things

9. Your rights

Under the Personal Data Protection Act 2010 (Malaysia) and equivalent laws in other jurisdictions (for example the GDPR in the EU/UK, or the PDPA in Singapore), you have the right to:

To exercise any of these rights, email hello@duitful.app. Because most of your data is on your own device and not accessible to us, requests about that data are usually answered by pointing you at the in-app export or reset tools.

10. International users

Duitful is built in Malaysia for Malaysian users, but the app works anywhere and some of our vendors operate worldwide. If you use the app from outside Malaysia, the data that does leave your device (your email for a Pro purchase, and any mail you send us) will be processed in the regions where our vendors operate — including the United States for Vercel, Resend, and Cloudflare, and Malaysia for Billplz. By using the service, you consent to this transfer where required by law.

11. Security

No system is perfectly secure, but the design of Duitful is intentionally pessimistic. Your financial data is encrypted on-device with AES-GCM before it is ever written to storage, using a key derived from your passcode through 250,000 PBKDF2 iterations. Because the key never leaves your device, a theoretical breach of any Duitful-operated system would not expose your records.

If we ever discover a security issue that affects users, we will post details on this website and notify affected users by email where possible.

12. Changes to this policy

When this policy changes, we update the "last updated" date at the top and add an entry to the changelog. Material changes — anything that meaningfully affects what happens to your data — will be summarised in the changelog entry. Continuing to use Duitful after a change means you accept the updated policy.

13. Contact

Questions, complaints, data requests, or just a hello — all go to the same address:

hello@duitful.app