Written in plain English, not legalese. The short version lives right below — the rest is the full detail you'll want if you care, or if a regulator asks.
Duitful is a personal finance application operated by an independent developer based in Malaysia ("Duitful", "we", "us", or "our"). Duitful is distributed as a progressive web app at duitful.app/app and as native apps on the Apple App Store and Google Play Store.
For any privacy question, including requests under the Personal Data Protection Act 2010 (Malaysia) or any other applicable law, email [email protected]. A human reads every message.
Because the things we don't do are central to how Duitful is built, it's easier to list them first.
All the data that makes Duitful useful to you lives in local storage on the device where you use it:
This data is written to the browser's localStorage (or the equivalent storage inside the native app shell). It is encrypted at rest using AES-GCM with a 256-bit key derived from your passcode via PBKDF2 (250,000 iterations, SHA-256). We do not know your passcode; we do not have a copy of the derived key; we cannot decrypt your data.
If you forget your passcode, your data is not recoverable — not even if you have a Google Drive backup, because the backup is encrypted with the same passcode. This is a deliberate trade-off for genuine end-to-end privacy. We recommend writing your passcode down somewhere safe, and using Pro's Google Drive sync or CSV export so you have a portable copy of the encrypted data itself.
Duitful writes the following keys to your browser's local storage:
| Key | What it holds |
|---|---|
| duit-tracker.enc | The encrypted blob containing your records. |
| duit-tracker.v1 | A legacy plain-text store used only once during migration to the encrypted store, then cleared. |
| duit-tracker.referrer and duit-tracker.promo | Optional referral / promo codes if you followed a link, kept for 30 days. |
| duit-tracker.fx | Cached foreign-exchange rates, up to 24 hours. |
| duit-tracker.privacy | Whether you have "blur balances" mode turned on. |
| duit-tracker.install-dismissed-at | The timestamp when you dismissed the "install as an app" prompt, so we don't show it again for a while. |
| duit-tracker.drive | Only present if you have connected Google Drive sync (Pro). Holds the OAuth access token Google issued to your browser, the Drive file identifier of your backup, your Google account email (so the in-app status line can show which account is connected), and the timestamp of the last successful sync. Removed when you disconnect Drive sync. |

The only situations in which personal data leaves your device and reaches us or our vendors are these:
Pro can be purchased through Billplz, a Malaysian payment gateway. To start a checkout, we send Billplz your email address, the name you enter at checkout, the amount (RM 19.90 or the discounted amount if a code applies), a product reference (duitful_pro), and — if you arrived via a referral link — an 8-character referral code derived from the referrer's email.
Billplz then collects your bank or card details directly on their hosted checkout page. We never see those details. When Billplz notifies us that a payment has completed, our server receives the bill identifier, the paid state, the amount, and the email you provided.
We then issue you a Pro licence (see 4.3 below) and send it to the email address you provided. Our Vercel serverless function writes a short audit record of each purchase event (bill identifier, paid state, amount, email, any discount code used) to its execution log, so we can diagnose payment issues. These logs are kept by Vercel for a limited period (generally up to 30 days) and are not used for marketing, profiling, or any other purpose.
In-app purchases are processed entirely by Apple (App Store) or Google (Play Store). Duitful does not receive your payment details or see your Apple ID / Google account. Those stores operate under their own privacy policies, which you accepted when you set up your device. Purchase receipts are validated locally using each store's standard SDK.
Once payment is confirmed, we generate a Pro licence. It is a short signed token, using ECDSA on the P-256 curve. The payload contains: a subject identifier (your Billplz bill ID, or a complimentary code for free licences), the email address you provided at checkout, the product code (duitful_pro), the referral code if any, the issue timestamp, and — when applicable — the discount source. The token is verified on your device with a public key built into the app. It contains no device identifier, no IP address, no location.
If you email [email protected] for support, feedback, or a bug report, the contents of your email, your email address, and any information you choose to include reach the operator directly. Inbound mail is forwarded through Cloudflare Email Routing to a personal inbox. We keep support correspondence for as long as needed to resolve the conversation and a reasonable period afterwards for reference; you can ask us to delete it at any time.
Pro includes an optional encrypted-backup feature that uses your own Google Drive as the storage destination. The feature is off by default; turning it on requires you to sign in with a Google account and grant Duitful permission to access only its hidden application data folder on Drive (the drive.appdata OAuth scope). Duitful cannot see, list, read, or modify any other file in your Drive — only the single backup file it writes for itself.
When sync runs, your device:
Two consequences follow from this design:
What we record on your device when sync is enabled is listed in the local-storage keys table above (duit-tracker.drive). It does not include your passcode, your derived key, or any of your transaction data — only the OAuth token issued to your browser, the Drive file identifier, the Google account email, and the timestamp of the last sync.
You can disconnect Google Drive sync at any time from the in-app Cloud backup card. Disconnecting clears the OAuth token from your device and stops further uploads. The encrypted file already in your Drive is left where it is — you can delete it directly from Google's Drive > Settings > Manage apps screen, which also revokes Duitful's Drive permission.
Your interactions with Google through this feature are governed by Google's Privacy Policy and Terms. Storage of the backup file counts against the Google Drive quota of the account you connect.
The public website at duitful.app is served by GitHub Pages. When you visit, GitHub's servers receive standard HTTP request metadata — IP address, user-agent, referrer, requested path — which GitHub retains as part of its own operations under its own privacy policy. We don't operate our own web-access logging on top of that, and we don't receive or analyse those logs.
Our Pro-checkout endpoints are hosted on Vercel. When you hit those endpoints, Vercel retains similar request metadata for operational and security purposes, as described in Vercel's own privacy policy.
Running a finance app on the modern internet involves a small number of service providers. Here is the complete list, what they see, and why we use them.
| Vendor | Role | What they see |
|---|---|---|
| Billplz | Payment processor for web Pro checkout. | Your name, email, payment amount, bank/card details entered on their own checkout page. |
| Apple App Store | In-app purchase billing on iOS/iPadOS. | Whatever Apple handles as part of any App Store transaction. Governed by Apple's privacy policy. |
| Google Play | In-app purchase billing on Android. | Whatever Google handles as part of any Play Store transaction. Governed by Google's privacy policy. |
| Resend | Sends transactional email — your Pro licence receipt and internal sale notifications. | The email address we send to, and the contents of those transactional emails. |
| Cloudflare Email Routing | Forwards mail sent to [email protected] to the operator's inbox. | Standard email metadata and message bodies, in transit. |
| Vercel | Hosts the Pro-checkout serverless functions. | Request metadata (IP, user-agent, referrer) for endpoints under /api/. |
| GitHub Pages | Hosts the public website and the web version of the app. | Standard web-server request metadata (IP, user-agent, referrer). |
| Google Drive & Google Identity | Hosts Pro's optional encrypted backup in your own Drive (hidden app folder). Used only if you connect Drive sync. | Your Google account email, the OAuth grant for the drive.appdata scope, and an encrypted blob Google cannot read without your passcode. |
| Google Fonts | Serves the Fraunces, Inter, and JetBrains Mono typefaces. | Your IP address, as part of the normal request for a CSS file and font files, during the first page load. |
| unpkg (optional fallback only) | Delivers the Tesseract.js OCR library if the bundled local copy is unavailable. | Your IP address, as part of a standard script request. Content of receipts is never sent anywhere — OCR runs on your device. |
We do not add or remove vendors casually. Any change here will be reflected in this policy and in the changelog.
On Android only, Duitful can optionally use the Notification Listener permission to auto-capture bank and e-wallet transaction alerts. We take this permission seriously because it's one of the most sensitive a user can grant.
Duitful is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
You have rights over how your personal data is handled. The exact list depends on where you live, but Duitful applies the most protective regime everywhere — if your country's law gives you a stronger right, you get it.
Under the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR, you have the following rights:
For users in the EU, EEA, or UK, the legal basis for each kind of processing is:
| Processing | Legal basis |
|---|---|
| Issuing your Pro licence after payment | Performance of a contract — Art. 6(1)(b) |
| Sending the licence email via Resend | Performance of a contract — Art. 6(1)(b) |
| Storing payment audit logs on Vercel | Legitimate interest — Art. 6(1)(f): fraud prevention and dispute resolution |
| Responding to your support email | Legitimate interest at your request — Art. 6(1)(f) |
| Pro's optional Google Drive backup | Your explicit consent — Art. 6(1)(a) (you turn it on; withdraw any time) |
We do not rely on the "legitimate interest" basis for any processing other than the rows above, and we do not perform any direct-marketing processing.
You have the rights of access, correction, and withdrawal of consent under the Personal Data Protection Act 2010. The supervisory authority is the Personal Data Protection Department of Malaysia.
You have rights of access and correction under Singapore's Personal Data Protection Act. The supervisory authority is the Personal Data Protection Commission (PDPC).
You have rights to know what categories of personal information we collect (see Section 4), to delete it, to opt out of "sale" or "sharing" of personal information (we do neither), and to non-discrimination for exercising your rights. We do not engage in cross-context behavioural advertising.
Email [email protected] with the subject "Privacy request" and the right you want to exercise. We respond within 30 days (sooner where required by law). There is no fee for exercising your rights.
Because nearly all your data lives on your own device and is unreadable to us, most requests are answered by pointing you at the in-app CSV export, encrypted backup, or Reset all data tools — those give you the rights of access, portability, and erasure faster than we can.
Duitful is built in Malaysia, but the app works anywhere and some of our vendors operate worldwide. If you use Duitful from outside Malaysia, the small amount of data that does leave your device (your email for a Pro purchase, and any mail you send us) is processed in the regions where our vendors operate — primarily the United States (Vercel, Resend, Cloudflare) and Malaysia (Billplz).
For users in the EU, EEA, or UK, transfers of personal data to countries outside those regions rely on appropriate safeguards under GDPR Chapter V. Specifically:
By using the service, you consent to these transfers where consent is the lawful basis. You can withdraw consent and stop further transfers at any time by deleting the app and emailing us to request removal of any remaining records (see Section 9).
No system is perfectly secure, but the design of Duitful is intentionally pessimistic. Your financial data is encrypted on-device with AES-GCM before it is ever written to storage, using a key derived from your passcode through 250,000 PBKDF2 iterations. Because the key never leaves your device, a theoretical breach of any Duitful-operated system would not expose your records.
If we ever discover a security issue that affects users, we will post details on this website and notify affected users by email where possible.
When this policy changes, we update the "last updated" date at the top and add an entry to the changelog. Material changes — anything that meaningfully affects what happens to your data — will be summarised in the changelog entry. Continuing to use Duitful after a change means you accept the updated policy.
Questions, complaints, data requests, or just a hello — all go to the same address: