1. Introduction
Welcome to JABBA ("Just Another Budgeting App"). This Privacy Policy explains how Helix Data Solutions Limited ("we," "us," or "our"), a company registered in New Zealand, collects, uses, discloses, and protects your personal information when you use our mobile application.
We are committed to protecting your privacy and ensuring the security of your financial data. JABBA is designed with a "local-first" philosophy, meaning your financial information stays on your device unless you explicitly choose to enable cloud sync features.
Key Point: Your financial transaction data is stored locally on your device and is never uploaded to our servers. Only anonymized metadata is used for optional cloud features.
2. Information We Collect
2.1 Information You Provide
- Email Address: Used for account authentication and important service communications.
- Financial Data: Transaction details, account balances, and commitment information you enter or import. This data is stored locally on your device.
- Preferences: App settings and customization choices.
2.2 Information Collected Automatically
- Device Information: Device type, operating system version, and unique device identifiers (for multi-device sync functionality).
- Usage Data: App feature usage patterns to improve the service (no financial data is included).
- Subscription Status: Information about your trial period or subscription for feature access management.
2.3 Information We Do NOT Collect
- Bank account login credentials
- Credit card numbers or payment details (handled by Apple)
- Social Security numbers or government IDs
- Precise location data
3. How We Use Your Information
We use your information for the following purposes:
- Account Authentication: To verify your identity and secure your account using email-based verification codes.
- Service Provision: To provide budgeting, commitment tracking, and financial management features.
- Multi-Device Sync: To synchronize your data across your devices when you enable this optional feature.
- AI-Powered Features: To provide repayment strategy recommendations and CSV field detection (using only anonymized data).
- Subscription Management: To manage your trial period and subscription status.
- Service Improvement: To understand how users interact with JABBA and improve our features.
- Communication: To send important service updates and respond to support requests.
4. AI Features & Data Processing
JABBA includes AI-powered features to enhance your budgeting experience. We take special care to protect your privacy when using these features.
4.1 AI Repayment Strategy
When you request AI-generated repayment strategies, we send only:
- Anonymized amounts (e.g., commitment values)
- Categories (e.g., "subscription," "loan," "utility")
- Due dates and frequencies
- Priority classifications you've set
We never send personal identifiers, account numbers, merchant names, or transaction descriptions to our AI service.
4.2 CSV Field Detection
When importing bank statements, AI analyzes the structure of your CSV file to automatically detect columns. Only the column headers and a small sample of anonymized data patterns are processed to identify field types (date, amount, description, balance).
4.3 AI Service Provider
Our AI features are powered by Anthropic's Claude API, accessed through Cloudflare AI Gateway. Both providers maintain strict data protection standards. AI processing is stateless: no financial data is retained by our AI providers after processing your request.
Your Control: AI features are optional. If you prefer not to use AI-powered features, you can manually configure your repayment priorities and CSV column mappings.
5. Data Storage & Security
5.1 Local-First Architecture
JABBA is built with a local-first approach:
- On-Device Storage: All your financial data (transactions, balances, commitments) is stored locally on your device using Apple's SwiftData framework with SQLite encryption.
- Your Device is the Source of Truth: Even when sync is enabled, your device maintains the authoritative copy of your data.
5.2 Cloud Sync (Optional)
If you enable multi-device sync:
- End-to-End Encryption: Your financial data is encrypted on your device before being uploaded. We cannot read your encrypted data.
- Sync Metadata: We store minimal metadata (device registry, sync timestamps) to coordinate synchronization.
- Encrypted Blobs: Your encrypted data is stored in Cloudflare R2 storage with industry-standard security.
5.3 Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Secure email-based authentication (no passwords to steal)
- Device-level encryption using iOS Keychain
- Regular security audits and updates
6. Data Retention
We retain your data according to the following policies:
- Active Account: Your data is retained as long as your account remains active.
- Account Deletion: When you delete your account or data, we retain it for 6 months in case you wish to return to the app. After this period, all data is permanently deleted.
- Sync Metadata: Device registration and sync metadata are deleted when you remove a device or delete your account.
- AI Request Logs: AI feature usage logs (containing no financial data) are retained for 30 days for debugging purposes, then deleted.
Immediate Deletion: If you require immediate and permanent deletion of your data without the 6-month retention period, please contact us at jabba@oneway.co.nz.
7. Third-Party Services
We use the following third-party services to provide JABBA:
7.1 Cloudflare
- Workers: Serverless computing for our API
- D1: Database for sync metadata (not financial data)
- R2: Object storage for encrypted sync blobs
- AI Gateway: Secure routing to AI services
Cloudflare's privacy policy: cloudflare.com/privacypolicy
7.2 Anthropic (Claude AI)
Powers our AI features with anonymized data only. Anthropic's privacy policy: anthropic.com/privacy
7.3 Apple
Handles all subscription payments and provides the App Store distribution platform. We do not receive or store your payment information. Apple's privacy policy: apple.com/legal/privacy
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation:
8.1 Right to Access
You have the right to request a copy of the personal data we hold about you. Since most of your data is stored locally on your device, you already have direct access to it within the app.
8.2 Right to Rectification
You can correct any inaccurate personal data directly within the app, or request that we correct data held in our systems.
8.3 Right to Erasure ("Right to be Forgotten")
You can delete your account and all associated data at any time through the app's settings. You may also request immediate erasure by contacting us.
8.4 Right to Data Portability
You can export your financial data from the app in standard formats for use in other applications.
8.5 Right to Restrict Processing
You can request that we limit the processing of your personal data in certain circumstances.
8.6 Right to Object
You can object to processing of your personal data for certain purposes, including direct marketing (which we do not engage in).
8.7 Rights Related to Automated Decision-Making
Our AI features provide recommendations only and do not make automated decisions that have legal or similarly significant effects on you. You always have the final say on your financial decisions.
8.8 Legal Basis for Processing
We process your data based on:
- Contract Performance: To provide the JABBA service you've signed up for
- Legitimate Interests: To improve our service and prevent fraud
- Consent: For optional features like AI recommendations (you can opt out)
8.9 Data Protection Officer
For GDPR-related inquiries, contact us at jabba@oneway.co.nz.
9. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act:
9.1 Right to Know
You have the right to know what personal information we collect, use, disclose, and sell. This Privacy Policy serves as our disclosure. We do not sell personal information.
9.2 Right to Delete
You can request deletion of your personal information. Use the account deletion feature in the app or contact us directly.
9.3 Right to Opt-Out of Sale
We do not sell your personal information. We have never sold personal information and have no plans to do so.
9.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. You will receive equal service and pricing regardless of whether you exercise these rights.
9.5 Categories of Personal Information Collected
In the past 12 months, we have collected:
- Identifiers: Email address, device identifiers
- Commercial Information: Subscription and transaction history within the app
- Internet Activity: App usage patterns
9.6 Exercising Your Rights
To exercise your CCPA rights, contact us at jabba@oneway.co.nz. We will respond within 45 days.
10. Children's Privacy
JABBA is a financial management application suitable for users of all ages. However, we recommend that minors use the app under parental guidance, especially for financial planning features.
We do not knowingly collect personal information from children under 13 without parental consent. If you believe we have collected information from a child without appropriate consent, please contact us immediately.
11. International Data Transfers
Helix Data Solutions Limited is based in New Zealand. Our infrastructure providers (Cloudflare) operate globally. When you use JABBA:
- Your local device data remains on your device in your country
- If you enable sync, encrypted data may be stored in data centers in various countries
- AI processing may occur in the United States (via Cloudflare and Anthropic)
We ensure that any international transfers comply with applicable data protection laws, including through standard contractual clauses where required.
New Zealand has been recognized by the European Commission as providing an adequate level of data protection.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you through the app or via email
- For significant changes affecting your rights, we will seek your consent before continuing to process your data under the new terms
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Helix Data Solutions Limited
New Zealand
Email: jabba@oneway.co.nz
We aim to respond to all inquiries within 5 business days.