Overview
Nami: Spending Tracker ("we", "our", or "us") is a personal finance app that helps you understand your spending by analysing bank statements using AI. This policy explains what data we collect, how we use it, which third parties we share it with, and your rights.
Last updated: 28 April 2026
At a glance — AI data processing
- What we share: the transaction data inside any bank statement (PDF or CSV) you choose to upload — dates, merchant names, amounts, and surrounding statement text.
- Who it goes to: Google's Gemini AI, used to extract and categorise your transactions and to generate the spending insights you see in the app.
- Retention: Google does not retain your statement data after processing and does not use it to train AI models.
- Your control: the first time you upload a statement, Nami asks for your explicit consent before sending anything. You can delete all your data at any time from Profile → Privacy & Data → Delete Account.
The full breakdown is in the AI Processing section below.
Data We Collect
- Email address — used to create and manage your account. Provided either when you sign up with email and password, or returned to us by Apple or Google when you choose Sign in with Apple or Sign in with Google.
- Account identifier — a unique opaque user ID is created for your account. This is the only identifier we use to associate analytics events with your account.
- Bank statement content — when you upload a PDF or CSV bank statement, the content of that file is sent to Google's Gemini AI service to extract and categorise your transactions. You will be asked for your consent before this occurs.
- Financial transaction data — the transactions extracted from your statements are stored securely in your account.
- Subscription status — if you purchase a subscription, RevenueCat records your purchase and renewal status against an anonymous user ID so we can unlock paid features. Apple processes the payment itself; we never see your card details.
We do not collect your phone number, location, contacts, photo library, or payment card information. If you sign in with Apple or Google, those providers may pass your name and profile picture to the app during the sign-in handshake, but Nami does not retain or transmit your name or profile picture beyond that initial response.
How You Sign In
Nami offers three sign-in methods. You choose which one to use:
- Email and password — handled by Supabase Auth. Your password is never seen by us in plain text; Supabase stores a salted hash.
- Sign in with Apple — Apple authenticates you and returns an identity token plus your email (which may be a private relay address you control) and, on first sign-in only, your name. Nami exchanges the identity token for a Supabase session. Apple's relay address means you can revoke our access at any time from your Apple ID settings without losing access to your account on our side.
- Sign in with Google — Google authenticates you via the official Google Sign-In iOS SDK and returns an identity token, your email address, and your Google account ID. Nami exchanges the identity token for a Supabase session. See the Google Privacy Policy for how Google handles your account.
Whichever method you choose, the only identity data we retain on our backend are your email address and an opaque Supabase user ID.
How We Use Your Data
- To provide the core features of the app (transaction summaries, insights, categorisation).
- To securely store your transactions so they persist across sessions.
- To generate AI-powered spending insights via Google Gemini AI.
We do not use your data for advertising, profiling, or any purpose beyond app functionality.
Third-Party AI Processing — Google Gemini
Nami uses Google's Gemini AI to read and extract transactions from the bank statements you upload, and to generate the spending insights and category breakdowns you see in the app. Here is exactly what happens:
- What data is sent: The full text content of your uploaded bank statement (PDF or CSV) — including transaction dates, merchant names, amounts, and any surrounding statement text. When you ask Nami a question through the in-app assistant ("Ask Nami"), your question and the relevant transaction context are also sent so the assistant can answer.
- Who it is sent to: Google LLC, via the Gemini API, proxied through our secure server. Your device never communicates directly with Google.
- Purpose: To extract transaction descriptions, amounts, dates, and categories from your statement, and to generate the personalised spending insights, category summaries, and assistant answers Nami shows you.
- Retention: Google does not store your statement data after processing and does not use it to train AI models. We only retain the extracted transaction records in your account so they appear when you reopen the app.
- Your consent: You are shown an explicit consent prompt the first time you upload a statement, explaining this processing. You must agree before any data is sent. You can review the same disclosure at any time from Profile → Privacy & Data → AI processing.
- Your right to delete: You can delete every transaction Nami has extracted, along with your account, at any time from Profile → Privacy & Data → Delete Account. Deletion is permanent and removes your data from our servers.
Google's data processing provides equivalent privacy protections as required by applicable laws. For more information, see the Google Privacy Policy.
Other Third-Party Services
- Supabase — secure cloud database and authentication. Your data is stored in Supabase and protected by Row Level Security, meaning only you can access your own data. See the Supabase Privacy Policy.
- Apple — Sign in with Apple — used only when you choose this sign-in method. Apple returns an identity token (and on first sign-in, your name and email) which we exchange for a Supabase session. See the Apple Privacy Policy.
- Google Sign-In — used only when you choose to Sign in with Google. Google's iOS SDK handles the OAuth flow and returns an identity token, your email, and your Google account ID, which we exchange for a Supabase session. This is a separate service from the Gemini AI integration described above and uses a different Google product. See the Google Privacy Policy.
- RevenueCat — used to manage in-app subscription purchases. RevenueCat receives an anonymous user ID and your purchase events from Apple's StoreKit; it does not see your name, email, or transaction data. See the RevenueCat Privacy Policy.
- PostHog — used for anonymous product analytics (app opens, feature usage, sign-in method). Events are tagged with your opaque Supabase user ID only — never your email, name, or any financial data. See the PostHog Privacy Policy.
Data Storage & Security
Your data is stored in Supabase (EU region) with Row Level Security enforced — meaning no other user can access your data. All data is transmitted over HTTPS. The Gemini API key is stored server-side and never included in the app binary.
Data Retention & Deletion
Your data is retained for as long as you have an account. You can delete your account at any time from the Profile tab inside the app. Deleting your account permanently removes all your data from our servers and cannot be undone.
Your Rights
You have the right to:
- Access the data we hold about you.
- Delete your account and all associated data at any time, directly in the app.
- Withdraw consent for AI processing by not uploading statements.
- Contact us with any privacy-related questions.
Children's Privacy
Nami is not directed at children under 13. We do not knowingly collect data from children.
Changes to This Policy
We may update this policy from time to time. Any changes will be reflected on this page with an updated date. Continued use of the app after changes constitutes acceptance of the updated policy.
Contact
If you have any questions about this privacy policy, please contact us at:
contact@meliolabs.io