Privacy Policy
This policy explains exactly what Kaya stores, why, with whom it is shared, and how to delete it. We keep it short and concrete. "We" means the Kaya service, operated by lahbacana.
1. What Kaya stores
Account data
- Email address — used to sign you in, send password resets, and send Kaya-to-you notifications. Never sold.
- Display name — shown next to expenses you log.
- Password hash — bcrypt; we never store your plain password.
- Subscription status — if paid plans are active, the tier, provider (Apple), and renewal date, used for entitlement checks only. Kaya is currently free for everyone (see the Terms).
Financial data you give us
- Expenses — every transaction you log (date, amount, currency, merchant, category, account, optional note).
- Accounts — names and types of the payment methods you configure, plus any account aliases (bank-side text that maps to a Kaya account).
- Receipts and statements you upload — image or PDF files, retained for as long as the linked expense exists, stored on Render's persistent disk.
- Bank statement uploads — parsed into expense rows; the original file is retained alongside the linked expenses.
Logs and analytics
- Errors and crash reports — sent to Sentry, from our servers and the Kaya app. Includes the stack trace, app version, and your user ID; we set send_default_pii=false and do not include personal data. You can turn off app crash reporting in Settings, Privacy, "Don't report errors."
- Product analytics — anonymized usage events (which screens you visit and actions you take, such as expense_created), sent to PostHog (US region) and keyed by your user ID. No expense amounts, merchants, receipt or statement contents, or message text are ever sent as analytics. You can turn this off in Settings, Privacy, "Don't track my usage."
- Server logs — request lines (path, status, latency, user ID), retained for 30 days.
What Kaya does NOT store
- Your Apple ID, Apple Pay card numbers, or any payment method numbers. Kaya only sees the merchant and amount that an Apple Shortcut posts.
- Bank account numbers, online-banking passwords, or OAuth tokens to your bank. Kaya does not connect to banks directly.
- Raw email body content beyond a short preview, after the message has been processed.
- Voice recordings. They are transcribed on the fly and the audio is discarded.
2. Why Kaya stores it
To run the service you asked for: capture expenses, let you query and reconcile them, and send the notifications you opted into. We do not sell, rent, or share your data with advertisers.
3. Where data is processed
- Render (US-East) — application server and database. See render.com/privacy.
- Google Gemini API — your note text, voice transcription, or receipt image is sent to Gemini to parse it into structured expense data. Google does not use API content to train its models (Gemini API terms), and requests are not retained after the response.
- OpenAI (Whisper) — when you capture by voice, audio is transcribed via Whisper and not retained after the response.
- Telegram — if you use the optional Telegram bot, your messages pass through Telegram's servers under Telegram's privacy policy.
- Sentry and PostHog — error tracking and anonymized analytics, as described above.
- Apple App Store / StoreKit — if you ever purchase a subscription, Apple handles all payment data and Kaya receives only the subscription state.
4. Data retention and deletion
- Expense rows live until you delete them. Soft-deleted rows go to Trash and can be restored for 30 days, after which they are permanently removed.
- Inbound email events are retained 30 days for skipped events and 90 days for events that became expenses.
- To delete everything — Settings, Account, Delete account. This irreversibly removes your user, every expense, every uploaded file, and every linked record. We do not retain backups beyond 30 days, so within 30 days of deletion all traces are gone.
5. Children
Kaya is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we will delete the account.
6. Your rights
You can request a copy of your data (Settings, Export) or deletion at any time. We respond to GDPR and CCPA requests within 30 days.
7. Changes to this policy
Material changes will be announced in-app at least 30 days before they take effect. Continued use after that date constitutes acceptance.