Private by construction.

Nala is an expense journal that works offline and syncs to your account in the cloud. We don't sell your data, we don't run ads, and we don't build a profile of you. The only features that send data outside Nala's own systems are the AI input and receipt scanner, which use OpenAI — covered in detail below.

Your ledger — entries, notes, receipts, spaces, categories — is stored in two places:

• On your device, so the app works offline. You can add, edit, and read entries without a network connection. (AI features require connectivity.)
• In the cloud, tied to your account, so your ledger stays in sync across your devices and survives losing a phone. We use Google Firebase (Firestore and Firebase Authentication) hosted in the United States. Data is encrypted in transit (TLS) and at rest.

Because Firebase is the backend, Google processes this data on our behalf under its standard data processing terms. Access inside Nala is limited to the small number of engineers who need it to operate the service — for example, to investigate a bug you've reported or to respond to a legal request. We don't browse your ledger for any other reason.

• Account email — so we can sign you in and send service emails.
• Your ledger data — the entries you create are stored under your account as described above.
• Crash and diagnostic reports — if you opt in via iOS settings, Apple forwards anonymized crash traces to us to fix bugs. You can turn this off in Settings → Privacy → Analytics.
• Purchase receipts — handled by Apple. We receive only what Apple returns to verify your subscription status.

Two features send data off your device: the natural-language entry input and the receipt scanner. Both are processed by OpenAI via their API.

• AI input— the text you type (e.g. “12 tacos + horchata yesterday”) is sent to OpenAI so it can be parsed into a structured entry.
• Receipt scanner — the receipt image you capture is sent to OpenAI for text extraction and line-item parsing. The parsed result is saved with the entry; the original image is stored alongside it in your ledger.

Under OpenAI's API terms, inputs and outputs are not used to train their models, and they retain API data for up to 30 days for abuse monitoring before deletion. Transport is encrypted (TLS). No other identifiers about you are sent with these requests.

• No advertising. No ad networks. No tracking pixels.
• No selling or renting your data to anyone, ever.
• No “partners” mining your ledger. Our infrastructure providers (see below) store and process data on our behalf — they don't use it for their own purposes.
• No profiling across apps or websites. We don't use the IDFA.

• Apple — app distribution, payments, push notifications, and (if you opt in) anonymized crash analytics.
• Google Firebase(US) — hosts your account and ledger on our behalf. Subject to Google's Firebase privacy and security terms.
• OpenAI— processes AI input text and receipt images as described above. Subject to OpenAI's privacy policy.
• Email delivery provider — used only to send you transactional mail (beta invite, receipts).

Each processes data only as needed to provide the service and under contract. We do not share your ledger with anyone else.

Nala is not directed to children under 13, and we don't knowingly collect information from them.

You can export everything at any time — CSV, JSON, or a bound PDF — from inside the app. You can delete your account at any time; this removes your ledger and your account record from our servers. Deleting the app also removes the local copy on your device. If you'd rather we handle it for you, or if you want a copy of everything we have on you, write to hello@nala.app.

If this policy changes in a way that affects you, we'll tell you in the app before it takes effect. The “Updated” date at the top of this page always reflects the current version.

Questions, concerns, or a request about your data: hello@nala.app.