Privacy Policy

Last updated: April 2026

What We Collect

Hisab collects only what is necessary to provide you with a personal finance management experience. This includes:

  • Google account information — your name, email address, and profile photo, obtained at sign-in via Google OAuth.
  • Financial data you enter — transactions, account balances, budgets, savings goals, investment holdings, and manual assets you create within the app.
  • Preferences — your selected currency, custom categories, and transaction categorisation rules.

We do not collect anything beyond what you explicitly provide.

Bank Statement Processing

When you upload a bank statement PDF, Hisab processes it server-side to extract your transactions. Here is exactly what happens:

  • The PDF is parsed in memory on the server. The original file is never written to permanent storage.
  • Extracted transactions are encrypted before being written to the database.
  • SHA-256 hashing is used to detect and discard duplicate transactions across multiple uploads of the same statement.
  • We never ask for, see, or store your online banking username or password.

What We Don't Collect

The following data is never collected by Hisab:

  • Bank credentials, PINs, or passwords of any kind.
  • Payment card numbers, CVVs, or any payment instrument details.
  • Device identifiers, advertising IDs, or hardware fingerprints.
  • Location data, contact lists, or call logs.
  • Behavioural analytics, event tracking, heatmaps, or session recordings.
  • Third-party tracking cookies. The only cookies Hisab sets are session cookies required for authentication.

Third-Party Services

Hisab uses a minimal set of third-party services:

  • Google — used solely for authentication (OAuth 2.0). We receive your name, email, and profile photo. No other Google services are used.
  • Yahoo Finance — used to fetch market prices for investment holdings. Only ticker symbols (e.g., AAPL, GOOGL) are sent in these requests. No user data is transmitted.

There are no advertising networks, analytics platforms, or data broker integrations of any kind. Your financial data is never sold or shared with third parties.

Data Security

We take reasonable technical measures to protect your data:

  • Sensitive fields — account names, transaction amounts, descriptions, and investment holdings — are encrypted at rest in the database.
  • The database runs on a private PostgreSQL server that is not publicly accessible.
  • All communication between your browser and Hisab's servers is encrypted over HTTPS/TLS.
  • Authentication is session-based. Sessions are invalidated when you sign out.

While we implement strong safeguards, no system is completely immune to security incidents. We encourage you to use a strong, unique Google account password and enable two-factor authentication on your Google account.

Your Rights

You have full control over your data in Hisab:

  • Export — you can download a CSV export of your transactions and other data at any time from the Settings page.
  • Deletion — you can request deletion of your account and all associated data by contacting us at hisab@servolix.com. Deletion is irreversible and takes effect within 30 days.
  • Inquiry — you may contact us at hisab@servolix.com to ask what data is stored about you.

Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Islamic Republic of Pakistan. In particular:

  • The Prevention of Electronic Crimes Act 2016 (PECA) establishes obligations around data protection and electronic privacy in Pakistan that Hisab aims to honour.
  • Pakistan's forthcoming Personal Data Protection Bill, once enacted, will be complied with to the extent applicable to a service of this nature.

Any disputes arising from this policy shall be subject to the jurisdiction of courts in Pakistan.


© 2026 Hisab · Apna Hisab, Ab Asan.
