HumDono


Privacy Policy

Your data is yours.
We protect it like that.

Last updated: June 6, 2026

In plain words

HumDono is a personal finance app for individuals, with optional partner sharing. It is built and operated by Alok Bhalke, a UK-based Indian developer, as a personal project alongside a small number of paying users (family, friends, and a few external supporters at ₹600 / £5 per year).

To make HumDono work, we have to store your financial data. We treat that responsibility seriously. This page explains in honest detail what we collect, why, and what control you have over it.

Three things we will never do: sell your data, share it with advertisers, or read it for anything other than running the service you signed up for.

Who we are

HumDono is operated by Alok Bhalke, an individual sole-trader based in the United Kingdom. There is no company — it is one person running a side project on weekends.

For all data, privacy, and grievance queries, contact: vaayusahas@gmail.com.

Under UK GDPR and EU GDPR, Alok Bhalke is the Data Controller for the personal data you give us. Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), Alok Bhalke is the Data Fiduciary.

Legal basis for processing (UK / EU GDPR)

We process your personal data under the following lawful bases:

  • Performance of a contract (Article 6(1)(b)) — most of the data you enter (income, expenses, savings, etc.) is processed so we can provide the service you signed up for. Without this data, the app cannot work.
  • Legitimate interest (Article 6(1)(f)) — anonymous analytics (Vercel Analytics, no cookies, no personal identifiers) and basic security logging.
  • Consent (Article 6(1)(a)) — for any optional features that go beyond core service (none currently exist, but if we add any, we will ask for explicit consent first).

We do not rely on consent as the legal basis for core financial data — because we believe it's confusing to ask "do you consent to us storing the data you literally typed in?". Instead, by signing up and using HumDono, you enter a contract with us, and your data is processed under that contract.

What we collect

We only collect what we need to run the service.

You give us directly

  • Name and email address (from your Google account when you sign in)
  • Profile photo URL (from your Google account, only if available)
  • Partner's display name (only if you choose to invite a partner; this is just a label, no link to that person until they sign up themselves)
  • Financial data you enter — income, expenses, savings goals, investments, EMIs, tax details, cash/bank balances, trade journal entries
  • Currency settings — your preferred home currency and exchange rates (if you set these in Settings)

From bank statement imports

  • When you upload a bank statement PDF, the file is parsed entirely in your browser. The PDF itself is never uploaded to our servers. Only the extracted transactions you choose to save are stored — and those follow the same rules as data you type in directly.

Collected automatically

  • Authentication metadata from Google (last sign-in time, IP)
  • Anonymous analytics via Vercel Analytics — page views, country, device type. No personal identifiers, no cross-site tracking, no cookies. See Vercel's privacy policy.
  • Server logs — standard request logs (timestamp, route, response code) retained for up to 30 days for debugging and security

What we do not collect

  • Bank account credentials or passwords (we never ask for these)
  • Bank API tokens (we do not integrate with Open Banking; PDF parsing is browser-side only)
  • PAN, Aadhaar, NI Number, or other government identifiers
  • Your contacts, location, or browsing history
  • Cookies for advertising or tracking

How we use it

The data is used for one thing: to show you and (if you invite them) your partner an accurate financial dashboard. Specifically:

  • Storing and retrieving your finance entries
  • Calculating sums, charts, AI insights, and currency conversions from your own data
  • Authenticating you and linking you to your household when a partner invites you (or vice versa)
  • Sending occasional service emails (account changes, security alerts) — never marketing

Aggregate, anonymous insights from analytics may be used to understand which features are popular. Nothing identifying you is shared externally.

Who can see it

You and your partner only. If and only if you choose to link a partner via the 6-digit invite code, both of you can read and edit the same household's data. Other HumDono users cannot see your data, even if they have your email or phone number — Firestore security rules enforce this at the database level.

Service providers we use (acting as Data Processors on our behalf, bound by their own privacy obligations):

  • Google Firebase (Authentication + Firestore database) — stores your data in the asia-south1 region (Mumbai, India)
  • Google (Sign-In) — handles authentication when you sign in with your Google account
  • Vercel Inc. (web hosting and anonymous analytics)
  • Anthropic (only if you use the "AI advisor" feature; insights are generated from aggregated, anonymised summaries of your data — never raw transactions)

We do not share data with advertisers, data brokers, marketing partners, or any third party for commercial purposes.

International data transfers

HumDono is operated from the UK, but your data is stored on Google Firebase servers in India (asia-south1, Mumbai). For users in the UK, EU, or other regions, this is an international transfer of personal data outside your home jurisdiction.

We rely on the following safeguards for these transfers:

  • Google's Standard Contractual Clauses (SCCs) — Google Cloud's default data processing terms include EU-Commission-approved SCCs which apply to UK and EU personal data transferred to India.
  • Encryption in transit and at rest — all data is encrypted using TLS 1.3 in transit and AES-256 at rest, reducing risk during the transfer.
  • Access control — Firestore security rules enforce that only household members can read household data, regardless of where the database physically lives.

If you are not comfortable with your data being stored in India, do not sign up for HumDono. We do not currently offer a UK-only or EU-only storage option.

Where and how it's stored

  • Location: Google Cloud, asia-south1 (Mumbai, India)
  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256 (Google Cloud default)
  • Access control: Firestore Security Rules enforce that only members of your household can read its data
  • Authentication: Handled by Google; we do not store your password

An honest note: Like all server-side databases, Firebase is technically capable of accessing stored data. We do not currently offer end-to-end encryption (where only your device holds the keys). If E2E becomes important to our users, we'll consider building it. Bank statement PDF parsing, however, is already browser-side — your PDF never leaves your device.

How long we keep it

While your account is active, we keep your data so the dashboard works.

  • If you delete your account: we erase all your personal and financial data within 30 days. You can trigger this yourself from inside the app (Settings → Account → Delete account). Anonymous aggregate analytics may persist beyond this.
  • Backups: automated backups roll over within 90 days
  • Legal exceptions: if law requires retention (rare; for example, fraud investigations), we keep only what's legally required and inform you when permitted

Your rights (UK / EU GDPR)

If you are in the UK or EU, you have the following rights under UK GDPR and EU GDPR:

  • Right of access (Article 15) — request a copy of your data. You can export this yourself from Settings → Account → Export my data, anytime.
  • Right to rectification (Article 16) — correct inaccurate data. Most data can be edited directly in the app.
  • Right to erasure / "right to be forgotten" (Article 17) — delete your data. Available in Settings → Account → Delete account.
  • Right to restrict processing (Article 18) — limit how we use your data. Email us if this applies.
  • Right to data portability (Article 20) — receive your data in a machine-readable format (JSON). Export My Data does exactly this.
  • Right to object (Article 21) — object to processing under legitimate interest (anonymous analytics). Email us if you wish to opt out.
  • Right to withdraw consent — for anything we process under consent, you can withdraw at any time. Deleting your account effectively withdraws all consents.
  • Right to lodge a complaint — if you believe we have mishandled your data, you can complain to your local supervisory authority:

We aim to respond to all rights requests within 30 days (as required by GDPR). For complex requests we may extend by a further 60 days, with notice.

Your rights (India DPDP Act 2023)

If you are a resident of India, you have the following rights under the Digital Personal Data Protection Act, 2023:

  • Right to access your data (Export My Data in Settings)
  • Right to correction of inaccurate data (edit in the app)
  • Right to erasure (Delete Account in Settings)
  • Right to portability (Export My Data provides JSON)
  • Right to withdraw consent (delete account terminates all consents)
  • Right to lodge a grievance with our Grievance Officer (see Contact below)
  • Right to escalate unresolved grievances to the Data Protection Board of India

We respond within 30 days as required by the DPDP Act.

Children's privacy

HumDono is intended for users aged 18 and older. We do not knowingly collect data from minors. If you believe a child has signed up, contact us and we'll erase the account.

Paid users

HumDono offers optional paid access at ₹600 / £5 per year. Payment is handled manually via UPI (India) or PayPal (UK/global) — we do not store your payment information. PayPal and your UPI provider are the Data Controllers for your payment data, governed by their own privacy policies.

If you pay for HumDono and later delete your account, paid access is also revoked. We do not refund partial year usage.

Changes to this policy

If we make material changes, we'll notify you by email and update the "Last updated" date at the top of this page. Continued use after the update constitutes acceptance.

Contact & grievances

Data & Privacy queries:
vaayusahas@gmail.com

Grievance Officer (DPDP Act, India):
Alok Bhalke
United Kingdom
vaayusahas@gmail.com

Data Controller (UK / EU GDPR):
Alok Bhalke
United Kingdom
vaayusahas@gmail.com

We respond within 30 days. If unresolved:

  • UK users: complain to the ICO at ico.org.uk
  • EU users: complain to your national Data Protection Authority
  • India users: escalate to the Data Protection Board of India