Privacy Policy

1. Overview

WalletAI ("the Software") is an open-source, self-hosted personal finance automation system. It is designed to run entirely on infrastructure you own and control. This Privacy Policy explains how data flows within the Software and what data the Software processes during normal operation.

The developers of WalletAI do not operate any central servers, cloud services, or data collection infrastructure. All data processed by WalletAI resides exclusively on your own deployment environment.

2. Data We (the Software) Process

When you deploy and use WalletAI, the following categories of data are processed and stored on your infrastructure:

2.1 Financial Transaction Data

• Transaction amounts and currencies
• Merchant names and descriptions
• Transaction dates and times
• Bank names and account types (debit/credit)
• AI-generated categories and subcategories

2.2 Bank Statement Data

• PDF e-statement files uploaded by you (stored in your filesystem)
• Parsed transaction records extracted from statements
• Statement metadata (bank, month, upload date)

2.3 Email Data

• Bank notification email subjects and body text (processed by n8n on your server)
• Email metadata (sender, received date) used to identify transaction notifications
• Emails are not stored persistently; only extracted transaction data is saved

2.4 Authentication Data

• Google OAuth profile information: name, email address, profile picture URL, Google ID
• JWT authentication tokens (stored in browser memory, not persistent)
• No passwords are collected or stored; authentication is exclusively via Google SSO

3. Third-Party Services You Configure

WalletAI integrates with third-party services that you configure. Your use of these services is subject to their respective privacy policies:

3.1 Google Gmail API

WalletAI uses the Gmail API (via n8n) to read bank notification emails from your Gmail account. This requires you to grant OAuth access. Data accessed through Gmail is processed locally on your server and never transmitted to WalletAI developers.

3.2 Google Gemini AI API

Transaction data (merchant names and amounts) is sent to Google's Gemini API for AI categorization. This means merchant names from your transactions are sent to Google's servers to process your categorization requests. Please review Google's Privacy Policy for how they handle API request data.

3.3 Google OAuth (Authentication)

User authentication uses Google OAuth 2.0. Basic profile information (name, email, profile picture) is retrieved from Google and stored in your PostgreSQL database.

4. Data Storage and Security

All data is stored in a PostgreSQL database running on your own server infrastructure. You are responsible for securing your deployment, including:

• Database access controls and credentials
• Server security and firewall configuration
• SSL/TLS certificate management via nginx
• Regular backups of your PostgreSQL database
• Keeping Docker images and dependencies updated

5. Data Retention

WalletAI does not automatically delete any data. Transaction records, statements, and user accounts persist in your database until you manually delete them. You can delete data directly through the application UI or via database access.

6. Data Sharing

Because WalletAI is self-hosted, your data is not shared with the WalletAI developers or any third party, except:

• Google Gemini API: Merchant names are sent for AI categorization as described above
• Google OAuth: OAuth tokens are exchanged with Google for authentication

No financial data is ever sold, rented, or shared for advertising purposes.

7. Your Rights

Since you self-host WalletAI, you have complete control over your data. You can:

• Access all data via the dashboard or directly through the database
• Delete individual transactions, statements, or your entire account
• Export data at any time by querying your PostgreSQL database
• Shut down the service and delete all data from your server
• Revoke Gmail and Google OAuth access from your Google Account settings

8. Children's Privacy

WalletAI is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be reflected in the repository's changelog and this document's "Last updated" date. Continued use of the Software after changes constitutes acceptance of the updated policy.

10. Contact

For questions about this Privacy Policy or the Software's data practices, please open an issue on the GitHub repository.