Privacy Policy — Vavilon Finance

Contents

1. Who We Are 2. What Data We Process 3. Where Data is Stored 4. Arkad AI Assistant and AI Import 5. Third-Party Data (Loan Clients) 6. Subscription and Payments 7. User Rights 8. Regional Compliance 9. Children and Minors 10. Policy Changes 11. Contact

1. Who We Are

Vavilon is a personal finance app for iOS and macOS. Developer: individual developer registered in the Republic of Kazakhstan. Contact: support@getvavilon.app.

We build a tool for personal financial tracking. We are not a bank, financial institution or investment advisor.

2. What Data We Process

2.1 Data You Enter

Financial records: accounts, transactions, loans, assets, goals
Names, phone numbers and emails of third parties (in the Loans section only)
App settings: currency, language, biometrics

 Core principle: all financial data is stored exclusively on your device in an encrypted SwiftData database. We have no access to it. We do not sync data to our cloud. We do not create user accounts.
    

2.2 Data We Do NOT Collect

User names and identity
Email addresses and phone numbers of users
Geolocation
Behavioral analytics (no Firebase, Amplitude, Mixpanel)
Advertising identifiers (IDFA)
Data about other apps on your device

2.3 Technical Data

When using the AI assistant, our proxy server receives: your device IP address (not stored), an anonymized financial context (no names or amounts, structure only), and the request version. Logs are not kept longer than 24 hours.

3. Where Data is Stored

Data Type	Where Stored	Who Has Access
Financial records	User's device (SwiftData)	User only
Loan client data	User's device (encrypted)	User only
Subscription settings	Apple StoreKit / App Store	Apple + user
AI requests (RU/BY users)	GigaChat, Sberbank servers in Russia	Sberbank (anonymized)
AI requests (other regions)	Anthropic API via proxy in Georgia	Anthropic (anonymized)

4. Arkad AI Assistant and AI Import

 Arkad is an AI assistant. His advice is for informational purposes only and does not constitute financial, investment or legal advice. 

4.1 Data Anonymization

Before sending a request to the AI system, all personal data is automatically removed on your device (Redaction Layer). The AI receives only an anonymous structure: expense categories, percentage ratios and financial metrics — without names or exact amounts.

4.2 Regional Routing

RU · BY Requests are processed by GigaChat (Sberbank, servers in Russia). Compliant with Federal Law No. 152-FZ.
KZ · UZ · KG · AZ Requests are processed by Claude API (Anthropic, USA) via a secure proxy.
EU · US · Other Requests are processed by Claude API (Anthropic, USA) via a secure proxy.

4.3 What AI Never Receives

User names and third-party names
Exact transaction amounts
Account and card details
Contact information

4.4 AI Providers

Anthropic Privacy Policy: anthropic.com/privacy

GigaChat (Sberbank) Privacy Policy: developers.sber.ru

4.5 AI Bank Statement Recognition (PDF)

The "AI Import" feature allows recognition of bank statements in PDF format from unknown banks. Before sending data to the AI system, the statement is automatically anonymized on your device:

Card numbers replaced with "****"
Phone numbers replaced with "***"
Full names replaced with "[NAME]"
Email addresses replaced with "[EMAIL]"

The anonymized text (no more than 6,000 characters) is sent to the AI provider using the same routing rules as Arkad requests: GigaChat for RU/BY users, Claude API for other regions.

 AI Import limits:
 Free — 3 free recognitions (total)
 Premium — 10 recognitions per month (resets on the 1st)
    

Bank statements from known banks (Halyk, Sberbank, T-Bank and others) are recognized locally on your device without sending data to AI systems.

5. Third-Party Data (Loan Clients)

The Loans section allows storing contact information of people you have lent to or borrowed from: names, phone numbers, emails.

      This data is stored only on your device in encrypted form. It never leaves your device and is never shared with us or third parties. You are responsible for obtaining consent from these individuals to store their data in your app, as required by your local law.
    

6. Subscription and Payments

All payments are processed exclusively through the Apple App Store (StoreKit). We never receive or store bank card, payment system or financial account data.

Refund matters are governed by Apple's policy: support.apple.com.

7. User Rights

Data Deletion

Since all data is stored on your device, you have full control over deletion: Settings → Delete All Data, or simply delete the app from your device.

Data Export

The export feature (Premium) allows you to export all data in CSV format.

For EU Users (GDPR)

Right of access — all data is accessible within the app
Right to erasure — implemented via the reset function
Right to portability — implemented via CSV export
Right to object — for AI processing questions: support@getvavilon.app

For Russian Users (Federal Law No. 152-FZ)

Personal data of users from Russia is processed only on their device or via GigaChat (servers in Russia). AI requests to foreign systems are not made for users with RU/BY region.

8. Regional Compliance

Region	Law	Status
🇷🇺 Russia	Federal Law No. 152-FZ	✓ Device only + GigaChat (Russia)
🇧🇾 Belarus	Personal Data Law	✓ Device only + GigaChat
🇰🇿 Kazakhstan	Personal Data Law	✓ Device only
🇺🇿 🇰🇬 🇦🇿 Central Asia	Local laws	✓ Device only
🇪🇺 European Union	GDPR	✓ Anonymization + data subject rights
🇺🇸 United States	CCPA (California)	✓ No sale of data

9. Children and Minors

Vavilon is intended for users 17 years and older (App Store age rating: 17+). We do not intentionally collect data from minors. If you become aware that a minor is using the app, please contact us.

10. Policy Changes

When we make material changes to this Privacy Policy, we will notify users through an app update. The date of the last change is always shown in the document header. Continued use of the app after changes constitutes acceptance of the new version.

11. Contact

For privacy questions: support@getvavilon.app

We respond within 72 hours.