Untouched is a personal finance tracker operated by True Mark Technologies Private Limited, incorporated in India, with its registered address at Tower E-201, Emaar Palm Hills, Sector 77, Gurugram, 122001 (“we”, “us”, “our”).
This policy explains what personal data we collect, why we collect it, how it is protected, and what rights you have over it. It applies to our web app at untouched.money and our iOS app.
Questions? Write to us at [email protected].
01
What Untouched does
Untouched helps you know how much money is left each month after your fixed commitments. You manually log your daily expenses. The app does the math and shows you one number — your pocket money.
We do not connect to your bank. We do not read your SMS, UPI history, or any external account. Every rupee you see in the app was entered by you.
02
How we collect consent
When you create an account, you agree to this Privacy Policy and our Terms of Use by completing the signup process. Your continued use of the app after any policy update — for which we will give you at least 7 days' notice — constitutes acceptance of the revised policy.
You can withdraw your consent at any time by deleting your account (Settings → Delete Account). Withdrawal of consent means we can no longer provide the service, as your data is necessary to operate the app.
03
Data we collect
We collect only what is needed to run the app.
Account data
| Data | How stored | Purpose |
|---|---|---|
| Name | Plain text | Personalise the app |
| Email address | Encrypted + hashed | Login, OTP verification, display in app |
| Phone number | Encrypted | WhatsApp OTP; alerts (opt-in only) |
Financial data — all encrypted
Everything below is stored as an encrypted blob, locked with a key derived from your password. We cannot read your financial data without your authenticated session — not even with direct database access.
- Income sources (name, amount, type)
- Monthly commitments: EMIs, rent, investments, family transfers, subscriptions
- Daily expenses (amount, category, payment mode, date)
- Credit card cycle data (spends per billing cycle)
- Category budgets
Device data
Push notification token (iOS via Firebase Cloud Messaging) — stored only if you grant notification permission on your device.
04
How we use your data
We use your data only for the purposes stated here — not for advertising, credit scoring, or anything else.
| Data | Used for |
|---|---|
| Name, email | Account access, OTP login, in-app display |
| Phone number | WhatsApp OTP verification; alerts (opt-in only) |
| Financial data | Calculating pocket money; dashboard, monthly and yearly views |
| Razorpay subscription ID | Verifying Pro status; renewals and cancellations |
| Push token | Log reminders, morning brief, threshold alerts |
05
Payments
Pro subscriptions are processed by Razorpay. When you subscribe, a Razorpay subscription ID is created and stored on our servers. No card numbers, UPI handles, or bank details are ever stored on our servers.
If you have an active Pro subscription and delete your account, the subscription is cancelled with Razorpay immediately. Razorpay may retain its own transaction records per their policy and applicable law.
06
Storage & security
- Per-user encryption: All financial data is encrypted with a Data Encryption Key (DEK) unique to your account, locked by a key derived from your password. Your recovery phrase can also unlock the DEK — like your password, it is never stored by us.
- Account data encryption: Your email and phone number are encrypted server-side. Email is additionally hashed for secure login lookups.
- Passwords: Hashed using bcrypt. Never stored in plain text.
- Transport: All communication uses HTTPS (TLS).
- Login: OTP-based only (email or WhatsApp). No password is transmitted after account creation.
Your data is hosted on Prisma Data Platform (db.prisma.io). All connections are encrypted in transit.
08
How long we keep it
- Active account: Your data is stored for as long as you use the app.
- Account deletion: When you delete your account, all your data — profile, financial records, subscription, alert settings, and device tokens — is permanently deleted from our database immediately. This cannot be undone.
- Analytics: GA4 data is anonymous, cannot be linked to you, and is retained per Google's standard settings.
09
Your rights
Under India's Digital Personal Data Protection Act 2023 (DPDP Act), you have the following rights:
| Right | How to exercise |
|---|---|
| Access | All your data is visible in the app at any time |
| Correction | Edit any entry directly in the app |
| Erasure | Settings → Delete Account |
| Withdraw consent | Delete your account (this ends the service) |
| Opt out of WhatsApp | Settings → Alerts → toggle off |
| Opt out of push notifications | Device Settings → Notifications → Untouched |
| Portability | Email [email protected] to request a data export |
| Grievance | See Contact & grievances below |
10
Cookies & analytics
We use Google Analytics (GA4) to understand how the app is used. No name, email, phone, or financial data is sent to GA4. Events are anonymous and aggregated — standard page views and feature interactions only.
We do not use advertising cookies. We do not track you across other websites.
11
Children
Untouched is open to anyone who earns and wants to track their money. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us at [email protected] and we will delete it immediately.
12
Changes to this policy
If we make material changes, we will notify you by email or via an in-app notice at least 7 days before changes take effect. The “last updated” date at the top of this page reflects the most recent version.
13
Contact & grievances
If you have a complaint about how your data is handled, contact our Grievance Officer:
Name: Pavitra Mehta
Email: [email protected]
Address: True Mark Technologies Private Limited, Tower E-201, Emaar Palm Hills, Sector 77, Gurugram, 122001, India
We will acknowledge your complaint within 48 hours and resolve it within 30 days. If you are not satisfied with our response, you may approach the Data Protection Board of India.