Privacy Policy
Effective date: June 21, 2026
Your family's financial information is deeply personal. This policy explains what Unyt can see, what stays encrypted, and the limited cases in which another service processes your data.
The short version
- We do not sell your personal data or use your financial data for advertising.
- Sensitive item details and durable document files are encrypted on your device before they are stored.
- Unyt's servers still see the limited metadata needed to run the product, such as item IDs, ownership, visibility, type, status, and sharing permissions.
- If you choose document extraction, a temporary readable copy is processed by Unyt and our AI provider. Manual entry remains available.
- You decide which items to share. Unyt cannot recover encrypted details if you lose both your master password and recovery key.
Who we are
Unyt is provided by CRAFTFIN TECHNOLOGY LABS PVT LTD, Bengaluru, Karnataka, India. We are the Data Fiduciary for the personal data we process to provide Unyt.
Privacy questions, rights requests, and grievances can be sent to support@unyt.money.
What data we handle
Account and family information
- Name, email address, date of birth, profile photo, and optional profile details such as occupation, income range, gender, and address.
- Family membership, role, invitations, sharing relationships, and onboarding status.
- Google or Apple sign-in information provided through Firebase. We do not receive your Google or Apple password.
Financial items and contacts
You may add bank accounts, credit cards, loans, real estate, insurance, investments, subscriptions, tax filings, contacts, and documents. These records can include identifiers, balances, amounts, dates, nominees, addresses, contact details, notes, and linked records.
Sensitive details for these item types belong inside the client-side encrypted payload. The section below explains the information that must remain visible to our servers for Unyt to work.
Authentication and security
- Session identifiers, sign-in events, device and app information, verification status, and rate-limit counters.
- Your app PIN is stored as a salted hash. The PIN is for local app access and is not your encryption master password.
- Your public encryption key and encrypted copies of your private key. We do not receive your master password, recovery key, or plaintext private key.
Documents and processing data
- Document IDs, category, size, upload status, owner, sharing settings, storage reference, and item links.
- The durable file, original file name, and original content type are encrypted on your device before storage.
- If you request document extraction, the temporary processing copy and extracted fields needed to complete that request.
Payments, support, and communications
- Billing name, email, payment status, plan, and provider transaction references. Unyt does not store your payment card details.
- Phone number or email address used for OTPs and essential service messages, together with delivery status.
- Support requests, feedback, and correspondence you send us.
Usage data and analytics
We collect page views, feature interactions, app version, device and browser details, performance information, referral or campaign data, and error diagnostics. Depending on the Unyt surface and configuration, we use PostHog, Google Analytics, Vercel Analytics, and Grafana for this purpose.
PostHog may use cookies and local storage across unyt.money and family.unyt.money to connect a visit with a later sign-in. Sampled session recordings are configured to mask form inputs, and analytics properties are filtered for sensitive values. We do not intentionally send financial item details, master passwords, recovery keys, OTPs, or document contents to analytics providers.
How client-side encryption works
Your device encrypts sensitive item details before sending them for durable storage. The backend stores ciphertext, not the readable item payload. Your master password unlocks your private encryption key on your device. It is not sent to Unyt.
What Unyt cannot normally read
For encrypted items, Unyt cannot normally read account and policy numbers, balances, holdings, amounts, rates, addresses, phone numbers, email addresses, nominees, notes, or the contents of durable stored documents.
What remains visible to Unyt
Unyt must keep some information readable so the product can authorize access, sync devices, show the right lists, enforce limits, and manage sharing. This can include:
- Item, user, family, and creator IDs.
- Visibility, ownership, recipients, and access levels.
- Item category or type, lifecycle status, timestamps, and limited reminder or linkage metadata.
- Generic encrypted-item labels and client-computed comparison hashes used for duplicate detection.
- Ciphertext, encryption version, encrypted key grants, and other information needed to deliver encrypted data to authorized devices.
| Your financial entity | What can Unyt see in the database | What Unyt cannot see in the database |
|---|---|---|
| Bank accounts | Ownership and sharing, account type, primary flag, linked holder IDs, an encrypted placeholder, and a duplicate-check hash. | Your account name and number, IFSC, holder names, UPI IDs, balances, nominees, and notes. |
| Credit cards | Ownership and sharing, item type, currency, linked item IDs, and an encrypted placeholder. | Your card name and number, issuer details, limits, balances, interest, payment dates, and notes. |
| Loans | Ownership and sharing, loan type, currency, linked insurance and debit-account IDs, an encrypted placeholder, and a duplicate-check hash. | Your lender and account number, principal, outstanding balance, interest rate, EMI, repayment schedule, and notes. |
| Real estate | Ownership and sharing, property type and subtype, and an encrypted placeholder. | Your property name, address, deed or registration numbers, owners, value, loan details, nominees, and notes. |
| Insurance | Ownership and sharing, end and renewal dates, linked record IDs, and a policy-number comparison hash. | Your insurer, policy number, premiums, coverage, beneficiaries, covered people or property, and notes. |
| Investments | Ownership and sharing, investment type and partner, maturity date, linked bank or document IDs, an encrypted placeholder, and duplicate-check hashes. | Your account, folio, demat, PRAN, UAN, or ISIN values; amounts, holdings, returns, rates, nominees, and notes. |
| Subscriptions | Ownership and sharing, payment-source and recurring-transaction links, an encrypted placeholder, and a duplicate-check hash. | Your service or merchant name, amount, billing frequency, renewal date, auto-pay details, and notes. |
| Tax filings | Ownership and sharing, linked document and family-member IDs, an encrypted placeholder, and a filing comparison hash. | Your financial year and filing type in readable form, filing details, amounts, status, dates, and notes. |
| Contacts | Ownership and sharing, linked entity IDs, an encrypted placeholder, and phone or email comparison hashes. | Your contact's name, phone numbers, email addresses, postal address, relationship, and notes. |
| Documents | Ownership and sharing, category, size, upload status, storage reference, linked item IDs, ciphertext, and encryption metadata. | The durable file's contents, original file name and type, and the sensitive details inside it. |
This table describes readable fields for durable records. The database also stores ciphertext and encrypted key envelopes. If you choose AI document extraction, the separate temporary processing copy is readable during that workflow, as explained below.
Sharing encrypted items
When you share an item, your device encrypts access to its item key for each approved recipient. Recipients use their own encryption keys; they do not receive your master password. Removing access stops future access through Unyt and rotates the item key where required. It cannot erase a copy or screenshot someone already made while they had access.
Recovery is your responsibility
Your recovery key is a second way to unlock your encrypted private key. If you lose both your master password and recovery key, no one, including Unyt, can recover your encrypted details. Reinstalling the app removes trusted local access but does not by itself delete your stored encrypted data.
The document extraction exception
Current AI extraction runs on the server. When you choose that flow, a separate temporary copy of the source document is readable by Unyt and sent to OpenAI for extraction. It may contain sensitive information such as PAN, dates of birth, account numbers, and transaction history.
The temporary copy is kept out of normal document lists and storage quotas, is designed to be deleted after processing, and expires for cleanup if deletion fails. The durable copy is encrypted on your device. You can avoid this processing by entering information manually.
Why we process data
- To create and secure your account.
- To store, retrieve, organize, and share the records you ask us to manage.
- To process a document when you explicitly choose an extraction flow.
- To process payments and manage plan limits.
- To deliver OTPs, security notices, and service messages.
- To detect abuse, investigate errors, maintain reliability, and improve the Service.
- To meet legal obligations and respond to lawful requests.
We process personal data with your consent where required, when you voluntarily provide it for a purpose you request, or under another use permitted by applicable law. Withdrawing optional consent does not affect processing that already occurred lawfully, but it may disable the related optional feature.
Who receives data
We use service providers only for defined operational purposes. The data they receive depends on the feature you use.
- Google Firebase and Apple: authentication and app services.
- Cloud object storage: encrypted durable documents and temporary readable document-processing copies.
- OpenAI: document content when you request AI extraction.
- PostHog, Google Analytics, Vercel, and Grafana: usage analytics, performance, diagnostics, and reliability monitoring.
- MSG91 and other communication providers: phone number or email address and the message needed for OTP or service delivery.
- Razorpay, Cashfree, and Apple's App Store: payment and subscription processing. Their own privacy terms also apply.
- Your chosen family members or recipients: the items and permissions you choose to share.
We may also disclose data when required by law, court order, or a lawful government request; to protect users and the Service; or as part of a merger, acquisition, financing, or sale, subject to continued protection of the data.
Cookies and local storage
We use necessary storage for authentication, security, trusted-device encryption sessions, and preferences. Analytics tools may also use cookies and local storage for measurement, attribution, and session continuity. You can delete or block browser storage, but doing so may sign you out, remove trusted-device access, or reduce functionality.
Where an in-app analytics preference is available, you can use it to opt out of optional product analytics. Browser controls can also block or delete analytics storage on the website.
How long we keep data
- Account data, encrypted items, and durable documents are kept while your account is active or until you delete them.
- OTPs, upload links, and sessions expire according to their short security time limits.
- Temporary document-processing copies expire and are cleaned up if the normal deletion step does not complete.
- Logs and analytics are kept according to operational retention settings and then deleted or aggregated.
- After account deletion, we delete or anonymize personal data within 90 days, subject to legal obligations, dispute records, fraud prevention, and backup cycles.
Security measures
We use client-side encryption for sensitive item payloads and durable documents, HTTPS/TLS in transit, short-lived presigned file URLs, authenticated sessions, authorization checks, rate limiting, restricted service access, and sensitive-field filtering for logs and analytics.
No service can promise perfect security. If a personal data breach occurs, we will investigate, limit the impact, and notify affected users and authorities as required by applicable law.
International processing
We primarily store and process data in India. Some providers, including OpenAI, PostHog, Google, Vercel, and Grafana, may process data in other countries. We use contractual and technical safeguards and comply with applicable restrictions on cross-border processing.
Your rights
Subject to applicable law, you can ask us to:
- Provide a summary of the personal data we process about you.
- Correct, complete, or update inaccurate personal data.
- Erase personal data that is no longer needed, unless we must retain it by law.
- Explain the processors with whom your data has been shared.
- Withdraw consent for optional consent-based processing.
- Register a grievance and nominate another person to exercise rights in the event of death or incapacity.
Send a request to support@unyt.money. We may need to verify your identity before acting on it. Please give us the opportunity to resolve a grievance before approaching the Data Protection Board of India.
Children's data
Unyt accounts are for adults. An adult may add limited information about a child as a family member, nominee, beneficiary, or covered person when needed for a household record. If you provide a child's data, you confirm that you are the parent or lawful guardian, or are otherwise permitted by law to provide it. Contact us if you believe a child's data was provided without proper authority.
Changes to this policy
This policy applies to unyt.money, the Unyt web and mobile apps, and our APIs. We may update it as the product, providers, or law changes. For a material change, we will provide notice through the app, website, or email before the change takes effect when required.
Contact us
Privacy questions, access or deletion requests, and grievances can be sent to:
support@unyt.money
CRAFTFIN TECHNOLOGY LABS PVT LTD
Bengaluru, Karnataka, India
Last updated: June 21, 2026