Privacy Policy

Last updated: April 22, 2026

1. Introduction

MyChelavu ("we", "our", or "us") is an automated expense-tracking service for Indian households, operated at www.mychelavu.com. This Privacy Policy explains what personal data we collect, how we use it, and your rights under applicable law, including India's Digital Personal Data Protection Act 2023 (DPDPA).

By using MyChelavu, you agree to the practices described here.

2. Data We Collect

Category         | Examples                                | Source
Account data     | Email address, OTP verification         | Provided by you
Gmail access     | OAuth 2.0 token (encrypted AES-256-GCM) | Google OAuth consent
Email content    | Bank transaction alert emails only      | Your Gmail inbox
Transaction data | Amount, merchant, date, category        | Parsed from emails
Usage data       | Page visits, feature interactions       | Automatically collected
Device data      | Browser type, OS, IP address            | Automatically collected

We access only emails from recognised Indian bank senders (HDFC, Kotak, SBI, ICICI, Axis, etc.). We do not read personal emails, attachments, or any other inbox content.

3. How We Use Your Data

  • Parse and categorise bank transaction alerts to populate your expense dashboard.
  • Generate AI-powered spending insights and monthly financial health reports.
  • Authenticate your account and maintain session security.
  • Send account-related notifications (sync status, budget alerts).
  • Improve the categorisation engine and detect parsing errors.
  • Comply with applicable legal obligations.

We never sell your data to third parties or use it for advertising.

4. Legal Basis for Processing

We process your data under the following bases:

  • Contract performance — to deliver the service you signed up for.
  • Legitimate interests — to improve accuracy, prevent fraud, and maintain security.
  • Consent — for Gmail access (you can revoke at any time in Google Account settings).
  • Legal obligation — to comply with Indian law, including DPDPA 2023.

5. Data Storage and Security

  • All data is stored on Supabase (PostgreSQL) with Row-Level Security enforced at the database layer — you can only access your own rows.
  • Gmail OAuth tokens are encrypted with AES-256-GCM using per-user HKDF-derived keys before being stored.
  • All data is transmitted over TLS 1.2+.
  • Your data is hosted in data centres operated by Supabase and Render, which maintain SOC 2 Type II compliance.

6. Data Sharing

We share your data only with:

  • Google Gemini API — anonymised transaction summaries are sent to generate AI insights. No personally identifiable information (name, email, raw email body) is sent.
  • Supabase — database and authentication infrastructure provider.
  • Render — cloud hosting provider for our backend API.
  • Law enforcement or regulators — only when required by a valid legal order.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account, all your personal data (profile, transactions, Gmail tokens) is permanently and irreversibly deleted within 30 days, in accordance with your right to erasure under DPDPA 2023.

8. Your Rights (DPDPA 2023)

As an Indian data principal, you have the right to:

  • Access — download all your data (Settings → Export Data).
  • Correction — edit any transaction in your dashboard at any time.
  • Erasure — delete your account and all associated data (Settings → Delete Account).
  • Withdraw consent — revoke Gmail access at any time via Google Account settings.
  • Grievance redressal — contact our Data Protection Officer at privacy@mychelavu.com.

9. Cookies

We use only essential cookies required for authentication (Supabase session token) and user preference storage (dark/light mode). We do not use tracking or advertising cookies.

10. Children's Privacy

MyChelavu is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us at privacy@mychelavu.com.

11. Changes to This Policy

We may update this policy from time to time. We will notify you by email or an in-app notice at least 14 days before material changes take effect.

12. Contact

Data Protection Officer
MyChelavu
Email: privacy@mychelavu.com