Built secure. By design, not by chance.

Spendly's entire architecture is built around a single principle: get you the best financial insights using the least amount of data. Here's exactly how we keep your information safe.

Last review: May 2026 Zero-knowledge architecture
Zero OTPs collected Zero bank logins Zero UPI PINs On-device processing HTTPS everywhere

How Spendly reads your UPI data - safely

Spendly operates by reading UPI transaction confirmations sent to your device by your bank or payment processor. Here is how the flow works while keeping your data safe:

  • Bank sends a spend signal: When you make a UPI payment, your bank sends a spend signal confirmation to your phone. This is a standard bank communication - Spendly does not initiate it.
  • Purpose-limited reading: With your permission, Spendly reads only the UPI spend signal (amount, merchant, date). It never reads personal chats, OTPs, or any non-transactional messages.
  • On-device analytics: All parsing and categorisation happens locally on your phone. Only structured metadata - never raw spend signal text - is optionally backed up to the cloud if you opt in.

Platform Security

  • HTTPS/TLS encryption for all data in transit (TLS 1.3)
  • Cloud storage encryption-at-rest by infrastructure provider
  • Email verification required before accessing dashboard, account, or admin pages
  • Access control enforced via Firebase Auth and Firestore security rules (default-deny)
  • CSRF protection via X-CSRF-Token header with SameSite=Strict cookies
  • Content Security Policy (CSP) blocks XSS, clickjacking, and data injection
  • Rate limiting on all public write endpoints: support (5/min), contact (3/min), chat (5/min)
  • Admin routes gated by Basic + Bearer authentication with constant-time comparison
  • Spam detection using honeypot fields and URL threshold analysis

What We Never Collect

  • OTPs or one-time verification codes of any kind
  • UPI PINs or payment passcodes
  • Bank login credentials, usernames, or passwords
  • Raw spend signal message bodies - never stored on our servers
  • Personal chats, non-transactional messages, or contacts
  • Biometric data, location data, or camera access

Spend Signal Data Handling

  • Only transactional bank spend signals (UPI, NEFT, IMPS confirmations) are read
  • SMS permission is requested only for reading transactional messages - not personal messages
  • Raw spend signal text is parsed locally on your device and immediately discarded
  • Only extracted metadata (merchant name, amount, date, category) is stored
  • Cloud Backup of metadata is strictly opt-in - off by default

Account Safety

  • Use a unique password with uppercase, lowercase, numbers, and symbols
  • Do not share password reset links or verification emails
  • Review account activity regularly and log out on shared devices
  • Enable 2FA via Google Sign-In for an extra layer of protection
  • Report any suspicious activity to us immediately

Your Data Controls - Always Available

You have full control over your data at any time. Use your account page to delete cloud backup data or permanently delete your Spendly account and all associated data. Deletion is immediate and irreversible.

Full Data Deletion Policy →

Responsible Disclosure

We take security reports seriously. If you've discovered a potential vulnerability in Spendly or Clearflow Digital systems, please report it responsibly. We review all reports within 48 hours and will publicly acknowledge researchers who help us improve security.

Report a vulnerability →

Stay updated

Get early access & product updates.

Be the first to know when Spendly launches. No spam, unsubscribe anytime.

No spam. Unsubscribe anytime. Launching soon.