Privacy Policy
This Privacy Policy describes how Altibix Codelab Pvt. Ltd. (“Altibix”, “we”, “our”, “us”) collects, uses, stores, and shares your information when you use the Credebit mobile application (the “App”). The App is published under the package name com.altibixcodelab.credebit on Google Play.
By installing or using Credebit you agree to the practices described here. If you do not agree, please do not use the App.
1. Information we collect
1.1 Account information
- Phone number — required to sign in via SMS one-time password (OTP). Authentication is handled by Google Firebase Authentication.
- Display name and email address — collected when you sign up or sign in with Google. The email is collected only if you choose Google Sign-In or enter it yourself.
- Profile preferences — language, currency, country, theme, and notification preferences you set.
1.2 Financial data you enter
- Names and phone numbers of clients you record (people you transact with).
- Transactions (credit/debit entries), expenditures, bills, EMIs, and budgets you create within the App.
- Savings goals and category labels you create.
1.3 Permissions and on-device data
The App requests the following Android permissions. Each is used only for the purpose described:
| Permission | Purpose |
|---|---|
| READ_PHONE_STATE | Detects the device’s phone state so that SMS-based OTP authentication, SIM-aware features, and call-state-aware notification handling work correctly. The App does not read or transmit your phone number, IMEI, or call logs. |
| SEND_SMS, READ_SMS, RECEIVE_SMS | If you enable SMS-based transaction auto-detection, the App reads incoming SMS bodies locally on your device to identify bank, UPI, and bill payment messages. Parsed data is stored on your device and is never uploaded with the raw SMS text. OTP and verification messages are explicitly filtered out and discarded. |
| READ_CONTACTS | Optional. If you grant it, the App lets you pick a contact to record as a client. Contact data is stored locally on your device and is not uploaded to our servers unless you save that contact as a Credebit client. |
| POST_NOTIFICATIONS | Shows bill reminders, EMI reminders, and budget alerts. |
| SCHEDULE_EXACT_ALARM, USE_EXACT_ALARM | Schedules reminders at the exact times you choose. |
| INTERNET | Communicates with our backend, Firebase, and the exchange-rate service. |
| Notification Listener Service | Optional. If you enable it from in-app settings, the App reads notifications posted by banking and UPI apps locally to detect transactions. The raw notification text is parsed on-device; OTP messages are filtered out. You can disable this at any time from Android Settings → Notification access. |
1.4 Information collected automatically
- Crash and diagnostic data — if Firebase Crashlytics is active, technical information about app crashes (device model, OS version, stack traces) is collected to help us fix bugs. This does not include personally identifying financial data.
- Authentication tokens — Firebase issues and stores authentication tokens locally so you stay signed in.
2. How we use your information
- To authenticate you and keep your session signed in.
- To store and display the financial data you choose to record.
- To sync your data between your devices when you sign in to the same account.
- To send local and push notifications you have requested (bill reminders, EMI alerts, budget warnings).
- To convert and display amounts in your chosen currency by fetching public exchange-rate data.
- To diagnose and fix crashes and improve App stability.
We do not sell your personal information. We do not use your financial data for advertising. We do not share your financial entries with any third party except as described below.
3. Where your data is stored
- On your device — the primary copy of your data lives in an encrypted SQLite database in the App’s private storage.
- Our backend — if you are signed in, data is synced to a backend service operated by Altibix Codelab Pvt. Ltd. on commercial cloud infrastructure. Transit is protected by TLS.
- Google Firebase — authentication credentials, anonymous diagnostics, and push-notification tokens are stored by Google as our processor under the Firebase Data Processing Terms.
4. Third-party services
The App relies on the following third-party services. Their own privacy policies apply when your data passes through them:
- Google Firebase Authentication — phone OTP, Google Sign-In. firebase.google.com/support/privacy
- Google Sign-In — policies.google.com/privacy
- Firebase Cloud Messaging (FCM) — push notification delivery.
- exchangerate.host — public currency conversion rates. No personal data is sent; only currency codes.
5. Data sharing
We do not share your personal information with third parties except:
- Processors who act on our behalf (Google Firebase, our cloud hosting provider) and are bound by data-processing agreements.
- When required by law, valid legal process, or to protect the rights, safety, and property of Altibix, our users, or the public.
- In a business transfer, such as a merger or acquisition, in which case continuity of this Privacy Policy will be honoured or you will be notified.
6. Data retention
- Account data is retained as long as your account is active.
- If you delete your account, all personal data is removed from our active systems within 30 days. Encrypted backups are purged within a further 60 days.
- Anonymised, aggregated analytics may be retained indefinitely.
- You can sign out at any time from in-app Settings; sign-out clears the local database on the device.
7. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your account and associated personal data (see Account & Data Deletion).
- Object to or restrict certain processing.
- Withdraw a consent you have given (e.g. SMS permission) at any time from your device settings.
To exercise any of these rights, contact us at the address below. We respond within 30 days.
8. Children
Credebit is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
9. Security
We use industry-standard safeguards including TLS in transit, encrypted local storage for sensitive tokens, biometric/PIN app-lock, and least-privilege access controls. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the appropriate regulator as required by law.
10. International transfers
Our backend and Firebase may store and process data on servers outside India. By using the App, you consent to such transfers, which are protected by contractual safeguards approved by the receiving jurisdictions.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced inside the App or by email. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact us
Altibix Codelab Pvt. Ltd.
Kollam, Kerala, India
Email: info@altibix.com