This Privacy Policy applies to the Pafill mobile application ("Application") provided by Görkem Çirtma ("Service Provider") as an ad-supported service (with optional premium subscriptions). The Service is provided "AS IS."
Information We Collect
1) Information you provide
- Account data: name, surname, email address, password (stored hashed, never in plain text), or social login identifiers (Apple sub, Google sub) and verified-email status.
- In-app budgeting data: salary and plan settings, expenses (amount / date / category), saving entries and withdrawals, goals (title / amount / deadline), expense limits, currency, theme preference, and notification preferences.
- Subscriptions (if purchased): subscription and transaction metadata, such as transaction ID, original transaction ID, product ID, price and currency, purchase and expiry dates, and auto-renew / upgrade status, to operate your premium access.
- Support messages: any information you include when you contact support@pafiapp.com.
- Profile photo: if you add one, it is stored locally on your device and is not uploaded to our servers.
We use this data to create and operate your account, provide core features (budgeting, summaries, limits, goals), send one-time codes and important service messages, operate subscriptions, and respond to support requests.
2) Information collected automatically
- Server logs: when you use the Service, our servers record a request ID, your IP address (or proxy IP), request path and status code for security, rate-limiting, and troubleshooting.
- Rate-limit & OTP controls: we keep short-lived counters and hashed OTP tokens in a managed Redis service to prevent abuse and deliver login/verification codes.
- No additional analytics / attribution SDKs: other than the advertising SDK described below, the Application does not use separate analytics tracking, ads attribution SDKs, or device fingerprinting.
- No precise location: the Application does not access device GPS or background location.
3) Local notifications
With your permission, the Application may schedule local reminders (for example daily, weekly, or month-end reminders). Whether notifications are allowed is controlled by your system settings and the in-app toggle. You can enable or disable them in iOS Settings or in the app.
Advertising (Google AdMob)
We display ads via Google AdMob (Google Mobile Ads SDK). AdMob may use your device's advertising identifier (IDFA) and device/app-related information to serve, cap, and measure ads.
- App Tracking Transparency: on iOS, the Application will ask for permission before accessing the advertising identifier. The app continues to work if you decline tracking; in that case, you may receive non-personalized ads.
- Controls: you can reset or limit ad tracking in your device settings (for example, iOS Settings → Privacy & Security).
- Children: the Service is not directed to children, and we do not knowingly enable interest-based ads to children.
- AdMob privacy policy: https://policies.google.com/privacy.
Third-Party Services We Use
We only share the minimum necessary data with these processors:
- Google AdMob (Google Mobile Ads SDK) — advertising provider. Receives device/app information and, if you allow tracking, may access the advertising identifier (IDFA) to serve and measure ads.
- Sign in with Apple — authentication provider. May share your Apple identifier and, if you allow, name/email.
- Google Sign-In (Google Identity Services / OAuth 2.0) — authentication provider. May share your Google identifier and verified email (and name if available).
- Apple In-App Purchases — handles payments and receipts. We store subscription metadata (transaction IDs, product ID, price/currency, purchase & expiry dates) to operate your premium access.
- Postmark (by ActiveCampaign) — transactional email (verification/reset codes, account emails). Processes your email address and message metadata to deliver emails.
- Upstash (Redis over HTTPS) — stores short-lived rate-limit counters and hashed OTP tokens; no analytics or advertising use.
We do not sell personal data.
Data Retention & Deletion
- We keep account and budgeting data for as long as your account is active.
- Using the in-app "Delete Account" feature removes your account and related budgeting records (such as expenses, savings, limits, goals, and subscriptions) from our primary database immediately via cascading deletes.
- Minimal operational items (for example, email suppression flags from delivery providers and short server logs) may persist for a limited period for security, anti-abuse, and legal compliance, after which they are removed.
If you need help with deletion, contact: support@pafiapp.com.
Children’s Privacy
The Service is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided personal data, contact us and we will delete it. Where required, you must be at least 16 to consent to processing in your country (or have parental consent).
Security
We use industry-standard safeguards, including encryption in transit (TLS) and strong password hashing (Argon2). No security method is perfect, but we continuously work to protect your information.
Legal Requests
We may disclose information where required by law, to protect our rights, property, or safety (or that of our users or others), or to service providers acting on our behalf under confidentiality and limited-use obligations.
Changes to This Policy
We may update this Policy from time to time. We will post the updated version here and update the effective date above. Your continued use of the Service after changes become effective means you accept the updated Policy.
Contact
Questions about privacy? Email us at support@pafiapp.com.
