Does Obba upload my SMS messages?

No. Obba processes SMS locally on your phone to detect bank transaction messages. SMS content is never uploaded to any server. The app does not have internet permission.

Why does Obba need SMS access?

Obba reads SMS from known bank sender IDs to identify transaction messages and present spending summaries. It does not read personal messages, and automatically excludes OTP and password messages.

Do you store my financial data on your servers?

No. All spending data is stored only on your device. We do not operate servers or cloud infrastructure. The app has no internet permission.

Yes. Obba is completely free with all features. No ads, no premium, no in-app purchases.

Privacy Policy

Name: Obba
Author: Obba

1. Introduction

This Privacy Policy describes how Obba (“we”, “us”, or “our”) handles information when you use our mobile application (“App”). Obba is a privacy-first, offline expense tracker designed for the Middle East and North Africa (MENA) region.

Our core principle: All processing happens locally on your device. Obba processes bank SMS on your phone to detect transaction messages. No SMS content is uploaded to any server. We do not operate servers, databases, or cloud infrastructure. We do not collect, transmit, or store any of your personal or financial data on our end. The app has no internet permission.

2. Information We Access

2.1 SMS Messages (Android Only)

When you grant SMS read permission, Obba reads SMS messages only from known bank sender IDs (such as CIB, NBE, HSBC, QNB, and other MENA financial institutions). Specifically:

What we read: SMS messages from whitelisted bank sender IDs to extract transaction details (amount, currency, merchant name, transaction date).
What we never read: Personal messages, group messages, social media notifications, or any non-banking SMS. Messages from unknown senders are ignored.
Automatic exclusions: OTP (one-time password) messages, verification codes, PIN notifications, password reset messages, and any SMS containing sensitive authentication data are automatically detected and excluded before processing.

2.2 Data Extracted from SMS

From qualifying bank SMS, Obba extracts only:

Transaction amount
Currency (EGP, SAR, AED, USD, EUR, GBP)
Merchant or vendor name
Transaction date
Bank/sender name

The raw SMS text is never stored. After parsing, the original SMS content is immediately discarded from memory. Only structured transaction data is saved to the local database. A SHA-256 cryptographic hash (one-way, irreversible) is generated from the transaction details for duplicate detection — the original SMS cannot be reconstructed from this hash.

2.3 Data Storage

Only structured transaction data extracted from bank SMS is stored locally on your device. No raw SMS content is retained.

3. How Data Is Stored

Location: All data is stored locally on your device in an SQLite database within the app's private storage area, which is not accessible to other apps.
Encryption: The database resides in Android's app-private directory, which is encrypted at the OS level on devices with device encryption enabled (default on Android 10+).
No cloud storage: Data is never uploaded, synced, backed up to, or transmitted to any server, cloud service, or remote location.
No internet permission: The app does not include the Android INTERNET permission. It is technically impossible for the app to transmit data over any network.

4. Data We Do NOT Collect

We do not collect, store, transmit, or have access to any of the following:

Personal identification information (name, email, phone number)
Location data
Device identifiers or advertising IDs
Contact information
Photos, videos, or files
Browsing history
Usage analytics or telemetry
Crash reports (no crash reporting service is integrated)
Any data from third-party services

5. Third-Party Services

Obba does not integrate with any third-party services. Specifically:

No analytics services (no Google Analytics, Firebase Analytics, or similar)
No crash reporting services (no Crashlytics, Sentry, or similar)
No advertising networks
No social media SDKs
No authentication providers
No push notification services
No cloud storage providers

6. Data Retention

Transaction data remains on your device until you delete it.
You can delete all data at any time via Android Settings (Apps → Obba → Storage → Clear Data).
Uninstalling the app permanently removes all stored data.
We have no retention policy because we do not retain any of your data.

7. Your Rights

Since all data is stored locally on your device and we have no access to it, you have complete control:

Right to access: All your data is visible within the app at all times.
Right to deletion: Delete all data via Android Settings or uninstall the app. See our Data Deletion Policy for detailed instructions.
Right to withdraw consent: Revoke SMS permission at any time in Android Settings.
Right to data portability: All your data is stored locally on your device and is accessible within the app.

8. GDPR Compliance

For users in the European Union or European Economic Area: Obba is designed to be GDPR-compliant by architecture. Since we do not collect, process, or store any personal data on our end, the data protection requirements are inherently satisfied. All processing occurs on your device under your control.

9. Google Play Data Safety

As declared in our Google Play Data Safety section:

Data collected: Financial information (transaction amounts, categories) — stored on device only.
Data shared: None. No data is shared with any third party.
Data encrypted: Data is stored in the app's private directory with OS-level encryption.
Data deletion: Users can delete all data via Android Settings or by uninstalling the app.

10. Children's Privacy (COPPA)

Obba is not directed at children under the age of 13. We do not knowingly collect any information from children. Since the app requires access to bank SMS, it is inherently designed for adult users with bank accounts.

11. SMS Permission Justification

Obba requests SMS read permission because processing bank transaction SMS locally on your device is the core functionality of the app. This permission is used exclusively to:

Read SMS from whitelisted bank sender IDs on your device
Extract transaction details (amount, currency, merchant, date) for expense tracking — all processing happens locally
Detect new bank SMS in real-time for automatic transaction recording

SMS access is required for the core functionality of automatic expense tracking. The app does not use SMS data for advertising, profiling, or sharing. No SMS content is uploaded to any server.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the “Last updated” date at the top of this page. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: privacy@obba.pro
General support: support@obba.pro
Website: https://obba.pro