Ruply Privacy Policy
Last updated: June 24, 2026
Introduction
Ruply ("we", "us", "Ruply") is a personal expense tracker built and operated by Mehul Bhargava, an independent developer based in India. We've built Ruply with one principle that everything else flows from: your money data belongs to you, and nobody else needs a copy of it.
This Privacy Policy explains, in plain language, what data Ruply handles, where it lives, and what you can do about it. We've tried to keep it short. If anything here is unclear, email mebhargava02@icloud.com.
1. The short version
- Your expenses, budgets, EMIs, household activity, and personal data stay on your iPhone and in your own iCloud account. We never see them.
- Splits are encrypted on your device before they leave it, and are relayed to your friend through a server we operate. We hold the encrypted blob; we cannot decrypt it. The keys never leave the two phones involved.
- We do not have a user account database. We do not sell or share your data with anyone, ever.
- A few features rely on external services (Apple Push Notifications, our stateless AI proxy, anonymous app-usage analytics, our minimal subscription-verification record). Each is described below.
- You can delete everything we hold about you, from inside the app, at any time.
2. Data we handle
2.1 Data you provide directly
- Your name — captured during onboarding so the app can greet you and label your household/splits identity. Stored in your iCloud only.
- Monthly budget and monthly income — optional, used to compute the home-screen budget bar and EMI-to-income ratio. Stored in your iCloud only.
- Expense data — amount, category, payment method, merchant, date, optional note. Stored in your iCloud only.
- Receipts you scan — the photo is sent through our AI proxy for one-time text extraction (see Section 4) and then discarded by the proxy. The parsed expense is saved to your iCloud only.
- Bank statement PDFs you import — same handling as receipts. Sent through our AI proxy for one-time parsing, never stored by us.
- Friend and household member details — names, emoji avatars, and (if you choose) profile photos. Stored in your iCloud. Household members are synced via Apple's CloudKit Sharing (Section 5). Splits friends are also delivered to the friend's device, end-to-end encrypted, through the Splits relay (Section 5b).
- Location (optional). If you grant location permission and tap a location for an expense, Ruply stores latitude, longitude, and a human-readable name on that expense record in your iCloud. Location is used only to power the Spending Map in the Analytics tab. We never transmit your location to our servers. You can revoke location permission anytime in iOS Settings → Ruply → Location.
- Microphone audio (Log by Voice). When you tap the mic, audio is captured on your device and sent through our AI proxy for transcription. The audio file and the transcript are not stored by the proxy after the response is returned. See Section 4 for details.
2.2 Data Apple provides to Ruply
- Your Sign in with Apple identifier. When you sign in with Apple, Apple provides a stable identifier and (on first grant) your name and an email address. We store these locally on your device. We use the identifier only as a key for the subscription-verification record described in Section 4, and only after applying a one-way SHA-256 hash.
- Apple Push Notification service device token. Used to deliver push notifications to other household members and split friends when you take an action affecting them. The token is held on the Splits relay alongside your hashed identifier so the relay can wake your friend's device the moment you share or settle a split (Section 5b and Section 6).
2.3 What we do NOT collect
- We do not collect your bank account number, credit card number, debit card number, CVV, UPI PIN, OTP, or any other financial credential. Ruply does not connect to any bank.
- We do not collect your contacts list. The "Add from Contacts" picker for friends opens iOS's native picker, and only the friend you tap is stored locally on your device.
- We do not collect your call history, SMS history, browsing history, or any data from other apps.
- We do not use cookies, fingerprinting, IDFA, or any cross-app tracking.
3. Where your data lives
Ruply is a local-first, private-by-default app. Your financial data is stored in two places, both controlled by Apple, not by us:
- Locally on your device using Apple's Core Data framework.
- In your iCloud private database, synced automatically via Apple's NSPersistentCloudKitContainer. iCloud data is end-to-end encrypted between your devices and tied to your Apple ID. It is stored in Apple's data centres under your Apple ID, not under any Ruply account.
We have no servers that store your personal expense data, budget data, EMI data, envelope data, custom category data, or household activity data — these live only on your device and in your iCloud. There is no Ruply user database. There is no Ruply expense database.
Splits are the one exception. Because a split needs to reach a friend whose iCloud is separate from yours, splits and settlements pass through our Splits relay as encrypted blobs. We hold the ciphertext; we cannot read it. Section 5b describes this in full.
If you delete the app, your local copy is removed. Your iCloud copy remains under your control in Apple's iCloud storage and can be deleted from inside Ruply (Settings → Delete Account & Data) or from Apple's iCloud storage management.
4. AI features and our stateless proxy
A handful of Ruply features use cloud AI: AI Quick Add, Ask Ruply, Receipt Scanning, Bank Statement Import, Money Story, AI Compare, and Log by Voice. These features send a single request to our AI proxy, which is a stateless Cloudflare Worker that:
- Receives your request from the app.
- Adds the secret API key for the AI provider on the server side (so the key never lives in the app binary).
- Forwards the request to the AI provider — Anthropic's Claude for text features, and Sarvam Saaras V3 for multilingual speech-to-text.
- Returns the AI provider's response back to your device.
- Does not store, log, or retain the request or response after the call completes.
What is sent depends on the feature:
- AI Quick Add / Log by Voice: the text you typed or the audio file from the mic, plus a small block of your recent merchants/categories so the model can disambiguate Indian brand names. No expense history is sent.
- Ask Ruply: your question, plus a structured summary of your expenses needed to answer it (totals, category breakdowns, anonymised merchant names where relevant). No iCloud sync state, no household member identifiers, no friend identifiers are sent.
- Receipt Scanning / Statement Import: the image or PDF you selected, sent once for parsing, not retained.
- Money Story / AI Compare: aggregated, anonymised spending summaries for the period you requested. Individual expense rows are not sent.
What is NOT sent: your Apple ID, your real name (unless you typed it into a note), your email, your phone number, your device identifier, your location, your friend identities, your household member identities, or any data outside the scope of the request you triggered.
Provider sub-processors: Anthropic (Claude) and Sarvam (Saaras V3) process the data they receive under their own privacy and retention policies. Cloudflare provides the network layer for the Worker.
5. Household sharing (CloudKit Sharing)
If you create or join a Household in Ruply, the household record is shared via Apple's CloudKit Sharing (CKShare). What this means:
- Each household member's iCloud syncs a small subset of household-scoped data: member records, mirrored expense rows (subject to your chosen privacy level), household budget, and shared activity entries.
- All sharing runs through Apple's encrypted CloudKit infrastructure. We do not host the shared zone; Apple does.
- Members can have different privacy levels — Open, Standard, or Private — that control how much of their own spending is visible to other members. You can change this anytime in Settings → Household.
If you leave a household or the financier dissolves it, your local copy of that household's shared data is removed.
5b. Splits relay (end-to-end encrypted)
Splits in Ruply 2.1 and later are delivered via a relay we operate on Cloudflare Workers. Here is exactly how that works.
When you share a split, your iPhone:
1. Derives a per-connection encryption key on-device, from SHA-256 hashes of both Apple IDs plus a salt, run through HKDF-SHA256. This key is never transmitted.
2. Encrypts the split — amounts, merchant, friend names, notes, shares, settlements, and profile images — using AES-256-GCM.
3. Uploads only the ciphertext to the relay.
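As an added illustration of steps 1 to 3 (written for this page, not Ruply's own code), the sketch below derives the per-connection key with HKDF-SHA256, seals a split with AES-256-GCM, and opens it on the friend's side using Node's built-in crypto module. The salt value, the HKDF info label, the sorted ordering of the two ID hashes, the blob layout, and the sample Apple user IDs are all assumptions; the policy does not specify them.

```javascript
// Added example, not Ruply's implementation. Everything marked "assumed" or
// "constructed" is illustrative and does not come from the policy.
const nodeCrypto = require("node:crypto");

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest();

// What the relay would see as the opaque routing address: SHA-256 of the user ID.
const routingAddress = (appleUserId) => sha256(appleUserId).toString("hex");

// Step 1: per-connection key. Sorting the two hashes is an assumed canonical
// order so that both phones feed HKDF identical input and get the same key.
function deriveConnectionKey(appleIdA, appleIdB, salt) {
  const [lo, hi] = [sha256(appleIdA), sha256(appleIdB)].sort(Buffer.compare);
  const ikm = Buffer.concat([lo, hi]);
  const info = "splits-connection-v1"; // assumed context label
  return Buffer.from(nodeCrypto.hkdfSync("sha256", ikm, salt, info, 32));
}

// Step 2: AES-256-GCM with a fresh 96-bit nonce for every blob.
// Assumed blob layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function sealSplit(key, split) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([cipher.update(JSON.stringify(split), "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]); // step 3 uploads only this
}

// Friend's phone: re-derive the key locally, then authenticate and decrypt.
function openSplit(key, blob) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// GCM rejects a wrong key or a modified blob; report that as null.
function tryOpen(key, blob) {
  try { return openSplit(key, blob); } catch { return null; }
}

// Constructed sample inputs.
const SALT = Buffer.from("constructed-demo-salt");
const ALICE = "000123.constructed-alice.0001";
const BOB = "000456.constructed-bob.0002";
const SPLIT = { merchant: "Chai Point", amount: 240, shares: { alice: 120, bob: 120 } };
```
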
The relay holds:
- A SHA-256 hash of your Apple User ID, used only as an opaque routing address. It cannot be reversed back to your Apple ID, your name, or your email.
- Your APNs device token, so the relay can wake your friend's device the moment a new split arrives.
- The encrypted ciphertext of split expenses, settlements, and profile images you have added.
- A connection record linking your hashed identifier to your friend's hashed identifier, so the relay knows where to route each blob.
The relay does not hold your name, email, Apple ID, plaintext expense amounts, plaintext merchant names, plaintext notes, plaintext friend names, unencrypted profile photos, or anything outside Splits.
When you delete a split or remove a friend, your device instructs the relay to delete the corresponding blob and connection record. When you tap Delete Account & Data, all blobs and connection records tied to your hashed identifier are deleted from the relay.
Infrastructure: the relay runs on Cloudflare Workers, with Cloudflare D1 (SQLite) holding the metadata layer and Cloudflare R2 (object storage) holding the encrypted blobs. Cloudflare processes data on Ruply's behalf and does not use it for its own purposes.
If you do not use Splits, no data is sent to the Splits relay.
6. Push notifications
Local notifications. Daily reminders, streak nudges, EMI alerts, recurring-expense reminders, and similar prompts are scheduled locally on your device using iOS's notification framework. We do not transmit these to any server.
Push notifications for households and splits. When you take an action affecting another user — joining a household, dissolving it, a financier's subscription ending, settling a split, marking a household expense as paid — Ruply sends a notification to the affected user's device via Apple Push Notification service (APNs). The push request is signed by a Cloudflare Worker using our Apple developer key.
For splits, the recipient's APNs device token is held on the Splits relay alongside their hashed identifier (Section 5b). For household activity, the token is looked up in CloudKit at the moment of the action and used in transit. In both cases, notification payloads carry no plaintext expense content — your device fetches the encrypted record and decrypts it locally before showing the alert.
Notifications can be turned off per-type in iOS Settings → Ruply → Notifications, or as a master switch in Ruply → Settings → Notifications.
7. Subscription verification record
Ruply offers an optional Ruply+ subscription via Apple In-App Purchase. For the Household Yearly plan, where one user's subscription grants Plus access to up to five household members, we maintain a minimal server-side record of subscription status.
This record contains:
- A SHA-256 hash of your Sign in with Apple identifier. The original identifier cannot be recovered from this hash.
- A household identifier (a random UUID generated by your device).
- A flag indicating whether the subscription is active or expired.
It does not contain your name, email, device identifier, expense data, financial data, transaction history, or any personally identifying information.
The record is updated when Apple's Server-to-Server Notification V2 webhook reports a subscription state change (renewal, cancellation, billing failure, refund). Its only purpose is to allow Ruply to revoke Plus features promptly across household members when a financier's plan ends, so members are not silently using paid features they no longer have access to.
You can request deletion of this record at any time by emailing mebhargava02@icloud.com. Deletion is also triggered automatically when you tap Delete Account & Data inside Ruply.
8. Anonymous app-usage analytics
Ruply uses TelemetryDeck, a privacy-first analytics provider based in Germany, to collect anonymous, aggregate signals about which features people use. Signals include:
- Feature open counts (e.g., "Money Story opened", "Receipt Scanner opened").
- Session events (e.g., app launched, app backgrounded).
- Error categories (e.g., "AI request failed: network").
Signals carry no user identifier, no expense data, no monetary values, no merchant names, and no notes. TelemetryDeck does not track users across apps or sessions. It exists solely so we can prioritise the features people actually use.
You can opt out anytime by disabling Analytics & Improvements in iOS Settings → Privacy & Security, which Ruply respects.
9. Backup to iCloud Drive
Ruply automatically writes a weekly encrypted JSON backup of your expense data to your own iCloud Drive in a folder labelled "Ruply". This is your data, in your iCloud, accessible via the Files app. We do not have access to this backup. You can disable automatic backup in Settings → iCloud & Backup. You can delete the backup files from Files.app at any time.
10. Your rights
You can, at any time and without contacting us:
- View every piece of data Ruply holds about you — it's all in the app.
- Edit any expense, budget, EMI, envelope, split, or household record.
- Export your data as a CSV or as a Google Sheets-compatible file from Settings → Export.
- Delete your entire dataset by tapping Settings → Delete Account & Data. This action wipes your local Core Data store, your iCloud Ruply database, your iCloud Drive backups, and triggers deletion of the subscription verification record described in Section 7.
You can also stop using Ruply at any time by deleting the app and signing out of iCloud — your iCloud copy will remain under your control in Apple's storage management.
If you are a resident of a jurisdiction that grants you additional rights under data protection law (e.g., GDPR, India's DPDP Act), you can exercise those rights by emailing mebhargava02@icloud.com.
11. Data retention
We do not retain most of your data because we do not store it. Your iCloud data is retained for as long as you keep it; you control its lifecycle through Apple.
Two pieces of data have a Ruply-side retention policy:
- The subscription verification record (Section 7), retained while your subscription is active and for 30 days after cancellation, then deleted automatically.
- The Splits relay blobs and connection records (Section 5b), retained while the corresponding splits and friend connections exist on your device, and deleted when you delete the split, remove the friend, or tap Delete Account & Data.
