Legal

Privacy Policy

Last updated 17 July 2026

Persfina is built for people in Singapore managing their own personal finances, and this policy is written with the Singapore Personal Data Protection Act (PDPA) in mind. It explains what data we collect, why, and how you can control it.

1. What we collect

  • Account details — your email address and a bcrypt-hashed password. We never store your password in plain text.
  • Statement data — the contents of the bank and brokerage statement PDFs you upload: transactions, balances, account metadata (such as bank name and masked card/account numbers), and trades.
  • Contact details — an optional phone number you may add in Settings, used only for SMS or call marketing you have opted into.

2. What happens to your uploaded files

Uploaded PDF files are used only to extract the transaction and account data described above. Once a statement import is successfully confirmed, the source PDF is deleted from our servers. If an upload is abandoned before you confirm the import, we delete the file automatically within 24 hours. What remains after that is the structured data (transactions, balances, trades) you chose to import — not the original file.

3. How your data is processed

Statement parsing is deterministic and runs entirely on our own servers, using code written per bank layout. No AI models and no third-party services ever see the contents of your statements — parsing never leaves our infrastructure.

The only outbound calls Persfina makes are:

  • Market price quotes (Yahoo Finance) — used to price your investment holdings. These requests contain only public ticker symbols, never anything personal to you.
  • Email (Resend) — used to send transactional messages such as email verification and password resets, which are always sent, and marketing email only if you have opted in. Resend receives only your email address, not your financial data.

You may optionally provide a phone number in Settings. It is used only for SMS or phone-call marketing you have expressly opted into, and for nothing else.

4. Marketing communications

We send marketing by email, SMS, or phone call only with your opt-in consent, and consent is given separately for each channel. The default is off for every channel, and consent is never bundled with your acceptance of the account terms — you can use Persfina in full without opting into any marketing.

Where you give clear consent to receive marketing by SMS or voice call, we are not required to check Singapore’s Do Not Call (DNC) Registry for that number before contacting you on those channels.

You can withdraw consent for any channel at any time in Settings → Marketing preferences. Withdrawal is applied immediately, and in any case within 10 business days as the PDPA provides. We record the time and source of every consent change and retain those records as required by law.

5. Where data is stored

Your account and financial data are stored in a PostgreSQL database that we operate and control. We do not sell or share your data with advertisers or data brokers.

6. Cookies and sessions

Persfina sets a single cookie, persfina_session, used strictly to keep you signed in. We do not use tracking, advertising, or analytics cookies.

7. Deleting your data

You can delete your account and all associated data — statements, transactions, accounts, and trades — self-serve at any time from Settings. Deletion is permanent.

8. Contact

For questions about this policy or to exercise any data protection rights under the PDPA, contact us at sulaimanbins@gmail.com.