PrivacyLast updated · June 2026

We don't collect your data.
Here's exactly what that means.

No accounts, no analytics, no ads. Safra is local-first by architecture, not just by policy. This page is the long version.

Safra does not collect your data. Not anonymised, not aggregated, not even metadata. Nothing. This page explains exactly how that works and what it means for you.

The short version

Account required
No
Data collected
None
Ads
No
Analytics
No
Third-party SDKs
None
Data sold
Never
Cloud backup
Opt-in · your own iCloud or Google Drive
Network calls
Exchange rates · version check · weather (opt-in) · City Guide downloads · Trip Sync (opt-in) · all through *.thesafra.com

Where your data lives

Everything you enter into Safra (trips, expenses, budgets, receipts, documents, travel companions) is stored in a database on your device. Only on your device.

There is no Safra account. There is nothing for us to breach, subpoena, or sell.

Cloud backup

Safra includes an optional backup feature. It is turned off by default. On iOS, your data is backed up to your personal iCloud account. On other platforms, it is backed up to your personal Google Drive AppData folder. In both cases:

  • Your data is sent to your personal cloud account, not ours
  • Apple and Google handle the storage, and we have no access to it
  • You can turn it off or delete the backup at any time from your device settings
  • The backup is used only to restore your data on a new device

If you never enable cloud backup and never choose to share a trip, your data never leaves your device.

Exchange rates

Safra fetches exchange rates via its own endpoint at thesafra.com/api/rates. The request contains only a currency code and a timestamp. There is no user data, no device identifier, and no information about your trips or expenses.

Rates are cached on your device for 6 hours so the app works fully offline between refreshes.

On-device AI

Safra includes an optional AI feature that suggests expense categories and narrates your travel insights. It is turned off by default.

When enabled, the AI runs entirely on your device using Apple's Foundation Models framework (iPhone 15 Pro and later). No data is sent to Apple or to us. No network request is made. The inference happens on your Neural Engine and nowhere else.

Weather correlation

Safra can show how your spending changed with the weather on a completed trip. This feature is turned off by default.

When enabled, Safra fetches historical weather data via its own endpoint at thesafra.com. The request contains only a country's approximate geographic coordinates (a fixed central point, not your GPS location) and the trip's date range. No user data, device identifier, or expense information is included.

The weather data is used to compute the insight and is not stored after the calculation.

City guides

When you browse a City Guide, Safra downloads a PDF for offline use from guides.thesafra.com. The request contains only the file path. There is no user data, no device identifier, and no information about your trips.

The guide file is cached on your device for offline use. No usage data is sent anywhere.

Nearby Share

Safra can transfer a trip directly to another device over Bluetooth and local Wi-Fi. No internet connection is required and no data passes through any server.

The transfer happens device-to-device only and is always initiated by you explicitly.

Trip Sync (optional)

Safra includes an optional feature that lets travel companions sync a shared trip in real time, without creating an account.

When Trip Sync is enabled, your trip data is encrypted on your device before it is sent. The encryption key exists only on devices that have scanned the invite link. We do not have it and cannot decrypt the data.

Our relay server at appsync.thesafra.com stores a session identifier (a random code, not linked to any identity), encrypted payloads (we cannot read these), and approximate device join timestamps. It does not store your name, email address, or any personal information. It does not store the encryption key or any unencrypted trip content.

Trip Sync sessions expire 90 days after the last activity and are then permanently deleted. You can end a session at any time from the trip settings, which permanently removes all server-side data for that session.

Settlement public link (optional)

When you choose to share a settlement summary as a public link, Safra encrypts the settlement data on your device and uploads only the encrypted blob to our relay server. The encryption key travels in the URL fragment only. Our server never receives it and cannot decrypt the content.

The link expires in seven days by default. You can revoke it at any time, which permanently removes the encrypted blob from our server.

Receipt scanning (OCR)

When you photograph a receipt, Safra reads the amount, date, and merchant from the image entirely on your device using Apple's Vision framework (iOS) or ML Kit with bundled models (other platforms). The receipt image is never uploaded. No data leaves your device during or after scanning.

Report a problem (optional)

Safra includes an optional in-app feedback form for reporting bugs. Nothing is sent automatically. When you choose to submit a report, you see exactly what will be included: your message, app version, operating system version, and optionally a truncated technical error log. You choose whether to include the technical details, and you confirm before anything is sent.

The report is submitted anonymously to appsync.thesafra.com. No name, no email, no account, and no personal data is included unless you choose to write it in the message field yourself.

Notifications

Safra can send optional local notifications: budget alerts and a daily recap while a trip is active. These are turned off by default. Notifications are scheduled locally on your device and are not delivered through any external push notification service. No data leaves your device for notification delivery.

Location

Safra can suggest locations when you add an expense. This uses Apple Maps on your device, and no GPS data is sent to us or any third party. Location access is requested only when you tap the location field and only while the app is in use. You can skip it entirely; it is always optional.

Photos and documents

Receipt photos and documents are stored locally on your device. We cannot see them. They are included in your cloud backup only if you have enabled it.

Analytics and crash reporting

Safra has no analytics. No automatic crash reporting service. No heatmaps. No session recording. No A/B testing.

We do not know how many people use the app, which features they use, or whether the app has crashed on your device. The optional Report a problem form described above is the only way any diagnostic information ever reaches us, and only when you choose to send it.

Advertising

There are no ads in Safra. There is no advertising SDK. Your data is not used for any advertising purpose, on Safra or anywhere else.

Children

Safra is rated 4+ on the App Store. We do not knowingly collect any information from anyone, including children. Since we collect nothing at all, the question does not meaningfully arise.

Changes to this policy

If anything described here ever changes, we will update this page and change the date at the top. The core promise (no accounts, no data collection, no ads) is not going to change. It is the reason the app exists.


Questions

You can reach Marwan at hi@thesafra.com.

There is no legal department. There is no privacy team. It is one person, and this is what they genuinely believe.