Safra does not collect your data. Not anonymised, not aggregated, not even metadata. Nothing. This page explains exactly how that works and what it means for you.
The short version
Where your data lives
Everything you enter into Safra (trips, expenses, budgets, receipts, documents, travel companions) is stored in a database on your device. Only on your device.
There is no Safra account. There is nothing for us to breach, subpoena, or sell.
Cloud backup
Safra includes an optional backup feature. It is turned off by default. On iOS, your data is backed up to your personal iCloud account. On other platforms, it is backed up to your personal Google Drive AppData folder. In both cases:
- Your data is sent to your personal cloud account, not ours
- Apple and Google handle the storage, and we have no access to it
- You can turn it off or delete the backup at any time from your device settings
- The backup is used only to restore your data on a new device
If you never enable cloud backup and never choose to share a trip, your data never leaves your device.
Exchange rates
Safra fetches exchange rates via its own endpoint at thesafra.com/api/rates. The request contains only a currency code and a timestamp. There is no user data, no device identifier, and no information about your trips or expenses.
Rates are cached on your device for 6 hours so the app works fully offline between refreshes.
On-device AI
Safra includes an optional AI feature that suggests expense categories and narrates your travel insights. It is turned off by default.
When enabled, the AI runs entirely on your device using Apple's Foundation Models framework (iPhone 15 Pro and later). No data is sent to Apple or to us. No network request is made. The inference happens on your Neural Engine and nowhere else.
Weather correlation
Safra can show how your spending changed with the weather on a completed trip. This feature is turned off by default.
When enabled, Safra fetches historical weather data via its own endpoint at thesafra.com. The request contains only a country's approximate geographic coordinates (a fixed central point, not your GPS location) and the trip's date range. No user data, device identifier, or expense information is included.
The weather data is used to compute the insight and is not stored after the calculation.
City guides
When you browse a City Guide, Safra downloads a PDF for offline use from guides.thesafra.com. The request contains only the file path. There is no user data, no device identifier, and no information about your trips.
The guide file is cached on your device for offline use. No usage data is sent anywhere.
Nearby Share
Safra can transfer a trip directly to another device over Bluetooth and local Wi-Fi. No internet connection is required and no data passes through any server.
The transfer happens device-to-device only and is always initiated by you explicitly.
Trip Sync (optional)
Safra includes an optional feature that lets travel companions sync a shared trip in real time, without creating an account.
When Trip Sync is enabled, your trip data is encrypted on your device before it is sent. The encryption key exists only on devices that have scanned the invite link. We do not have it and cannot decrypt the data.
Our relay server at appsync.thesafra.com stores a session identifier (a random code, not linked to any identity), encrypted payloads (we cannot read these), and approximate device join timestamps. It does not store your name, email address, or any personal information. It does not store the encryption key or any unencrypted trip content.
Trip Sync sessions expire 90 days after the last activity and are then permanently deleted. You can end a session at any time from the trip settings, which permanently removes all server-side data for that session.
Settlement public link (optional)
When you choose to share a settlement summary as a public link, Safra encrypts the settlement data on your device and uploads only the encrypted blob to our relay server. The encryption key travels in the URL fragment only. Our server never receives it and cannot decrypt the content.
The link expires in seven days by default. You can revoke it at any time, which permanently removes the encrypted blob from our server.
Receipt scanning (OCR)
When you photograph a receipt, Safra reads the amount, date, and merchant from the image entirely on your device using Apple's Vision framework (iOS) or ML Kit with bundled models (other platforms). The receipt image is never uploaded. No data leaves your device during or after scanning.
Report a problem (optional)
Safra includes an optional in-app feedback form for reporting bugs. Nothing is sent automatically. When you choose to submit a report, you see exactly what will be included: your message, app version, operating system version, and optionally a truncated technical error log. You choose whether to include the technical details, and you confirm before anything is sent.
The report is submitted anonymously to appsync.thesafra.com. No name, no email, no account, and no personal data is included unless you choose to write it in the message field yourself.
Notifications
Safra can send optional local notifications: budget alerts and a daily recap while a trip is active. These are turned off by default. Notifications are scheduled locally on your device and are not delivered through any external push notification service. No data leaves your device for notification delivery.
Location
Safra can suggest locations when you add an expense. This uses Apple Maps on your device, and no GPS data is sent to us or any third party. Location access is requested only when you tap the location field and only while the app is in use. You can skip it entirely; it is always optional.
Photos and documents
Receipt photos and documents are stored locally on your device. We cannot see them. They are included in your cloud backup only if you have enabled it.
Analytics and crash reporting
Safra has no analytics. No automatic crash reporting service. No heatmaps. No session recording. No A/B testing.
We do not know how many people use the app, which features they use, or whether the app has crashed on your device. The optional Report a problem form described above is the only way any diagnostic information ever reaches us, and only when you choose to send it.
Advertising
There are no ads in Safra. There is no advertising SDK. Your data is not used for any advertising purpose, on Safra or anywhere else.
Children
Safra is rated 4+ on the App Store. We do not knowingly collect any information from anyone, including children. Since we collect nothing at all, the question does not meaningfully arise.
Changes to this policy
If anything described here ever changes, we will update this page and change the date at the top. The core promise (no accounts, no data collection, no ads) is not going to change. It is the reason the app exists.
You can reach Marwan at hi@thesafra.com.
There is no legal department. There is no privacy team. It is one person, and this is what they genuinely believe.
