Privacy Policy

Last updated: May 18, 2026

1. Overview

Jumble ("the App", "we", "us", "our") is a personal ledger and budget management application developed by Soban Rafiq. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our App on Android, iOS, or Web.

By using the App, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the App.

2. Information We Collect

Account Information: When you register, we collect your full name, email address, and phone number to create and identify your account.

Ledger Data: Transaction entries you create (amounts, descriptions, dates, notes) and budget records are stored in your account and synced via Google Firebase.

Profile Data: Your display name and currency preference are stored to personalise your experience.

Device & Technical Data: Firebase Cloud Messaging (FCM) tokens are stored to deliver push notifications to your device(s). We collect crash reports and performance data via Firebase Crashlytics to improve app stability. This data is anonymised and does not identify you personally.

Advertising Data: If you are shown advertisements, Google AdMob may collect device identifiers and usage data to serve relevant ads. For users in the EU/EEA, this occurs only with your explicit consent.

We do NOT collect sensitive personal data (health, biometric, financial account credentials, precise geolocation) beyond what is described here.

3. Permissions We Request

Contacts (Optional): If you choose to import a customer from your contacts, we read only the selected contact's name and phone number. We do not upload, store, or access your full contact list.

Internet: Required to sync your ledger data, authenticate your account, and deliver notifications.

Notifications (Optional): Used to alert you about khata activity (new transactions, reminders, account updates). You can disable notifications in your device settings at any time.

Biometrics / Screen Lock (Optional): Used locally on your device to power the App Lock feature. Biometric data (fingerprint, Face ID) is processed entirely by your device's operating system and never transmitted to our servers or any third party.

Accessibility Service (Optional): The "Shortcut Service" feature uses an Accessibility Service to provide quick-add shortcuts. This service only enables launcher shortcuts and does not read, capture, or transmit any screen content or personal data.

4. How We Use Your Data

  • To create, manage, and sync your khata (ledger) and budget records across your devices.
  • To allow shared khatas between two users, using phone numbers to match accounts.
  • To authenticate your identity and keep your account secure.
  • To send you push notifications about activity in your khatas and budget reminders.
  • To diagnose crashes and improve App performance via anonymised crash reports.
  • To serve advertisements (Android only). EU/EEA users will only receive personalised ads if they have given explicit consent.
  • We do NOT sell, rent, or share your personal data with third parties for marketing or commercial purposes.

5. Legal Basis for Processing

EU / EEA / UK (GDPR — EU 2016/679 / UK GDPR):
  • Contract Performance (Art. 6(1)(b)): Creating and operating your account, and providing ledger and budget features.
  • Legitimate Interest (Art. 6(1)(f)): Transactional notifications, crash diagnostics, fraud prevention.
  • Consent (Art. 6(1)(a)): Serving personalised advertisements via Google AdMob on Android. You may withdraw consent at any time.
  • Legal Obligation: Complying with applicable laws and regulations.
Saudi Arabia (KSA PDPL — Royal Decree M/19):
  • Contractual Necessity: Creating and operating your account and providing ledger and budget features.
  • Legitimate Interest: Transactional notifications, crash reports, fraud prevention.
  • Consent: Serving personalised advertisements via Google AdMob on Android. You may withdraw consent at any time by contacting support.
UAE (UAE PDPL — Federal Decree-Law No. 45 of 2021):
  • Contractual Necessity: Creating and operating your account and providing ledger and budget features.
  • Legitimate Interest: Transactional notifications, analytics, fraud prevention.
  • Consent: Serving personalised advertisements via Google AdMob on Android only with your explicit consent. You may withdraw consent at any time.
California (CCPA / CPRA — Cal. Civ. Code §§ 1798.100 et seq.):
  • Your personal data is processed to provide the App and its features, and to support advertising consistent with the CCPA/CPRA.
  • We do NOT sell personal information as defined by the CCPA.
  • California residents have the right to know, delete, correct, and opt out of the sharing of personal data.

6. Data Storage & Security

Your data is stored on Google Firebase (Firestore database and Firebase Authentication), operated by Google LLC. Firebase infrastructure is protected by Google's industry-leading security measures, including encryption at rest and in transit.

International Data Transfers: Google Firebase infrastructure may store and process data in data centres outside your country. For users in the EU/EEA/UK and the GCC, Google has entered into Standard Contractual Clauses (SCCs) and robust data protection agreements with data processors, providing adequate protection for international transfers as required by GDPR and GCC PDPL regulations. You can review Google's terms at firebase.google.com/terms/data-processing-terms.

Our Firebase Security Rules ensure each user can only access their own data. Sensitive fields (payment details, FCM tokens) are stored in a private subcollection not accessible to other users.

No security system is 100% impenetrable. We encourage you to use a strong password and enable App Lock for an additional layer of protection.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the App services.

Account Deletion: When you delete your account (Settings → Danger Zone → Delete Account), all your Firestore data (khatas, transactions, expenses, settings) is permanently deleted immediately. Firebase Authentication removes your login credentials. This action is irreversible.

8. Your Privacy Rights

All users:
  • Access & Correction: View and update your name, email, and currency in Settings.
  • Deletion: Permanently delete your account and all data via Settings → Danger Zone → Delete Account.
  • Data Portability: Export your own data for your records.
California residents (CCPA/CPRA — Cal. Civ. Code §§ 1798.100 et seq.):
  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, sold, or disclosed.
  • Right to Delete: Request permanent deletion of your personal information.
  • Right to Opt-Out: Choose not to have your data sold or shared. We do NOT sell personal information as defined by the CCPA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
  • Minimum Retained Data: Google Ad ID (truncated IP, device ID) is used solely for ad-serving consent. This non-personal data may be retained for 26 months per Google policy.
  • Responding to Requests: We acknowledge within 45 days and may extend by up to 90 days for complex requests.
EU/EEA/UK users (GDPR rights — EU 2016/679):
  • Right of Access (Art. 15): Request a copy of your personal data.
  • Right to Rectification (Art. 16): Correct inaccurate data.
  • Right to Erasure (Art. 17): Request deletion of your data (right to be forgotten).
  • Right to Data Portability (Art. 20): Request your data in a machine-readable format.
  • Right to Restriction (Art. 18): Request that we limit processing of your data.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7): Withdraw consent for personalised advertising at any time.
  • Right to Lodge a Complaint: lodge a complaint with your national data protection supervisory authority (e.g. ICO in the UK, CNIL in France).
Saudi Arabia users (KSA PDPL — Royal Decree M/19):
  • Right to be Informed (Art. 4): Know how your data is collected, used, and processed.
  • Right of Access (Art. 4): Request access to and a copy of your stored personal data.
  • Right to Rectification (Art. 4): Request correction or updating of inaccurate or outdated data.
  • Right to Erasure (Art. 4): Request permanent deletion of your data when no longer needed.
  • Right to Withdraw Consent: Withdraw consent for data processing (such as personalised ads) at any time.
UAE users (UAE PDPL — Federal Decree-Law No. 45 of 2021):
  • Right to be Informed (Art. 13): Know how your data is collected, used, and processed.
  • Right of Access (Art. 13): Request access to and a copy of your stored personal data.
  • Right to Rectification (Art. 13): Request correction or updating of inaccurate or outdated data.
  • Right to Erasure (Art. 13): Request permanent deletion of your data when no longer needed.
  • Right to Withdraw Consent (Art. 13): Withdraw consent for data processing (such as personalised ads) at any time.
  • Right to Lodge a Complaint: lodge a complaint with the UAE Data Office (the national data protection authority).
Australia consumers (Australian Consumer Law — Schedule 2 of the Competition and Consumer Act 2010):
  • This Privacy Policy sets out our Australian Privacy Principles (APP) commitments where applicable.
  • You may request access to or correction of personal information held by us.
  • You may make a privacy complaint to the OAIC (Office of the Australian Information Commissioner).

To exercise any of these rights, contact us at contact@jumbleapp.online. We will respond within 30 days (10–45 days for EU, 45 days for California, 60 days for GCC).

9. Advertising & Consent (Google AdMob & Mediation)

Jumble displays advertisements on Android via Google AdMob and its mediation partners (InMobi and Meta Audience Network) to support the free service.

For users in the EU/EEA: Before showing any ads, Jumble will present the Google-managed consent form (UMP — User Messaging Platform). You can choose to consent to personalised ads or opt for non-personalised ads. You can change your preference at any time through your device's Google settings.

For users outside the EU/EEA: Personalised ads are shown by default in accordance with the partners' standard terms.

AdMob and its mediation partners may collect: device identifiers, IP address (truncated), ad interaction data, and app usage signals. This data is governed by their respective privacy policies.

Ads are NOT shown on Web or to users who have not consented in the EU/EEA.

10. Third-Party Services

We use the following third-party services, each governed by their own privacy policies:
  • Google Firebase (Authentication, Firestore, Cloud Messaging, Remote Config, Crashlytics) — privacy policy: firebase.google.com/support/privacy
  • Google Sign-In & Apple Sign-In — Social login providers.
  • Google AdMob — Advertising on Android. Privacy policy: policies.google.com/privacy
  • InMobi — Advertising mediation partner. Privacy policy: inmobi.com/privacy-policy
  • Meta Audience Network — Advertising mediation partner. Privacy policy: facebook.com/about/privacy
  • Google Fonts — Typography assets. No personal data collected.

We do not use any third-party analytics, behavioral tracking, or advertising services beyond those explicitly listed above.

11. Children's Privacy

Jumble is not directed to children. We do not knowingly collect personal information from anyone under the age of digital consent in their jurisdiction (13 in most countries, 16 in EU/EEA member states, 13 in California under CCPA/SB-1272, 12 in many GCC states).

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@jumbleapp.online and we will promptly delete the information.

12. Cookies & Web Tracking

The Jumble web application (jumbleapp.online) may use browser storage (localStorage/sessionStorage) to maintain your session and preferences. We do not use tracking cookies for advertising on the web platform.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the App or applicable law. When we make material changes, we will update the "Last updated" date at the top of this policy and, where feasible, notify you in the App.

Your continued use of the App after any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Email: contact@jumbleapp.online
Developer: Soban Rafiq
Website: jumbleapp.online

For GDPR-related requests, we will acknowledge your request within 72 hours and respond fully within 30 days.
← Return to Home