Privacy Policy

How Nura collects, uses, and protects your personal information.

Effective date: 1 March 2026 · Last updated: 1 March 2026

Summary: Nura never connects to your email account. You forward bank notification emails to Nura's ingestion address using a filter you set up yourself. We encrypt all sensitive data at rest using AES-256-GCM. You can delete your account and all data at any time. We never sell your data.

1. Who we are

Nura ("we", "our", or "us") is a personal finance application that helps you track and understand your spending. References to "you" or "your" mean any person who creates an account or uses the Nura service.

For enquiries about this policy, contact us at privacy@getnura.app.

2. Applicable regulations

We are committed to compliance with applicable data-protection laws, including:

  • Hong Kong Personal Data (Privacy) Ordinance (PDPO)
  • Singapore Personal Data Protection Act (PDPA)
  • Malaysia Personal Data Protection Act 2010
  • Thailand Personal Data Protection Act B.E. 2562 (PDPA 2019)
  • Indonesia Personal Data Protection Law (PDP Law 2022)
  • Philippines Data Privacy Act 2012 (Republic Act No. 10173)
  • Vietnam Decree 13/2023/ND-CP on Personal Data Protection
  • India Digital Personal Data Protection Act 2023 (DPDP Act)
  • EU/UK General Data Protection Regulation (GDPR)

If there is a conflict between this policy and applicable local law, local law prevails.

3. What data we collect

3.1 Account data

  • Email address — required to create your account and log in.
  • Name — optional, used for personalisation.
  • Password — stored as a bcrypt hash; we never store your plaintext password.
  • Base currency preference

3.2 Forwarded email data

Nura does not connect to your email account and does not store OAuth tokens. Instead, you create a filter in your own Gmail or Outlook account to forward bank notification emails to Nura's ingestion address. Only the emails you choose to forward are ever received by Nura. We do not have access to your inbox, and we never send, delete, or modify emails on your behalf.

3.3 Transaction data

From forwarded bank notification emails and any PDF bank statements you upload, we extract and store:

  • Transaction date, amount, and currency
  • Merchant or receiver name
  • Payment mode (e.g. FPS, PayNow, Octopus, credit card)
  • AI-assigned category (Food, Transport, Shopping, etc.)
  • Source email subject line and sender address (for deduplication)

Sensitive text fields (merchant name, receiver, email subject, bank) are encrypted with AES-256-GCM at rest. Numeric fields (amount, date) are stored in plaintext for aggregation.

3.4 Usage and analytics data

We may collect anonymised, aggregated product analytics (feature usage, page views) to improve the service. This data does not identify you individually.

4. How we use your data

  • To provide the Nura service — syncing transactions, computing analytics, generating AI insights.
  • To authenticate you and secure your account.
  • To send budget-limit alert emails you have opted into.
  • To improve our AI models and product features (using anonymised aggregate data only).
  • To comply with legal obligations.

We do not sell your data, use it for advertising, or share it with third parties except as described in Section 5.

5. Third-party services

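Service       | Purpose                                  | Data shared
--------------|------------------------------------------|--------------------------------------------------------------
OpenAI        | Transaction classification & AI insights | Anonymised transaction snippets (no names, no account numbers)
MongoDB Atlas | Database hosting                         | Encrypted user and transaction records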

Each third-party provider is bound by their own privacy policy and applicable data-processing agreements.

6. Data security

  • Encryption at rest: Sensitive fields use AES-256-GCM with per-record random IVs and authentication tags.
  • Encryption in transit: All connections use TLS 1.2 or higher.
  • Authentication: Passwords are hashed with bcrypt (cost factor 10). Sessions use short-lived JWT access tokens and rotating refresh tokens.
  • Access controls: Database access is restricted to application service accounts with minimum required permissions.

7. Data retention

We retain your data for as long as your account is active. If you delete your account, all associated data (transactions, budgets, goals, insights, OAuth tokens) is permanently erased from our systems within 30 days.

We may retain anonymised aggregate statistics that cannot identify you after account deletion.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification / Correction — ask us to correct inaccurate data.
  • Erasure / Right to be forgotten — request deletion of your data. You can also do this yourself via the "Delete Account" feature in the app.
  • Portability — receive your data in a machine-readable format.
  • Objection / Restriction — object to or restrict certain processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email privacy@getnura.app. We will respond within 30 days (or the shorter period required by applicable law).

9. Cookies

Nura uses only strictly necessary cookies and browser localStorage for session management (storing your access token). We do not use advertising cookies or third-party tracking cookies.

10. Children's privacy

Nura is not directed at children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. International transfers

Your data may be processed in countries outside your home country (for example, on servers operated by MongoDB Atlas or OpenAI). Where such transfers occur, we rely on standard contractual clauses or equivalent safeguards required by applicable law.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice in the app before the changes take effect. The effective date at the top of this page will always show the most recent revision.

13. Contact us

For any privacy-related questions, requests, or complaints:

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.