What we do with your data, in plain English.
Version 1.0 · Last updated 2026-05-19
The short version
Foliom is a personal money tracker. We read your Gmail to find financial messages, extract the merchant, amount, and date, and show you a clean picture of your spending and net worth. We do not store your email bodies. We do not sell your data. We do not train AI on your messages. You can download or delete everything from Settings · Privacy at any time.
We follow India's Digital Personal Data Protection Act, 2023 ("DPDPA"). This page is the formal notice required by Section 5.
1. Who we are
Foliom is operated by Foliom Technologies (a sole-proprietor entity registered in India, transitioning to a private limited company). Address and registration details on request tokrish@foliom.app.
For DPDPA purposes we are the Data Fiduciary: we decide what data to collect and how to use it. You are the Data Principal.
2. What we collect
- Account basics from your Google sign-in: email, name, profile photo. Held via Clerk (our auth provider). Required for the account to exist.
- Gmail messages from financial senders once you connect Gmail. We fetch on demand via the Pica integration platform. We do not copy or persist the message body. We extract: sender domain, merchant, amount, date, category.
- Consolidated Account Statement (CAS) PDFs if you upload them. We extract holdings. We store your PAN and date of birth, encrypted at rest, because they are required to refresh your CAS.
- Subscription and billing data handled by Razorpay. We store only the subscription ID, status, and plan — never your card or bank account.
- Product analytics: anonymised event counts (e.g. "user opened Calendar"), no message contents.
We do not collect: location, contacts, photos, browsing history outside Foliom, or any sensitive personal data (caste, religion, biometrics, health) under DPDPA.
3. Why we use it (purposes)
- Service operation: show you your spending, net worth, calendar, nudges, and goals.
- AI summaries:we send extracted facts (not email contents) to Anthropic and OpenAI to generate weekly digests, daily briefings, and Q&A answers. Both providers contractually do not train models on Foliom traffic.
- Communication: transactional emails (sign-in, billing, security). Optional weekly digest (opt-out anytime).
- Fraud and abuse prevention: rate limiting, login security, refund-abuse detection.
- Compliance: we keep audit logs and consent records as DPDPA, the IT Act, and CERT-In Direction (20.04.2022) require.
We will not use your data for any new purpose without asking you first.
4. Lawful basis (DPDPA Section 4 + 6)
All Foliom processing is on the basis of your consent, granted separately for each purpose at the point of capture (Gmail connect, CAS upload, AI summaries, marketing). Consent is logged with timestamp, IP, user agent, and the verbatim text you saw. You can withdraw any consent any time from Settings · Privacy. Withdrawal does not affect processing already done; it stops future processing under that purpose.
5. Who we share with (sub-processors)
We use a small set of vendors to run the service. Each is bound by a written agreement that limits use of your data to providing services to us.
| Provider | Purpose | Data residency |
|---|---|---|
| Clerk | Authentication & user accounts | United States |
| Pica (One.ai) | Gmail read-only passthrough | United States |
| Neon | Primary database (Postgres) | AWS Mumbai (ap-south-1) |
| Vercel | Application hosting & edge | United States + global edge |
| AWS KMS | Encryption key custody | AWS Mumbai (ap-south-1) |
| Anthropic | AI summaries & briefings | United States |
| OpenAI | AI summaries & briefings | United States |
| Razorpay | Subscription billing | India |
| Inngest | Background job orchestration | United States |
| PostHog | Anonymised product analytics | United States |
| Resend | Transactional email | United States |
We do not sell, rent, or trade your data. We do not show advertising. We do not share your data with employers, banks, insurers, or any third party for their independent marketing.
6. How long we keep it (retention)
- Account data while your account is active.
- Extracted financial events for the lifetime of your account, so historical insights remain accurate.
- Email bodies: never stored, discarded immediately after extraction.
- Audit logs for 180 days (CERT-In Direction).
- Consent records for as long as Indian law requires evidence (typically beyond account deletion, with the user identifier severed).
When you delete your account, we hard-delete everything except consent log evidence within 24 hours. Encrypted columns are additionally crypto-shredded: the per-user key that decrypts them is destroyed, making the data unrecoverable even if a backup is restored.
7. Your rights under DPDPA
You have the right to:
- Access a copy of your data. Settings · Privacy → Download my data.
- Correct or update inaccurate data.
- Erase your data. Settings · Privacy → Delete account.
- Withdraw consent for any purpose at any time. Settings · Privacy → Consent.
- Nominate a person to exercise these rights on your behalf if you cannot. Contact krish@foliom.app to register a nominee.
- Complain to our Grievance Officer (below) or, if unresolved, to the Data Protection Board of India.
8. Grievance Officer
Under DPDPA Section 8(9), our designated Grievance Officer is:
Krish ParekhGrievance Officer, Foliom
krish@foliom.app
Response within 15 days as required by DPDPA Rules.
If you remain unsatisfied, you may approach the Data Protection Board of India under DPDPA Section 27.
9. Security
- In transit: TLS 1.2+ on every request.
- At rest: AES-256-GCM with per-user data encryption keys, wrapped by AWS KMS (Mumbai, ap-south-1). PAN, DOB, BO ID, merchant strings, and raw LLM extracts are individually encrypted.
- Access control: production database access is limited to the Foliom team, logged, and gated by SSO.
- Audit logging: 180-day retention as required by CERT-In Direction (20.04.2022).
- Breach notification: if a breach occurs, we will notify CERT-In within 6 hours and you and the Data Protection Board within 72 hours, as required.
10. Data transfers
Primary data is stored in Neon Postgres, AWS Mumbai (ap-south-1). Some sub-processors operate outside India (Anthropic, OpenAI, Clerk, Vercel, Pica). In those cases the data sent is limited to what the service needs; raw email content never leaves Pica's read-only pipeline; LLM providers receive non-identifying extracted facts. DPDPA does not prohibit transfers but requires safeguards; we use the providers' standard data processing addenda.
11. Children
Foliom is for adults. We do not knowingly collect data from anyone under 18. If you believe a child has signed up, email krish@foliom.app and we will delete the account.
12. Changes to this policy
If we change this policy in a way that affects your rights or our purposes, we will email you at least 14 days before the change takes effect, and re-prompt for consent where required. The version and date at the top of this page are always current.
13. Contact
For anything in this policy, email krish@foliom.app. For data subject rights requests, use Settings · Privacy when signed in.
See also: Terms of Service · Sub-processor list · Grievance procedure.