Sevra
Privacy Policy
1. Who we are
Sevra is a personal-finance app operated by Cultured Craft, LLC, a limited liability company based in Massachusetts, United States. You can reach us at david@culturedcraft.com. This policy applies on the same terms to every user of the service.
2. What data we collect
Account data. Email address and password hash via Firebase Authentication. Optional Google sign-in identifier if you choose Google. Optional time-based one-time-password (TOTP) factor if you enable two-factor authentication.
Financial data via Plaid. When you link a bank or card, Plaid Inc. provides Sevra with: account names, balances, APRs, minimum payments, transaction history (up to 24 months), and institution names. Sevra never sees your bank login. Plaid's own privacy policy governs data in transit between your bank and Plaid.
User-entered data. Manually added debts, goals, and notes you choose to record.
Optional, opt-in. If you enable location-aware nudges, location samples are processed on your device only and never transmitted to our servers.
3. How we use it
Sevra uses your data to project your debt-free date, render your path to zero, surface spending patterns, and produce daily insights through on-device or server-side AI. We do not run third-party advertising, we do not sell data, and we do not share data with data brokers. AI features are opt-in and explained in plain language at the moment of opt-in.
4. How we store it
Account and financial metadata is stored in Google Cloud Firestore in the us-central1 region. Plaid access_token values are written and read only by server-side Cloud Functions; Firestore security rules prevent the client app from reading them. On your device, Sevra caches data locally in SQLite via Drift; the location-samples table, when enabled, is encrypted at rest. Backups follow Google Cloud's standard retention.
5. Who we share it with
We share your data only with the following processors, and only as needed to provide the service:
- Plaid Inc. — the conduit that connects your accounts. You control linked Items from Settings and may disconnect at any time.
- Google Firebase / Google Cloud — our infrastructure provider (authentication, database, functions, hosting).
- Anthropic and Google AI — when you opt into AI insights, anonymized and aggregated data is sent for inference. Raw account numbers, names, and identifying memos are redacted before sending.
We do not sell your personal information. We do not use your data for advertising.
6. Security
Sevra uses Firebase App Check to deter abuse, Firestore security rules to enforce per-user isolation, and standard transport encryption (HTTPS / TLS) for all network traffic. You can enable two-factor authentication with a TOTP authenticator app from Settings. Access tokens for linked banks are server-side only. Signing out clears the on-device cache. No system is perfectly secure; we will notify affected users promptly if a breach occurs.
7. Your rights
You can export your data as CSV or JSON from Settings at any time. You can delete your account from Settings; we honor a 7-day grace period during which deletion can be reversed, after which your data is unrecoverable. You can unlink any Plaid Item from Settings, which immediately stops syncing and purges the corresponding access token.
If you are a resident of California, the EEA, the UK, or another jurisdiction with applicable data-protection law, you have the right to access, correct, and delete your personal data. Contact us at david@culturedcraft.com to exercise these rights.
8. Children's privacy
Sevra is not directed at and not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
9. Changes to this policy
We will post any updates to this page and revise the effective date above. For material changes, we will notify active users in-app before the change takes effect.
10. Contact
Cultured Craft, LLC
Massachusetts 01506, United States
david@culturedcraft.com