Privacy Policy | KORASSA

Your privacy is fundamental to Korassa. This Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it under Egyptian, EU/UK, and California privacy laws.

1. Introduction

This Privacy Policy ("Policy") describes how company legal name ("Korassa," "we," "us," or "our"), the operator of the Korassa mobile application (the "App") and any related websites and services (collectively, the "Services"), collects, uses, stores, shares, and protects your personal data when you use our Services.

This Policy is published in compliance with:

The Egyptian Personal Data Protection Law No. 151 of 2020 ("PDPL") and its Executive Regulations issued by Prime Ministerial Decree No. 816 of 2025;
The EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR, where applicable;
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), where applicable;
The privacy requirements of the Apple App Store and Google Play Store;
Other applicable data protection and consumer privacy laws in jurisdictions where we offer the Services.

By creating an account, accessing, or using the Services, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree, please do not use the Services.

2. Who We Are (Data Controller)

The data controller responsible for your personal data under this Policy is:

Field	Value
Legal Name	company legal name
Trade Name	Korassa / كراسة
Commercial Registration No.	commercial registration no.
Tax Registration No.	tax id no.
Registered Office	registered office address
General Contact	hello@korassa.com
Privacy / Data Protection Inquiries	privacy@korassa.com
Security & Breach Reports	security@korassa.com
Data Protection Officer (DPO)	DPO name · dpo@korassa.com
PDPC License / Permit No.	PDPC license no.

For users outside Egypt, our local Egyptian representative (where required by Article 4 of the PDPL Executive Regulations for cross-border processing) is: Egyptian local representative.

For users in the EU/EEA, our EU representative under Article 27 GDPR (where applicable) is: EU representative.

3. Scope of This Policy

This Policy applies to personal data processed in connection with:

Your Korassa account (including guest/anonymous accounts);
Your profile and demographic information;
Your financial entries (transactions, recurring expenses, loans, ROSCAs, lending records, investments, strategic purchases);
Shared categories (multi-user expense groups);
Subscriptions and payments;
Customer support communications;
Marketing and analytics (where applicable and consented to).

It does not cover third-party services that you may link to or access through the App (such as Google Sign-In, Apple Sign-In, the Google Play Store, the Apple App Store, or any external website). Those services have their own privacy policies, which we encourage you to read.

4. Personal Data We Collect

We collect the following categories of personal data. We collect only what is necessary for the purposes described in Section 5.

4.1 Account & Identification Data

Email address
Password (stored only as a hashed value — we never see your plaintext password)
Name (where provided)
Language preference (English / Arabic)
Platform (iOS / Android)
Authentication provider identifier (Google ID / Apple ID, where you sign in via these)
A pseudonymous internal user identifier (firebase_uid)
Timestamps of account creation, login, and session

4.2 Profile & Demographic Data (Optional, Provided During Onboarding)

You choose what to enter during onboarding. The fields collected may include:

Username, last name, mobile number
Gender, date of birth (used to compute age and to gate age-appropriate features)
Marital status, expense-sharing model
Pregnancy status and expected due date (where you choose to enter this)
Whether you have children, number of children, age groups of children
Employment types and income sources (e.g., salary, freelance, business, pension)
Housing information (own / rent, monthly rent, rent due day, vehicle ownership)
Lifestyle indicators (e.g., smoker status)
Driver-specific fields (if you use the driver/ride-hailing module)

Note on sensitive data: Under the PDPL, data revealing health, religion, political opinions, or sexual life is "sensitive personal data." Pregnancy and related health information you choose to enter falls into this category. We process such data only with your explicit, written (electronic) consent and only to power the features you have enabled. You may withdraw this consent at any time from Profile → Privacy.

4.3 Financial Data You Enter

Income and expense transactions (amount, category, date, payment method, notes, optional receipt image path)
Recurring expenses
Loans, installments, and ROSCA (gam'eya / جمعية) details
Investment holdings, lots, and income records
Lending records — including the name and (optional) phone number of third parties you have lent money to or borrowed from
Strategic / planned purchases and savings goals
Bank account labels, credit-card labels, and cash-on-hand balances (you enter labels and balances; we do not connect to your bank and never receive account numbers, card numbers, statements, or transaction feeds from financial institutions)
Custom categories you create
Spending pattern summaries derived from your entries

4.4 Shared-Category Data

If you create or join a shared-expense category (e.g., a household budget), the other members of that category will see the transactions, amounts, payer name, and split details you record within it. Only data you choose to record inside a shared category is shared.

4.5 Subscription & Payment Data

We use RevenueCat as our subscription-management platform, which connects to Google Play Billing (Android) and Apple App Store StoreKit (iOS). We do not receive your full credit-card or banking details. We receive:

Subscription status, plan tier, billing period, store of origin
Anonymized purchase identifiers, receipt tokens, and invoice metadata
Payment-success and renewal events
Country/region of the store account
Promotional codes and discounts redeemed

For users in Egypt purchasing through Google Play, payment may be made via card, Google Pay, or carrier billing on Vodafone, Etisalat, or Orange Egypt — those carriers and Google handle the payment instrument and apply their own privacy policies.

4.6 Device & Technical Data (Collected Automatically)

Device model, operating system and version, app version, time zone, language
A device identifier (used for crash reports and security)
IP address (used transiently for routing requests, security, and abuse prevention)
Approximate location derived from IP (country/region only — we do not collect GPS location)
Crash logs and diagnostic data
API request logs (endpoint, status code, latency) for security and debugging

4.7 Usage & Analytics Data

Onboarding step completion events
Feature-use counts (e.g., whether you have used investments, lending, ROSCA, shared categories)
Daily activity flags (whether you opened the app, recorded a transaction)
Session-cohort retention metrics
Aggregated, k-anonymized counts (we apply a k-anonymity threshold of 20 before any aggregate is shown in our internal dashboards, so no fewer than twenty users are ever represented in a visible aggregate)

We do not use third-party advertising SDKs, behavioral-advertising trackers, or cross-app tracking identifiers.

4.8 Communications

Emails you send to support, security, or privacy mailboxes
In-app messages and feedback
Password-reset codes and account-security notifications (transactional emails, sent via ZeptoMail)

4.9 Data You Provide About Other People

If you record a person in your lending tracker or invite someone to a shared category, you provide us with that person's name and (optionally) phone number or email. You are responsible for ensuring you have the right to share that information with us. We will only use such third-party data to operate the feature for you (e.g., display the contact in your list, send the invitation), and we will not contact those people independently for marketing.

4.10 Data We Do NOT Collect

For clarity, we do not collect:

Bank or credit-card account numbers, statements, or transaction feeds (we don't integrate with banks);
Continuous GPS or precise location;
Contact-list dumps from your device;
Photos, videos, or files on your device unless you explicitly attach a receipt image;
Microphone or camera streams;
Health-app data, biometrics (other than the local face/fingerprint check used by your device's OS to unlock the App, which never leaves your device);
Government-issued ID numbers (national ID, passport, etc.);
Any data about your contacts beyond what you explicitly enter into the lending tracker or invitation flows.

5. How We Use Your Data and Our Legal Bases

We process personal data only when at least one lawful basis under Article 6 of the PDPL (and the corresponding Article 6 GDPR basis, where applicable) is satisfied. The table below maps each processing purpose to its legal basis.

Purpose	Categories of Data	Legal Basis
Create and operate your account; authenticate you	4.1, 4.6	Performance of the contract (PDPL Art. 6(2); GDPR Art. 6(1)(b))
Display the financial records and reports you have entered	4.3, 4.4	Performance of the contract
Provide profile-driven category suggestions, smart filtering, and reminders	4.2, 4.3	Performance of the contract; consent for optional sensitive fields
Process subscriptions, generate invoices, prevent payment fraud	4.5	Performance of the contract; legal obligation (tax/accounting)
Send transactional emails (password reset, receipts, security alerts)	4.1, 4.5, 4.8	Performance of the contract; legitimate interest (security)
Detect, prevent, and investigate fraud, abuse, and security incidents	4.1, 4.6, 4.7, 4.8	Legitimate interest; legal obligation
Provide customer support	4.1, 4.8	Performance of the contract; legitimate interest
Improve the App, debug crashes, plan features (using aggregated, k-anonymized data only)	4.6, 4.7	Legitimate interest, balanced through aggregation and k-anonymity
Compute personalized subscription pricing or promotions (Phase 3 feature, when launched, only after you opt in)	4.3, 4.7	Explicit, granular consent — you may opt out at any time
Comply with legal, regulatory, tax, accounting, and law-enforcement obligations	All	Legal obligation (PDPL Art. 6(3); GDPR Art. 6(1)(c))
Establish, exercise, or defend legal claims	All	Legal claim or defense
Send optional marketing emails and product announcements	4.1, 4.8	Explicit consent only — you must opt in, you may opt out at any time

We will not process your personal data for purposes that are materially different from the above without first obtaining your fresh consent.

6. Automated Decision-Making and Profiling

We perform the following limited forms of automated processing on data you have entered:

Smart category filtering — your profile attributes (e.g., employment type, presence of children) drive which transaction categories appear by default. This is a UX convenience, not a decision about you.
Spending-pattern detection — we look for recurring entries to surface reminders. You can dismiss or restore any detected pattern.
Quota tracking — we sum the absolute values of your transactions to enforce the monthly quota associated with your subscription tier.
Personalized pricing (Phase 3, when launched) — we may compute personalized discount percentages on subscription plans based on signals such as your savings rate and category mix. This will only be activated with your explicit, granular opt-in. You may opt out, request a non-personalized price, request human review of any pricing decision, or contest the outcome by writing to privacy@korassa.com.

We do not use your data to make decisions that produce legal effects on you (such as creditworthiness, employment, insurance, or eligibility for government benefits). We do not sell your data to data brokers, ad networks, or scoring agencies.

7. How We Share Your Data

We share personal data only in the limited circumstances below.

7.1 Service Providers (Data Processors)

We rely on a small set of vetted processors. Each is bound by a data-processing agreement and must comply with privacy obligations equivalent to those in this Policy.

Processor	Role	Location of Processing
Google LLC (Firebase / Firestore, Google Sign-In, Google Cloud)	Cloud sync, authentication, push notifications	United States, EU, and other Google regions
Apple Inc. (Sign in with Apple, App Store, StoreKit)	iOS authentication and in-app purchases	United States
RevenueCat, Inc.	Subscription state, paywall, entitlements	United States
ZeptoMail (Zoho Corporation)	Transactional email delivery	India / United States
hosting provider	Backend API hosting and database	hosting region
Codemagic / Shorebird	Build automation and over-the-air updates (no personal data)	EU / United States

We do not share your data with advertising networks, data brokers, or analytics-aggregator services.

7.2 Other Users (Only Where You Initiate)

When you use the shared category feature, the transactions and split details you record inside that shared category are visible to the other members. When you accept an invitation, the host sees that you joined.

7.3 Legal, Regulatory, and Safety Disclosures

We may disclose personal data when we believe in good faith that disclosure is necessary to:

Comply with a binding legal obligation, court order, subpoena, or lawful request from a competent authority (including the Egyptian Personal Data Protection Centre, courts, prosecutors, tax authorities, and anti-money-laundering authorities);
Enforce our Terms of Use;
Protect the rights, property, or safety of Korassa, our users, or the public;
Investigate fraud or security incidents.

Where legally permitted, we will notify you before producing your data in response to such requests.

7.4 Business Transfers

If Korassa is involved in a merger, acquisition, financing, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will give you advance notice (where legally required) and the successor will be bound by this Policy or an equivalent one.

7.5 With Your Explicit Consent

We may share data for purposes not listed above only with your specific, prior consent.

8. International Transfers of Personal Data

The Services are operated in part outside the Arab Republic of Egypt. Some of the processors named in Section 7.1 process data in the United States, the European Union, India, or other regions. Cross-border transfers are governed by Articles 14–15 of the PDPL and the Executive Regulations, which require:

A license or permit from Egypt's Personal Data Protection Centre (PDPC) for cross-border transfers;
Your explicit consent to the transfer (which you provide by accepting this Policy when creating an account);
A finding that the receiving country provides protection at least equivalent to the PDPL, or appropriate safeguards (such as Standard Contractual Clauses) if it does not.

For users in the EU/EEA and the UK, where we transfer personal data to a country that has not received an adequacy decision from the European Commission or the UK ICO, we rely on the latest version of the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) entered into with each processor, supplemented by technical and organizational safeguards (such as encryption in transit and at rest).

You may request a list of countries to which your data is transferred, and copies (with commercial information redacted) of the safeguards in place, by writing to privacy@korassa.com.

9. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law.

Category of Data	Retention Period
Account credentials and profile (active account)	For the life of your account
Financial transactions, recurring expenses, loans, ROSCAs, investments, lending, strategic purchases, spending patterns	For the life of your account, so that you can view long-term history and reports
Subscription invoices and tax-relevant records	At least 7 years after issuance, to comply with Egyptian Tax Law and Egyptian Commercial Law record-keeping obligations
Audit logs of administrative actions	2 years, then archived for a further 5 years in restricted-access storage for fraud and security investigations
API request logs	90 days in hot storage
Crash and diagnostic logs	90 days
Password-reset codes	60 minutes (then expire and are deleted)
Session tokens	Until you log out, or until token revocation
Closed-account residual data (after account deletion)	Up to 30 days in cold backups before final purge; tax records retained for the period above; aggregated, anonymized statistics may be kept indefinitely
Marketing-consent withdrawals (suppression list)	Indefinitely, to ensure we honor your opt-out

If you delete your account (Section 10.4), we will erase or irreversibly anonymize the data above on the timelines stated, except where retention is required by law.

Our codebase carries a development convention that historical entries are not auto-purged so that long-term reports remain consistent. This convention does not override your right to deletion. When you exercise the right under Section 10.4, we perform an actual erasure or irreversible anonymization on the timelines above.

10. Your Rights

You have the rights below in respect of your personal data. To exercise any of them, write to privacy@korassa.com from the email address registered to your account, or use the in-app Profile → Privacy → Data Rights menu. We will respond within 30 days (extendable by an additional 30 days for complex requests, with notice to you). There is no charge for routine requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, with reasons.

Right	Description
Access (Art. 11 PDPL; Art. 15 GDPR)	Receive confirmation of whether we process your data, a copy of the data, and the purposes, categories, recipients, retention periods, and sources
Rectification (Art. 11 PDPL; Art. 16 GDPR)	Correct inaccurate or incomplete data. Most fields are editable in-app
Erasure / "Right to be Forgotten" (Art. 11 PDPL; Art. 17 GDPR)	Have your data deleted, subject to legal retention (e.g., tax records)
Restriction (Art. 18 GDPR)	Limit our processing while a dispute or accuracy issue is resolved
Objection (Art. 11 PDPL; Art. 21 GDPR)	Object to processing based on legitimate interest, including profiling for marketing or pricing personalization
Portability (Art. 20 GDPR)	Receive your data in a structured, commonly used, machine-readable format (we provide JSON export)
Withdraw consent (Art. 11 PDPL; Art. 7 GDPR)	Withdraw any consent you previously gave, without affecting the lawfulness of prior processing
Not be subject to solely automated decisions (Art. 22 GDPR)	We do not currently make such decisions; if we ever do, you will have human review
Lodge a complaint	With the Egyptian Personal Data Protection Centre (PDPC), or your local supervisory authority (e.g., the UK ICO, the California Attorney General)
Non-discrimination (CCPA)	We will not deny service, charge different prices, or provide a lesser quality of service because you exercised a CCPA right
No sale or "share" (CCPA)	We do not sell or "share" (as those terms are defined under the CCPA) your personal information for cross-context behavioral advertising

10.1 Identity Verification

To protect you, we will verify the identity of any requester before disclosing or deleting data. This usually means confirming control of your registered email and providing a one-time code.

10.2 Authorized Agents

You may use an authorized agent (e.g., under California law or a power of attorney) to make a request on your behalf. We will require proof of authorization.

10.3 In-App Self-Service

You can change most profile fields, your email address, your password, your language, your subscription, your PIN, and your biometric setting directly in the App. You can export your data via Settings → Privacy → Export Data.

10.4 Account Deletion

You can delete your account via Settings → Account → Delete Account, or by emailing privacy@korassa.com. Deletion is irreversible. As described in Section 9, certain records (such as paid invoices) are retained for legally required periods.

11. Children and Minors

Korassa is not directed to children under 13. We do not knowingly collect personal data from children under 13.

The App contains modules that may be used by minors aged 13–17 (e.g., pocket-money tracking, school-tuition planning) and the onboarding logic adapts to age (for example, smoking and marital-status questions are skipped for users under 18). Where these modules are used:

We require, where the user is identified as a minor, the express consent of a holder of parental responsibility before collecting personal data, in line with Article 3 of the PDPL Executive Regulations and Article 8 GDPR;
We do not present targeted advertising to minors;
We do not apply personalized pricing models to minors;
Sensitive-category questions are suppressed or simplified;
Parents or guardians may contact privacy@korassa.com at any time to review, correct, or delete the data of a minor for whom they are responsible.

If you believe we have collected personal data from a child under the age threshold without proper consent, please contact us and we will delete the data promptly.

Pending product change to verify minor consent at scale: We are implementing a verifiable parental-consent flow ahead of the November 2026 PDPL enforcement deadline. Until then, minors under 18 should use Korassa only with the supervision and explicit consent of a parent or legal guardian, and accounts identified as belonging to a minor without verified consent may be restricted to local-only mode (no cloud sync) or suspended.

12. Security

We protect your data using a defense-in-depth program that includes:

Encryption in transit — all communications between the App and our servers use TLS 1.2 or higher;
Encryption at rest — production databases and backups are encrypted with industry-standard ciphers (e.g., AES-256);
Password hashing — passwords are hashed using bcrypt; we never store plaintext passwords;
Tokenized authentication — Laravel Sanctum bearer tokens, with the option to revoke tokens on logout;
Local-device protection — optional 4-digit PIN and biometric (fingerprint/face) lock on the App; these checks happen on your device and biometric data never reaches our servers;
Role-based access control — administrative access is restricted by role (super_admin, admin, support, analyst), audited, and protected by IP allowlisting and 180-day password rotation;
Audit trails — every administrative action is logged and retained;
K-anonymity — internal analytics dashboards apply a k≥20 threshold so no aggregate exposes a small group of users;
Vulnerability management — regular dependency updates, security reviews, and penetration testing prior to major releases.

No system can be 100% secure. If you suspect your account has been compromised, change your password immediately and email security@korassa.com.

12.1 Data Breach Notification

If we become aware of a personal data breach, we will:

Notify the Egyptian Personal Data Protection Centre within 72 hours, as required by Article 7 PDPL and the Executive Regulations;
Notify affected data subjects within 3 working days thereafter, as required by the Executive Regulations;
For users in the EU/EEA, follow the corresponding 72-hour timeline under Article 33 GDPR and notify users without undue delay where the breach is likely to result in a high risk to their rights (Article 34 GDPR).

13. Cookies, Local Storage, and Similar Technologies

The App stores data locally on your device in an encrypted on-device database (Hive) so that the App works offline. This local storage holds your transactions, profile, settings, session token, and a quota cache. The local database is cleared when you sign out or uninstall the App.

The App does not use third-party advertising cookies, advertising identifiers, or cross-app tracking SDKs. The App does not rely on Apple's IDFA or Google's Advertising ID.

If we operate a marketing website (e.g., korassa.com), that website may use a small set of strictly necessary and analytics cookies, governed by a separate cookie notice on the website.

14. Anonymous (Guest) Accounts

You may use Korassa in guest mode without providing an email address. In guest mode:

We assign a local pseudonymous identifier (local_xxx);
Your data is stored locally on your device, with optional cloud backup attached to that pseudonymous identifier;
We process the same categories of financial and profile data described above, where you choose to enter them;
You can convert a guest account to a full account at any time by adding an email and password (the data is migrated and the same retention rules apply).

If you uninstall the App without converting your guest account, the local data is removed from your device. The pseudonymous cloud copy (if any) is retained for 180 days before automatic deletion, so that you can re-install and recover data; you can request immediate deletion by emailing privacy@korassa.com with the device-shown pseudonymous identifier.

15. Marketing Communications

We will only send you direct electronic marketing (such as promotional emails or push notifications) if you have opted in. You may opt out at any time by:

Tapping the unsubscribe link in any marketing email;
Disabling marketing notifications in Settings → Notifications;
Emailing privacy@korassa.com.

We treat transactional messages (password resets, receipts, security alerts, and material changes to this Policy or the Terms of Use) as service messages, not marketing, and will continue to send them while you have an account.

In Egypt, our direct electronic marketing activity (where conducted) is subject to the licensing regime introduced by the PDPL Executive Regulations, and we will hold the required permit.

16. Changes to This Policy

We may update this Policy from time to time. When we do, we will:

Update the "Last Updated" date at the top;
Post the new version in the App and on our website;
For material changes (e.g., new categories of data, new processors in different countries, new purposes), notify you in-App and by email at least 30 days before the change takes effect, and (where required by law) seek your fresh consent.

Your continued use of the Services after the effective date of an updated Policy means you accept the changes, except for changes that legally require fresh consent.

17. Contact

If you have any questions, complaints, or requests regarding this Policy or your personal data, please contact us:

Subject	Email
Privacy / data-rights requests	privacy@korassa.com
Security incidents and breach reports	security@korassa.com
General support	support@korassa.com
Data Protection Officer	dpo@korassa.com

Postal address: company legal name, postal address, Arab Republic of Egypt.

You also have the right to lodge a complaint directly with:

The Egyptian Personal Data Protection Centre (PDPC) — for matters under the PDPL;
Your local EU/EEA supervisory authority — for matters under GDPR;
The UK Information Commissioner's Office (ICO), ico.org.uk — for UK matters;
The California Attorney General, oag.ca.gov — for CCPA/CPRA matters.