Trust
Privacy, in plain English.
Last updated · 2026-04-29
Hisaab is a personal-finance Telegram bot. This page describes what data we collect, why, where it lives, and how to delete it. We've kept it plain-spoken instead of legalese — if anything's unclear, email bharat@bharat-jaju.com.
What we collect
When you use Hisaab, the following gets stored:
- Your Telegram numeric user ID, first name, and (if set) Telegram username.
- The text of every message you send to the bot.
- The parsed expense fields derived from each message — amount, category, description, timestamp.
- Your household membership: the group of users you share data with, plus invites you generate or consume.
- A daily counter of messages and analytics queries — solely to enforce free-tier rate limits. Counters reset at midnight IST.
- Categorization preferences your household teaches the bot (e.g. mapping "Lavonne" → food).
That's the entire data model. We don't collect device fingerprints, IP addresses, location, or any analytics events.
Where it lives
Hisaab uses three providers to operate. Each sees a specific slice of your data:
- Neon (Postgres database, AWS Singapore region) — stores everything in the list above.
- Vercel (US, where the serverless function runs) — handles the webhook traffic. Function logs may briefly contain message text and Telegram user IDs while requests are processing; Vercel retains function logs for 24 hours on the free tier.
- fal.ai → OpenRouter → Anthropic — when you log an expense or use /ask, the message text is sent to fal.ai, which proxies it through OpenRouter to Anthropic's Claude Haiku 4.5 for parsing or analytics generation. These providers process your prompt to return a response and may retain it briefly per their own retention policies. Your Telegram identity is never sent to them — only the message text.
Plain English: the words you type to Hisaab are sent to a third-party AI model for parsing. If you'd rather not have a particular thing leave our infrastructure, don't type it into the bot.
What we don't do
- No advertising.
- No analytics, fingerprinting, or tracking pixels against your bot data — no Google Analytics, Mixpanel, Segment, etc.
- No selling, renting, or sharing of your data with anyone for marketing.
- No human reading of your data, except briefly when debugging an error you've reported.
- No cross-household data leakage. Every analytics query is hard-scoped to your household at both the prompt and SQL-validator level — even if our LLM tried to write a query touching another household, it would be rejected before running.
One exception: this marketing website
The site you're reading right now (hisaab.bharat-jaju.com) uses Vercel Web Analytics to count visitors and page views. It's cookieless, doesn't store IP addresses, and uses a daily-rotated hash to de-duplicate visits — so we know roughly how many people land here and which pages they read, but not who you are. No data from this measurement is ever joined with your bot data.
Retention
Forever, unless you delete it. We don't auto-expire data, and we don't sweep old rows. If you stop using Hisaab, your rows just sit there until you tell us to remove them.
Your rights
- Export. Send /export to the bot — you'll receive a CSV of every expense you've logged.
- Delete. Send /delete. After a confirmation prompt, this wipes your account, expense rows, taught categorizations, and usage counters in a single transaction. If you were the only member of your household, the household is deleted too. If others remain, their data is untouched.
- Leave a household. /leave moves you into a fresh empty household. Past expenses stay where they were logged.
- Email us. For anything else: bharat@bharat-jaju.com. We'll respond within a reasonable time.
Children
Hisaab is not directed at children under 13 and we don't knowingly create accounts for them. If you believe a child has signed up, email us and we'll delete the data.
Security
Data in transit is TLS-encrypted (Vercel + Neon both default to TLS). Data at rest in Neon is encrypted on AWS managed disks. The webhook endpoint requires a secret in the URL path; the cron endpoint requires a bearer token.
That said, this is a side project — we are not SOC 2 compliant, do not run formal pen-tests, and you should treat the data sensitivity ceiling accordingly. Hisaab is fine for your daily expense log; it's not the right place for, say, account passwords or anything else where a breach would hurt.
Changes
If we change anything material here, we'll update the date at the top and message active users via the bot. Continued use after a change means you accept it.
Contact
Questions, complaints, deletion-by-email requests, or anything else: bharat@bharat-jaju.com.
End of policy