Legal

Privacy Policy

Effective date: 15 April 2026 · Last updated: 16 April 2026

Nimbler ("the app", "we", "our") is a local-first personal expense tracker. This policy explains exactly what data the app collects, where it goes, and what control you have over it. We keep it specific because vagueness in a privacy policy usually hides something.

The short version

• Your expense records — amounts, descriptions, merchants, dates, categories — are stored only on your device, in a local SQLite database. They are not uploaded to our servers.
• When you type a message for the AI to parse (e.g. "coffee 5"), that message text is sent to whichever AI provider you have selected — either our free self-hosted AI, or a third-party provider you have configured with your own API key.
• We use Amplitude for anonymous usage analytics. You can turn this off in Settings → Privacy. It never receives your expense data, descriptions, merchants, or amounts.
• We don't collect your name, email, phone number, contacts, location, or any account credentials. The app does not connect to your bank.

What we collect

1. Anonymous device identifier

On first launch the app generates a random UUID and stores it in your device's secure storage (Keychain on iOS, Keystore on Android). This identifier is sent with every API request as X-Nimbler-User-Id so our server can enforce rate limits and detect abuse. It is not linked to your name, email, or any other personal information. Uninstalling the app removes it.

2. AI request content (only when you send one)

When you type something into the chat for the AI to parse, the text of that message is sent to the AI provider you have selected. The destination depends on your choice in Settings:

• Built-in (default): our self-hosted Llama model running at api.nimbler.app, operated by us on a server we control. Requests are forwarded to the model and a response is returned. We log the request text, response, duration, and token counts to help diagnose problems and improve the model prompt. Logs are retained for up to 90 days and are never sold or shared.
• OpenAI / Anthropic / Google Gemini (optional, BYOK): if you configure your own API key, messages go directly to that third-party provider. We don't see or proxy those requests. Your data is subject to that provider's privacy policy.

3. Anonymous usage analytics (Amplitude)

If you leave the "Anonymous usage analytics" toggle on (Settings → Privacy), the app sends event data to Amplitude to help us understand which features are used and to find bugs. The following events are sent:

• app_opened — with app version and build number
• screen_viewed — with screen name (chat, expenses, analytics, insights, settings)
• expense_saved — with category, currency code, AI confidence level, and whether it was income. Never the amount, description, or merchant.
• ai_provider_changed — with the provider name
• api_error — with provider name and a generic error category
• insights_generated — when you refresh the AI insights screen
• analytics_toggled — when you turn analytics on or off

Amplitude uses the anonymous UUID described above as the user identifier. No advertising ID, app set ID, or device location is collected. You can disable analytics at any time in Settings.

4. Session replay (with aggressive masking)

If analytics is on, we also use Amplitude Session Replay to reconstruct how users navigate the app. This is configured so that:

• All text and form fields are automatically masked at the SDK level. What Amplitude receives is a greyed-out wireframe of your screen, not the actual content.
• On top of that, specific widgets that hold financial data — chat message bubbles, the expense list, the expense edit form, and any API key input — are explicitly blocked from capture in the app code. They appear as solid rectangles in the replay.
• The replay captures which buttons were tapped, which tabs the user opened, how long they stayed on each screen, and scroll patterns — nothing more. Amounts, descriptions, merchants, messages, and API keys never leave your device through session replay.
• On the marketing website (nimbler.app, nimbler.app/download), session replay is also active on public marketing content only — there is no user financial data on those pages. Session replay is intentionally not enabled on the privacy policy page.
• Disabling the "Anonymous usage analytics" toggle in Settings also stops session replay.

5. Bank notification capture (Android, optional, opt-in)

On Android, you can optionally grant Nimbler permission to read your notifications so that bank transaction alerts can be captured automatically. This requires explicit user action in Android system settings. When enabled:

• Only notifications from known banking/payment apps, or notifications containing transaction-related keywords, are processed.
• The text of such a notification is sent to the AI for parsing, just like if you had typed it manually.
• The notification content is not stored separately. Only the parsed expense (which you can edit or delete) ends up in your local database.
• You can revoke notification access at any time from Android system settings, and disable the feature from Settings → Bank Notifications.

What we do not collect

• Your name, email address, phone number
• Your contacts, calendar, SMS, photos, or files
• Your precise or approximate location
• Advertising identifiers (IDFA, GAID) or app set IDs
• Any bank account credentials or financial account numbers — the app does not connect to financial institutions
• Your expense amounts, descriptions, merchants, or any data in your local database (except when you send it to the AI as a message)

Your choices and rights

• Turn off analytics — Settings → Privacy → "Anonymous usage analytics" toggle.
• Export your data — Settings → Data → Export to CSV. All local expenses are exported to a CSV file on your device.
• Delete your data — uninstalling the app removes all local data. To request deletion of any server-side logs tied to your anonymous UUID, email privacy@nimbler.app with your device UUID (shown in Settings → About in a future release).
• GDPR / UK GDPR — if you are in the EU, UK, or EEA, you have the right to access, correct, port, or erase data we hold about you, and to object to or restrict processing. Contact us at the email above.
• CCPA (California) — we do not sell personal information. California residents have the right to know what personal information is collected and to request deletion.

Data retention

• On-device data: retained until you uninstall the app or clear it manually.
• Server request logs (self-hosted AI only): up to 90 days.
• Amplitude events and session replays: subject to Amplitude's retention policy. See amplitude.com/privacy.

Third-party services

Nimbler uses the following third-party services. Each has its own privacy policy.

• Amplitude — anonymous usage analytics.
• OpenAI — only if you configure an OpenAI API key.
• Anthropic — only if you configure an Anthropic API key.
• Google — only if you configure a Gemini API key.

Security

All network traffic between the app and our server uses HTTPS (TLS 1.2+). API keys you enter for third-party providers are stored in your device's secure storage (Keychain / Keystore), not in plain preferences. Our server enforces rate limits and abuse detection, and the app token is scoped so it cannot be used for anything other than the expense-parsing endpoint.

No security is absolute. If you discover a security issue, please email security@nimbler.app.

Children

Nimbler is not directed at children under 13 (or under 16 in the EU/UK), and we do not knowingly collect personal information from children. If you believe a child has provided us with data, contact us and we'll delete it.

International transfers

Our self-hosted server is located in Germany. Amplitude processes data in the United States. If you use a third-party AI provider (OpenAI, Anthropic, Google) with your own key, data is transferred according to that provider's infrastructure.

Changes to this policy

We may update this policy as the app evolves. The "Last updated" date at the top reflects the most recent change. Material changes will be noted in the app's release notes.

Contact

For privacy questions, data requests, or complaints: privacy@nimbler.app