Privacy Policy

Effective Date: April 4, 2026

Coconutica ("we", "us", or "our") operates the TrackDue mobile application (bundle ID: com.coconutica.TrackDue). This Privacy Policy explains how we collect, use, and protect your information when you use our app.

1. Information You Provide

TrackDue allows you to enter and manage personal financial data, including:

• Expenses and transactions (amounts, dates, descriptions)
• Bills, subscriptions, and loan payment schedules
• Budgets and spending categories
• Currency preferences
• Receipt images (for OCR scanning)

This data is entered by you and is essential to the core functionality of the app.

2. Local-First Data Storage

TrackDue is designed with a local-first architecture. By default, all of your financial data is stored exclusively on your device using Apple's on-device storage frameworks. Your data does not leave your device unless you explicitly enable cloud sync or use the AI statement import feature.

3. Cloud Sync (Optional)

If you choose to sign in with Apple and enable cloud sync, your data is transmitted to our servers powered by Cloudflare Workers and stored in Cloudflare D1 databases. All data in transit is encrypted via HTTPS (TLS 1.2+). Cloud sync is entirely optional and can be disabled at any time. Data synced to the cloud includes your expenses, categories, bills, loans, and budgets.

4. Third-Party Services

TrackDue uses the following third-party services in specific features:

a) AI-Powered Statement Import (OpenAI)

When you use the AI bank statement import feature (Premium), text extracted from your PDF statement is sent to OpenAI's API (GPT-4o-mini) for transaction parsing and categorization. The data sent includes transaction descriptions, amounts, and dates as they appear in your statement. No bank account numbers, login credentials, or personally identifiable information beyond transaction text is sent. This feature is optional and only activated when you explicitly choose to import a PDF statement. OpenAI's data usage policies apply to this processing. We do not use OpenAI's API for training purposes.

b) Exchange Rate Data

TrackDue fetches currency exchange rates from third-party providers to support multi-currency conversion. These requests contain only the currency codes being converted. No personal data, financial data, or device identifiers are sent with these requests.

c) Cloudflare Workers (Cloud Sync Backend)

If you enable cloud sync, your encrypted data is stored on Cloudflare's infrastructure. Cloudflare acts as a data processor on our behalf. For details, see Cloudflare's Privacy Policy.

5. Sign in with Apple

TrackDue supports Sign in with Apple for account creation. When you use this feature, we receive:

• Your Apple user identifier (a unique, anonymous ID)
• Your email address (only if you choose to share it; Apple may provide a private relay address)

We do not receive your Apple ID password, and we use this information solely for account authentication and cloud sync.

6. Biometric Authentication

TrackDue supports Face ID and Touch ID for app lock functionality. Biometric authentication is processed entirely by Apple's secure enclave on your device. We never access, store, or transmit your biometric data. The biometric data never leaves your device.

7. Camera and Receipt Scanning

TrackDue uses your device camera for receipt scanning with optical character recognition (OCR). Images captured for receipt scanning are processed locally on your device using Apple's Vision framework. Receipt images are not uploaded to any server. You can revoke camera access at any time through your device's Settings.

8. What We Do Not Collect

We are committed to your privacy. TrackDue does not:

• Use any third-party analytics or tracking SDKs
• Display advertisements or use ad tracking
• Sell, rent, or share your personal data with third parties for marketing purposes
• Collect device identifiers for profiling purposes
• Track your location
• Access your bank accounts or financial institution credentials

9. Subscriptions

TrackDue offers optional premium subscriptions managed through the Apple App Store. All payment processing is handled by Apple. We do not collect or store your payment information, credit card details, or billing address.

10. Data Retention and Deletion

Your locally stored data remains on your device until you delete the app or clear the app data. If you use cloud sync:

• Your cloud data is retained as long as your account is active
• You can request deletion of your cloud data by contacting us at support@trackdue.co
• We will process deletion requests within 30 days
• Cloud data may be automatically deleted after 90 days of account inactivity

11. Children's Privacy

TrackDue is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

12. International Data Transfers

If you use cloud sync, your data may be processed and stored in data centers located outside your country of residence. By enabling cloud sync, you consent to the transfer of your data to these locations. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

13. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your personal data
• Object to or restrict processing of your data
• Request a copy of your data in a portable format
• Withdraw consent for data processing

To exercise any of these rights, please contact us at support@trackdue.co.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy in the app and updating the effective date above. Your continued use of TrackDue after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions or concerns about this Privacy Policy or your data, please contact us at:

Email: support@trackdue.co