Privacy Policy

Last updated: 26 February 2026

The short version: You upload a bank statement PDF. We send it to our server over an encrypted connection, extract the financial signals needed to build your report, then immediately delete the PDF. We do not store your statement file, individual transaction descriptions, account holder name, or account number on our servers.

1. Who we are

Vetta is a financial health application developed by IngweSpot Worx, operating as Vetta ("we", "us", "our"). We are based in South Africa and process personal information in accordance with the Protection of Personal Information Act (POPIA), Act 4 of 2013.

Contact: vetta@getvetta.co.za

2. What information we collect

Statement file (transmitted for processing, then deleted):

When you upload a bank statement PDF, it is transmitted to our server over TLS (encrypted in transit) for text extraction and parsing. Once parsing is complete, the PDF is deleted from our server. We do not store the file beyond the time needed to generate your report.

Account information (if you sign in):

Email address — used for sign-in and to identify your account
Firebase Authentication UID — a unique identifier assigned by Google Firebase; we use this to link your session and data to your account

Usage analytics:

We collect anonymised app events to understand how the app is used and where it fails. Events include actions such as: app opened, onboarding completed, statement uploaded, analysis started, analysis completed, analysis failed, report viewed, and export initiated. These events do not include financial amounts, transaction descriptions, or account details. We also collect app version, device platform (Android), and a session identifier. Numeric values such as file size are grouped into bands (for example, "under 1 MB") rather than stored as exact figures.

What we store on our servers (per statement submission):

Bank name (Capitec, Standard Bank, Nedbank, or Absa)
Statement date range (the earliest and latest transaction dates derived from the uploaded statement)
Parse status (Success, Partial, or Failed)
Parse confidence score (a numeric value between 0 and 1)
Statement file size in bytes (not the file itself)
Parser template identifier (the internal template used to read the statement format)
Audit event log: timestamps for upload, parsing start, parsing complete, and deletion events

What we do not store on our servers:

The statement PDF file
Individual transaction descriptions or merchant names
Bank account number
Account holder name
Transaction amounts at row level

What we do not collect at all:

Bank login credentials or passwords
Location data
Contacts, camera, or microphone data

3. How we use your information

To parse your bank statement and generate your financial readiness report
To authenticate your account and maintain your signed-in session
To monitor parse success rates, error rates, and app stability using aggregated, anonymised analytics events — no financial content is used for this purpose
To send essential account messages such as email verification (Firebase Authentication)

4. Data storage and retention

On your device: Your generated reports and report history are stored in your device's private app storage (local SQLite database and app preferences). This data does not leave your device unless you explicitly export a report. You can clear all on-device data from the app settings at any time.

On our servers: We retain the statement metadata listed in Section 2 above. This data is stored on Amazon Web Services infrastructure located in South Africa. The statement PDF itself is deleted immediately after parsing.

Retention period: Server-side metadata is retained for 90 days after your last access. After 90 days of inactivity, it is permanently deleted. You may also request immediate deletion at any time (see Section 6).

Analytics retention: Firebase Analytics retains event-level data for up to 14 months by default. Aggregated reports are retained indefinitely. No financial data is included in analytics events.

5. Third-party services

The following third-party services process data on our behalf:

Firebase Authentication (Google) — receives your email address and issues an authentication token to manage your signed-in session
Firebase Analytics (Google) — receives anonymised app events, app version, platform, and session identifiers; no financial data or transaction content
Google BigQuery (Google) — receives the same anonymised analytics data exported from Firebase Analytics for reporting and analysis
Amazon Web Services (AWS) — hosts our server infrastructure in South Africa; processes and temporarily holds statement PDFs during parsing, and stores the metadata described in Section 2

We do not sell your personal data to any third party.

6. Your rights under POPIA

As a South African resident, you have the right to:

Access the personal information we hold about you
Request correction of inaccurate or incomplete information
Request deletion of your personal information held on our servers
Object to processing based on legitimate interest
Withdraw consent at any time, which will stop further processing and trigger deletion of your data

To exercise any of these rights, contact us at vetta@getvetta.co.za. You can also request deletion directly from within the app: go to Settings → Danger Zone → Delete account for full account deletion, or Settings → Data & Storage → Delete my data to remove server-side data while keeping your account.

Data controls page: getvetta.co.za/data-deletion.html

7. Data security

All data transmitted between the app and our servers is encrypted using TLS 1.2 or higher. Statement PDFs and server-side metadata are encrypted at rest on AWS. Access to production systems is restricted to authorised personnel only, using role-based access controls. Statement PDFs are deleted from server storage immediately after parsing is complete and are never written to long-term storage.

8. Children's privacy

Vetta is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at vetta@getvetta.co.za.

9. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects when the policy was last changed. Material updates will be communicated in-app or by email before they take effect.

10. Contact us

For any privacy-related questions, requests, or complaints:

Email: vetta@getvetta.co.za
Website: getvetta.co.za

If you are not satisfied with our response, you may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.