Privacy

Last updated · May 2026

We don't collect your data.
Here's exactly what that means.

No accounts, no analytics, no ads. Safra is local-first by architecture, not just by policy. This page is the long version.

Safra doesn't collect your data. Not anonymised, not aggregated, not even metadata. Nothing. This page explains exactly how that works and what it means for you.

The short version

Account required: No
Data collected: None
Ads: No
Analytics: No
Third-party SDKs: None
Data sold: Never
Cloud backup: Opt-in · your iCloud or Google Drive
On-device AI: Local only · no data sent
Network calls: Rates · version · user-initiated (weather, gallery, wishlist)

Where your data lives

Everything you enter into Safra (trips, expenses, budgets, receipts, documents, travel companions) is stored in a database on your device. Only on your device.

We do not have a backend. We do not have servers that store user data. There is no Safra account. There is nothing for us to breach, subpoena, or sell.

Cloud backup (iCloud · Google Drive)

Safra includes an optional backup feature. It is turned off by default. On iOS, your data is backed up to your personal iCloud account. On Android, it is backed up to your personal Google Drive AppData folder. In both cases:

  • Your data is sent to your personal cloud account, not ours
  • Apple or Google handles the storage, and we have no access to it
  • You can turn it off or delete the backup at any time from your device settings
  • The backup is used only to restore your data on a new device

If you never enable cloud backup and never choose to share a trip, your data never leaves your device.

Exchange rates

Safra fetches exchange rates via its own endpoint at thesafra.com/api/rates. The request contains only a currency code and a timestamp. There is no user data, no device identifier, and no information about your trips or expenses.

Rates are cached on your device for 6 hours so the app works fully offline between refreshes. If the endpoint is unavailable, Safra falls back to the last cached rates silently.

On-device AI

Safra includes an optional AI feature that suggests expense categories and narrates your travel insights. It is turned off by default.

When enabled, the AI runs entirely on your device using Apple's Foundation Models framework (iPhone 15 Pro and later). No data is sent to Apple or to us. No network request is made. The inference happens on your Neural Engine and nowhere else.

Safra uses numbers from your local database (totals, categories, dates) as input. The AI generates phrasing only. Your raw expense data is never embedded in a prompt that leaves your device.

Weather correlation

For a completed trip, Safra can show how your spending lined up with the weather. It stays off until you switch it on, one trip at a time.

That weather data comes from Safra's own server at thesafra.com, which runs a private copy of the open-source Open-Meteo engine. Nothing is sent to a third-party weather service. The request carries only a country's approximate central coordinates (a fixed point, never your GPS location) and the trip's dates. It includes no personal data, no device identifier, and nothing about your expenses. Safra works out the insight from the result and then discards it. It is never stored.

Nearby Share

Safra can share a trip directly to another device using Bluetooth and local Wi-Fi. No internet connection is required and no data passes through any server. The transfer happens device-to-device only.

You initiate Nearby Share explicitly. It does not happen automatically. The receiving device gets a copy of the trip data you choose to share.

Notifications

Safra can send optional notifications: budget alerts, and a daily recap while a trip is active. They are turned off by default and scheduled locally on your device, using the standard notification systems built into iOS and Android. They are not delivered through Apple's push notification servers or any external service, and no data leaves your device for notification delivery.

Receipt scanning (OCR)

When you photograph a receipt, Safra can read the amount, date, and merchant name from the image. This happens entirely on your device using Apple's Vision framework (iOS) or ML Kit with bundled models (Android). The receipt image is never uploaded. No data leaves your device during or after scanning.

Location

Safra can suggest locations when you add an expense. This uses Apple Maps on iOS and Google Maps on Android, both on your device, and no GPS data is sent to us or any third party. Location access is requested only when you tap the location field, and only while the app is in use. You can skip it entirely; it is always optional.

Photos and documents

If you attach receipt photos or documents to an expense, those files are stored locally on your device. We cannot see them. They are included in your cloud backup only if you have enabled it.

Analytics and crash reporting

Safra has no analytics, no crash reporting service, no heatmaps, no session recording, and no A/B testing. We do not know how many people use the app, which features they use, or whether the app has crashed on your device.

This was a deliberate choice. Every analytics SDK is a third party that receives data about your behaviour. We don't want that relationship, and you shouldn't have to accept it just to track your travel expenses.

Advertising

There are no ads in Safra. There is no advertising SDK. Your data is not used for any advertising purpose, on Safra or anywhere else.

Children

Safra is rated 4+ on the App Store. We do not knowingly collect any information from anyone, including children. Since we collect nothing at all, the question does not meaningfully arise.

Changes to this policy

If anything described here ever changes, we will update this page and change the date at the top. The core promise (no accounts, no data collection, no ads) is not going to change. It is the reason the app exists.


Questions

If you have a question about how Safra handles data, you can reach Marwan at hi@thesafra.com.

There is no legal department. There is no privacy team. It is one person, and this is what they genuinely believe.