Privacy Policy
Effective date: March 24, 2026 · Jurisdiction: Canada
Who We Are
Sally is developed and operated by Song Soon Yang, an independent developer based in Toronto, Canada ("I", "me", or "my"). If you have questions about this policy, email me at admin@hellosally.app.
Data You Provide
When you use Sally, you may provide the following information:
- Name and email address — used when you sign in via magic link or Apple Sign In, and when sending or accepting group invites. Stored in Supabase.
- Group names and member names — stored locally on your device and synced to Supabase when you are signed in.
- Expense amounts, labels, categories, dates, and split details — stored locally on your device and synced to Supabase when you are signed in.
- Settlement records — stored locally on your device and synced to Supabase when you are signed in.
Data Stored Locally on Your Device
All core app data — expenses, groups, group members, balances, settlements, and receipt photos — is stored on your device using Apple's SwiftData framework. This data is the primary copy and is always available offline.
Deleting the app from your device permanently removes all local data.
Cloud Sync (Supabase)
When you are signed in, Sally syncs the following data to Supabase, a cloud backend platform:
- Expenses and split details — automatically synced when you create or edit an expense.
- Settlements — automatically synced when you record a settlement.
- Groups and members — synced when you create a group, accept an invite, or update group details.
- Receipt images — uploaded to Supabase Storage when you attach a receipt to an expense. Stored at a path scoped to your user ID.
- Invite data — when you create or accept a group invite, invite tokens, group names, and member snapshots are sent to Supabase.
This sync enables data recovery if you sign in on a new device. All synced data is associated with your authenticated Supabase user ID.
If you are not signed in, no data is sent to Supabase and the app functions fully offline.
If you delete your account in-app (Settings → Account → Delete Account), all server-side data — including synced expenses, groups, settlements, receipt images, and invite records — is permanently deleted.
Supabase's own Privacy Policy governs how Supabase handles infrastructure and data hosting. If you choose to connect a bank account, additional data flows through Supabase as described in Bank Account Linking (Plaid) below.
Authentication
Sally supports sign-in via magic link (email) and Apple Sign In. When you sign in:
- Magic link: Your email address is sent to Supabase to generate and verify the link. Supabase stores your email and an authentication token.
- Apple Sign In: Your Apple ID token is sent to Supabase. Your name (if shared by Apple) is stored in your user profile metadata.
Authentication tokens are stored securely in your device's Keychain.
Bank Account Linking (Plaid)
Bank linking is optional. If you choose to connect a bank account, Sally uses Plaid Inc., a financial-data network, to do so. When you link an account:
- Plaid receives your bank credentials directly through the secure Plaid Link interface. I never see your bank credentials.
- Plaid then issues Sally an access token for your linked institution. I store this token encrypted at rest in Supabase's pgsodium vault and use it only to retrieve transactions and account metadata for the institutions you have linked.
- Sally pulls and stores account names, balances, and transaction records (date, amount, merchant, and category as supplied by Plaid) in Supabase. Row-level security restricts these records so that only your authenticated account can read them.
You can disconnect a linked institution at any time from Settings → Manage Connections. Disconnecting:
- revokes Sally's access at Plaid (via Plaid's /item/remove API),
- deletes the encrypted access token from the vault, and
- soft-deletes the institution and its accounts and transactions in Sally's database; a scheduled job permanently purges these records within 30 days.
You may additionally revoke Sally's access at any time directly with Plaid at my.plaid.com.
Plaid's collection and use of your data is governed by the Plaid End User Privacy Policy, which is also displayed inside the app before you link an account.
No Plaid-derived data — bank credentials, balances, transactions, or account metadata — is ever sent to PostHog or any other analytics provider.
Camera and Photo Library
Sally may request access to your camera or photo library to let you attach receipt images to expenses. These images are stored locally on your device and, when you are signed in, uploaded to Supabase Storage.
Contacts
Sally may request read-only access to your device's Contacts to help auto-fill member names and email addresses when you add a group member. Contact data is never stored in the app's database and never transmitted anywhere.
Analytics
Sally uses PostHog, a product analytics platform, to understand how the app is used and improve it. PostHog collects:
- Usage events — such as creating a group, adding an expense, completing onboarding, or confirming a settlement. These events do not contain personal content (expense amounts, group names, or member names are not sent).
- Application lifecycle events — app open, app backgrounded, etc.
- Pseudonymous user identifier — if you are signed in, your Supabase user ID is sent to PostHog so events can be associated across sessions. Your name and email are not sent to PostHog.
PostHog data is hosted in the US. PostHog's own Privacy Policy governs how they handle this data.
Sally contains no advertising frameworks. I do not sell or share analytics data with third parties.
Data Retention and Deletion
| Data | How to Delete |
|---|---|
| Local expenses, groups, settlements, receipts | Uninstall the app |
| Auth account (email, auth token) | Settings → Account → Delete Account |
| Synced expenses, groups, settlements, receipt images | Deleted automatically when account is deleted |
| Invite tokens | Deleted automatically when account is deleted |
| Plaid access token (encrypted in vault) | Settings → Manage Connections → Disconnect, or Settings → Account → Delete Account |
| Plaid account and transaction records | Cascade-deleted when account is deleted; purged within 30 days of disconnecting an institution |
| Analytics events (PostHog) | Email admin@hellosally.app |
Your Rights
You have the right to:
- Access your data — all local data is visible in the app; server-side data is accessible by contacting me.
- Delete your account and associated server-side data — use the in-app delete option.
- Request data deletion — email admin@hellosally.app.
Children
Sally is not directed at children under 13. I do not knowingly collect personal information from children.
Changes to This Policy
I may update this policy from time to time. The effective date at the top of this page will reflect the most recent revision. Continued use of the app constitutes acceptance of the updated policy.
Contact
For privacy questions or data deletion requests, email admin@hellosally.app.