Privacy Policy
Effective date: May 2026. This policy applies to rokada.app and staging.rokada.app.
Questions? Email hello@rokada.app.
Overview
Rokada is a read-only financial tracking tool for Non-Resident Indians (NRIs). It helps you monitor cross-border expenses, investments, and income across US banks, Indian NRE/NRO accounts, UPI payments, and cash. Rokada never initiates payments, moves money, or stores raw bank credentials.
This Privacy Policy explains what data we collect, how we use it, and your rights as a user. We have written it in plain English — no legal jargon where we can avoid it.
What data we collect
We collect only the data necessary to provide the service:
- Account information — your full name and email address, collected at sign-up via AWS Cognito.
- Transaction data — amounts, dates, payees, categories, currencies, and notes that you enter manually or import from bank statements and UPI files. This data is provided entirely by you.
- Bank account metadata (US banks only) — when you connect a US bank via Plaid, we store account names, last-four digits, and institution names so Rokada can display them. We do not store your online banking username or password.
- Session data — authentication session tokens issued by AWS Cognito to keep you signed in. These are stored in secure HTTP-only cookies.
- Support correspondence — if you email us, we retain that email thread to resolve your issue.
We do not collect browsing history, location data, device fingerprints, or any information beyond what is listed above.
How we use your data
Your data is used exclusively to operate the service for you:
- Display your financial summaries, project dashboards, and reconciliation reports.
- Import and parse bank statements and UPI files you upload.
- Sync transactions from your connected US bank accounts (via Plaid).
- Send account-related emails — verification codes, password resets, and important notices.
- Respond to support requests you initiate by emailing us.
We do not use your data for advertising, analytics products, or any purpose outside of operating Rokada for you.
Where data is stored
Rokada follows data residency best practices for NRI financial data:
- US financial data — stored in AWS us-west-2 (Oregon, USA). This includes Plaid-synced US bank transactions and your account credentials in AWS Cognito.
- Indian financial data — stored in AWS ap-south-1 (Mumbai, India). This includes NRE/NRO account transactions, UPI imports, and Indian bank statement data.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. No financial data is replicated across regions.
Data sharing and third parties
We do not sell, rent, or share your personal or financial data with any third party for commercial purposes.
The only third parties that process your data are infrastructure providers necessary to run the service:
- Amazon Web Services (AWS) — cloud infrastructure (compute, database, storage, authentication). AWS processes data only as directed by Rokada and under their Data Processing Agreement.
- Plaid — if you connect a US bank account, Plaid facilitates the connection. Plaid's handling of your bank credentials is governed by Plaid's Privacy Policy. Rokada receives only account metadata and transaction records from Plaid — never your banking password.
Bank statement and UPI file uploads
When you upload a bank statement PDF or CSV, or a UPI statement file, Rokada parses the file to extract transaction records and stores those transactions in your account.
The original uploaded file is stored in AWS S3 and is automatically deleted after 7 days via an S3 lifecycle policy. Parsed transaction records are retained until you delete them or close your account.
Your rights
You have the following rights over your data:
- Access — you can view all your data at any time from within the app.
- Export — you can download your transaction data as CSV or Excel from any project.
- Deletion — you can request deletion of your account and all associated data by emailing hello@rokada.app. We will process deletion requests within 30 days. Backups are purged within 90 days.
- Correction — if any account information is incorrect, email us and we will correct it promptly.
Security
We take reasonable technical measures to protect your data:
- AES-256 encryption at rest for all stored data.
- TLS 1.3 for all data in transit.
- Authentication via AWS Cognito with optional MFA.
- Plaid OAuth tokens for US bank connections — we never see your banking password.
- Role-based access control — contributors see only the projects they are added to.
No system is perfectly secure. If you believe your account has been compromised, email hello@rokada.app immediately.
Children
Rokada is intended for adults (18+) who are legal account holders of the financial accounts they track. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please email us and we will delete it.
Changes to this policy
If we make material changes to this policy, we will notify you by email before the changes take effect. Continued use of Rokada after that date constitutes acceptance of the updated policy.
Contact
For any privacy-related questions or requests, email hello@rokada.app. We aim to respond within 5 business days.