Privacy Policy

Last updated: February 27, 2026

What SumaBot collects

SumaBot stores the minimum data needed to function as a budget tracker:

• Telegram user ID — used to identify your account.
• Display name — your Telegram first name, used for greetings. Encrypted at rest (AES-256-GCM).
• Transactions — amounts, categories, and descriptions you enter.
• Voice messages — if you send a voice note, it is forwarded to OpenAI Whisper for transcription and immediately discarded. We do not store audio files.
• Receipt photos — if you send a photo, it is forwarded to OpenAI for analysis and immediately discarded. We do not store images.

Encryption

Sensitive fields (username, first name) are encrypted at rest using AES-256-GCM via Cloak. Transaction data (amounts, categories, descriptions) is stored in plaintext in the database.

Third-party services

• Telegram Bot API — to send and receive messages.
• OpenAI API — for voice transcription (Whisper) and receipt analysis. Data is sent per OpenAI's API data usage policy (not used for training).
• Render — hosting and managed PostgreSQL database.

Data retention

Your data is kept as long as your account exists. You can delete all your transactions at any time using the /deleteall command in Telegram.

No tracking

SumaBot does not use cookies for tracking, analytics, or advertising. The web dashboard uses a session cookie solely for authentication.

Open source

SumaBot is open source. You can inspect the full codebase at github.com/jonaprieto/budget-bot.

Contact

Questions? Open an issue on GitHub.