Accounts & data

Privacy & your data

Where your data lives, who can read it, and the things we never touch. Here's the honest version.

The short version

We never see your bank credentials. No ads, no trackers, and we don't sell your data. And in iCloud mode, we can't read your data at all.

Two modes, two very different stories

OpenTeller runs one of two ways. The mode you pick decides who can read your data, so it's worth understanding the difference.

iCloud mode (no account)

Your data lives in your own iCloud, not with us. We have no account for you, no copy of your data, and no way to read it. The app is the only thing that touches it.

Sensitive fields like transaction descriptions and merchant names are end-to-end encrypted. Want to go further? Turn on Advanced Data Protection in your iCloud settings and end-to-end encryption extends to everything.

OpenTeller account

Your data lives on our servers (Google Cloud) so it can sync to the web, to your household, and to AI tools. It's encrypted in transit (TLS) and at rest (AES-256).

Be clear-eyed about this part: account mode is not zero-knowledge. We can access your data to run the service for you. That's how sync, Ask, and categorization work. And our hosting provider technically can too. Encryption at rest doesn't change that. If you want nobody but you to be able to read your data, use iCloud mode.

Your bank credentials

We never collect, transmit, or store them. Bank sync opens your bank's own website inside the app, right on your device. Your login goes to your bank and nowhere else. No Plaid, no aggregator, no middleman.

We never see it. The app is the only way in.

AI & third parties

Apple Intelligence runs the default Ask assistant, screenshot import, and CSV column detection. It works on-device or on Apple's Private Cloud Compute. That data never reaches our servers.

In account mode, some AI features are optional and go through us:

If you pick the GPT model in Ask, or use AI categorization, AI CSV column detection, or bank-sync setup, the data those features need is sent through our server to OpenAI. Per OpenAI's API policy, it isn't used to train their models.
Screenshot import is careful even in account mode: the raw screenshot image stays on your device. Only the OCR text gets sent.

What we don't collect

No analytics SDKs.
No advertising identifiers.
No location.
No contacts.
No tracking across other apps or websites.

Deleting your data

In account mode, you can permanently delete your account and everything on our servers from Settings. It's immediate, and there's no undo.

In iCloud mode there's no account to delete. Your data is yours in iCloud, and you can clear it from the app whenever you want.

Want the legal details? Read the full Privacy Policy and Terms of Service.

← MCP & API Plans & billing →