Security & Privacy

Security

How we protect your business data.

Protection

How your data is protected

AES-256 Encryption

The local database is encrypted with bank-grade AES-256 via the Android Keystore hardware module. The encryption key never leaves your device.

No SMS Access

UPI detection uses Android's NotificationListenerService and never requests READ_SMS or RECEIVE_SMS permissions. Your personal messages are never read.

Biometric Lock

Fingerprint or face unlock protection for the app on shared devices. Auto-locks after 30 seconds in the background.

Offline Architecture

Data lives on your device first - cloud is secondary and optional. Your business records are never transmitted without your explicit consent.

OTP Authentication

Phone-number-based OTP login - no passwords to steal or forget. PINs are hashed with bcrypt (cost factor 10) and never stored in plain text.

Zero Data Sales

We never sell, rent, or trade user data to third parties. Your business records are yours - we earn nothing from your data.

Architecture

Technical details

Security Architecture

Local Storage: AES-256 encrypted Hive database
Backup: Optional Supabase cloud sync with TLS 1.3
Auth: OTP via SMS + biometric secondary
Network: All API calls over HTTPS only
Data Retention: User-controlled - delete anytime

Data we never collect

  • Contacts or address book
  • SMS messages
  • Payment amounts from SMS
  • Location data
  • Call logs
  • Photos or camera

These permissions are never requested and never used. You can verify this in your Android app settings under Permissions.

Responsible Disclosure

Found a security issue?

Please report security vulnerabilities privately before any public disclosure. Email us at security@hisabexpert.com.

We acknowledge all reports within 24 hours and commit to resolving critical issues within 7 days. Good-faith researchers are protected from legal action.