Your finances never leave your phone.
Product doctrine · Sandouq for Android · Updated June 5, 2026
In one sentence
Sandouq is an offline budget app with no bank linking: your transactions, accounts, categories, and religious calculations live in a SQLite database, on your Android's internal memory, and nowhere else. No server. No cloud. No password to create.
This page is not the GDPR legal text — for that, see the privacy policy. This is the product doctrine: why we picked 100% local, how it's implemented, and what this architecture does (and does not) protect you against.
What Sandouq stores (local SQLite, encrypted by Android)
Every piece of data you enter in Sandouq is written to a SQLite database embedded in the app's private folder:
- Transactions: amount, currency, category, date, note, linked account.
- Accounts: name, type (cash, checking, savings, debt), starting balance.
- Categories and budgets: groceries, transit, Sadaqah, family, your custom categories.
- Savings goals, religious data: Zakat configuration, Sadaqah history, flagged Hijri dates, Nisab preference.
- Preferences: language, currency, theme, date format.
This SQLite file sits in the Android private sandbox (/data/data/app.sandouq/databases/). On Android 8.0+, the system encrypts internal storage at rest: the key is derived from your PIN or fingerprint. No other app can read this file without root access.
We do not add application-layer encryption on top, because it would give a false sense of security: the key would have to live somewhere on the phone for the app to use it. Real protection comes from the Android sandbox plus your lock screen. This is the same approach Signal takes for its local metadata.
What doesn't exist: no server, no account, no email asked
The best way to protect a piece of data is to never collect it. Sandouq takes that principle to the extreme:
- No backend server. There is no api.sandouq.app. If our servers were breached tomorrow, the attacker would find nothing about you — because there's nothing to find.
- No account to create. No password, no email, no phone number, no Google or Apple OAuth. You install, you open, you use.
- No email asked. Not to sign up, not to "recover" anything. The only time you write to us is if you send feedback to [email protected].
- No usage telemetry. We don't know how many screens you open, or what time you log your expenses. No analytics SDK (Firebase, Amplitude, Mixpanel, AppsFlyer: all absent).
- No advertising SDK. No AdMob, no Meta Audience Network, no retargeting pixel. The app will never show ads.
Put your Pixel in airplane mode right after install: the app works completely. The only useful connection is the "Unlock Sandouq" purchase verification with Google Play, which transmits no financial data.
Why we refuse bank linking — a decision, not a limitation
Many users write to us thinking bank linking is "coming soon". It isn't: we explicitly ruled it out. Here's why.
1. It's incompatible with a serverless app. Connecting an account through an aggregator (Plaid, Tink, Bridge, Budget Insight) means storing OAuth tokens. Keeping them on the phone alone is too fragile; keeping them on a server forces us to have a server, therefore an account, therefore a target. 100% local and bank linking are mutually exclusive.
2. It's a massive delegation of trust. Linking your account to an aggregator gives a third party permanent read access to your full transaction history. That's the opposite of what we want to build.
3. For many MENA families, it doesn't apply. In Morocco, Algeria, Egypt, and parts of the Gulf, open banking is not mature, and a significant share of income flows through cash, informal transfers, or non-conventional finance products. An app that depends on it excludes that audience.
4. Manual entry is a feature. Logging your expenses forces financial awareness — behavioural studies are consistent on this. Sandouq makes up for it by keeping entry ultra-fast (3 taps for a typical expense) and supporting recurring transactions for fixed bills.
Change phones without losing a thing: manual JSON backup
A direct consequence of being local: no automatic cloud sync. If you switch phones without precaution, your data stays on the old device. That's the honest truth — and we ship the tool: JSON export.
From Settings → Backup, Sandouq generates a .json file containing your entire database. This file:
- Belongs to you. You decide where it lives: Google Drive, OneDrive, USB stick, SD card, an email to yourself, a family NAS.
- Stays readable. Standard JSON, openable in any text editor. No lock-in.
- Restores identically. On the new device, install Sandouq, open Settings → Restore, pick the file. Everything comes back — 10,000 transactions or 50.
- Versioned by schema. An older export restored into a newer version triggers migrations automatically.
Our recommendation: export at the end of the month, the same moment you check your categories. An optional monthly reminder is built in. If automatic backup interests you, it is on the v2 roadmap, and it would go to your own cloud, not ours.
Sentry crash reports: opt-in and anonymised
One exception to the "zero transmission" rule: error reports. When the app crashes, we need to know where and why. We use Sentry with three guardrails:
- Off by default. On first launch, crash reports are OFF. Turn it on in Settings → Privacy → Help improve Sandouq.
- Strictly technical content. Stack trace (file, line, type), Android version (e.g. "Android 14"), device model (e.g. "Pixel 7a"), app version. No transaction, no account name, no amount is transmitted — breadcrumbs that might contain user data are stripped at the source.
- Reversible at any time. Flip the switch off and transmission stops.
Why Sentry and not "nothing at all"? An app shipped with no crash telemetry is an app that crashes and nobody fixes. The compromise we make: explicit opt-in, technical data only, named vendor — same approach as Standard Notes, Bitwarden mobile, Signal Android.
Threat model: what Sandouq protects you against (and what it doesn't)
Any security promise without an explicit threat model is marketing. Here's the reality.
What 100% local protects you against
- Massive data breaches on the publisher side. Nothing is recorded on our side, so there's nothing to lose in a server intrusion.
- Resale to data brokers. Many free budget apps resell aggregated history. Since we don't have your data, that business is mechanically excluded.
- Ad profiling. No ad SDK on board: Meta, Google Ads, TikTok learn nothing about your financial behaviour through Sandouq.
- Unilateral policy changes. An app that owns your data can change its terms to use it differently. We can't do that.
- Service discontinuity. If the publisher disappears tomorrow, your app keeps running on your phone, indefinitely.
What 100% local does NOT protect you against
- A lost or stolen unlocked phone. If someone grabs an unlocked Pixel, they see everything. Set a PIN or fingerprint — at minimum.
- Malware with root access. A compromised device can read the SQLite database. Keep Android updated.
- A JSON backup in a poorly secured cloud. A .json export sitting in a Google Drive without 2FA becomes the weak link. Treat it like a bank document.
- Someone over your shoulder. Local protects you from servers, not from a neighbour. The app offers a privacy mode that masks amounts.
- Religious calculation errors. Nisab, Zakat, and Hijri conversions are aids, not fatwas — see our terms of use.
An app that promises absolute security is lying. An app that tells you which compromise it makes lets you decide as an adult.
Verify it yourself
Three ways to confirm what this page claims:
- Cut internet right after install. Sandouq works completely — the only exception is the one-time purchase verification.
- Inspect network traffic with NetGuard or PCAPdroid (both free, F-Droid). No connection to sandouq.app, no telemetry — only play.google.com and, if you turned it on, *.sentry.io.
- Read the permissions on the Play Store listing. No location, contacts, SMS, camera, microphone — strictly the ones described in our privacy policy.
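One way to automate the traffic check above, as an added example that is not Sandouq's own code: given the hostnames seen for the app in a capture, it flags anything outside the two destinations this page names. The input format (one hostname per line, copied from your capture tool's connection list) and the function names are assumptions.

```python
# Added example: audit hostnames observed for one app against the
# destinations this page says are the only ones expected.

# From the page: play.google.com always; *.sentry.io only if crash
# reports were switched on in Settings.
ALWAYS_ALLOWED = ["play.google.com"]
SENTRY_ALLOWED = ["*.sentry.io"]


def normalize(host):
    """Lower-case and drop a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:  # host:port (not an IPv6 literal)
        host = host.split(":")[0]
    return host


def matches(host, pattern):
    """Exact match, or label-boundary suffix match for '*.' patterns."""
    if pattern.startswith("*."):
        # '*.sentry.io' must match 'o0.ingest.sentry.io' but not
        # 'evilsentry.io' or 'sentry.io.example.net'.
        return host.endswith(pattern[1:])
    return host == pattern


def audit(hosts, crash_reports_on=False):
    """Return the sorted list of unexpected hostnames."""
    allowed = ALWAYS_ALLOWED + (SENTRY_ALLOWED if crash_reports_on else [])
    unexpected = set()
    for raw in hosts:
        host = normalize(raw)
        if host and not any(matches(host, p) for p in allowed):
            unexpected.add(host)
    return sorted(unexpected)


# Constructed sample, not a real capture.
SAMPLE = """play.google.com:443
o0.ingest.sentry.io
evilsentry.io
play.google.com.example.net
""".splitlines()

if __name__ == "__main__":
    for opt_in in (False, True):
        print("crash reports on:", opt_in, "->", audit(SAMPLE, opt_in))
```

An empty result means the capture is consistent with the page's claim; with crash reports off, any sentry.io host is itself reported as unexpected.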
If you still have questions, the frequently asked questions page covers practical cases — including financial halal compatibility.
Ready to try?
Install the app in under a minute. No account to create, no email to give, no card to link. If you change your mind, uninstall: nothing stays anywhere except on your phone.