Privacy Policy
Moneylizer, operated by Megagraphs Technologies Private Limited ("Moneylizer", "we", "us", "our")
Primary website: https://moneylizer.com
Additional covered domain: https://megagraphs.com
Effective Date: 1 May 2026
Last Updated: 1 May 2026
1. Introduction
Moneylizer is a personal finance platform that helps you consolidate, categorize, and understand your bank statements in one place. We are built around a simple commitment: your financial data is yours, we do not monetize it, and we do not show advertisements.
The platform is organized into modules. m360 is the first such module and the one you currently interact with for statement ingestion, transaction extraction, and categorization. Additional modules will be added to the platform over time and, unless otherwise stated at the point of collection, will be governed by this same Privacy Policy.
This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and the rights you have over it. This policy is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and applicable rules thereunder.
Scope. This policy applies to your use of Moneylizer (including the m360 module and any future modules) through https://moneylizer.com and, where the same services are made available to real users, through https://megagraphs.com (a domain we also operate, primarily used for development and testing but which may serve real users from time to time). Both domains are operated by Megagraphs Technologies Private Limited and are governed by this single policy.
By creating an account or using Moneylizer on either domain, you ("you", "User", "Data Principal") consent to the practices described in this policy.
2. Who We Are (Data Fiduciary)
Under the DPDP Act, Megagraphs Technologies Private Limited is the Data Fiduciary for the personal data processed through Moneylizer.
- Legal Entity: Megagraphs Technologies Private Limited
- Platform: Moneylizer (https://moneylizer.com; also served on https://megagraphs.com)
- Registered Address: 105B, Bldg 3, N G Suncity, Thakur Village, Kandivali (East), Mumbai 400101, India
- Grievance Officer: Vishwas
- Grievance Officer Email: support@megagraphs.com
3. Data We Collect
We collect the minimum data needed to operate the service. The categories are listed below.
3.1 Account & identity data
- Name, email address, and profile picture obtained from your Google OAuth login. (We may add other OAuth providers such as Apple or Microsoft in the future; this policy will be updated accordingly.)
- We do not receive or store your Google account password.
3.2 Financial statement data (uploaded by you)
- PDF and Excel bank/credit card statements you upload directly.
- The password for password-protected statements, which you provide so we can unlock them. These passwords are typically derived from a combination of date of birth, name, account number, or PAN. We treat them as sensitive credentials and store them encrypted in a dedicated keyring (see Section 6).
3.3 Financial statement data (fetched via Gmail integration — optional)
If you choose to enable our Gmail integration:
- We use Google's OAuth and request the most restricted scopes possible to read only emails that meet both of the following filters:
  - the sender is on a pre-defined allowlist of known statement-issuing senders (banks, brokers, card issuers); and
  - the email contains a file attachment (PDF/XLSX).
- We do not read, scan, index, or store the rest of your inbox. Emails outside the allowlist are never accessed.
- We download only the qualifying attachments. We do not retain copies of the email body beyond what is needed to associate the attachment with its source.
- This integration is optional. You can decline it and upload statements manually, and you can revoke the Gmail permission at any time from your Google Account settings or from within Moneylizer.
Google API Services User Data Policy — Limited Use disclosure: Moneylizer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Gmail data for serving advertisements, and we do not allow humans to read this data except (a) with your explicit consent for a specific message, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations. We do not transfer or sell this data to third parties.
3.4 Extracted transaction data
From your statements, we extract individual transactions and store them in our NoSQL database. Each transaction record may include date, amount, currency, merchant/counterparty as printed on the statement, transaction reference number, and the source statement.
3.5 Labels, categories, and notes
- Auto-categorization labels (e.g., Food, Travel, SIP, Shopping, Education) generated by our system.
- Community labels and location labels that you apply to vendors to help recognise them.
- Personal notes you attach to specific transactions. Personal notes are private to your account and are never shared, surfaced to other users, or used for community labelling.
3.6 Technical and usage data
- Device information (browser, OS, device type), IP address, session identifiers, and approximate location derived from IP.
- Product analytics events (pages visited, features used, time-on-task) to identify journey bottlenecks. See Section 8.
3.7 Data we do not collect
- We do not collect or store your bank account passwords or net-banking credentials.
- We do not initiate transactions on your behalf.
- We do not request access to your full Gmail inbox, contacts, drive, or calendar.
- We do not collect biometric data, government IDs (Aadhaar, etc.), or PAN as a standalone identifier. Where your PDF password happens to incorporate a PAN, we treat the password as an opaque credential and do not parse it for the PAN value.
4. How and Why We Use Your Data (Purpose & Legal Basis)
Under the DPDP Act, we process your personal data only for lawful purposes and based on your consent (or, where applicable, legitimate uses recognised by the Act).
| Purpose | Data Used | Basis |
|---|---|---|
| Authenticate you and run your account | OAuth identity, email | Consent |
| Ingest, unlock, parse, and store your statements | Statements, PDF passwords | Consent |
| Extract and categorize transactions | Statement contents | Consent |
| Let you label, annotate, and search your transactions | Transactions, labels, notes | Consent |
| Allow export of your data | Transactions, master password | Consent |
| Account safety (login alerts, anomaly detection, abuse prevention) | Account & device data | Consent / legitimate use |
| Product analytics for fixing usability bottlenecks | Aggregated/anonymized usage events | Consent |
| Comply with Indian law and respond to lawful requests | Any of the above | Legal obligation |
What we explicitly do not do
- We do not sell, rent, license, or monetize your personal data or financial data in any form.
- We do not use your data to serve advertisements. Moneylizer does not display ads.
- We do not use your financial data to train any machine learning model. We currently do not use any LLM, and we do not intend to in the foreseeable future. If this ever changes, we will update this policy and obtain fresh consent before using your data for any such purpose.
- We do not share your transactions with marketers, brokers, lenders, credit bureaus, or any third party for commercial purposes.
5. The PDF Password Re-keying Process
Because your statement passwords vary per bank and per statement and are inconvenient to remember, we offer a re-keying mechanism:
- When you upload a statement, you supply the original password.
- We unlock the PDF and extract its contents.
- We remove the original password from the stored copy of the PDF and apply a single master password, unique to your account, to all your stored financial documents.
- The original password is stored, encrypted, in our keyring so we can unlock future statements from the same source automatically. You may delete stored passwords at any time.
- When you export your data (Section 7), the export file is protected with the same master password.
You are responsible for keeping your master password safe. We cannot recover the master password if you lose it; we can only help you reset it through your authenticated session.
6. How We Protect Your Data
- Encryption in transit: All traffic to and from Moneylizer is encrypted using TLS.
- Encryption at rest: All user data, including statement files, transaction records, and the password keyring, is encrypted at rest using AWS KMS-managed keys.
- Keyring isolation: PDF passwords are stored in a dedicated, encrypted keyring with restricted access.
- Hosting: All infrastructure is hosted on Amazon Web Services in the India region. Your personal data does not leave India in the ordinary course of operations.
- Access control: Production data access is restricted to authorized engineering personnel under role-based access control, audit logging, and the principle of least privilege.
- Privacy-first design (commitment): We are actively working towards an architecture in which no single internal process is capable of identifying an individual user by combining the data it can see. This is an engineering commitment we are building towards; we will describe progress transparently as we ship it. Until that goal is fully achieved, customer data is protected through the controls described above.
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act and rules thereunder.
7. Data Export and Portability
You can export all your transactions from your account at any time. Exports are generated as a downloadable file protected with your master password. This gives you a complete local copy of your data outside Moneylizer.
8. Analytics
We perform product analytics to identify bottlenecks in user journeys and to fix bugs and usability problems. Wherever possible, analytics events are aggregated or anonymized and do not include the contents of your statements, transactions, labels, or notes. Analytics data is not sold or shared with advertisers.
9. Data Retention
- Account data: retained while your account is active.
- Statement files, transactions, labels, notes, keyring entries: retained while your account is active, so that you can keep using and searching your historical data.
- On account deletion: when you delete your account through the in-app deletion flow, we delete your statements, transactions, labels, notes, keyring entries, and OAuth tokens within 30 days, except where retention is required to comply with Indian law (for example, tax, anti-money-laundering, or law-enforcement requirements), in which case only the legally required minimum is retained for the legally mandated period.
- Backups: residual copies in encrypted, time-limited backups are purged on the standard backup rotation.
- Analytics events: retained in aggregated/anonymized form.
10. Your Rights as a Data Principal
Under the DPDP Act, you have the right to:
- Access a summary of the personal data we process about you and the processing activities involved.
- Correct, complete, or update inaccurate or outdated personal data.
- Erase your personal data, subject to legal retention requirements.
- Withdraw consent at any time. Withdrawing consent for core processing (e.g., statement ingestion) will mean we can no longer provide the corresponding feature, but it will not affect the lawfulness of processing done before withdrawal.
- Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Grievance redressal — raise a concern with our Grievance Officer (Section 2) and receive a response within the timeline prescribed by law. If you are not satisfied, you may escalate to the Data Protection Board of India.
To exercise any of these rights, contact us at the Grievance Officer email in Section 2, or use the in-app controls in your account settings.
11. Third Parties
We use a small number of trusted infrastructure providers strictly as Data Processors acting on our instructions:
- Amazon Web Services (AWS), India region — hosting, storage, encryption (KMS).
- Google LLC — only for the OAuth login flow and (if you enable it) the scoped Gmail integration.
We do not share your personal data with any other third parties for their own purposes. We do not sell your data. We do not transfer your data outside India in the ordinary course of operations. If we ever need to engage additional processors, we will update this policy.
12. Children
Moneylizer is intended for users aged 18 and above. We do not knowingly collect personal data of children under 18. If you believe a child has provided us with personal data, please contact our Grievance Officer and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — for example, adding a new OAuth provider, launching a new module on the platform that introduces a new type of processing, adding a new processor, or otherwise changing the way we process data — we will:
- post the updated policy on https://moneylizer.com (and https://megagraphs.com where applicable) with a new "Last Updated" date, and
- where the change materially affects your rights, notify you via email or an in-app notice and, where required by law, seek your fresh consent.
14. Contact
For any privacy questions, requests, or grievances:
Grievance Officer: Vishwas
Email: support@megagraphs.com
Company: Megagraphs Technologies Private Limited
Address: 105B, Bldg 3, N G Suncity, Thakur Village, Kandivali (East), Mumbai 400101, India