Appearance
Privacy Policy
Last updated: March 2026
MegaSuperSoft Limited ("MegaSuperSoft", "we", "us") operates FFFFinance, a personal finance desktop application for New Zealand. This policy explains what data is collected, how it is used, and your rights under the New Zealand Privacy Act 2020.
The short version: FFFFinance is local-first. Your financial data lives on your device. We collect almost nothing. The details are below.
1. Who We Are
MegaSuperSoft Limited Wellington, New Zealand hello@megasupersoft.comffffinance.org
2. What Data FFFFinance Handles
2.1 Data Stored Locally on Your Device
FFFFinance stores the following in a SQLite database on your machine:
| Data type | Where it comes from | Stored where |
|---|---|---|
| Bank account names and balances | Akahu open banking sync | Local SQLite |
| Bank transactions (description, amount, date, category) | Akahu open banking sync | Local SQLite |
| Akahu access token | Your Akahu authorisation | Local SQLite |
| Budget rules and categories you create | You, in the app | Local SQLite |
| App settings and preferences | You, in the app | Local SQLite |
| AI model files | Downloaded from public model hubs | Local filesystem |
This data never leaves your device unless you explicitly enable cloud sync (see section 2.3).
2.2 Bank Data via Akahu
FFFFinance connects to your NZ bank accounts via Akahu, a licensed open banking aggregator. When you connect an account:
- You authorise Akahu through their secure OAuth flow in a system browser window
- FFFFinance receives a read-only access token — it never sees your bank login credentials
- We fetch account names, balances, and up to 90 days of transaction history on first sync, then incremental updates thereafter
- Transaction data includes: description, amount, date, merchant (where available), Akahu's category enrichment, and account identifiers
- Akahu's own Privacy Policy governs how Akahu handles your data on their systems
You can revoke FFFFinance's access to your Akahu-connected accounts at any time from your Akahu account settings, independently of this app.
2.3 Cloud Sync (Optional — Pro and Cloud Tiers)
Cloud sync is entirely opt-in. If you enable it:
- Selected data (accounts, transactions, budgets, settings) is synced to Cloudflare D1, a hosted SQLite service
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Cloudflare's infrastructure)
- Sync is authenticated with a per-user API key you generate — MegaSuperSoft does not have access to your cloud data store
- Your raw Akahu token is never synced to the cloud
You can disable cloud sync and delete your cloud data at any time via Settings → Cloud → Delete cloud data.
2.4 AI Processing
Local AI (default): The AI assistant "Freddy" runs language models directly on your device. No financial data or queries leave your machine during local AI use.
Cloud AI (opt-in): If you enable the cloud AI tier in Settings, your typed queries (not your raw transaction data) may be sent to Anthropic or OpenAI. You provide your own API key. MegaSuperSoft does not intercept or log these requests. The respective provider's privacy policy applies to data they receive.
3. Analytics and Telemetry
We collect no analytics or telemetry. There is no tracking SDK, no crash reporting service, no usage statistics, no heatmaps, and no third-party analytics of any kind embedded in FFFFinance.
The only network requests the app makes are:
- To
api.akahu.io(bank sync, when you trigger a sync) - To your Cloudflare Worker endpoint (cloud sync, only if enabled)
- To your chosen AI API (cloud AI, only if enabled and only for the query text)
- To GitHub releases (auto-update check, version string only — no device identifiers)
4. Website and Marketing
If you visit ffffinance.org, standard web server logs may capture your IP address and browser user agent. We do not use cookies beyond what the hosting platform requires for operation, and we do not run advertising trackers on the website.
5. Third-Party Services
| Service | Purpose | When used | Their privacy policy |
|---|---|---|---|
| Akahu | NZ bank data aggregation | When you connect a bank account | akahu.nz/legal/privacy-policy |
| Cloudflare | Cloud sync (D1 database) | Only if you enable cloud sync | cloudflare.com/privacypolicy |
| Anthropic | Cloud AI fallback | Only if you enable cloud AI + use Anthropic | anthropic.com/privacy |
| OpenAI | Cloud AI fallback | Only if you enable cloud AI + use OpenAI | openai.com/policies/privacy-policy |
| GitHub | Auto-update version check | On app launch | docs.github.com/en/site-policy |
None of these services are active by default except the auto-update check (which sends no personal data).
6. Data Retention
- Local data: Retained until you delete it or uninstall the app. Uninstalling the app does not automatically delete the database — you must manually delete
~/.local/share/FFFFinance/(Linux) or the equivalent OS path. - Cloud sync data: Retained until you delete it via the app's cloud settings, or until your Pro/Cloud subscription lapses (in which case data is retained for 90 days, then deleted).
- Akahu data: Akahu retains data per their own policy. Revoking access in your Akahu account stops further syncing.
7. Data Security
See our Security Policy for full details. In summary:
- Local data is protected by your OS filesystem permissions and (if enabled) full-disk encryption
- Cloud sync uses TLS 1.3 in transit and AES-256 at rest
- Akahu tokens are stored locally and never logged or transmitted beyond
api.akahu.io
8. Children's Privacy
FFFFinance is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact hello@megasupersoft.com and we will take steps to delete it.
9. NZ Privacy Act 2020 Compliance
MegaSuperSoft is a New Zealand company and complies with the Privacy Act 2020. Your rights under this Act include:
- Access: You have the right to request access to personal information we hold about you.
- Correction: You have the right to request correction of inaccurate personal information.
- Deletion: You can delete your data from within the app at any time.
Because FFFFinance stores data locally on your device and MegaSuperSoft does not have access to it (unless you enable cloud sync), most of your rights are exercisable directly within the app itself.
To make a formal privacy request or to raise a concern, contact us at hello@megasupersoft.com. We will respond within 20 working days as required by the Privacy Act.
Complaints: If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner (New Zealand).
10. Changes to This Policy
We will update this policy when there are material changes to how we handle data. If you use cloud sync, we will notify you via the app when we make material changes. The "Last updated" date at the top of this page always reflects the most recent revision.
11. Contact
hello@megasupersoft.com MegaSuperSoft Limited, Wellington, New Zealand