Sikka Privacy Policy
Effective 12 July 2026 · applies to usesikka.com, demo.usesikka.com, and the Sikka reveal app at /app
The short version: when you connect Gmail, your emails are fetched and read entirely in your browser. Sikka's servers never receive, store, or see your email content, statements, passwords, or tokens — the app is technically incapable of sending them to us. Disconnecting wipes everything from your device and revokes Sikka's access to your Google account.
1 · What the Sikka app does
Sikka analyses your card spending to show what verified rewards cards would have earned on it. The analysis runs on your device: your browser downloads the Sikka page and code from our server, and from that point the financial computation happens locally.
2 · Google user data: what we access and why
If you choose to connect Gmail, the app asks Google for these OAuth scopes:
openidandemail— to confirm which Google account granted access, shown back to you in the app.gmail.readonly— read-only access your browser uses to find financial emails (bank transaction alerts, e-statements, reward summaries) and statement PDF attachments. Read-only means the app can never send, modify, delete, or label your mail.
The Gmail search is limited to financial senders and financial subjects; your browser fetches only those messages.
3 · Where your data goes — and where it can't
- Your OAuth token stays in your browser. Sikka uses Google's token-in-fragment flow: the access token is delivered by Google directly to the page in your browser and is never transmitted to Sikka's servers. So the app can restore your session after a reload, the token and your Google email address are kept in the same encrypted on-device vault described below — still only in your browser.
- Email content stays in your browser. Message bodies and PDF statements are parsed on-device and immediately discarded. Only derived fields — merchant names, amounts, card last-4 digits, points counts — are kept, encrypted (AES-GCM via your browser's WebCrypto), in your browser's local storage. The encryption key is generated by your browser as non-extractable: it cannot be exported by any code, ours included, and can never leave your browser. Raw content is never persisted, never transmitted.
- The app cannot phone home. The /app page ships a Content-Security-Policy that allows network connections only to Google's own domains (accounts.google.com, oauth2.googleapis.com, www.googleapis.com). Our build pipeline scans the shipped code for any other network destination and fails if one appears; our test suite asserts the same. Statement passwords you type are used on-device to unlock the PDF and are never stored or sent anywhere.
- Sikka's servers receive no Gmail data. What our servers see from the app is the ordinary web traffic of serving you the page and its code — never your email content, attachments, passwords, or tokens.
4 · Limited Use disclosure
Sikka's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide the user-facing feature you asked for — your on-device rewards report.
- We do not transfer Google user data to anyone; it never leaves your device, so there is nothing to transfer, sell, or share.
- We do not use Google user data for advertising of any kind.
- No human at Sikka reads your Google user data — architecturally we cannot, because it never reaches us.
- We do not use Google user data to train AI or machine-learning models — generalized or otherwise.
5 · Retention and deletion
Everything the app derives from your Gmail lives encrypted in your own browser's storage. Pressing Disconnect & wipe deletes all of it and revokes the app's Google access token. Clearing your browser's site data does the same. There is no server-side copy to delete, and access tokens expire on their own within about an hour. You can also review or revoke Sikka's access at any time at myaccount.google.com/permissions.
6 · Data we do hold on our servers
- Waitlist: if you join the waitlist we store the email address you give us, and use it only to contact you about access to Sikka.
- WhatsApp assistant: if you message Sikka on WhatsApp we store your number, the card names you tell us about, and conversation history needed to answer you. Statements you send there are parsed on our servers: the parsed transaction summary is kept for your reports, and the raw file is not retained after parsing. A password-protected PDF is held, encrypted, only until you unlock it or the attempt expires — then it is deleted; the password you type is used once to unlock and is never stored. Your Gmail content is never involved: the WhatsApp assistant has no access to it.
- No advertising trackers: the Sikka app contains no third-party advertising or analytics trackers — the same build gate that blocks data exfiltration blocks them too.
7 · Your rights
UAE PDPL and equivalent laws give you rights of access, correction, and erasure over personal data we hold. For anything in section 6 — or any privacy question — contact us and we will respond within 30 days.
8 · Contact
Sikka FZ-LLC, Dubai, UAE · praneet.sinha28@gmail.com
9 · Changes
If this policy changes, the new version appears here with a new effective date. We will never weaken the on-device guarantees above without asking for your consent again.