Stave Privacy Policy
Version 1.7 · Last updated: May 2026
In one paragraph
Stave is a Mac app that reads your bank SMS and email statements locally on your machine and helps you understand where your money goes. Stave never asks for your bank passwords, doesn’t talk to any server we run, and doesn’t share your data with anyone. If you opt in, Stave can send anonymous crash reports and feature usage events through Apple’s CloudKit so we can fix bugs and decide what to build next. Both are off by default. Read on for specifics, or jump to Section 7 to verify these claims yourself.
1. Our position on privacy
Stave is local-first. Your money is your business, and ours is only to help you see it clearly.
The architecture follows one principle: your data never leaves your sight without your explicit decision. Stave never asks for your bank credentials, never holds your account information, and never has access to your transactions.
Stave does not use any cloud-based AI services. There is no OpenAI integration, no Anthropic integration, no Google Cloud integration, no third-party model API.
2. Core principles
- On-device processing. All transaction reading and categorisation happens locally on your Mac. No message or statement content is sent to any server we run.
- Zero knowledge of your transactions. As the developer, Avysion has zero access to your transactions, balances, messages, or statements.
- No cloud AI. Stave does not send your data to OpenAI, Anthropic, or any other cloud-based AI service.
- No always-on telemetry. No analytics or crash data is sent unless you opt in. Stave makes no automatic phone-home calls.
- No aggregators. Stave does not use third-party “bank login” services such as Plaid or Yodlee.
- No third-party tracking. Stave contains no advertising trackers and no third-party analytics SDKs (no Google Analytics, no Firebase, no Amplitude).
- No accounts. Stave does not require you to create an account with us. There is no Stave login.
3. How Stave works
3.1 Data sources
Stave reads two types of data, both stored locally on your Mac by Apple’s own apps:
- Transaction SMS from
~/Library/Messages/, synced from your iPhone via your private iCloud - Bank statement PDFs from Apple Mail (
~/Library/Mail/), filtered to a strict allow-list of known bank sender addresses
You explicitly grant access to each source during setup. Stave reads transaction information directly from these local files on your machine.
3.2 On-device categorisation
Stave categorises transactions through a three-tier pipeline that runs entirely on your Mac:
- Your own rules. When you categorise a transaction, Stave learns the pattern and applies it to similar transactions in the future.
- Static rules. A built-in dictionary of common Indian merchants (Swiggy, Uber, BESCOM, etc.) provides starting categorisation without any model inference.
- Apple Intelligence. For transactions that don’t match the first two tiers, Stave uses Apple’s on-device Foundation Models (macOS 15.1+) to suggest a category. The model runs on your Mac’s Apple Silicon. No prompts, transactions, or results are sent to Apple’s servers.
For SMS transaction extraction (parsing the merchant, amount, and account from a raw SMS string), Stave uses Apple’s CoreML Named Entity Recognition framework, also running on-device.
Two additional post-processing detectors run locally to improve accuracy: a self-transfer pairing detector and a credit-card payment validator. Both are deterministic logic, not models.
3.3 How Stave handles edge cases
When the on-device pipeline cannot fully resolve a transaction or statement, Stave surfaces it for manual review rather than guessing:
- Low-confidence SMS are flagged as “needs review” so you can manually enter the merchant, amount, and account.
- Password-protected statement PDFs show a manual password input — Stave doesn’t try to guess hints.
- Statement PDFs from unrecognised senders show a manual account picker — Stave doesn’t try to infer which account they belong to.
These manual paths add slight friction but mean Stave never sends your data to a cloud service to make these decisions for you.
3.4 Anonymous diagnostics (opt-in only)
If you opt in, Stave sends two kinds of anonymous data to a public CloudKit database that Avysion controls. Both are off by default. A user who never enables diagnostics sends zero events.
During setup, Stave asks once: “Help improve Stave by sharing anonymous diagnostics?” — a single combined toggle, off by default. After setup, Settings → Privacy splits this into two separate toggles you can control independently:
Toggle 1 — Crash reports
- Sent: stack traces, OS version, Stave version, anonymous install ID
- Used to: identify crashes affecting users so we can fix them
- Not sent: any transaction, message, statement, or category data
Toggle 2 — Feature usage events
- Sent: anonymous events like “user opened dashboard,” “user categorised a transaction,” “user imported a statement”
- Used to: understand which features get used and which don’t
- Not sent: transaction amounts, merchant names, account numbers, message content, email content, PDF content, categories you’ve created, tags, notes, bank names, or your specific account list
Both kinds of data include a stable per-install identifier so we can group events from the same Stave installation (helping us measure crash impact, retention, and feature adoption). The identifier is generated locally on your Mac. It is not linked to your Apple ID, your name, or any contact information you’ve shared with Apple.
You can disable either toggle at any time in Settings → Privacy. When disabled, we delete events tied to your install ID from the CloudKit public database within 30 days.
3.5 iCloud synchronisation (optional)
If you choose to use Stave on multiple devices (your Mac and your iPhone), data syncs through Apple CloudKit:
- Data is stored in your private iCloud database
- Protected by your Apple ID and Apple’s end-to-end encryption
- Neither Apple nor the Stave team can access this data
- You can disable sync at any time in Settings — when off, Stave makes zero CloudKit writes to the private database
Note: the diagnostics in Section 3.4 use CloudKit’s public database, which is separate from your private database. Disabling iCloud sync (private database) doesn’t disable diagnostics, and disabling diagnostics doesn’t disable iCloud sync. They’re independent toggles.
4. What data is handled
| Data type | Purpose | Storage location |
|---|---|---|
| Transaction SMS | Reading transactions | On-device only |
| Bank statement PDFs | Reading transactions | On-device only (read from Apple Mail) |
| Bank names and account last-4 digits | Categorising accounts | On device, optionally syncs via your private CloudKit |
| Categories, tags, and notes you create | Personalisation and recall | On device, optionally syncs via your private CloudKit |
| Crash reports with a per-install identifier (optional, opt-in) | Identifying and fixing bugs | CloudKit public database controlled by Avysion |
| Anonymous feature usage events with a per-install identifier (optional, opt-in) | Understanding feature adoption | CloudKit public database controlled by Avysion |
| Banking passwords | Stave never requests these | N/A |
| PDF attachment passwords | Held only in your Mac’s Keychain when you provide one | macOS Keychain (not synced by Stave) |
| Contacts, photos, location | Stave never accesses these | N/A |
5. The pseudonymity question
The diagnostics events in Section 3.4 use a stable per-install identifier rather than fully anonymous events. This is a deliberate trade-off:
- Stable IDs let us answer questions like “which crashes affect the most users?” and “do users come back the next day?” That signal is genuinely useful for improving Stave.
- Stable IDs are not anonymous in the strict sense — events from the same install can be linked. We call this “pseudonymous”: tied to an install, not to a real-world identity.
- The ID is generated on your Mac. We don’t know whose Mac it is. We can’t tie it to your name, email, or Apple ID.
- You can break the link. Disabling diagnostics in Settings deletes the historical events from CloudKit public within 30 days, and re-enabling later generates a new install ID.
If pseudonymous events still feel too revealing for you, leave diagnostics off. The app works exactly the same with diagnostics off as with it on.
6. Network usage
Stave is designed to operate primarily offline. Network traffic falls into these categories:
Always allowed (when the relevant feature is in use):
- iCloud sync to Apple’s
icloud.cominfrastructure, only when you’ve enabled it in Settings. - Software update checks to
getstave.app/updates/appcast.xml(when opt-in update checking is enabled). Sends only your Stave version and macOS version.
Opt-in only (off by default):
- Anonymous diagnostics (crash reports and/or feature usage events) to Apple’s CloudKit public database when you’ve enabled the corresponding toggle.
There is no Avysion server that collects data from your Stave installation outside of CloudKit public (which only receives data when you opt in to diagnostics). Stave does not send data to OpenAI, Anthropic, or any other cloud AI service.
7. Verification: don’t trust us, verify
You can confirm Stave’s network behaviour using built-in macOS tools:
- App Privacy Report. Go to System Settings → Privacy & Security → App Privacy Report. Stave’s network connections appear there. With diagnostics off, you’ll see only Apple domains and
getstave.app. - Activity Monitor. Open Activity Monitor, select the Network tab, and search for Stave. Sent bytes stay near zero except during iCloud sync, update checks, or opt-in diagnostics events.
- Sandboxing. Stave is a sandboxed Mac app. macOS prevents Stave from accessing files, folders, or system resources unless you’ve explicitly granted permission.
- Source code inspection. We’re happy to walk through the code with anyone who asks.
8. Your data, your control
You’re never locked into Stave:
- Delete all data. Settings → Delete all Stave data. Clears your local database. If iCloud sync is enabled, also clears your private CloudKit data. Cannot be undone.
- Disable diagnostics. Settings → Privacy → toggle off Crash reports and/or Feature usage events. Stops sending events; deletes historical events tied to your install ID within 30 days.
- Work fully offline. Turn off iCloud Sync in Settings to keep all data on a single machine. Disable diagnostics. Now Stave makes zero outbound calls except update checks (which you can also disable).
- Uninstall. Removing Stave from your Mac leaves no remote data behind we control beyond any CloudKit public diagnostics events you sent. Disabling diagnostics first ensures those are deleted on schedule.
Data export to CSV/JSON is on the roadmap but not yet shipped. When it lands, it will be a one-click action.
9. Changes to this policy
If we update this policy, the change is recorded in the version history at the top of this document. Material changes (new data types handled, new third-party services that fire by default, changes to sync or diagnostics behaviour) will be communicated in-app at the next launch following the change.
Contact
Questions about how Stave handles your data, or about the architecture described above:
Email: stave@avysion.studio
Website: https://www.getstave.app/
Stave is built by Avysion in India. The Stave team has zero access to your transactions, balances, or messages. That’s not a policy choice — it’s an architectural constraint. The code is sandboxed by macOS, the network is observable in Activity Monitor, and every external service is opt-in. We invite scrutiny.