And why we'll never touch your sensitive messages
We've been fielding a lot of questions lately about how we handle SMS data, particularly around OTPs and privacy. These are fair questions, and you deserve straight answers. So here's exactly how it works, no hand-waving.
We read your bank transaction SMSes to track your expenses automatically. We filter out everything else, including OTPs, right on your device. We don't touch your bank account. Your personal data stays yours and is never sold to anyone. Subscriptions keep the lights on.
Now, the longer version
Sri Lanka doesn't have open banking infrastructure. There's no standardized API that lets apps talk to your bank securely on your behalf, the way you might see in the UK or parts of Europe. SMS is the only reliable channel we have for automating expense tracking here.
We're not pretending this is the ideal solution. But it's the only one that actually works for the problem we're solving, and we've built tight guardrails around it.
This is worth saying clearly: Kiwi Money never asks for your bank login, your password, or any banking credentials. We have zero access to your bank app. The only thing we work with is the transaction SMS your bank sends to your phone.
No. Our app only looks for bank transaction SMS based on known sender IDs and message formats from Sri Lankan banks.
If a message doesn't match, it's never read, never processed, and never leaves your phone.
We have zero interest in your personal conversations.
When an SMS arrives, our app runs a filter locally, on your device, before anything leaves your phone.
OTPs? Discarded. Personal messages? Ignored. Promotional bank SMS? Filtered out.
Only transaction-related SMS gets processed. This isn't an afterthought. We built it this way deliberately, both for your privacy and to comply with data protection regulations.
From your transaction SMS, we extract only what's needed to show you where your money is going:
That's the full list. Nothing more.
Your transaction data is stored in a way that can't be traced back to you as an individual. We don't store personal identifiers alongside your financial data. Data we don't need gets deleted. And if you ever want to wipe everything, you have that option, full stop.
This is the concern we hear most, so let's address it head-on.
First: we don't store OTPs. They're filtered and discarded on your device before they ever reach us.
But even in a hypothetical scenario where someone had access to an OTP, it's effectively useless on its own. An OTP without the associated login credentials and an active session is like having a house key with no address. Nobody's getting in with just that.
We never have access to your login credentials or active banking sessions. Period.
There's a common business model in fintech where the app is free and your personal data is the product. We went the other direction.
Subscriptions are how we pay the bills. Your personal information is never sold to or shared with third parties. We believe your identity, your accounts, and your individual financial details should remain private, and the subscription model is what makes that possible.
We mean it when we say transparency matters to us. If something here doesn't make sense or you want to dig deeper, reach out. We'll answer everything we can.
