And why we'll never touch your sensitive messages
We've been fielding a lot of questions lately about how we handle SMS data, particularly around OTPs and privacy. These are fair questions, and you deserve straight answers. So here's exactly how it works, no hand-waving.
We read your bank transaction SMSes to track your expenses automatically. We filter out everything else, including OTPs, right on your device. We don't touch your bank account. We don't sell your data. Subscriptions keep the lights on.
Now, the longer version.
Sri Lanka doesn't have open banking infrastructure. There's no standardized API that lets apps talk to your bank securely on your behalf, the way you might see in the UK or parts of Europe. SMS is the only reliable channel we have for automating expense tracking here.
We're not pretending this is the ideal solution. But it's the only one that actually works for the problem we're solving, and we've built tight guardrails around it.
This is worth saying clearly: Kiwi Money never asks for your bank login, your password, or any banking credentials. We have zero access to your bank app. The only thing we work with is the transaction SMS your bank sends to your phone.
When an SMS arrives, our app runs a filter locally, on your device, before anything leaves your phone.
OTPs? Discarded. Personal messages? Ignored. Promotional bank SMS? Filtered out.
Only transaction-related SMS gets processed. This isn't an afterthought. We built it this way deliberately, both for your privacy and to comply with data protection regulations.
From your transaction SMS, we extract only what's needed to show you where your money is going:
+ Amount and currency
+ Merchant name or reference
+ Transaction date and time
+ Account balance
+ Account/Card number
+ Whether it's a debit or credit
That's the full list. Nothing more.
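As an added illustration, and not Kiwi Money's own code, here is a Python sketch of the on-device pipeline described above: each incoming SMS is triaged on the phone, OTPs and non-bank messages are dropped before anything is stored, and only the listed fields are pulled out of transaction messages. The sender ids, message formats, regexes and sample inbox are constructed assumptions, not real bank formats.

```python
import re

# Constructed sample inbox of (sender id, body); not real bank messages, formats are assumptions.
SAMPLE_INBOX = [
    ("MYBANK", "Your OTP is 482913. Do not share it with anyone. Valid for 5 min."),
    ("MYBANK", "Purchase of LKR 2,450.00 at CITY SUPERMART on 12/03/2025 14:32 from card "
               "ending 1234. Available balance LKR 58,320.50"),
    ("MYBANK", "Credit of LKR 150,000.00 to A/C ****5678 on 01/03/2025 09:05. Balance LKR 210,770.25"),
    ("+94771234567", "hey are we still on for dinner tonight?"),
    ("MYBANK", "Get 20% off on dining with your MYBANK credit card this weekend!"),
]

OTP_RE = re.compile(r"\b(otp|one[- ]time|verification code|passcode)\b", re.I)
AMOUNT_RE = re.compile(r"\b(LKR|USD)\s*([\d,]+\.\d{2})")
BALANCE_RE = re.compile(r"balance\s+(LKR|USD)\s*([\d,]+\.\d{2})", re.I)
DATE_RE = re.compile(r"\b(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2})\b")
ACCOUNT_RE = re.compile(r"(?:card ending\s+|\*{4})(\d{4})")
MERCHANT_RE = re.compile(r"\bat\s+([A-Z][A-Z0-9 &]+?)\s+on\b")
CREDIT_RE = re.compile(r"\b(credit(ed)?|deposit(ed)?|received)\b", re.I)

def classify(sender: str, body: str) -> str:
    """On-device triage. Only 'transaction' goes on to extraction; every other
    class is dropped here, so an OTP body never reaches storage or the network."""
    if OTP_RE.search(body):
        return "otp"
    if not sender.isalpha():          # numeric sender: a person, not a bank sender id
        return "personal"
    if AMOUNT_RE.search(body) and DATE_RE.search(body):
        return "transaction"
    return "promotional"

def extract(body: str) -> dict:
    """Pull only the fields the post lists; the raw message body is not kept."""
    amt, bal = AMOUNT_RE.search(body), BALANCE_RE.search(body)
    acct, merch = ACCOUNT_RE.search(body), MERCHANT_RE.search(body)
    return {
        "amount": float(amt.group(2).replace(",", "")),
        "currency": amt.group(1),
        "merchant": merch.group(1).strip() if merch else None,
        "timestamp": DATE_RE.search(body).group(1),
        "balance": float(bal.group(2).replace(",", "")) if bal else None,
        "account_last4": acct.group(1) if acct else None,   # last four digits only
        "kind": "credit" if CREDIT_RE.search(body) else "debit",
    }

def process_inbox(inbox: list) -> list:
    """Returns extracted transaction records; nothing else leaves this function."""
    return [extract(b) for s, b in inbox if classify(s, b) == "transaction"]
```

Running `process_inbox(SAMPLE_INBOX)` yields two records (one debit, one credit) and nothing from the OTP, personal or promotional messages.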
Your transaction data is anonymized. It can't be traced back to you as an individual because we don't store personal identifiers alongside it. Data we don't need gets deleted. And if you ever want to wipe everything, you have that option, full stop.
OTPs are the concern we hear most, so let's address them head-on.
First: we don't store OTPs. They're filtered and discarded on your device before they ever reach us.
But even in a hypothetical scenario where someone had access to an OTP, it's effectively useless on its own. An OTP without the associated login credentials and an active session is like having a house key with no address. Nobody's getting in with just that.
We never have access to your login credentials or active banking sessions. Period.
There's a common business model in fintech where the app is free and the product is your data. We went the other direction.
Subscriptions are how we pay the bills. Your data isn't a revenue stream for us. It's not packaged, sold, or shared with advertisers. We think that's how it should be, and the subscription model is what makes that possible.
We mean it when we say transparency matters to us. If something here doesn't make sense or you want to dig deeper, reach out. We'll answer everything we can.