Financial data is some of the most sensitive information you have. Zimma's architecture is designed from the ground up to protect it. This page explains how.
Offline-first by design
Zimma's most important security feature is also its core architecture: your data lives on your device first.
- All financial data is stored locally on your phone
- Every feature works without an internet connection
- No data leaves your device unless you explicitly enable cloud backup
This means even if our servers were compromised, your data would remain safe on your device.
Most finance apps store everything in the cloud and show you a cached copy. Zimma does the opposite. Your device is the source of truth. The cloud is just a backup.
How your data is protected
| Layer | Protection |
|---|---|
| On device | Your data is stored in an isolated, sandboxed database on your phone. Other apps cannot access it. |
| Login credentials | Stored in your device's hardware-backed secure storage, not in regular app storage. |
| In transit | All communication between your device and our servers is encrypted. |
| At rest (cloud) | Cloud backup data is encrypted at rest on our servers. |
| Authentication | Sign in with email/password, Google, or Apple. Passwords are never stored in plain text. |
Cloud backup security
When you enable cloud backup, every change is saved to your device first, then uploaded to our servers in the background over an encrypted connection. If your internet drops, changes queue up and sync automatically when you are back online. Your local data is never affected by sync status.
All your user-created data (transactions, accounts, assets, categories, Zakat records, and settings) is backed up. Publicly available reference data like gold prices and tax rules is fetched fresh and not included in your backup.
Commodity and tax data
Zimma fetches gold and silver prices (for Zakat) and FBR tax slabs (for tax calculations) from our servers. These requests do not include your personal financial data — they are lookups for publicly available reference information.
Device migration
When you sign in on a new device, Zimma pulls your cloud backup over an encrypted connection and restores your data. All balances are recalculated from your transaction history to ensure accuracy.
Account deletion
When you delete your account, your cloud data is permanently removed from our servers. This is irreversible. Local data on your device is removed when you uninstall the app.
What we do not do
We do not sell, rent, or share your financial data with anyone. We do not use third-party analytics or advertising SDKs. We do not track your behavior across apps. We do not use your data for profiling or marketing. We do not store payment card numbers or bank credentials.
Zimma tracks what you tell it. It does not connect to your bank accounts, read your SMS messages, or access any data you have not explicitly entered.
Protecting yourself
Zimma staff will never ask for your password, verification codes, or login credentials. We will only ever ask you to sign in through the app itself. If someone contacts you claiming to be from Zimma and asks for sensitive information, do not respond and report it to security@zimma.app.
Infrastructure
We use industry-standard, SOC 2 compliant infrastructure providers for cloud storage, authentication, and email. We do not operate our own data centers.
Your controls
You always have the ability to:
- Use Zimma offline only. Never create an account, never send data to our servers.
- Delete your account. Remove all cloud data permanently. Email privacy@zimma.app or use the in-app option.
Responsible disclosure
If you discover a security vulnerability in Zimma, please report it to security@zimma.app. We take all reports seriously and will respond within 72 hours. Please do not publicly disclose vulnerabilities until we have had a chance to address them.
Questions
For security questions or concerns:
- Email: security@zimma.app
Security is not a feature we bolt on. It is a consequence of how Zimma is built. Offline-first means your data starts private and stays private. The cloud is a convenience, not a requirement.