1. Overview
Cashuary is a personal finance tool that syncs bank transaction data to Google Calendar. This policy describes what data we collect, how it is stored and protected, how long we retain it, and how users can request deletion. It applies to all data processed through the Cashuary application.
2. Data We Collect
Cashuary stores the minimum data necessary to operate the service. The following table describes each category of data and its purpose.
| Category | Data Stored | Purpose |
|---|---|---|
| User account | Google user ID, email address, encrypted Google OAuth tokens, calendar preferences (sync mode, minimum amount filter) | Authentication, calendar access, user preferences |
| Bank connections | Plaid item ID, encrypted Plaid access token, institution name, connection status, sync cursor, provider type (Plaid or Stripe Financial Connections) | Maintaining active bank links and incremental transaction sync |
| Bank accounts | Account ID, account name, last-four mask, account type/subtype, current/available balances, enabled/disabled flag | Displaying connected accounts, filtering transactions by account |
| Transaction records | Transaction ID, data hash only (SHA-256), calendar event ID reference, date, account ID, amount, merchant name, removal flag | Deduplication, calendar event management, sync state tracking |
| Calendar references | Google Calendar ID, calendar display name, sync preferences, daily summary event IDs | Mapping bank connections to specific calendars |
| Billing | Stripe customer ID (reference only — no card numbers or billing details stored in our database) | Subscription management via Stripe |
data_hash) is retained for change detection during subsequent syncs.
3. How Data Is Stored and Protected
Encryption at rest
All sensitive tokens (Plaid access tokens, Google OAuth refresh tokens) are encrypted using AES-256-GCM with authenticated encryption before being written to the database. Each encrypted value includes a unique initialization vector (IV) and authentication tag. The encryption key is stored as an environment variable and is never committed to source code or logs.
Database security
Data is stored in a PostgreSQL database hosted on Railway with TLS-encrypted connections. Database credentials are managed through environment variables and are not accessible to application code at rest.
Transport security
All communication between users and Cashuary, and between Cashuary and third-party APIs (Plaid, Stripe, Google), occurs over HTTPS/TLS.
Token handling
Tokens are never logged, never written to disk in plaintext, and are decrypted only at the moment of use for API calls. Plaid webhook payloads are verified using body-hash signature verification before processing.
4. Retention Periods
| Scenario | Data Affected | Retention Period |
|---|---|---|
| Active account | All user data | Retained for the duration of the active account |
| Bank disconnection | Plaid/Stripe access tokens | Deleted immediately upon disconnection. The bank connection is revoked via the provider's API (Plaid Item Remove). |
| Bank disconnection | Transaction hashes, calendar event references | Retained to preserve calendar event continuity. Users can manually delete calendar events at any time via Google Calendar. |
| Account deletion | All user data (account, tokens, bank connections, transaction hashes, calendar references, billing references, sync progress) | Purged within 30 days of the deletion request. Immediate deletion from our database; propagation to backups within 30 days. |
| Sync progress | Temporary sync state | Automatically purged after 10 minutes of inactivity |
| Application logs | Request logs, error logs (no tokens or financial data) | 90 days, managed by the hosting provider (Railway) |
5. Data Deletion Procedures
User-initiated deletion
Users can request complete account deletion by contacting us at support@cashuary.com. Upon receiving a verified deletion request, we will:
- Revoke all active Plaid and Stripe Financial Connections access tokens via their respective APIs
- Revoke Google OAuth tokens
- Delete all records from our database: user account, bank connections, bank accounts, transaction hashes, calendar references, daily summaries, sync progress, and billing references
- Confirm deletion to the user via email
Calendar events that were previously created in the user's Google Calendar are owned by the user's Google account and will remain unless the user deletes them directly from Google Calendar.
Bank disconnection
Users can disconnect individual bank connections from within the app. When a bank is disconnected:
- The Plaid access token is revoked via Plaid's Item Remove API and deleted from our database
- The connection status is marked as disconnected
- Transaction hashes and calendar references are retained so existing calendar events remain intact
Automatic cleanup
- Temporary sync progress records are automatically deleted after 10 minutes of inactivity
- Stale connection states are cleaned up during regular sync cycles
6. Data Disposal Methods
When data is deleted (whether through account deletion, bank disconnection, or automatic cleanup), Cashuary uses the following disposal methods to ensure data is permanently destroyed and unrecoverable.
Database records
All records are permanently deleted via SQL DELETE with cascade constraints. Records are removed from PostgreSQL entirely — they are not soft-deleted and no tombstone records are retained.
Encrypted tokens
Encrypted ciphertext is deleted from the database. The plaintext was never stored — only the AES-256-GCM encrypted blob existed. Once the database row is deleted, the ciphertext is unrecoverable.
Third-party provider data
Access tokens are revoked via provider APIs (Plaid Item Remove, Google token revoke, Stripe disconnect) before database deletion. This ensures providers can no longer access user data on our behalf.
Session data
Server-side session records are deleted from PostgreSQL. Session cookies are invalidated.
Application logs
Logs are retained for 90 days by Railway's infrastructure and automatically purged. Logs never contain tokens, credentials, or raw financial data.
Backups
Railway's managed PostgreSQL handles the backup lifecycle. Deleted data propagates out of backups within 30 days.
Calendar events
Events created in Google Calendar remain in the user's Google account. Cashuary cannot delete events from a user's calendar without active authorization. Users are informed they can manually delete calendar events at any time via Google Calendar.
7. Third-Party Data Sharing
Cashuary shares data with third parties only as strictly necessary to provide the service. We do not sell, rent, or trade user data.
| Third Party | Data Shared | Purpose |
|---|---|---|
| Plaid | Bank credentials (handled entirely by Plaid Link; never touch our servers) | Bank account linking and transaction retrieval |
| Stripe | Customer ID, payment information (handled entirely by Stripe; no card data stored by us) | Subscription billing and Financial Connections bank linking |
| Google | OAuth tokens (encrypted), calendar event data | User authentication, calendar event creation and management |
| Railway | Application logs (no tokens or financial data) | Application hosting and infrastructure |
| Sentry | Error reports (no tokens or financial data) | Error monitoring and application reliability |
8. Plaid-Specific Data Handling
In accordance with Plaid's data access policies:
- Access tokens are encrypted with AES-256-GCM and stored only for the duration of the active bank connection
- Transaction data is processed in memory to generate calendar events; only a cryptographic hash is persisted for sync deduplication
- Bank credentials are handled entirely by Plaid Link and never pass through our servers
- Webhook verification uses Plaid's signed body-hash method to ensure authenticity
- Upon disconnection or account deletion, Plaid access tokens are revoked via the Item Remove API and deleted from our database immediately
9. User Rights
Users have the right to:
- Access their data by viewing connected accounts and preferences within the app
- Disconnect any bank connection at any time, triggering immediate token deletion
- Delete their entire account and all associated data by contacting support
- Export their calendar events via Google Calendar's built-in export functionality
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the email address associated with your account. The effective date at the top of this page indicates when the policy was last revised.
11. Contact
For questions about this policy, data deletion requests, or any privacy concerns, contact us at:
Email: support@cashuary.com