Privacy Policy

1. Introduction

Cashuary ("we", "our", or "us") is a personal finance tool that syncs your bank transaction information to Google Calendar as all-day events. This Privacy Policy explains what data we collect, how we use it, and how we protect it.

By using Cashuary, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

2. Information We Collect

We collect the following categories of information:

• Google Account Information: When you sign in with Google, we receive your name, email address, and Google account identifier. We also receive OAuth tokens that allow us to create and manage calendar events on your behalf.
• Bank Account Metadata via Plaid: When you connect a bank account through Plaid, we receive transaction metadata including merchant name, transaction amount, date, and category. We use this information solely to create calendar events.
• Plaid Access Tokens: We store encrypted Plaid access tokens to maintain your bank connection and receive ongoing transaction updates.

3. Information We Do NOT Store

Cashuary is designed with a privacy-first architecture. We do not store raw financial data on our servers. Specifically:

• No raw transaction data: We do not persist raw transaction details in our database. Transaction information is processed in memory and written directly to your Google Calendar. Only a cryptographic hash of each transaction is stored to prevent duplicate calendar events.
• No account numbers: We never receive or store your bank account numbers, routing numbers, or login credentials. Plaid handles all bank authentication directly.
• No financial balances: We do not request or store your account balances.

4. How We Use Your Information

We use the information we collect exclusively for the following purposes:

• Creating calendar events: Transaction metadata is formatted into all-day Google Calendar events showing merchant name and amount.
• Preventing duplicates: Transaction hashes are stored to avoid creating duplicate calendar events for the same transaction.
• Maintaining your connection: Encrypted tokens are used to keep your bank and Google Calendar connections active.
• Service operation: We use your email address for account management and to communicate important service updates.

5. Data Security

We take the security of your data seriously:

• Token encryption: All sensitive tokens (Google OAuth tokens and Plaid access tokens) are encrypted at rest using AES-256-GCM, an industry-standard authenticated encryption algorithm. Tokens are never stored in plaintext.
• Transport security: All data in transit is encrypted using TLS/HTTPS.
• Webhook verification: Plaid webhook payloads are verified using cryptographic signatures to ensure authenticity before processing.
• Session security: User sessions are secured with HTTP-only cookies, CSRF protection, and are stored in an encrypted server-side session store.

6. Third-Party Services

Cashuary integrates with the following third-party services:

• Plaid (plaid.com): We use Plaid to securely connect to your bank and retrieve transaction data. Plaid acts as an intermediary and handles all direct communication with your financial institution. Plaid's use of your data is governed by the Plaid End User Privacy Policy.
• Google Calendar API (google.com): We use the Google Calendar API to create and manage a dedicated "Cashuary" calendar and its events in your Google account. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
• Sentry: We may use Sentry for error tracking and monitoring to improve service reliability. Error reports do not contain financial data or access tokens.
• PostHog (posthog.com): We use PostHog for privacy-friendly product analytics and session replay. Analytics traffic is routed through Cloudflare as a managed reverse proxy. We collect page views, anonymized click events (including the visible text of buttons and links you interact with), and screen replays. Form input values are masked in session replay. Elements rendering bank, account, or calendar names are marked to be excluded from click-text collection on a best-effort basis, and a regex scrubber strips account-suffix patterns (e.g. "··5891") from any element text that does reach PostHog. The only event property tied to your bank connections is Plaid's stable institution identifier (e.g. "ins_109508"), never the bank's name. Session replay captures the rendered page so on-screen text such as bank or calendar names may appear in replay video; you can request deletion at any time. No financial data, bank credentials, account numbers, or access tokens are sent to either provider.

7. Google API Services User Data Policy

Cashuary's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We only request the minimum Google OAuth scopes necessary to operate the service: calendar event management and basic profile information. We do not sell, rent, or trade Google user data to any third party. We do not use Google user data for advertising, credit assessment, lending, AI model training, or any purpose other than providing and improving the Cashuary service. We do not share Google user data with third parties except as necessary to provide and improve the service (e.g., Plaid for bank connectivity, Google Calendar API for event creation).

8. Data Retention and Deletion

We retain your data only as long as your account is active and as needed to provide the service. You may request deletion of your account and all associated data at any time.

When you delete your account:

• Your user record and all associated data are permanently removed from our database.
• All encrypted tokens (Google and Plaid) are deleted.
• All stored transaction hashes are deleted.
• Calendar events previously created in your Google Calendar will remain unless you manually delete the Cashuary calendar from your Google account.

9. Children's Privacy

Cashuary is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website prior to the change becoming effective. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your personal data, please contact us at:

Email: privacy@cashuary.com