1. Introduction
Cashendar ("we", "our", or "us") is a personal finance tool that syncs your bank transaction information to Google Calendar as all-day events. This Privacy Policy explains what data we collect, how we use it, and how we protect it.
By using Cashendar, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.
2. Information We Collect
We collect the following categories of information:
- Google Account Information: When you sign in with Google, we receive your name, email address, and Google account identifier. We also receive OAuth tokens that allow us to create and manage calendar events on your behalf.
- Bank Account Metadata via Plaid: When you connect a bank account through Plaid, we receive transaction metadata including merchant name, transaction amount, date, and category. We use this information solely to create calendar events.
- Plaid Access Tokens: We store encrypted Plaid access tokens to maintain your bank connection and receive ongoing transaction updates.
3. Information We Do NOT Store
Cashendar is designed with a privacy-first architecture. We do not store raw financial data on our servers. Specifically:
- No raw transaction data: We do not persist raw transaction details in our database. Transaction information is processed in memory and written directly to your Google Calendar. Only a cryptographic hash of each transaction is stored to prevent duplicate calendar events.
- No account numbers: We never receive or store your bank account numbers, routing numbers, or login credentials. Plaid handles all bank authentication directly.
- No financial balances: We do not request or store your account balances.
4. How We Use Your Information
We use the information we collect exclusively for the following purposes:
- Creating calendar events: Transaction metadata is formatted into all-day Google Calendar events showing merchant name and amount.
- Preventing duplicates: Transaction hashes are stored to avoid creating duplicate calendar events for the same transaction.
- Maintaining your connection: Encrypted tokens are used to keep your bank and Google Calendar connections active.
- Service operation: We use your email address for account management and to communicate important service updates.
5. Data Security
We take the security of your data seriously:
- Token encryption: All sensitive tokens (Google OAuth tokens and Plaid access tokens) are encrypted at rest using AES-256-GCM, an industry-standard authenticated encryption algorithm. Tokens are never stored in plaintext.
- Transport security: All data in transit is encrypted using TLS/HTTPS.
- Webhook verification: Plaid webhook payloads are verified using cryptographic signatures to ensure authenticity before processing.
- Session security: User sessions are secured with HTTP-only cookies, CSRF protection, and are stored in an encrypted server-side session store.
6. Third-Party Services
Cashendar integrates with the following third-party services:
- Plaid (plaid.com): We use Plaid to securely connect to your bank and retrieve transaction data. Plaid acts as an intermediary and handles all direct communication with your financial institution. Plaid's use of your data is governed by the Plaid End User Privacy Policy.
- Google Calendar API (google.com): We use the Google Calendar API to create and manage a dedicated "Cashendar" calendar and its events in your Google account. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
- Sentry: We may use Sentry for error tracking and monitoring to improve service reliability. Error reports do not contain financial data or access tokens.
7. Google API Services User Data Policy
Cashendar's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We only request the minimum Google OAuth scopes necessary to operate the service: calendar event management and basic profile information. We do not use Google user data for advertising, and we do not share Google user data with third parties except as necessary to provide and improve the service.
8. Data Retention and Deletion
We retain your data only as long as your account is active and as needed to provide the service. You may request deletion of your account and all associated data at any time.
When you delete your account:
- Your user record and all associated data are permanently removed from our database.
- All encrypted tokens (Google and Plaid) are deleted.
- All stored transaction hashes are deleted.
- Calendar events previously created in your Google Calendar will remain unless you manually delete the Cashendar calendar from your Google account.
9. Children's Privacy
Cashendar is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website prior to the change becoming effective. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or your personal data, please contact us at:
Email: privacy@cashendar.com