
Privacy Policy

Effective: May 12, 2026

Last updated: May 12, 2026


Overview

CashTrack ("we", "us", "our") is a mobile app for small business owners — convenience stores, gas stations, and similar retail operations — to manage daily cash closeouts, reconcile bank transactions, and oversee worker submissions across one or more stores. The Service is operated from New Jersey, United States.

This Privacy Policy explains what data we collect when you use our app or website, how we use it, who we share it with, and what choices you have. We've tried to keep it short and plain.

The short version: We collect only what's needed to run the app. We never sell your data. Your bank credentials never touch our servers — they're handled by Plaid. You can export everything, delete your account, and have all your data removed at any time from inside the app.

What we collect

Information you give us

  • Account details — your name, email address, phone number (optional), and an optional profile photo. If you sign up as a business owner, we also collect your business name and the names of any workers you invite.
  • Authentication data — passwords (stored only as one-way hashes), multi-factor authentication settings, and records of devices used to sign in.
  • Business records — daily closeout entries (cash counts, sales totals, expense entries, shift notes), worker assignments, store settings, expense categories, and weekly summary reports. Workers submit closeouts; owners review and approve them.
  • Bank transaction data — if you choose to connect a business bank account, we receive transaction records (dates, amounts, descriptions, account names) through Plaid. See the dedicated Plaid section below.
  • Subscription data — if you upgrade to CashTrack Pro, we receive a record of your subscription status (active, expired, billing issue) through Apple, Google, and RevenueCat. We do not receive your full payment card or banking details.
  • Communications — messages you send through support email, surveys, or feedback forms.

Information collected automatically

  • Device & usage data — device model, operating system version, app version, language, crash reports, and basic in-app events used to diagnose problems.
  • Push notification tokens — issued by Apple Push Notification Service or Firebase Cloud Messaging when you allow notifications, used solely to deliver in-app alerts about closeouts, report status, and bank events.
  • Approximate location — derived from your IP address only, used for fraud prevention and time-zone defaults. We do not collect precise GPS location.
  • Address autocomplete input — when you type an address while adding a store, the text you type is sent to Google Places for suggestions. We do not collect or store your physical location automatically.

How we use it

We use the information above to:

  • Provide the closeout, reporting, and worker-management features you sign up for.
  • Sync your data securely across the devices you authenticate.
  • Reconcile your worker-submitted closeouts against bank activity (if you connect a bank).
  • Send transactional notifications — closeout submission alerts, review approvals, bank reconciliation events, login codes, and account notices.
  • Detect fraud, prevent abuse, and protect the security of accounts.
  • Diagnose bugs and improve app reliability.
  • Process subscriptions and provide access to Pro features.
  • Comply with applicable legal obligations.

We do not use your financial records or bank data to train advertising models, target ads, or build marketing profiles. We do not sell your data to anyone.

Third-party services

CashTrack uses the following third-party service providers to deliver the app. Each receives only the minimum data needed for its function. Their handling of your data is governed by their own privacy policies, linked below.

  • Supabase (database, authentication, file storage, serverless functions) — stores your account information, business records, closeout entries, encrypted Plaid access tokens, and notification preferences. Hosted in the United States on AWS infrastructure. Supabase privacy policy.
  • Plaid (bank account linking and transaction data) — see the dedicated Plaid section below.
  • RevenueCat (subscription management) — receives your subscription identifier, the platform you're on (Apple or Google), and your subscription state. Does not receive your name, email, or financial entries. RevenueCat privacy policy.
  • Apple App Store / Google Play — when you subscribe, payment is processed by Apple or Google. We never receive your full payment card details. Apple privacy · Google privacy.
  • Apple Push Notification Service / Firebase Cloud Messaging (push notifications) — receives the notification token issued by your device. Required to deliver alerts.
  • Expo (mobile app delivery platform) — facilitates push token registration and over-the-air app updates. Expo privacy policy.
  • Google Places (address autocomplete) — when you type an address while adding a store, the text you type is sent to Google for suggestions. Google privacy policy.

We may also disclose information if required by law, to respond to valid legal process, to protect our rights, or to prevent harm — and we will tell you when we are legally allowed to.

We do not sell your personal information. We do not share your business records, financial entries, or bank data with advertisers or data brokers.

Plaid & bank connections

CashTrack uses Plaid Inc. ("Plaid") to securely connect your business bank account to the app. Connecting a bank is optional — you can use CashTrack without it — but doing so allows the app to reconcile your worker-submitted closeouts against actual bank deposits and expenses.

How it works:

  • When you tap "Connect a bank," you are handed off to Plaid's secure interface inside the app.
  • You enter your bank credentials (username, password, MFA codes) directly into Plaid's screen. Your bank credentials never touch CashTrack's servers and we never see them.
  • Plaid exchanges your credentials with your bank for a long-lived access token. Plaid sends only this access token to us — not your credentials.
  • We store the access token encrypted at the database column level using server-managed keys. Only our authenticated backend services can decrypt it.
  • We use the access token only to fetch your transaction history, account names, and account balances from Plaid, on your behalf, for the bank you connected.
  • If you disconnect a bank from inside the app, we revoke the token with Plaid and delete it from our database.

What Plaid does with your data: Plaid is the data controller for the information they collect from your bank on your behalf. Their use of that data is governed by Plaid's End User Privacy Policy: https://plaid.com/legal/#end-user-privacy-policy. By connecting a bank through CashTrack you also acknowledge Plaid's End User Privacy Policy.

What we use your bank data for: only to display your transactions, categorize expenses, detect cash discrepancies between worker closeouts and bank activity, and produce weekly reconciliation summaries. We do not share your bank data with any third party other than the service providers listed above (e.g. Supabase, our database host) and we do not use it for advertising, credit decisions, or any purpose outside CashTrack.

Storage & security

Your data is hosted in the United States by Supabase on AWS infrastructure.

  • In transit: all communication between the app and our servers uses TLS 1.2 or higher.
  • At rest: the underlying database disks are encrypted by our hosting provider.
  • Column-level encryption: sensitive credentials, including Plaid bank access tokens, are additionally encrypted at the database column level using server-managed keys, so they remain unreadable even to anyone who gains direct database access.
  • Access controls: per-row access policies enforce that you can only read or modify your own business's records. Workers see only what their owner has granted them.
  • Authentication: we support multi-factor authentication and track trusted devices. You can review your sign-in activity inside the app.
  • Backups: the database is backed up daily by Supabase.

No system is perfectly secure. If we ever discover a breach affecting your data, we will notify you promptly by email and inside the app, explain what happened, what we're doing about it, and what you should do.

Your rights

Depending on where you live, you may have the right to:

  • Access — request a copy of the data we hold about you.
  • Correct — fix anything that is inaccurate.
  • Delete — close your account and remove your data. CashTrack has a dedicated Delete Account screen inside the app that performs this end-to-end (including disconnecting any Plaid bank links and revoking access tokens).
  • Export — download your business data as CSV or PDF from inside the app at any time, using the Export Data screen.
  • Object or restrict — limit certain processing of your information.
  • Withdraw consent — turn off push notifications, disconnect a bank, or stop using the app at any time.

To exercise any of these rights, you can use the in-app controls or email us at privacy@cashtracks.app. We respond within 30 days.

Data retention

We retain your account data for as long as your account is active. If you delete your account from within the app, we remove your personal data and business records from active systems within 30 days. Backups containing deleted data are rotated and purged within 30 days after that.

We may retain a minimal subset of records longer where required for legal, tax, fraud-prevention, or accounting reasons — for example, records of subscription transactions required by tax authorities. Anonymized, aggregated data (not tied to your identity) may be kept longer for analytics.

Children

CashTrack is intended for adults running a business. It is not directed at children under 13 (or under 16 in some regions). We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy as the product and applicable law evolve. When we make material changes, we will notify you by email and inside the app at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

Contact

Questions about privacy? Reach us at:

  • Email: privacy@cashtracks.app
  • Support: support@cashtracks.app
  • Operator: CashTrack, New Jersey, United States

By using CashTrack you agree to this Privacy Policy and our Terms of Service.


© 2026 CashTrack. All rights reserved.
