Draft — requires legal review

Privacy Policy

Last updated: April 24, 2026

1. What we collect

When you use CashMate we collect information that you enter directly: email address, password (stored as a bcrypt hash), account names, transaction amounts and categories, budget configurations, and Zakat snapshots. We do not connect to your bank, we do not use Plaid or any bank-linking aggregator, and we do not purchase transaction data from third parties.

We also collect minimal technical data to operate the service: IP addresses for abuse prevention, user-agent strings for compatibility, and product analytics via Vercel Analytics. Analytics are event-level and not tied to individual users beyond the session.

2. How we store it

Your data is stored in Supabase, a managed PostgreSQL provider. Row Level Security is enforced on every user-scoped table — your rows are isolated at the database level, and another CashMate user cannot read your data even if they try. All traffic is TLS-encrypted in transit. Data at rest is encrypted by the underlying provider.

3. How we use it

We use your data only to operate the service you signed up for: showing you your transactions, running your budget calculations, computing your Zakat, and sending you account-related emails. We do not sell your data. We do not share it with third parties for advertising. We do not use your transaction history to train AI models that we then sell or syndicate.

4. Cookies and tracking

We use a session cookie for authentication. We use Vercel Analytics for aggregate site usage and Vercel Speed Insights for performance monitoring. We do not run third-party advertising pixels.

5. Your rights

You can export all your data as CSV from Settings at any time. You can delete your account from Settings — deletion removes all your records within 30 days. You can update or correct any data you entered. If you are in the EU/UK, you have the rights granted by GDPR and can request access, rectification, portability, or erasure by emailing us.

6. Data retention

We keep your data for as long as your account is active. After you delete your account, active records are removed within 30 days. Backup copies may persist for up to 90 days before permanent deletion. Anonymized analytics may be retained indefinitely.

7. Children

CashMate is not intended for users under 13. We do not knowingly collect data from children. If we learn that we have collected data from a user under 13, we will delete it.

8. Changes

We will post material changes here with at least 30 days' notice. For minor updates we will update the "Last updated" date above.

9. Contact

Questions about this policy? Email us.