Privacy Policy
Cashletics privacy policy: personal data, legal bases, retention periods and data subject rights.
Privacy Policy
Cashletics mobile application — English version
⚠️ GOVERNING LANGUAGE NOTICE This document is an English translation of the Hungarian Privacy Policy (AT-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail. Hungarian version: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=hu |
| Data Controller | Mózer Ferenc (sole trader / egyéni vállalkozó) 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary |
| Effective date | 5 July 2026 |
| Version | v1.5 | 2026 |
| Governing language | Hungarian (AT-001) — this EN version is a translation |
1. Data Controller Details
| Data Controller | Mózer Ferenc |
| Business form | Sole trader (egyéni vállalkozó / EV), Hungary |
| Registered address | 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary |
| Registration number | 58145155 |
| Tax number | 41905517-1-23 |
| Privacy contact email | privacy@cashleticsapp.com |
| Support email | support@cashleticsapp.com |
| Legal email | legal@cashleticsapp.com |
| Support phone | +36 30 728 4422 |
| Website | https://cashleticsapp.com/legal.php |
| Data request (web form) | https://cashleticsapp.com/adatkerelem.php |
| Account deletion (web form) | https://cashleticsapp.com/fiok-torlese.php |
| Response deadline | 30 days (GDPR Article 12) |
2. Purpose of This Policy and Data Processing Principles
This Privacy Policy describes what personal data we process when you use the Cashletics application, for what purpose, on what legal basis, for how long we retain it, and what rights you have as a data subject.
Data processing principles (GDPR Article 5):
Lawfulness, fairness, and transparency
Purpose limitation — data is used only for specified, explicit purposes
Data minimisation — only data necessary for the given purpose is processed
Accuracy and storage limitation
Integrity, confidentiality, and accountability
| Please do not enter special category data (e.g. medical conditions, political views) or personal data of third parties into the application, unless you have a lawful basis to do so. |
3. Overview of Legal Bases
| Legal basis | GDPR reference | When applied |
|---|---|---|
| Performance of contract | Art. 6(1)(b) | Account, financial records, goals — core app functions |
| Consent | Art. 6(1)(a) | Analytics, marketing notifications, AdMob, leaderboard, banking notifications |
| Explicit consent | Art. 9(2)(a) | Health data (step count) — special category data |
| Legitimate interests | Art. 6(1)(f) | Bug fixing, fraud prevention, internal statistics |
| Legal obligation | Art. 6(1)(c) | Tax / accounting retention obligations (where applicable) |
4. Personal Data Processed — Itemised Table
The table below covers all processing activities. The detailed Record of Processing Activities (GDPR Art. 30): ROPA-001.
| Data category | Specific data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account data | Email, username, avatar, password (hash), Google UID | Registration, authentication, security | Art. 6(1)(b) | Until account deletion + 30 days |
| Profile data | Country, age, gender, language, currency, theme | Personalisation, app function | Art. 6(1)(b) | Until account deletion |
| Financial records | Income/expense amount, category, date, note | Core app function, statistics | Art. 6(1)(b) | Until account deletion + 30 days |
| Savings goals | Goal name, amount, deadline, status | Core app function | Art. 6(1)(b) | Until account deletion + 30 days |
| Points / badges | XP, CP, coins, levels, badges, streaks | Gamification, motivation | Art. 6(1)(b) | Until account deletion |
| Leaderboard data | Username, avatar, score — publicly visible | Community competition, motivation | Art. 6(1)(a) consent | Until consent withdrawal |
| Consent records | Who accepted what, when (timestamp, version) | GDPR Art. 7(1) accountability | Art. 6(1)(c) legal obl. | Account deletion + 5 years |
| Prize draw data | Participation, draw, winner identification | Running and fulfilling draws | Art. 6(1)(b) | Prize delivery + 5 years |
| Health data | Step count (daily aggregate) | Activity tracking, reward | Art. 9(2)(a) explicit consent | Until consent withdrawal / max 90 days |
| Banking notification text | Notification text (deleted after processing) | Expense recognition (optional) | Art. 6(1)(a) consent | Deleted immediately after processing |
| Analytics data | Usage events, screen time, app version | Bug fixing, development | Art. 6(1)(a) consent | 90 days (Firebase Analytics default) |
| Ad data (AdMob) | Ad identifier, Android ID, IP address | Personalised advertising | Art. 6(1)(a) consent | Per AdMob own policy |
| Support communication | Email correspondence content | Customer support | Art. 6(1)(b) / 6(1)(f) | 3 years |
| Technical / diagnostic | Device type, OS version, app version | Bug fixing, security | Art. 6(1)(f) legitimate int. | 90 days |
5. Data Processors and Firebase Data Flow
The application uses the following Firebase (Google LLC) services and other data processors. A written Data Processing Agreement (DPA) is in place / to be concluded with each processor (GDPR Art. 28). Detailed register: DPA-001.
5.1 Active Firebase services
| Service | Google LLC entity | Data processed | Server location | Transfer basis |
|---|---|---|---|---|
| Firebase Auth | Google LLC | Email, Google UID, password (hash), login timestamps | USA / EU | EU-US DPF |
| Cloud Firestore | Google LLC | All user data (profile, transactions, points, consent) | USA / EU | EU-US DPF |
| Firebase Analytics | Google LLC | Usage events, session data, device info | USA | EU-US DPF |
| Cloud Functions | Google LLC | Server-side processing (rewards, draws) | USA / EU | EU-US DPF |
5.2 Other data processors
| Processor | HQ | Role | Data processed | Transfer basis |
|---|---|---|---|---|
| Google LLC / AdMob | USA | Ad serving | Android ID, IP, ad tracking data | EU-US DPF |
| Google LLC / Play Store | USA | Subscription, purchases | Transaction metadata | EU-US DPF |
| Sybell Informatika Kft. | Budapest, HU | Web hosting, email (support) | Support correspondence | EU — no USA transfer |
| Masterpont Kft. (masterpont.hu) is NOT a data processor — it has no access to any user data. |
5.3 Firebase data flow (schematic)
Phone → Firebase Auth (authentication) → Cloud Firestore (data storage) → Firebase Analytics (analytics) → Cloud Functions (server processing) → AdMob (advertising) — all USA transfers on EU-US DPF basis.
6. Health Data — Step Count (GDPR Article 9)
| ⚠️ SPECIAL CATEGORY DATA — GDPR ARTICLE 9 | Step count qualifies as health data. Processing is only lawful with explicit consent (GDPR Art. 9(2)(a)). |
| Parameter | Android (Health Connect) | iOS (HealthKit) |
|---|---|---|
| Data source | Health Connect API or device sensor | iOS / HealthKit currently inactive; to be updated before iOS launch |
| Permission type | READ_STEPS | iOS / HealthKit currently inactive |
| Data processed | Daily aggregate step count | iOS / HealthKit currently inactive; to be updated before iOS launch |
| Legal basis | GDPR Art. 9(2)(a) explicit consent | GDPR Art. 9(2)(a) explicit consent |
| Storage | Firestore (aggregated, not raw) | Firestore (aggregated, not raw) |
| Retention | Until consent withdrawal / max 90 days | iOS / HealthKit currently inactive; to be updated before iOS launch |
| Revocable? | Yes — at any time via app settings | Yes — at any time |
Health data (step count) is used EXCLUSIVELY for:
activity tracking and gamified reward calculation
NOT transferred to AdMob, any third-party advertiser, or any external server beyond Firestore (EU-US DPF basis)
NOT displayed on the public leaderboard
NOT used for profiling, insurance, or employment decisions (Google Play Health Policy)
Detailed consent text and conditions: HE-001-EN Health Data Statement.
7. Banking Notification Reading
The application may optionally — and only with the user's explicit consent — read the text of banking push notifications to help identify expenses.
| Parameter | Value |
|---|---|
| Data processed | Notification text (push notification content) |
| App ACCESSES | Notification text only |
| App does NOT ACCESS | Bank account, account number, balance, PIN code |
| Purpose | Automatic expense recognition from text |
| Processing location | Locally on device |
| Retention | Notification text deleted immediately after processing |
| Legal basis | GDPR Art. 6(1)(a) consent (BH-001-EN) |
| Revocable? | Yes — at any time via app settings |
| Play Store policy | Google Play Financial Data policy compliant |
Detailed conditions: BH-001-EN Banking Notification Consent.
8. Push Notifications and Marketing
| Notification type | Legal basis | Revocable? |
|---|---|---|
| Transactional / service (e.g. reward available) | Art. 6(1)(b) contract | Can be limited (not fully disabled) |
| Motivational / daily reminder | Art. 6(1)(a) consent | Yes — at any time |
| Marketing / promotional | Art. 6(1)(a) consent | Yes — at any time |
9. International Data Transfers (USA)
The cashleticsapp.com website and email infrastructure operate exclusively in the EU (Sybell Informatika Kft., Budapest) — no USA transfer occurs via email. The following transfers to the USA take place through Firebase and AdMob, exclusively on the basis of the EU–US Data Privacy Framework (EU-US DPF):
| Processor | Data transferred | Transfer basis | DPF certification |
|---|---|---|---|
| Google LLC / Firebase Auth | Authentication data | EU-US DPF | Google LLC — certified |
| Google LLC / Cloud Firestore | All user data | EU-US DPF | Google LLC — certified |
| Google LLC / Firebase Analytics | Usage analytics | EU-US DPF | Google LLC — certified |
| Google LLC / Cloud Functions | Server processing | EU-US DPF | Google LLC — certified |
| Google LLC / AdMob | Ad-related data | EU-US DPF | Google LLC — certified |
| Google LLC / Play Store | Subscription metadata | EU-US DPF | Google LLC — certified |
| Sybell Informatika Kft. (email) | Support correspondence | EU — no USA transfer | — |
EU-US DPF framework: https://www.dataprivacyframework.gov/
10. Profiling and Automated Decision-Making (GDPR Article 22)
The application may build a combined user profile from financial, activity, and gamification data (combination of financial + health + behavioural data). This carries profiling risk.
Profiling is used EXCLUSIVELY for:
Displaying personalised rewards and challenges
Calculating leaderboard scores
Prohibited profiling purposes (Google Play Health Policy and GDPR Art. 22):
Automated credit, insurance, or employment decisions
Use of health data for advertising purposes
Transfer to third parties without notification
Detailed Data Protection Impact Assessment: DPIA-001.
11. Your Rights as a Data Subject (GDPR Articles 15–22)
| Right | GDPR Art. | Description | How to exercise |
|---|---|---|---|
| Right of access | Art. 15 | Information about data processed | privacy@cashleticsapp.com or adatkerelem.php |
| Right to rectification | Art. 16 | Correction of inaccurate data | App profile settings or email |
| Right to erasure | Art. 17 | Deletion of data ("right to be forgotten") | fiok-torlese.php or privacy@cashleticsapp.com |
| Right to restriction | Art. 18 | Request restriction of processing | privacy@cashleticsapp.com |
| Right to portability | Art. 20 | Data in machine-readable format | privacy@cashleticsapp.com (JSON export) |
| Right to object | Art. 21 | Object to legitimate interest processing | privacy@cashleticsapp.com |
| Withdrawal of consent | Art. 7(3) | At any time, without retroactive effect | App settings or email |
| Right to complain | Art. 77 | Lodge complaint with supervisory authority | NAIH: www.naih.hu | ugyfelszolgalat@naih.hu |
Response deadline: 30 days (GDPR Art. 12). Extendable to 60 days in justified cases; you will be notified. Detailed request handling procedure: EJ-001.
12. Protection of Children's Data
The application is NOT available to persons under 16 (GDPR Art. 8, Google Play Families Policy). If we become aware that we are processing data of a person under 16, we will delete it immediately and suspend the account. Please report such cases to: privacy@cashleticsapp.com
13. Data Security
Firebase Security Rules (Firestore) — per-user data access isolation
Authentication: Firebase Auth (email + password hash, Google SSO)
Data in transit: HTTPS / TLS encryption on all communication; Data at rest: Google Cloud AES-256 encryption — consistent with GPS-001 Play Console declaration
Access control: Firebase Console access may be granted to the Data Controller and to a developer acting under a data processing agreement; access is limited, logged, MFA/2FA protected and based on the need-to-know principle.
Data breach: NAIH notification within 72 hours (GDPR Art. 33); template: INC-001
14. Cookies and Tracking
The cashleticsapp.com website is tracker-free — no Google Analytics, Meta Pixel, Google Tag Manager, or other cookies. No cookie banner is required.
Within the application, Firebase Analytics uses app-level identifiers rather than traditional cookies. Detailed policy: CK-001-EN Cookie & Tracking Policy.
15. Changes to This Policy and Governing Language
The Data Controller may update this Privacy Policy. For material changes, you will be notified at least 15 days in advance (email or in-app). The current version is always available at: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=en
⚠️ GOVERNING LANGUAGE NOTICE This document is an English translation of the Hungarian Privacy Policy (AT-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail. Hungarian version: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=hu |
Publication addendum
v1.5a supplement — step-count permissions:
On Android, the application may request READ_HEALTH_DATA_HISTORY and ACTIVITY_RECOGNITION in addition to READ_STEPS. These permissions support historical aggregated step totals and Android activity/step-count handling. This does not involve processing GPS, routes, heart rate, workout type, or other health data.
Next review: 5 July 2027.