Cashletics
Home Legal documents Delete account Contact HU
Documents Terms of Use Privacy Policy Cookie & Tracking Policy Health Data Statement Banking Notification Consent Age Restriction Statement In-app Consent Flow Prize Draw Rules Imprint
adatvédelem

Privacy Policy

Cashletics privacy policy: personal data, legal bases, retention periods and data subject rights.

Privacy Policy

Cashletics mobile application — English version

⚠️ GOVERNING LANGUAGE NOTICE

This document is an English translation of the Hungarian Privacy Policy (AT-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail.

Hungarian version: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=hu

Data Controller Mózer Ferenc (sole trader / egyéni vállalkozó) 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary
Effective date 5 July 2026
Version v1.5 | 2026
Governing language Hungarian (AT-001) — this EN version is a translation

1. Data Controller Details

Data Controller Mózer Ferenc
Business form Sole trader (egyéni vállalkozó / EV), Hungary
Registered address 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary
Registration number 58145155
Tax number 41905517-1-23
Privacy contact email privacy@cashleticsapp.com
Support email support@cashleticsapp.com
Legal email legal@cashleticsapp.com
Support phone +36 30 728 4422
Website https://cashleticsapp.com/legal.php
Data request (web form) https://cashleticsapp.com/adatkerelem.php
Account deletion (web form) https://cashleticsapp.com/fiok-torlese.php
Response deadline 30 days (GDPR Article 12)

2. Purpose of This Policy and Data Processing Principles

This Privacy Policy describes what personal data we process when you use the Cashletics application, for what purpose, on what legal basis, for how long we retain it, and what rights you have as a data subject.

Data processing principles (GDPR Article 5):

  • Lawfulness, fairness, and transparency

  • Purpose limitation — data is used only for specified, explicit purposes

  • Data minimisation — only data necessary for the given purpose is processed

  • Accuracy and storage limitation

  • Integrity, confidentiality, and accountability

Please do not enter special category data (e.g. medical conditions, political views) or personal data of third parties into the application, unless you have a lawful basis to do so.

3. Overview of Legal Bases

Legal basis GDPR reference When applied
Performance of contract Art. 6(1)(b) Account, financial records, goals — core app functions
Consent Art. 6(1)(a) Analytics, marketing notifications, AdMob, leaderboard, banking notifications
Explicit consent Art. 9(2)(a) Health data (step count) — special category data
Legitimate interests Art. 6(1)(f) Bug fixing, fraud prevention, internal statistics
Legal obligation Art. 6(1)(c) Tax / accounting retention obligations (where applicable)

4. Personal Data Processed — Itemised Table

The table below covers all processing activities. The detailed Record of Processing Activities (GDPR Art. 30): ROPA-001.

Data category Specific data Purpose Legal basis Retention
Account data Email, username, avatar, password (hash), Google UID Registration, authentication, security Art. 6(1)(b) Until account deletion + 30 days
Profile data Country, age, gender, language, currency, theme Personalisation, app function Art. 6(1)(b) Until account deletion
Financial records Income/expense amount, category, date, note Core app function, statistics Art. 6(1)(b) Until account deletion + 30 days
Savings goals Goal name, amount, deadline, status Core app function Art. 6(1)(b) Until account deletion + 30 days
Points / badges XP, CP, coins, levels, badges, streaks Gamification, motivation Art. 6(1)(b) Until account deletion
Leaderboard data Username, avatar, score — publicly visible Community competition, motivation Art. 6(1)(a) consent Until consent withdrawal
Consent records Who accepted what, when (timestamp, version) GDPR Art. 7(1) accountability Art. 6(1)(c) legal obl. Account deletion + 5 years
Prize draw data Participation, draw, winner identification Running and fulfilling draws Art. 6(1)(b) Prize delivery + 5 years
Health data Step count (daily aggregate) Activity tracking, reward Art. 9(2)(a) explicit consent Until consent withdrawal / max 90 days
Banking notification text Notification text (deleted after processing) Expense recognition (optional) Art. 6(1)(a) consent Deleted immediately after processing
Analytics data Usage events, screen time, app version Bug fixing, development Art. 6(1)(a) consent 90 days (Firebase Analytics default)
Ad data (AdMob) Ad identifier, Android ID, IP address Personalised advertising Art. 6(1)(a) consent Per AdMob own policy
Support communication Email correspondence content Customer support Art. 6(1)(b) / 6(1)(f) 3 years
Technical / diagnostic Device type, OS version, app version Bug fixing, security Art. 6(1)(f) legitimate int. 90 days

5. Data Processors and Firebase Data Flow

The application uses the following Firebase (Google LLC) services and other data processors. A written Data Processing Agreement (DPA) is in place / to be concluded with each processor (GDPR Art. 28). Detailed register: DPA-001.

5.1 Active Firebase services

Service Google LLC entity Data processed Server location Transfer basis
Firebase Auth Google LLC Email, Google UID, password (hash), login timestamps USA / EU EU-US DPF
Cloud Firestore Google LLC All user data (profile, transactions, points, consent) USA / EU EU-US DPF
Firebase Analytics Google LLC Usage events, session data, device info USA EU-US DPF
Cloud Functions Google LLC Server-side processing (rewards, draws) USA / EU EU-US DPF

5.2 Other data processors

Processor HQ Role Data processed Transfer basis
Google LLC / AdMob USA Ad serving Android ID, IP, ad tracking data EU-US DPF
Google LLC / Play Store USA Subscription, purchases Transaction metadata EU-US DPF
Sybell Informatika Kft. Budapest, HU Web hosting, email (support) Support correspondence EU — no USA transfer
Masterpont Kft. (masterpont.hu) is NOT a data processor — it has no access to any user data.

5.3 Firebase data flow (schematic)

Phone → Firebase Auth (authentication) → Cloud Firestore (data storage) → Firebase Analytics (analytics) → Cloud Functions (server processing) → AdMob (advertising) — all USA transfers on EU-US DPF basis.

6. Health Data — Step Count (GDPR Article 9)

⚠️ SPECIAL CATEGORY DATA — GDPR ARTICLE 9 | Step count qualifies as health data. Processing is only lawful with explicit consent (GDPR Art. 9(2)(a)).
Parameter Android (Health Connect) iOS (HealthKit)
Data source Health Connect API or device sensor iOS / HealthKit currently inactive; to be updated before iOS launch
Permission type READ_STEPS iOS / HealthKit currently inactive
Data processed Daily aggregate step count iOS / HealthKit currently inactive; to be updated before iOS launch
Legal basis GDPR Art. 9(2)(a) explicit consent GDPR Art. 9(2)(a) explicit consent
Storage Firestore (aggregated, not raw) Firestore (aggregated, not raw)
Retention Until consent withdrawal / max 90 days iOS / HealthKit currently inactive; to be updated before iOS launch
Revocable? Yes — at any time via app settings Yes — at any time

Health data (step count) is used EXCLUSIVELY for:

  • activity tracking and gamified reward calculation

  • NOT transferred to AdMob, any third-party advertiser, or any external server beyond Firestore (EU-US DPF basis)

  • NOT displayed on the public leaderboard

  • NOT used for profiling, insurance, or employment decisions (Google Play Health Policy)

Detailed consent text and conditions: HE-001-EN Health Data Statement.

7. Banking Notification Reading

The application may optionally — and only with the user's explicit consent — read the text of banking push notifications to help identify expenses.

Parameter Value
Data processed Notification text (push notification content)
App ACCESSES Notification text only
App does NOT ACCESS Bank account, account number, balance, PIN code
Purpose Automatic expense recognition from text
Processing location Locally on device
Retention Notification text deleted immediately after processing
Legal basis GDPR Art. 6(1)(a) consent (BH-001-EN)
Revocable? Yes — at any time via app settings
Play Store policy Google Play Financial Data policy compliant

Detailed conditions: BH-001-EN Banking Notification Consent.

8. Push Notifications and Marketing

Notification type Legal basis Revocable?
Transactional / service (e.g. reward available) Art. 6(1)(b) contract Can be limited (not fully disabled)
Motivational / daily reminder Art. 6(1)(a) consent Yes — at any time
Marketing / promotional Art. 6(1)(a) consent Yes — at any time

9. International Data Transfers (USA)

The cashleticsapp.com website and email infrastructure operate exclusively in the EU (Sybell Informatika Kft., Budapest) — no USA transfer occurs via email. The following transfers to the USA take place through Firebase and AdMob, exclusively on the basis of the EU–US Data Privacy Framework (EU-US DPF):

Processor Data transferred Transfer basis DPF certification
Google LLC / Firebase Auth Authentication data EU-US DPF Google LLC — certified
Google LLC / Cloud Firestore All user data EU-US DPF Google LLC — certified
Google LLC / Firebase Analytics Usage analytics EU-US DPF Google LLC — certified
Google LLC / Cloud Functions Server processing EU-US DPF Google LLC — certified
Google LLC / AdMob Ad-related data EU-US DPF Google LLC — certified
Google LLC / Play Store Subscription metadata EU-US DPF Google LLC — certified
Sybell Informatika Kft. (email) Support correspondence EU — no USA transfer —

EU-US DPF framework: https://www.dataprivacyframework.gov/

10. Profiling and Automated Decision-Making (GDPR Article 22)

The application may build a combined user profile from financial, activity, and gamification data (combination of financial + health + behavioural data). This carries profiling risk.

Profiling is used EXCLUSIVELY for:

  • Displaying personalised rewards and challenges

  • Calculating leaderboard scores

Prohibited profiling purposes (Google Play Health Policy and GDPR Art. 22):

  • Automated credit, insurance, or employment decisions

  • Use of health data for advertising purposes

  • Transfer to third parties without notification

Detailed Data Protection Impact Assessment: DPIA-001.

11. Your Rights as a Data Subject (GDPR Articles 15–22)

Right GDPR Art. Description How to exercise
Right of access Art. 15 Information about data processed privacy@cashleticsapp.com or adatkerelem.php
Right to rectification Art. 16 Correction of inaccurate data App profile settings or email
Right to erasure Art. 17 Deletion of data ("right to be forgotten") fiok-torlese.php or privacy@cashleticsapp.com
Right to restriction Art. 18 Request restriction of processing privacy@cashleticsapp.com
Right to portability Art. 20 Data in machine-readable format privacy@cashleticsapp.com (JSON export)
Right to object Art. 21 Object to legitimate interest processing privacy@cashleticsapp.com
Withdrawal of consent Art. 7(3) At any time, without retroactive effect App settings or email
Right to complain Art. 77 Lodge complaint with supervisory authority NAIH: www.naih.hu | ugyfelszolgalat@naih.hu

Response deadline: 30 days (GDPR Art. 12). Extendable to 60 days in justified cases; you will be notified. Detailed request handling procedure: EJ-001.

12. Protection of Children's Data

The application is NOT available to persons under 16 (GDPR Art. 8, Google Play Families Policy). If we become aware that we are processing data of a person under 16, we will delete it immediately and suspend the account. Please report such cases to: privacy@cashleticsapp.com

13. Data Security

  • Firebase Security Rules (Firestore) — per-user data access isolation

  • Authentication: Firebase Auth (email + password hash, Google SSO)

  • Data in transit: HTTPS / TLS encryption on all communication; Data at rest: Google Cloud AES-256 encryption — consistent with GPS-001 Play Console declaration

  • Access control: Firebase Console access may be granted to the Data Controller and to a developer acting under a data processing agreement; access is limited, logged, MFA/2FA protected and based on the need-to-know principle.

  • Data breach: NAIH notification within 72 hours (GDPR Art. 33); template: INC-001

14. Cookies and Tracking

The cashleticsapp.com website is tracker-free — no Google Analytics, Meta Pixel, Google Tag Manager, or other cookies. No cookie banner is required.

Within the application, Firebase Analytics uses app-level identifiers rather than traditional cookies. Detailed policy: CK-001-EN Cookie & Tracking Policy.

15. Changes to This Policy and Governing Language

The Data Controller may update this Privacy Policy. For material changes, you will be notified at least 15 days in advance (email or in-app). The current version is always available at: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=en

⚠️ GOVERNING LANGUAGE NOTICE

This document is an English translation of the Hungarian Privacy Policy (AT-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail.

Hungarian version: https://cashleticsapp.com/legal.php?slug=adatkezeles&lang=hu

Publication addendum

v1.5a supplement — step-count permissions:

On Android, the application may request READ_HEALTH_DATA_HISTORY and ACTIVITY_RECOGNITION in addition to READ_STEPS. These permissions support historical aggregated step totals and Android activity/step-count handling. This does not involve processing GPS, routes, heart rate, workout type, or other health data.

Next review: 5 July 2027.

Back to list
Cashletics

Pénzügyi motiváció játékosan – pénzügy, lépésszám és jutalmak egy appban.

Legal

ÁSZF / Terms Privacy Cookie & Tracking

Support

support@cashleticsapp.com Data request
© 2026 Cashletics. All rights reserved.