In-app Consent Flow
Consent flows and withdrawal options displayed in the Cashletics app.
In-app Consent Flow
& Texts Specification
| Data Controller | Mózer Ferenc (sole trader) |
| Registered address | 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary |
| Tax number | 41905517-1-23 |
| Privacy contact | privacy@cashleticsapp.com |
| Effective date | 5 July 2026 |
| Version | v1.5 |
| Target audience | Developer (implementation) + GDPR audit |
| Governing language | Hungarian (HJ-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail. |
cashleticsapp.com/legal.php · Public consent-flow notice GDPR-compliant ✔
|
1. Purpose and Scope
This document specifies the complete consent management (consent flow) of the Cashletics mobile application in English. It contains:
exact UI texts displayed to the user (in English, in implementable form),
the 5-step consent flow sequence and the logical conditions of each step,
references to the Firestore consent log data structure (see HJ-001 Section 10),
withdrawal pathways and the Settings menu consent management structure,
Play Store review-ready compliance notes.
|
2. Consent Flow Architecture — Overview
Cashletics applies a 5-step consent flow. The order of steps is fixed — optional steps may be skipped by the user, but mandatory (blocking) steps must be completed before registration can proceed.
| # | Consent type | Required? | Legal basis document |
| 1 | Terms of Use + Privacy Policy acceptance | ⛔ MANDATORY — blocking | ASZF-001-EN, AT-001-EN |
| 2 | Health Connect step-count permission (Android) HealthKit step-count permission (iOS — currently inactive) |
✔ Optional — recommended | HE-001-EN |
| 3 | Banking notification read permission | ✔ Optional | BH-001-EN |
| 4 | Marketing push notifications (FCM) | ✔ Optional — future [FCM not yet active] | AT-001-EN §6 |
| 5 | Analytics and ad tracking (AdMob) | ✔ Optional — relevant for Free users only | CK-001-EN |
|
3. Consent Flow Step Diagram
The diagram below shows the logical flow of the registration process. Each step includes the decision point and the resulting state.
REGISTRATION START ↓ [ Step 1 ] Terms of Use + Privacy Policy → MANDATORY ├ Accepts → proceed to Step 2 └ Declines → registration aborted, app unusable ↓ [ Step 2 ] Health Connect / step count → OPTIONAL ├ Grants → step-count XP and challenges available └ Skips → step-count features unavailable (can be enabled later) ↓ [ Step 3 ] Banking notification access → OPTIONAL ├ Grants → automatic transaction import available └ Skips → manual entry required (can be enabled later) ↓ [ Step 4 ] Marketing push notifications (FCM) → OPTIONAL — future ├ Grants → challenge and reward notifications enabled └ Skips → notifications off (changeable in Settings) ↓ [ Step 5 ] Analytics / AdMob tracking → OPTIONAL (Free users only) ├ Accepts → personalised ads and analytics enabled └ Declines → non-personalised ads, analytics limited └ PRO user → this step is skipped (no ads) ↓ HOME SCREEN — app fully accessible |
4. Step 1 — Terms of Use and Privacy Policy Acceptance
4.1 When it appears
During registration, after entering email/password, before account creation. Blocking: the account is only created after acceptance.
4.2 UI text — dialog/modal
|
4.3 Implementation notes
Checkbox default state: unchecked (not pre-ticked — GDPR Art. 7: no implicit consent).
The "Create Account" button is disabled until the checkbox is ticked.
Terms of Use and Privacy Policy links open cashleticsapp.com/legal.php in an in-app WebView.
Consent log entry: see HJ-001 Section 10 — consent_type: "terms_and_privacy".
5. Step 2 — Health Connect / Step Count Permission
5.1 When it appears
Immediately after successful registration, on first login. Optional — skippable via "Skip" button. Can be re-enabled later: Settings → Health data.
5.2 Prominent disclosure dialog (required by Play Store policy)
Per GDPR Art. 9(2)(a): step count data qualifies as health data and requires explicit prior disclosure BEFORE the system permission request.
|
5.3 Health Connect system dialog
After tapping "Open Health Connect", the Android operating system's own Health Connect permission screen is displayed. The app logs the result of the system dialog.
5.4 iOS — HealthKit (future)
|
5.5 Implementation notes
The prominent disclosure dialog above MUST appear before the Health Connect system dialog (Play Health Connect policy requirement).
If the user denies in Health Connect: the app logs the denial, the feature is unavailable, but the app continues normally.
Consent log entry: consent_type: "health_connect" — see HJ-001 Section 10.
6. Step 3 — Banking Notification Read Permission
6.1 When it appears
After the Health Connect step (regardless of its outcome). Optional. Can be re-enabled later: Settings → Banking notifications.
6.2 Prominent disclosure dialog
|
6.3 Android NotificationListenerService system screen
Tapping "Enable notification access" navigates to Android Settings → Apps → Special app access → Notification access. The user enables the system-level permission there.
6.4 Implementation notes
The NotificationListenerService only starts if the user has also granted the system-level permission.
Permission status (granted/denied/revoked) must be checked on every app launch.
Consent log entry: consent_type: "banking_notification" — see HJ-001 Section 10.
7. Step 4 — Marketing Push Notifications (FCM)
|
7.1 UI text (prepared in advance for future implementation)
|
8. Step 5 — Analytics and Ad Tracking (AdMob)
8.1 When it appears
Free users only. For PRO users this step is skipped (no ads). In addition to the Android system ATT equivalent, the app displays its own consent dialog.
8.2 UI text
|
8.3 Implementation notes
Integration of the Google UMP (User Messaging Platform) SDK is mandatory for Google Consent Mode v2 compliance.
"I agree" → GDPR consent state: GRANTED → Firebase Analytics + AdMob personalised mode.
"I decline" → GDPR consent state: DENIED → AdMob non-personalised ads mode, Analytics limited.
PRO users: AdMob SDK initialisation may be skipped, consent request not required.
Consent log entry: consent_type: "analytics_ads" — see HJ-001 Section 10.
9. Consent Withdrawal — Settings Menu Structure
The user may withdraw any consent at any time from the app Settings menu. The following structure must be implemented:
| Settings menu item | What it withdraws | Effect of withdrawal |
| Privacy → Terms & Privacy Policy | Irrevocable — only removable via account deletion | Account deletion button available |
| Privacy → Health data | Health Connect / HealthKit permission | Step-count features stop; prior data retained (separately deletable) |
| Privacy → Banking notifications | NotificationListenerService permission | Auto-import stops; imported transactions retained |
| Privacy → Notifications | FCM push permission (future) | Notifications stop |
| Privacy → Ads & Analytics | AdMob + Analytics consent | Non-personalised ads; analytics limited |
| Account → Delete account | All data + all consents | Firestore data deleted, account closed |
|
10. Firestore Consent Log Schema Reference
|
11. Play Store Review-Ready Compliance Summary
| Play Store requirement | Cashletics implementation | Status |
| Prominent disclosure before Health Connect | Section 5.2 — prior disclosure dialog | ✔ Ready |
| Prominent disclosure before NotificationListener | Section 6.2 — prior disclosure dialog | ✔ Ready |
| Explicit opt-in (not pre-ticked) | Section 4.2 — unchecked checkbox | ✔ Ready |
| Revocability in Settings | Section 9 — Settings menu structure | ✔ Ready |
| Consent logging | HJ-001 Section 10 — Firestore schema | ✔ Ready |
| Google UMP SDK (AdMob) | Section 8.3 — implementation note | ⚠ To implement |
| FCM opt-in text | Section 7 — prepared in advance | ⏳ Future |
| iOS HealthKit NSUsageDescription | Section 5.4 — currently inactive until iOS launch | ⏳ Before iOS launch |
Publication addendum
v1.5a supplement — Health Connect permission request:
After Health Connect / step-count consent, Android system permissions may include READ_STEPS, READ_HEALTH_DATA_HISTORY and ACTIVITY_RECOGNITION. These are used only for step count and aggregated historical step totals; the app does not request GPS, routes, heart rate or workout type.
Next review: 5 July 2027.