Cashletics
Home Legal documents Delete account Contact HU
Documents Terms of Use Privacy Policy Cookie & Tracking Policy Health Data Statement Banking Notification Consent Age Restriction Statement In-app Consent Flow Prize Draw Rules Imprint
hozzájárulás

In-app Consent Flow

Consent flows and withdrawal options displayed in the Cashletics app.

In-app Consent Flow

& Texts Specification

Data Controller Mózer Ferenc (sole trader)
Registered address 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary
Tax number 41905517-1-23
Privacy contact privacy@cashleticsapp.com
Effective date 5 July 2026
Version v1.5
Target audience Developer (implementation) + GDPR audit
Governing language Hungarian (HJ-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail.

cashleticsapp.com/legal.php · Public consent-flow notice GDPR-compliant ✔

GOVERNING LANGUAGE NOTICE

This document is the English translation of the Hungarian In-app Consent Flow specification (HJ-001).

In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail.

Hungarian version: cashleticsapp.com/legal.php?lang=hu

1. Purpose and Scope

This document specifies the complete consent management (consent flow) of the Cashletics mobile application in English. It contains:

  • exact UI texts displayed to the user (in English, in implementable form),

  • the 5-step consent flow sequence and the logical conditions of each step,

  • references to the Firestore consent log data structure (see HJ-001 Section 10),

  • withdrawal pathways and the Settings menu consent management structure,

  • Play Store review-ready compliance notes.

ℹ Developer guide

The UI texts in this document are copy-paste implementable specifications.

Campaign/iOS-specific fields are finalised only when the relevant feature or campaign starts.

All consent events must be logged in Firestore as per the schema in HJ-001 Section 10.

2. Consent Flow Architecture — Overview

Cashletics applies a 5-step consent flow. The order of steps is fixed — optional steps may be skipped by the user, but mandatory (blocking) steps must be completed before registration can proceed.

# Consent type Required? Legal basis document
1 Terms of Use + Privacy Policy acceptance ⛔ MANDATORY — blocking ASZF-001-EN, AT-001-EN
2 Health Connect step-count permission (Android)
HealthKit step-count permission (iOS — currently inactive)
✔ Optional — recommended HE-001-EN
3 Banking notification read permission ✔ Optional BH-001-EN
4 Marketing push notifications (FCM) ✔ Optional — future [FCM not yet active] AT-001-EN §6
5 Analytics and ad tracking (AdMob) ✔ Optional — relevant for Free users only CK-001-EN

⚠ Important: optional steps (2–5) are NOT conditions for using the app.

If the user declines steps 2–5, all core app features (financial tracking,

gamification, goals) remain fully accessible.

3. Consent Flow Step Diagram

The diagram below shows the logical flow of the registration process. Each step includes the decision point and the resulting state.

REGISTRATION START

↓

[ Step 1 ] Terms of Use + Privacy Policy → MANDATORY

├ Accepts → proceed to Step 2

└ Declines → registration aborted, app unusable

↓

[ Step 2 ] Health Connect / step count → OPTIONAL

├ Grants → step-count XP and challenges available

└ Skips → step-count features unavailable (can be enabled later)

↓

[ Step 3 ] Banking notification access → OPTIONAL

├ Grants → automatic transaction import available

└ Skips → manual entry required (can be enabled later)

↓

[ Step 4 ] Marketing push notifications (FCM) → OPTIONAL — future

├ Grants → challenge and reward notifications enabled

└ Skips → notifications off (changeable in Settings)

↓

[ Step 5 ] Analytics / AdMob tracking → OPTIONAL (Free users only)

├ Accepts → personalised ads and analytics enabled

└ Declines → non-personalised ads, analytics limited

└ PRO user → this step is skipped (no ads)

↓

HOME SCREEN — app fully accessible

4. Step 1 — Terms of Use and Privacy Policy Acceptance

4.1 When it appears

During registration, after entering email/password, before account creation. Blocking: the account is only created after acceptance.

4.2 UI text — dialog/modal

[ SCREEN: Registration — Step 3 of 3 ]

────────────────────────────────────────────────

Accept Terms

To use Cashletics, you need to accept the following

documents. Please read them carefully.

[ ☐ ] I have read and accept the Terms of Use

and the Privacy Policy.

→ Terms of Use [link]

→ Privacy Policy [link]

────────────────────────────────

[ Create Account ] — active only when checkbox is ticked

[ Cancel ]

4.3 Implementation notes

  • Checkbox default state: unchecked (not pre-ticked — GDPR Art. 7: no implicit consent).

  • The "Create Account" button is disabled until the checkbox is ticked.

  • Terms of Use and Privacy Policy links open cashleticsapp.com/legal.php in an in-app WebView.

  • Consent log entry: see HJ-001 Section 10 — consent_type: "terms_and_privacy".

5. Step 2 — Health Connect / Step Count Permission

5.1 When it appears

Immediately after successful registration, on first login. Optional — skippable via "Skip" button. Can be re-enabled later: Settings → Health data.

5.2 Prominent disclosure dialog (required by Play Store policy)

Per GDPR Art. 9(2)(a): step count data qualifies as health data and requires explicit prior disclosure BEFORE the system permission request.

[ SCREEN: Step Count Tracking Setup ]

────────────────────────────────────────────────

Step Count Rewards

Cashletics can reward you based on your daily step count.

To do this, we need access to the Health Connect app

(Android), which manages your device's health data.

What we read:

• Daily step count (today's value only)

What we do NOT read:

• Heart rate, sleep data, weight or any other

health metric

We use this data solely to award XP points and

evaluate challenges. You can revoke this permission

at any time.

→ Privacy Policy — Health Data section [link]

────────────────────────────────

[ Open Health Connect ]

[ Skip — continue without step count ]

5.3 Health Connect system dialog

After tapping "Open Health Connect", the Android operating system's own Health Connect permission screen is displayed. The app logs the result of the system dialog.

5.4 iOS — HealthKit (future)

iOS / HealthKit currently inactive; to be updated before iOS launch

The iOS App Store HealthKit permission text must be provided separately in App Store Connect

under the NSHealthShareUsageDescription key.

Suggested text: iOS / HealthKit currently inactive; to be updated before iOS launch

5.5 Implementation notes

  • The prominent disclosure dialog above MUST appear before the Health Connect system dialog (Play Health Connect policy requirement).

  • If the user denies in Health Connect: the app logs the denial, the feature is unavailable, but the app continues normally.

  • Consent log entry: consent_type: "health_connect" — see HJ-001 Section 10.

6. Step 3 — Banking Notification Read Permission

6.1 When it appears

After the Health Connect step (regardless of its outcome). Optional. Can be re-enabled later: Settings → Banking notifications.

6.2 Prominent disclosure dialog

[ SCREEN: Automatic Transaction Import ]

────────────────────────────────────────────────

Automatic Expense Tracking

Cashletics can automatically record your expenses

by reading your banking push notifications.

Important:

• The app reads ONLY the text of your notifications

• It does NOT access your bank account or login credentials

• Notification text is NOT sent to our servers — only

the parsed amount and merchant name are stored

• You can revoke this permission at any time

→ Banking Notification Consent Statement [link]

────────────────────────────────

[ Enable notification access ]

[ Skip — I will enter expenses manually ]

6.3 Android NotificationListenerService system screen

Tapping "Enable notification access" navigates to Android Settings → Apps → Special app access → Notification access. The user enables the system-level permission there.

6.4 Implementation notes

  • The NotificationListenerService only starts if the user has also granted the system-level permission.

  • Permission status (granted/denied/revoked) must be checked on every app launch.

  • Consent log entry: consent_type: "banking_notification" — see HJ-001 Section 10.

7. Step 4 — Marketing Push Notifications (FCM)

⚠ Future feature — FCM (Firebase Cloud Messaging) is NOT yet active.

This step is added to the consent flow only after FCM is activated.

Text prepared in advance. SZ-001 trigger: "when FCM is activated, implement this step".

7.1 UI text (prepared in advance for future implementation)

[ SCREEN: Notification Settings ] — FUTURE

────────────────────────────────────────────────

Stay motivated with notifications!

Would you like us to notify you:

• when you are close to completing a challenge,

• when you have received a reward,

• when a friend overtakes you on the leaderboard?

You can turn off notifications at any time in

Settings → Notifications.

────────────────────────────────

[ Yes, enable notifications ]

[ No thanks ]

8. Step 5 — Analytics and Ad Tracking (AdMob)

8.1 When it appears

Free users only. For PRO users this step is skipped (no ads). In addition to the Android system ATT equivalent, the app displays its own consent dialog.

8.2 UI text

[ SCREEN: Personalisation and Statistics ]

────────────────────────────────────────────────

Help us improve Cashletics!

If you agree, we collect the following data:

• App usage statistics (Firebase Analytics)

• Advertising ID (GAID) — for personalised

ads (Google AdMob)

If you decline:

• Non-personalised ads will be shown

• Core app features are unaffected

→ Cookie & Tracking Policy [link]

────────────────────────────────

[ I agree ]

[ I decline ]

8.3 Implementation notes

  • Integration of the Google UMP (User Messaging Platform) SDK is mandatory for Google Consent Mode v2 compliance.

  • "I agree" → GDPR consent state: GRANTED → Firebase Analytics + AdMob personalised mode.

  • "I decline" → GDPR consent state: DENIED → AdMob non-personalised ads mode, Analytics limited.

  • PRO users: AdMob SDK initialisation may be skipped, consent request not required.

  • Consent log entry: consent_type: "analytics_ads" — see HJ-001 Section 10.

9. Consent Withdrawal — Settings Menu Structure

The user may withdraw any consent at any time from the app Settings menu. The following structure must be implemented:

Settings menu item What it withdraws Effect of withdrawal
Privacy → Terms & Privacy Policy Irrevocable — only removable via account deletion Account deletion button available
Privacy → Health data Health Connect / HealthKit permission Step-count features stop; prior data retained (separately deletable)
Privacy → Banking notifications NotificationListenerService permission Auto-import stops; imported transactions retained
Privacy → Notifications FCM push permission (future) Notifications stop
Privacy → Ads & Analytics AdMob + Analytics consent Non-personalised ads; analytics limited
Account → Delete account All data + all consents Firestore data deleted, account closed

ℹ Developer note — logging withdrawal

Consent withdrawal must be recorded in Firestore with the same log entry format

as the original consent — with action: "revoked".

See: HJ-001 Section 10 — Firestore consent log schema.

10. Firestore Consent Log Schema Reference

The Firestore consent log schema is defined in HJ-001 (Hungarian version), Section 10.

The schema is identical for both language versions of the app — no duplication required.

Collection path: users/{userId}/consents/{consentId}

Key fields: consent_type | action | timestamp | app_version | document_version | platform

For full field definitions and consent_type values, refer to HJ-001 Section 10.

11. Play Store Review-Ready Compliance Summary

Play Store requirement Cashletics implementation Status
Prominent disclosure before Health Connect Section 5.2 — prior disclosure dialog ✔ Ready
Prominent disclosure before NotificationListener Section 6.2 — prior disclosure dialog ✔ Ready
Explicit opt-in (not pre-ticked) Section 4.2 — unchecked checkbox ✔ Ready
Revocability in Settings Section 9 — Settings menu structure ✔ Ready
Consent logging HJ-001 Section 10 — Firestore schema ✔ Ready
Google UMP SDK (AdMob) Section 8.3 — implementation note ⚠ To implement
FCM opt-in text Section 7 — prepared in advance ⏳ Future
iOS HealthKit NSUsageDescription Section 5.4 — currently inactive until iOS launch ⏳ Before iOS launch

Publication addendum

v1.5a supplement — Health Connect permission request:

After Health Connect / step-count consent, Android system permissions may include READ_STEPS, READ_HEALTH_DATA_HISTORY and ACTIVITY_RECOGNITION. These are used only for step count and aggregated historical step totals; the app does not request GPS, routes, heart rate or workout type.

Next review: 5 July 2027.

Back to list
Cashletics

Pénzügyi motiváció játékosan – pénzügy, lépésszám és jutalmak egy appban.

Legal

ÁSZF / Terms Privacy Cookie & Tracking

Support

support@cashleticsapp.com Data request
© 2026 Cashletics. All rights reserved.