Age Restriction Statement
Rules on the Cashletics 16+ age threshold and age verification process.
Age Restriction Statement
Minimum Age Requirement and Exclusion of Minors
| Data Controller | Mózer Ferenc (sole trader) |
| Registered address | 6044 Kecskemét, Hetény-Belsőnyír 268/2., Hungary |
| Tax number | 41905517-1-23 |
| Privacy contact | privacy@cashleticsapp.com |
| Effective date | 5 July 2026 |
| Version | v1.5 |
| Legal basis | GDPR Art. 8 + Google Play Families policy |
| Governing language | Hungarian (KK-001). In case of any discrepancy between the Hungarian and English versions, the Hungarian version shall prevail. |
|
1. Summary — Minimum Age and Exclusion
|
This document sets out the legal basis for the Cashletics minimum age requirement, the technical implementation of the age verification process, and the exclusion mechanism for underage users. The document has been prepared in compliance with the following regulatory frameworks:
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) — Article 8
Hungarian Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (as the national implementation of GDPR Art. 8 — 16-year threshold)
Google Play Families policy (current 2025 version)
2. Legal Basis
2.1 GDPR Article 8 — Child's consent
Under GDPR Article 8(1), in relation to the offer of information society services directly to a child, the processing of personal data of a child is lawful where the child is at least 16 years of age. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
2.2 Why 16 — why not lower?
GDPR Article 8(1) allows Member States to lower the age threshold to 13 years. Hungary has not exercised this option: under the Hungarian national implementation, the minimum age is 16 years. Since Cashletics targets the Hungarian and broader EU market as its primary audience, the 16-year threshold applies. For users outside the EU, the same threshold is applied as a consistent global standard.
2.3 Google Play Families policy
Under the Google Play Families policy, any application that processes health data (Health Connect) or financial data is automatically excluded from the Families programme. The age restriction declaration must state that the application is not designed for children. Cashletics falls into both categories:
Health data: step count (Health Connect / HealthKit) — GDPR Art. 9 special category data
Financial data: banking notification reading, income/expense tracking
|
3. Age Verification in the Registration Flow
3.1 When and how verification takes place
Age verification takes place at Step 2 of the registration process, after the user enters their email address and password, before the account is created. The user must enter their year of birth and actively confirm that they are at least 16 years old.
3.2 UI text — age verification step
|
3.3 Implementation notes
Year of birth field: numeric input, 4 digits, validation: 1900–(current year − 16).
If the entered year of birth indicates the user is under 16: registration is aborted — see Section 4.
Checkbox default state: unchecked (not pre-ticked — GDPR Art. 7: no implicit consent).
"Continue" button is disabled until both the year of birth field and the checkbox are completed.
The year of birth does NOT need to be stored in Firestore — it is checked at registration only. Storage is not justified under the data minimisation principle.
The timestamp of the age declaration (checkbox acceptance) is recorded in the consent log: consent_type: "age_declaration" — see HJ-001 Section 10.
4. Exclusion Mechanism — What an Under-16 User Sees
4.1 Error screen — under-16 user
|
4.2 Implementation notes
If the user is excluded, no account is created and no data is stored in Firestore.
The exclusion event does NOT need to be logged (no account, no personal data).
The support email (support@cashleticsapp.com) provided for the "error" case is sufficient — no separate appeals procedure is required.
5. Rationale for Excluding Parental Consent
GDPR Article 8(1) in principle allows children under 16 to participate in data processing with parental consent. In the case of Cashletics, this option is deliberately excluded for the following reasons:
| Reason | Explanation |
| Health data (GDPR Art. 9) | Step count qualifies as a special category of data. Under Art. 9(2)(a), explicit consent must come from the data subject — legally uncertain in the case of a child. |
| Financial profiling risk | Income/expense tracking + banking notification reading together create a detailed financial profile. This poses heightened risk for minors. |
| Technical verifiability | Reliably verifying that parental consent is genuinely given by a parent (rather than the child themselves) is not technically feasible in a mobile application. |
| Play Families policy | The Google Play Families programme cannot be applied to apps processing health or financial data — this applies regardless of parental consent. |
| Risk proportionality | Based on the DPIA-001 risk assessment, the risk level (special category data + financial profile) is disproportionately high to be managed via parental consent alone. |
6. Cross-References to Other Documents
| Document | Reference subject |
| ASZF-001-EN (Section 3) | Age restriction in the Terms of Use — persons under 16 cannot enter into a valid contract |
| AT-001-EN (Section 2) | Privacy Policy — definition of data subjects: natural persons aged 16 or older only |
| HE-001-EN (Section 1) | Health Data Statement — reference to KK-001-EN for age restriction justification |
| BH-001-EN (Section 1) | Banking Notification Consent — reference to KK-001-EN for eligible data subject definition |
| HJ-001-EN (Section 2) | Consent flow — age verification is Step 2 of the registration flow |
| DPIA-001 | Data Protection Impact Assessment — risk basis for parental consent exclusion |
| GPS-001 | Play Console Data Safety — "Designed for families": NO |
Next review: 5 July 2027.