Cashira Data Protection & Compliance Policy

Tagline: "Revolutionize Your Budgeting & Planning"

Last Updated:

Executive Summary

Cashira, a product of Consultants Lengu Inc., is an AI-powered budgeting and planning application that integrates with your bank accounts and calendars to provide personalized financial insights, smart alerts, and scheduling suggestions.

This comprehensive Data Protection & Compliance Policy explains how we collect, use, store, and protect your personal information across all jurisdictions where we operate. We are committed to transparency about our data practices and compliance with global privacy regulations.

Key Principles:

Data Minimization: We only collect data necessary to provide our services
Security First: Bank-level security measures protect your financial data
Read-Only Access: We cannot move money or initiate transactions
Transparency: Clear explanations of how we use AI and automated decision-making
User Control: Easy-to-exercise privacy rights across all regions

This policy covers our compliance with GDPR, CCPA/CPRA, PIPEDA, LGPD, and other major privacy frameworks. For specific regional requirements, please refer to the relevant sections below.

Key Definitions #

General Data Protection Terms

Term	Definition
Personal Data/Information	Any information relating to an identified or identifiable natural person
Processing	Any operation performed on personal data (collection, storage, use, etc.)
Controller	The entity that determines the purposes and means of processing personal data
Processor	An entity that processes personal data on behalf of a controller
Special Category Data	Sensitive personal data requiring enhanced protection (e.g., financial information, health data)
Data Subject/Consumer	The individual to whom personal data relates

Cashira-Specific Terms

Term	Definition
Financial Data	Account balances, transaction history, and other banking information accessed via read-only connections
Calendar Data	Events, schedules, and availability information from integrated calendar services
AI Insights	Personalized budgeting recommendations and financial planning suggestions generated by our algorithms
Smart Alerts	Automated notifications about unusual spending, budget limits, or financial opportunities
Read-Only Access	Our technical inability to move money or initiate financial transactions on your behalf

What We Collect #

Data Categories & Sources

Data Category	Examples	Source	Required/Optional
Account Information	Name, email, password, preferences	Direct from user	Required
Financial Data	Account balances, transactions, holdings	Bank/credit card APIs	Required
Calendar Data	Events, schedules, meeting details	Calendar service APIs	Optional
Device Information	IP address, browser type, device ID	Automated collection	Required
Usage Data	Feature usage, session duration, clicks	Automated collection	Required
Support Communications	Chat logs, emails, feedback	Direct from user	Optional

Special Category Data

We do not intentionally collect special category data as defined by GDPR (e.g., health, biometric, genetic data). However, financial information may be considered sensitive personal information under various regulations and is protected accordingly.

How We Use Data #

Processing Purposes & Legal Bases

Processing Purpose	Data Categories Used	GDPR Legal Basis	Other Jurisdictions
Account Creation & Management	Account Information	Contract Performance	Service Provision
Financial Insights & Budgeting	Financial Data, Calendar Data	Legitimate Interests	Business Operations
AI-Powered Recommendations	Financial Data, Usage Data	Consent (where required)	Service Improvement
Security & Fraud Prevention	Device Information, Financial Data	Legitimate Interests	Security Purposes
Customer Support	Account Information, Support Communications	Contract Performance	Customer Service
Service Improvement	Usage Data, Device Information	Legitimate Interests	Analytics
Marketing Communications	Account Information, Usage Data	Consent	Marketing (with opt-out)

Data Retention & Deletion #

Retention Schedule

Data Category	Retention Period	Deletion Process
Account Information	While account active + 30 days	Permanent deletion from all systems
Financial Data	While account active + 30 days	Secure erasure from databases and backups
Calendar Data	While account active + 7 days	Removal from all storage systems
Support Communications	3 years from resolution	Secure deletion after retention period
Usage Analytics	26 months	Automatic deletion after retention period
System Logs	90 days	Automatic rotation and deletion

Deletion Workflow

When you request account deletion or exercise your right to erasure:

Immediate deactivation of your account
Removal of personal data from active databases within 24 hours
Queueing of deletion from backup systems (processed within 30 days)
Confirmation email sent upon completion

Exceptions

We may retain certain data when required by law, such as:

Financial records for regulatory compliance (7 years)
Information related to ongoing legal disputes
Fraud prevention data where retention is necessary

International Data Transfers #

Transfer Mechanisms & Safeguards

Global Operations

Cashira operates globally with data processing activities in multiple jurisdictions. We ensure appropriate safeguards for international data transfers through:

Transfer Mechanism	Applicable Regions	Implementation
EU Standard Contractual Clauses (SCCs)	EU/EEA to third countries	Implemented with all non-EEA processors
UK International Data Transfer Agreement	UK to third countries	UK Addendum to EU SCCs
Adequacy Decisions	EU/EEA to adequate countries	Leveraged where applicable
Supplementary Measures	All transfers requiring enhancement	Encryption, access controls, audits

Data Storage Locations

Primary data processing occurs in the United States and European Union. We select storage locations based on:

Performance requirements for our global user base
Data protection regulations in the storage jurisdiction
Security and redundancy capabilities

Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for all international data transfers to evaluate:

Legal environment in the destination country
Specific risks to data subjects
Effectiveness of transfer mechanisms and supplementary measures

Your Rights & How to Exercise Them #

Global Rights Overview

Regardless of your location, we provide accessible mechanisms to exercise control over your personal data:

Right	Description	How to Exercise
Access	Obtain a copy of your personal data	Account settings or request to privacy@cashira.app
Correction	Rectify inaccurate or incomplete data	Edit profile or contact support
Deletion	Request erasure of your data	Account deletion option or email request
Restriction	Limit processing of your data	Contact privacy@cashira.app
Portability	Receive your data in a machine-readable format	Export feature or request to privacy@cashira.app
Objection	Object to certain processing activities	Opt-out mechanisms or contact privacy@cashira.app
Withdraw Consent	Revoke previously given consent	Privacy settings or contact privacy@cashira.app

Request Process

Submit Request: Use in-app features, online form, or email
Verification: We'll verify your identity to protect your data
Processing: We process most requests within 30 days (sooner where required by law)
Communication: We'll keep you informed throughout the process

GDPR/UK GDPR Specific Rights

Under GDPR and UK GDPR, you have specific rights including:

Right to be Informed: About how we use your personal data (this policy)
Right of Access: To receive a copy of your data and information about its processing
Right to Rectification: To have inaccurate personal data corrected
Right to Erasure: To have your personal data deleted in certain circumstances
Right to Restrict Processing: To limit how we use your data
Right to Data Portability: To receive your data in a structured, commonly used format
Right to Object: To object to processing based on legitimate interests or direct marketing
Rights Related to Automated Decision-Making: Including profiling (see Section 9)

Response Timelines

We respond to GDPR/UK GDPR requests within one month, extendable by two months for complex requests. We will inform you of any extension within one month of receiving your request.

Complaints

If you're unhappy with how we've handled your data, you have the right to lodge a complaint with your local supervisory authority:

UK: Information Commissioner's Office (ICO)
Ireland: Data Protection Commission (DPC)
Germany: Landesbeauftragter für den Datenschutz (state authorities)

US State Laws (CCPA/CPRA & Others)

Under California and other state privacy laws, you have rights including:

Right	CCPA/CPRA	Other States (VCDPA, CPA, etc.)
Know/Access	Yes	Yes
Delete	Yes	Yes
Correct	Yes (CPRA)	Yes
Opt-out of Sale/Sharing	Yes	Yes (where applicable)
Limit Use of Sensitive PI	Yes (CPRA)	Yes (CO, CT, VA)
Portability	Yes	Yes
Appeal	N/A	Yes (CO, CT, VA)

Opt-Out Mechanisms

We honor:

Global Privacy Control (GPC): Browser-based opt-out signal
In-App Preferences: Direct controls within your account settings
Do Not Sell/Share My Personal Information: Link in website footer

Authorized Agents

You may use an authorized agent to exercise your rights. We require verification of both your identity and the agent's authorization.

Children's Privacy #

Age Restrictions & Protections

Cashira is not directed at children, and we do not knowingly collect personal information from children without appropriate parental consent.

Region	Age Threshold	Requirements
United States	Under 13	COPPA compliance; verifiable parental consent required
EU/EEA/UK	Under 16 (may vary by country)	Parental consent required for information society services
Canada	Under 14 (Quebec: Under 14)	Parental consent required for collection from minors
Brazil	Under 18	Specific consent required from parent/guardian
Other Regions	Typically 13-16	Compliance with local age of consent requirements

Our Approach

We do not target our services to children
We implement age-screening during registration
We promptly delete any personal data collected from children without verification of parental consent
Parents can request review or deletion of their child's information

AI & Automated Decision-Making Transparency #

How We Use AI Responsibly

Cashira uses artificial intelligence to provide personalized budgeting insights and financial planning suggestions. We are committed to transparent and ethical AI practices.

AI Applications

AI Function	Purpose	Data Used
Spending Categorization	Automatically categorize transactions	Transaction descriptions, amounts, merchant data
Budget Recommendations	Suggest personalized budget limits	Historical spending, income patterns, financial goals
Anomaly Detection	Identify unusual spending patterns	Transaction history, spending averages
Calendar Integration	Suggest optimal meeting times based on financial calendar	Event data, financial deadlines, user preferences

Model Training & Data Sources

Our AI models are trained on:

Aggregated, anonymized financial data (with all personal identifiers removed)
Public financial datasets and benchmarks
Synthetic data generated to represent various financial scenarios

Human Oversight & Opt-Outs

All significant AI-driven decisions are subject to human review upon request
You can opt-out of personalized AI insights in your account settings
We provide explanations for significant automated decisions affecting your financial planning

Safeguards

Regular bias testing and model audits
Data minimization in model training
Transparency about model limitations
Clear communication when you're interacting with AI systems

Security Measures #

Our Security Posture

We implement comprehensive security measures to protect your financial and personal data, following industry best practices and "bank-level" security standards where appropriate.

Technical Safeguards

Security Area	Implementation
Encryption	AES-256 encryption for data at rest; TLS 1.2+ for data in transit
Access Controls	Role-based access, principle of least privilege, multi-factor authentication
Network Security	Firewalls, intrusion detection/prevention, DDoS protection
Application Security	Secure SDLC, code reviews, vulnerability scanning, penetration testing
Data Protection	Tokenization of sensitive data, data minimization, secure deletion
Monitoring & Logging	Comprehensive audit logs, SIEM, anomalous activity detection

Organizational Safeguards

Security Training: Regular security awareness training for all employees
Incident Response: Documented procedures for security incident handling
Business Continuity: Disaster recovery and business continuity plans
Vendor Management: Security assessments for third-party providers
Compliance Frameworks: Alignment with industry standards and regulations

Financial Data Specific Protections

Read-only access to financial institutions - we cannot move money
Bank-grade encryption for all financial data
Regular security assessments and penetration testing
Secure credential storage using industry-standard protocols

Cookies & Tracking Technologies #

Our Use of Tracking Technologies

We use cookies and similar technologies to provide, secure, and improve our services, and to personalize your experience.

Categories of Cookies

Category	Purpose	Examples	Consent Required
Essential	Necessary for basic functionality	Authentication, security, load balancing	No
Functional	Remember preferences and settings	Language, region, customized features	Yes
Analytics	Understand how users interact with our services	Usage patterns, feature popularity	Yes
Advertising	Deliver relevant marketing	Retargeting, conversion tracking	Yes

Consent Management

We implement region-appropriate consent mechanisms:

EU/EEA/UK: GDPR-compliant consent banner before non-essential cookies
California: Notice of financial incentive and opt-out rights
Other Regions: Context-appropriate notice and choice mechanisms

Opt-Out Options

Browser cookie settings
In-app privacy controls
Global Privacy Control (GPC) signal support
Do Not Track browser setting respect (where technically feasible)
Direct opt-out links for specific tracking technologies

Subprocessors & Third Parties #

Our Data Processing Partners

We engage carefully selected subprocessors to help provide our services. All subprocessors are subject to rigorous security and privacy assessments.

Subprocessor	Service Provided	Data Processed	Location
AWS	Cloud Infrastructure	All data categories	USA, Ireland, Germany
Plaid Technologies	Financial Data Aggregation	Financial account information	USA
Google Cloud	Analytics & AI Services	Usage data, anonymized insights	USA, EU
Stripe	Payment Processing	Billing information	USA
Zendesk	Customer Support	Support communications, account info	USA
SendGrid	Email Communications	Contact information, service messages	USA

Subprocessor Governance

All subprocessors are bound by data processing agreements
Regular security assessments of subprocessors
Notification process for adding or changing subprocessors
Right to object to new subprocessors (where required by law)

Updates & Notifications

We maintain a current list of subprocessors at cashira.app/subprocessors. You can subscribe to receive notifications of changes to our subprocessor list by emailing privacy@cashira.app.

Breach Notification #

Our Breach Response Framework

We have established procedures for detecting, investigating, and reporting personal data breaches in accordance with applicable laws.

Notification Timelines

Jurisdiction	Authority Notification	Individual Notification
GDPR/UK GDPR	72 hours where feasible	Without undue delay if high risk
CCPA/CPRA	N/A	As quickly as possible for unauthorized access to unencrypted data
PIPEDA	As soon as feasible	If real risk of significant harm
LGPD (Brazil)	Reasonable time period	Reasonable time period
Australia Privacy Act	As soon as practicable	If likely to result in serious harm

Breach Assessment

When a potential breach is detected, we immediately:

Contain the breach and assess the scope
Evaluate the risks to individuals' rights and freedoms
Determine notification requirements based on applicable laws
Implement remediation measures to prevent recurrence

Notification Content

When required, breach notifications include:

Description of the nature of the breach
Categories and approximate number of individuals concerned
Contact details for further information
Likely consequences of the breach
Measures taken or proposed to address the breach

Enterprise/API Terms #

Additional Provisions for Enterprise Customers

Enterprise customers using our API or advanced features have additional data protection considerations.

Data Processing Roles

Cashira as Processor: When processing personal data on behalf of enterprise customers
Cashira as Controller: For data necessary to provide and improve our services
Joint Controllership: In limited circumstances where we jointly determine purposes and means of processing

Data Processing Agreements (DPAs)

We offer standard DPAs for enterprise customers that include:

Instructions for processing personal data
Confidentiality obligations
Security measures and assistance
Subprocessor transparency and obligations
Data subject rights assistance
Breach notification procedures
Data transfer mechanisms
Return or deletion of data
Audit rights

API Security

Our Enterprise API includes:

API key authentication and rate limiting
Encrypted data transmission
Comprehensive audit logging
Regular security testing
Documented data handling procedures

Accessibility & Localization #

Making Our Policy Accessible to All

Accessibility Commitment

We are committed to making our Data Protection Policy accessible to everyone, including people with disabilities. This policy page is designed to meet WCAG 2.1 AA standards, including:

Proper heading structure for screen readers
Sufficient color contrast
Keyboard navigability
Clear focus indicators
Alternative text for meaningful images

Language Availability

This policy is currently available in English. We are working to provide translations in other languages commonly used by our global user base. If you need this policy in an alternate format or language, please contact us at privacy@cashira.app.

Alternative Formats

We can provide this policy in alternative formats upon request, including:

Large print versions
Audio recordings
Braille (with advance notice)
Simplified language versions

Contact Us / DPO #

How to Reach Our Privacy Team

General Privacy Inquiries

For questions about this policy or our privacy practices:

Email: privacy@cashira.app
Support: support@cashira.app
Mail: Consultants Lengu Inc., [Registered Address, Canada]

Data Protection Officer

While we are not legally required to appoint a Data Protection Officer under GDPR, we have designated a privacy contact who fulfills similar responsibilities:

Role: Privacy & Data Protection Lead
Contact: privacy@cashira.app
Responsibilities: Oversight of data protection compliance, handling data subject requests, privacy impact assessments

Changelog & Versioning #

Policy Update History

Version	Date	Changes
1.0		Initial comprehensive Data Protection & Compliance Policy
Future Updates	TBD	This policy will be updated as needed to reflect changes in our practices, services, or legal requirements.

Update Notification

We will notify users of material changes to this policy through:

In-app notifications
Email communications (where required by law or for significant changes)
Updated "Last Updated" date on this policy

Continued use of our services after changes constitutes acceptance of the updated policy.

Jurisdiction Appendices #

Region-Specific Legal Details

This section provides additional legal details specific to various jurisdictions where we operate.

GDPR/UK GDPR Appendix

Legal Bases for Processing (Article 6):

Contract Performance: Account management, service delivery
Legitimate Interests: Service improvement, security, fraud prevention
Consent: Marketing communications, certain cookies
Legal Obligation: Tax records, regulatory compliance

Data Protection Impact Assessments: We conduct DPIAs for high-risk processing activities, including large-scale processing of financial data and systematic monitoring.

CCPA/CPRA Appendix

Categories of Personal Information Collected:

Identifiers (name, email, IP address)
Financial information (account data, transactions)
Internet activity (usage data, cookies)
Geolocation data (approximate location from IP)

No Sale of Personal Information: We do not sell personal information as defined by CCPA/CPRA. We may share information with service providers for business purposes as described in this policy.

PIPEDA & Quebec Law 25 Appendix

Privacy Officer: We have designated a Privacy Officer responsible for compliance with Canadian privacy laws.

Consent Management: We obtain meaningful consent for collection, use, and disclosure of personal information, with specific requirements for sensitive financial information.

LGPD (Brazil) Appendix

Encarregado: While not legally required to appoint a DPO, we have designated a privacy contact who fulfills similar responsibilities for Brazilian users.

Legal Bases (Article 7): We process personal data based on consent, contract performance, legitimate interests, and legal obligations as appropriate under LGPD.