Privacy Policy
Last updated: 5 July 2026
Our Privacy Commitment
Cashflow is designed with privacy as a core principle. We do not connect to your bank accounts. Your Gmail credentials are handled via Google OAuth — we never see or store your Gmail password. To classify transactions, only the merchant name extracted from your emails is sent to OpenAI's API; no other email content, transaction amounts, or personal data is transmitted.
Information We Collect
We collect only the information necessary to provide the Cashflow service:
- Account information: Your email address when you create an account. This is stored securely in Supabase.
- Usage and error monitoring: We use PostHog for anonymized usage analytics and Sentry for error monitoring to improve the app. This data does not include personal identifiers or the content of your emails.
- Transaction data: Transaction information extracted from emails is stored only on your device. We do not collect or store your transaction data on our servers.
Google Gmail API Access
Cashflow requests access to your Gmail account via the Google Gmail API with the following restricted scope:
https://www.googleapis.com/auth/gmail.readonly— Read-only access to your Gmail messages.
We use this scope exclusively to scan your inbox for transaction-related emails (such as purchase receipts, payment confirmations, and bank alerts). Most email processing happens on-device. For transaction classification, only the merchant name extracted from an email is sent to OpenAI's API to categorise the transaction. The full email content, transaction amounts, and any other personal data remain on your device and are never sent to OpenAI or our servers. We do not scan or transmit the content of non-transaction emails, and no human at Cashflow ever reads your emails.
How We Use Your Information
We use the information we collect solely for the following purposes:
- To create and maintain your account.
- To identify transaction-related emails in your Gmail inbox and extract relevant financial data for display within the app. Only the merchant name is sent to OpenAI to classify the transaction category.
- To monitor app performance, track errors, and analyse anonymized usage patterns to improve the Cashflow experience.
- To communicate with you about your account or the service.
Data Storage & Retention
Account information (your email address) is stored in Supabase with encryption at rest and is retained for as long as your account remains active. You may request deletion of your account and all associated data at any time by contacting us.
All transaction data extracted from your emails is stored locally in a SQLite database on your device. This data never leaves your device and is not backed up to our servers. You can delete this data at any time by removing the app or clearing the app's local storage.
We do not store the contents of your emails on our servers at any time. Aside from the merchant name sent to OpenAI for classification, all email processing happens on-device and no other email content is transmitted to or stored by Cashflow.
Data Sharing & Third Parties
We do not sell, rent, or trade your personal information to anyone. We share data only in the following limited circumstances:
- Service providers:We use Supabase (Singapore region) for authentication and account data storage, Vercel for hosting, PostHog for anonymized usage analytics, Sentry for error monitoring, and OpenAI for merchant name classification. Only the merchant name is sent to OpenAI's API; no other transaction data, email content, or personal identifiers are shared. OpenAI processes this data under their standard API terms, not a bespoke data processing agreement.
- Legal obligations: We may disclose information if required to do so by law or in response to a valid legal request.
We do not transfer Gmail data to any third party except as necessary to provide the Cashflow service (for example, displaying transaction summaries within the app) or to comply with applicable law.
Google API Services User Data Policy & Limited Use
Cashflow's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only access Gmail data to identify transaction-related emails and display financial summaries within the app.
- We do not use Gmail data for advertising, market research, or building user profiles.
- We do not transfer Gmail data to third parties except as necessary to provide or improve the core user-facing features of Cashflow.
- We do not allow humans to read your Gmail data unless we have your explicit consent, it is necessary for security purposes, or it is required to comply with applicable law.
Your Rights & Choices
You have the following rights regarding your data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your account information at any time.
- Deletion: You may delete your account and all associated data by contacting us. Local transaction data can be deleted at any time by removing the app.
- Revoke Gmail access:You may revoke Cashflow's access to your Gmail account at any time through your Google Account permissions page. Revoking access will prevent the app from scanning new emails, but will not delete data already stored on your device.
Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption at rest (Supabase) and encryption in transit (TLS). Because transaction data is stored locally on your device and never transmitted to our servers, the risk of a server-side data breach exposing your financial information is greatly reduced.
Children's Privacy
Cashflow is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by email or through the app. The date at the top of this page indicates when it was last revised.
Contact Us
If you have questions about this privacy policy, wish to exercise your data rights, or need to report a privacy concern, please contact us at:
Email: [email protected]