Privacy Policy

This Privacy Policy explains how CASHO collects, uses, shares, stores, and protects personal information when you use our website, applications, APIs, and related services.

By using CASHO, you acknowledge this policy and consent to the handling of personal data as described here, subject to your legal rights under applicable privacy laws.

This policy is subject to GDPR (EU), CCPA/CPRA (California), PIPEDA (Canada), LGPD (Brazil), and Australian Privacy Act 1988 where applicable.

Account data: name, email address, phone number (if provided), login credentials, authentication methods (2FA, OAuth tokens), and profile preferences.

Financial and household data: income entries, expense transactions, budget categories, subscriptions tracked, household member names/roles (shared account), banking connections (Open Banking), and related metadata you submit.

Technical and usage data: browser type, IP address (anonymized after 30 days), device identifiers, feature interactions, session logs, error reports, and analytics for service reliability.

Communication data: emails, support ticket content, feedback, and survey responses you provide.

Payment data: payment method last 4 digits, billing address, transaction history (processed securely by third-party payment providers; CASHO does not store full credit card numbers).

Service delivery: authenticate users, process requests, deliver account features, generate reports, and provide customer support.

Security and compliance: detect fraud, prevent abuse, monitor platform security, investigate incidents, and ensure legal/regulatory compliance.

Analytics: aggregate and de-identified data to improve service reliability, understand usage patterns, and optimize features.

Communications: send billing notices, security alerts, policy updates, and (with consent) product announcements.

Legal obligations: respond to lawful government requests, court orders, or regulatory inquiries.

Contract performance: Processing necessary to provide service and fulfill your subscription agreement.

Legal obligation: Processing required by law, regulation, or legitimate legal process.

Legitimate interest: Fraud prevention, security, product improvement, and analytics (balanced against your privacy rights).

Consent: Where required (e.g., non-essential cookies, promotional emails), we obtain explicit consent that you may withdraw at any time.

Where GDPR applies, you may request a copy of the legal basis and supporting documentation by contacting privacy@casho.com.au.

Service providers: We share data with vetted providers supporting hosting, authentication, customer support, analytics, and infrastructure under contractual data protection obligations (Data Processing Addendum).

Legal requirements: We disclose data when required by law, court order, lawful government agency request, or to protect rights, safety, and platform integrity.

User-initiated sharing: If you invite household members or use open banking, financial data is shared with invited users or financial institutions per your selections.

Business transfers: In event of merger, acquisition, or asset sale, customer data may be transferred; we will notify affected users.

De-identified data: We may share anonymized or aggregated data for analytics, research, and benchmarking without identifying you.

We do not sell personal financial data to advertisers, data brokers, or third parties for marketing purposes.

Account data: Retained for account lifetime + 7 years (business records, billing, tax compliance).

Transaction data (financial): Retained for 7 years (Australian Tax Office requirements for business/household records).

Support tickets: Retained for 3 years (dispute resolution, service improvement).

Analytics/logs: Retained for 90 days (de-identified after 30 days).

Device/IP logs: Retained for 30 days (security monitoring).

Deleted account data: Removed from active systems within 30 days; backup copies may remain for up to 90 days per disaster recovery policies, then permanently deleted.

If required by law (legal hold, regulatory investigation), we retain data beyond standard schedules until legal obligation expires.

CASHO uses encryption (AES-256 at rest, TLS 1.3 in transit), token-based authentication, CSRF protections, access controls, rate limiting, and continuous security monitoring.

Admin access requires OAuth 2.0 + multi-factor authentication; admin actions are audited and logged.

Payment data is processed through PCI-DSS compliant third parties; we do not store full credit card details.

No security method is infallible, but we apply commercially reasonable safeguards and regularly update controls.

If we discover a confirmed personal data breach, we will notify affected users and relevant authorities within 24 hours of confirmation.

Depending on your jurisdiction, you may have rights including: access, correction, deletion, portability, restriction, objection, complaint to a supervisory authority, and human review of automated decisions.

Access: Request a copy of your personal data; we will provide in readable format (CSV/JSON).

Correction: Request correction of incomplete or inaccurate data; we will update within 14 days.

Deletion/Erasure: Request deletion of your data; we will delete within 30 days unless legal obligations require retention.

Portability: Request export of your data in structured format to migrate to another service.

Objection: Object to processing for marketing or profiling; we will cease within 14 days.

Complaint: Lodge complaints with your local supervisory authority (EU: national data protection authority; Australia: Office of the Australian Information Commissioner; California: California Attorney General).

Requests can be submitted via privacy@casho.com.au. We may verify your identity before processing requests.

Essential cookies: Required for authentication, security, and core feature operation; no consent required.

Preference cookies: Remember your settings (interface language, theme); you may disable via browser settings (may impact functionality).

Analytics cookies: Help us understand usage patterns; set by Google Analytics 4, Hotjar, Segment (third-party processors). Disable via browser controls or analytics opt-out: https://tools.google.com/dlpage/gaoptout

Consent requirement: Non-essential cookies require your explicit prior consent via our cookie banner on first visit.

Cookie management: You can manage cookie preferences via browser settings; disabling essential cookies may break app functionality.

Similar technologies: Local storage, service worker caches, server logs may store similar session data; privacy protections equivalent to cookies apply.

CASHO servers are located in Australia. Personal data processed in Australia is subject to Australian Privacy Act 1988.

If CASHO servers are in non-EU locations and you are an EU resident: transfers are safeguarded via Standard Contractual Clauses (SCCs), supplementary security measures (encryption, access limits), and CASHO's Data Processing Addendum (https://casho.com.au/dpa).

Data Subject Access Requests (DSARs) by EU residents are handled per GDPR Article 12 (15-day response maximum).

If you have concerns about cross-border transfers, contact privacy@casho.com.au.

If you are a California resident, you have rights under CCPA/CPRA: access, deletion, opt-out of 'sale' or 'shared' data, and non-discrimination for exercising rights.

Right to access: Request what personal information CASHO has about you.

Right to delete: Request deletion of data (with limited exceptions for fraud prevention, legal compliance).

Right to opt-out: CASHO does not 'sell' financial data, but you may opt-out of analytics/advertising via https://casho.com.au/privacy#ccpa-opt-out (to be implemented).

Right to non-discrimination: CASHO will not penalize you for exercising CCPA rights (price/service parity maintained).

Sensitive data: Financial data is classified as 'sensitive personal information' under CPRA; we limit use to service delivery and do not permit discrimination or profiling.

Submit California requests to: privacy@casho.com.au. Verification of identity required.

If you are a Brazilian data subject, you have rights under LGPD: access, correction, deletion, portability, opposition to processing, and complaint to ANPD (Brazilian National Data Protection Authority).

Legal basis for processing (LGP D Article 7): Contract performance, legal obligation, legitimate interest (fraud prevention, service improvement, security).

Submit Brazil requests to: privacy@casho.com.au.

If you are a Canadian data subject, you have rights under PIPEDA: access, correction, complaint to Privacy Commissioner of Canada.

CASHO is accountable for personal information under our control; contact privacy@casho.com.au for access or correction requests.

CASHO service is not intended for children under 18 years old.

If you are under 18, obtain parental/guardian consent before using CASHO.

If a parent/guardian discovers their minor child's account, they may request deletion at privacy@casho.com.au; we will delete within 7 days.

If CASHO becomes aware of collection of data from minors without consent, we will delete such data immediately.

If CASHO discovers a confirmed personal data breach, we will notify affected users within 24 hours of confirmation.

Notification includes: nature of breach, data types affected, recommended protective measures, CASHO's remediation steps.

Authorities: We will notify authorities (OAIC, ICO, CNIL, etc.) within 72 hours if legally required.

Incident response: CASHO investigates breaches within 5 business days and documents remediation steps.

CASHO processes financial data classified as 'high-risk' under GDPR Article 35; we conduct Data Protection Impact Assessments for new processing activities.

Customers may request a copy of applicable DPIAs (subject to confidentiality); contact privacy@casho.com.au.

Privacy by design: CASHO builds privacy into product architecture: encryption by default, data minimization, user-controlled permissions.

Current subprocessors (services that process personal data on CASHO's behalf): AWS (cloud hosting), Stripe (payments), Auth0 (authentication), Hotjar (analytics), Segment (data pipeline), Intercom (support), SendGrid (email).

Updated subprocessor list available at: https://casho.com.au/subprocessors (or available upon request).

If CASHO engages new subprocessors, customers will receive 30 days' notice and may object; contact privacy@casho.com.au.

All subprocessors are contractually bound by data protection obligations (DPA) equivalent to GDPR Article 28.

For privacy questions: privacy@casho.com.au

For data subject access requests: dsar@casho.com.au

For security incidents: security@casho.com.au

For California privacy requests: ccpa@casho.com.au

CASHO may update this Privacy Policy periodically. Material changes will be emailed to users with 30 days' notice before taking effect.

Your continued use of CASHO after the 30-day notice period constitutes acceptance of the updated policy.

Current policy version: 1.1 | Last updated: 20 March 2026