Privacy Policy

Last updated: June 7, 2026

This Privacy Policy describes how Kashend ("we", "us", "our") collects, uses, and discloses your personal information when you use our mobile applications and website (collectively, the "Service"). By using the Service, you agree to the practices described here.

1. Information we collect

1.1 Information you provide directly

• Account data: email address, password (stored only as a salted hash via bcrypt), full name, and your preferred currency.
• Expense data: amounts, descriptions, dates, categories, optional notes, optional receipt images, and the lists you place expenses in.
• Shared list data: the email addresses you invite as collaborators and the role you assign them (Editor, Viewer).
• Voice recordings: short audio clips you record to log expenses. We do not store recordings after they are transcribed.
• Receipt photos: images you upload for AI scanning. Images are sent to our AI processor and discarded after parsing unless you explicitly attach them to an expense.
• Chat messages: text you send to the AI assistant. Stored for context across conversation turns.

1.2 Information collected automatically

• Authentication tokens: short-lived JWTs stored locally on your device (in AsyncStorage on mobile, localStorage on web) so you stay signed in.
• Server logs: IP address, request paths, and timestamps to keep the Service running and detect abuse. Logs are kept for 30 days.
• Device information: operating system, app version, and locale, sent with API calls for compatibility purposes.

1.3 Information we do not collect

• We do not access your contacts, calendar, location, or other apps on your device.
• We do not use third-party advertising or analytics SDKs.
• We do not collect biometric data (other than what your OS uses locally for unlocking your device).

2. How we use your information

• To provide and improve the Service: storing your expenses, calculating budgets, syncing shared lists.
• To authenticate you and keep your account secure.
• To send transactional emails: password resets, account-deletion confirmations.
• To detect, prevent, and respond to fraud or abuse.
• To comply with legal obligations.

We do not use your data to train machine learning models, sell advertising, or build user profiles for marketing.

3. Third-party service providers

The Service relies on the following providers. By using Kashend, you agree to their respective privacy practices.

• OpenAI — receives the text, voice clips, and receipt images you submit for AI features (parsing, transcription via Whisper, vision scanning, chat). OpenAI processes the data on its servers under its API data usage policy. We do not opt your data into model training.
• Amazon Web Services (AWS) — hosts our backend, database, and file storage. Data resides in the AWS region(s) we select. AWS's privacy notice is at aws.amazon.com/privacy.
• open.er-api.com — provides exchange rates. We send only the currency code (e.g. USD), never your expense data.
• Expo / Google Play / Apple App Store — distribute the mobile app. They may collect download metrics under their own policies.

4. Data sharing

We share personal data only with:

• The service providers listed above, strictly to provide the Service to you.
• Other users you explicitly invite to a shared expense list. They can see expenses you add to that list.
• Authorities, if required by valid legal process.
• An acquirer or successor entity, if Kashend is sold or merges with another company. We will notify you in advance.

We do not sell your personal information.

5. Data retention

• Your account and associated data are retained until you delete your account.
• You can permanently delete your account from Settings → Delete Account in the app. Deletion is immediate and cascades to all your expenses, owned lists, budgets, and chat history.
• Server logs are retained for up to 30 days.
• Backups containing residual data may persist for up to 30 days after deletion before being overwritten.

6. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data — edit it directly in the app, or contact us.
• Delete your data — use the Delete Account option in Settings.
• Export your data — use the CSV / PDF export feature in Settings.
• Object to certain processing or withdraw consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at privacy@kashend.com.

7. Children's privacy

Kashend is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.

8. International data transfers

Data may be processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers. We rely on standard contractual clauses and other safeguards where required.

9. Security

• Passwords are hashed with bcrypt (we never store them in plain text).
• Network traffic uses HTTPS / TLS.
• JWT tokens have configurable expirations and can be revoked by signing out.
• We perform regular security audits of our codebase.

No system is perfectly secure. You're responsible for keeping your password and devices safe.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be announced in-app or by email.

11. Contact us

Questions about this policy? Email: privacy@kashend.com
General: support@kashend.com