Privacy Policy

Last updated: April 9, 2026

1. What Data We Collect

Kaching processes the following data on your device only:

SMS messages — only from recognized bank senders (Android only)
App notifications — only from apps you whitelist (Android only)
Emails — scanned via IMAP on your device for transaction receipts (Pro feature)
Manual entries — amounts, merchants, categories you type or paste

Personal SMS, social media messages, and non-financial notifications are never read.

2. How Data Is Processed

Native Android and iOS apps: All parsing — amount extraction, merchant identification, category assignment — happens entirely on your device. No transaction text is sent to any server for parsing.

Web app at app.kachingnow.com: Gmail scanning requires cloud processing. When you connect Gmail on the web app, email bodies are fetched by our server and sent to Google Gemini for classification. Card numbers, account numbers and OTP codes are masked before any admin review. If you want fully on-device parsing, use the Android or iOS app instead.

Original raw text (SMS body, notification content) is automatically deleted after 48 hours. Only structured data (amount, merchant, category, date) is retained. Admin can review debug captures only for users who have explicitly turned on Send Debug Data to Server in Settings; for all other users, no raw text is viewable.

3. What We Do NOT Collect

We do not collect analytics or usage telemetry.
We do not use advertising SDKs or tracking pixels.
We do not sell, share, or transfer your financial data to third parties.
We do not have access to your raw SMS, emails, notifications, card numbers, OTP codes, or passwords.
We do not access your transaction list unless you explicitly enable Cloud Sync (Ultra).
We do not view raw email/SMS bodies unless you explicitly enable "Send Debug Data to Server" in Settings (default off).

4. Email Scanning — Two Modes

Native Android and iOS apps (default and recommended): When you connect Gmail, Outlook, or an IMAP account, Kaching connects directly from your device to your mail provider. Email credentials are stored in Android Keystore (AES-256-GCM hardware-backed) or iOS Keychain. Gmail uses OAuth 2.0 with read-only scope — we cannot send, delete, or modify your emails. Parsing runs entirely on-device. No message text reaches our server.

Web app at app.kachingnow.com: Because web browsers cannot hold Gmail OAuth tokens securely, connecting Gmail on the web app routes through our server. Email bodies are fetched server-side and a snippet (up to ~3000 characters) is sent to Google Gemini for classification. Card numbers are stripped (full-PAN never appears in bank alert bodies anyway), partial card suffixes are masked (ending ****), OTP codes are masked, and email local parts are masked before any human (including admin) can view them. Only structured fields (merchant, amount, date, category) are retained long-term. Raw body snippets are auto-deleted from the debug capture file after 48 hours. If you prefer fully on-device parsing, install the Android or iOS app instead.

5. Google API Limited Use Disclosure

Kaching's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We only use Gmail data to scan for bank transaction emails — nothing else
We do not transfer Gmail data to third parties (except as needed for AI Insights if you explicitly opt in)
We do not use Gmail data for advertising or marketing
A human will only read your Gmail data if you explicitly request support or give written consent

6. Cloud Sync (Ultra Feature, Opt-In)

Cloud sync is disabled by default. If you enable it:

Your transaction data is encrypted and synced to our server
Backups are retained for 30 days, then automatically deleted
You can delete your cloud account and all associated data at any time
Passwords are hashed with Argon2id (memory-hard) — we cannot see your password

7. AI Insights (Ultra Feature, Opt-In)

AI Insights is disabled by default and requires explicit consent. When enabled:

Aggregated spending data (categories and amounts, not raw text) is sent to a cloud AI service for analysis
A consent dialog explains this before activation
On-device AI processing is used when available (no data leaves your phone)
You can revoke consent at any time, which immediately stops external AI processing

8. Currency Conversion

Kaching fetches exchange rates from a public API (open.er-api.com) using a single bulk request for all currencies based on your home currency. We do not send individual transaction currencies — your spending in specific currencies is not revealed to any third party. Rates are cached locally for 6 hours.

9. Security Measures

PIN lock — hashed with PBKDF2, 600,000 iterations (browser Web Crypto API)
Biometric unlock — Android fingerprint / Face ID via native APIs
Encrypted storage — Android Keystore (AES-256-GCM) / iOS Keychain, SQLCipher database encryption
Hybrid encryption — RSA-4096 + AES-256-GCM for cloud API payloads
No debug logging in production — sensitive data never appears in logs

10. Data Retention

Local data — stored until you delete it or uninstall the app
Cloud data — retained for the duration of your subscription; deleted within 30 days of account deletion request
Raw text — automatically deleted after 48 hours
Export your data anytime via Settings → Export

11. Your Rights

You may at any time:

Export all your data (Settings → Export JSON / CSV)
Delete all data (Settings → Clear Data / Reset)
Disconnect email accounts (Settings → Email Accounts)
Revoke AI Insights consent (Settings → AI Insights)
Request account and data deletion by emailing: feedback@kachingnow.com

12. Children

This app is not intended for users under 13. We do not knowingly collect data from children.

13. Changes

We will notify users of material changes to this policy via an in-app notice. We will update the "Last updated" date at the top of this page.

14. Contact

For privacy questions or data deletion requests, contact us at:

feedback@kachingnow.com