Privacy Policy
Effective June 12, 2026
This Privacy Policy describes how CashCaptain ("we", "us", "our"), operated by Corepass, collects, uses, shares, and protects your personal information when you use the CashCaptain web application and services available at cashcaptain.us (the "Service").
By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
Account information
When you create an account, we collect your email address and a hashed copy of your password. We never store your password in plain text. If you enable text alerts, we also collect the mobile phone number you provide.
Financial information (via Plaid)
When you connect a financial institution through our integration with Plaid Inc. ("Plaid"), Plaid collects credentials directly from you and returns to us:
- Account names, types, balances, and account numbers in masked form
- Transaction history (date, amount, merchant, category)
- The institution name and a Plaid-issued access token
Plaid may also collect from you, on our behalf, your login credentials, full account and routing numbers, credit limits, and device data (including IP address, time zone, and hardware model). We never see or store your bank login credentials. They are handled exclusively by Plaid. Plaid's handling of your data is governed by Plaid's own End User Privacy Policy, which controls what Plaid does with your data and is available at plaid.com/legal. This Privacy Policy governs only what CashCaptain does with the data Plaid passes to us.
Usage data
We collect basic technical data when you use the Service, including IP address, browser type, and the pages you visit. We use this for security (rate-limiting, abuse prevention) and to debug issues.
2. How We Use Your Information
- To provide the Service: showing your accounts, categorizing transactions, calculating budgets and net worth.
- To power the in-app AI assistant when you choose to use it (see Section 3).
- To send essential service emails (e.g. password reset) and, if you opt in, text alerts.
- To detect and prevent fraud, abuse, and unauthorized access.
- To debug and improve the product.
- To comply with legal obligations.
We do not sell your personal information. We do not share it with advertisers or use it for cross-site advertising.
3. AI Assistant and Automated Processing
CashCaptain offers an optional in-app AI assistant that can answer questions about your finances (for example, "how much did I spend on dining last month?"). When you send a message to the assistant, the relevant portions of your financial data needed to answer your question — such as transactions, balances, budgets, and recurring charges — are sent to our AI provider, Anthropic, PBC, which operates the Claude models that generate the assistant's responses.
- The AI assistant is opt-in — your data is sent to Anthropic only when you actively use it.
- Anthropic processes this data as our service provider/subprocessor, solely to return a response to you, and does not use it to train its models under our commercial API terms.
- We do not use the AI assistant to make automated decisions that produce legal or similarly significant effects about you. Its output is informational only and is not financial, investment, tax, or legal advice.
Anthropic's privacy practices are described at anthropic.com/legal/privacy.
4. How We Share Your Information
We share information only with:
- Plaid — to maintain your bank connections and refresh transaction data.
- Anthropic, PBC — to power the optional AI assistant, only when you use it (see Section 3).
- Service providers we rely on to run the Service (currently: Fly.io for hosting, Microsoft 365 for transactional email, Twilio for text messages if you opt in, GoDaddy for domain registration). These providers act on our behalf and are bound to protect your information.
- Legal authorities, when required by valid legal process or to protect rights, safety, or property.
- Successors in the event of a merger, acquisition, or sale of assets — in which case we will notify you and require the successor to honor this Policy.
We do not sell or rent your personal information to marketers or any other third party, and we do not share it for cross-context behavioral advertising.
5. Cookies and Tracking Technologies
We use a single essential, first-party cookie to keep you signed in (an httpOnly session cookie). It is strictly necessary for the Service to function and cannot be turned off without logging you out.
We do not use advertising cookies, third-party analytics cookies, cross-site trackers, or web beacons, and we do not allow third parties to track you across other sites through the Service.
6. SMS / Text Message Program
If you opt in, CashCaptain may send you account and informational text messages (SMS) about your own finances — such as budget alerts, bill and payment reminders, unusual-activity notices, and progress updates. We send these only after you provide your mobile number and check the opt-in box in the Service; consenting to texts is never a condition of using CashCaptain.
- Message frequency varies based on your account activity.
- Message and data rates may apply.
- Reply STOP to any message to opt out at any time, or HELP for help.
We do not share or sell your mobile phone number or your SMS consent with any third parties or affiliates for their marketing or promotional purposes, and no mobile information is shared with third parties for those purposes. Your number is used solely to deliver the messages you opted into, including through our messaging service provider (e.g., Twilio) acting on our behalf to transmit them. You can withdraw consent any time by replying STOP or turning off text alerts in your settings.
7. Financial Privacy (GLBA)
Because CashCaptain handles financial information, we may be treated as a "financial institution" under the federal Gramm-Leach-Bliley Act ("GLBA"). To the extent the GLBA applies, the following summarizes how we treat your nonpublic personal financial information ("NPI"):
- What we collect: the account, financial, and usage information described in Section 1 (including information you give us and information we receive from your financial institutions through Plaid).
- Why and with whom we share: we share NPI only as described in Section 4 — to operate the Service through the providers listed there, to power the opt-in AI assistant, as required by law, or in connection with a business transfer. We do not share your NPI with nonaffiliated third parties for them to market to you, and we do not share it with affiliates for their marketing.
- Your opt-out: because we do not share your NPI with nonaffiliated third parties for purposes that would trigger a federal opt-out right, no opt-out is required for you to limit such sharing. If this ever changes, we will notify you in advance and give you a reasonable way to opt out before any such sharing occurs.
- How we protect it: see Section 10 (Security).
We will notify you of changes to our information-sharing practices as required by law. If, in the future, we become subject to annual privacy-notice obligations, we will provide those notices as required.
8. Data Retention
We retain your account and financial data for as long as your account is active. When you delete your account through the in-app "Delete account" option, we:
- Immediately revoke access to your linked bank accounts via Plaid's /item/remove endpoint.
- Delete your user record and all associated transactions, accounts, budgets, categories, rules, and settings within 30 days.
- Retain only minimal records (e.g. logs) needed to comply with legal, accounting, or fraud-prevention obligations, for as long as those obligations require.
Our full Data Retention & Disposal Policy is available at cashcaptain.us/legal/data-retention.
9. Your Rights and Choices
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate information
- Delete your account and personal data
- Export a copy of your data
- Opt out of any non-essential processing
To exercise these rights, use the in-app account controls or email support@cashcaptain.us. We will respond within 30 days.
California residents have additional rights under the CCPA/CPRA. We do not sell or "share" personal information for cross-context behavioral advertising.
10. Security and Breach Notification
How we protect your data:
- In transit: all connections use TLS 1.2 or higher; HSTS is enabled.
- At rest: Plaid access tokens are encrypted with AES-256-GCM in our database; the database itself sits on an encrypted volume.
- Passwords: hashed with bcrypt (cost factor 12).
- Access: sessions are httpOnly, SameSite=Lax cookies stored as hashes; failed logins are rate-limited.
No system is perfectly secure. If we discover a security incident that affects the confidentiality, integrity, or availability of your personal information, we will notify you and any applicable regulators without undue delay and within the timeframes required by applicable law.
11. California and Other State Privacy Rights
If you are a resident of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under your state's privacy law, including the rights described in Section 9 above.
Categories of personal information we collect
For CCPA disclosure purposes, in the past 12 months we have collected:
- Identifiers: email address, mobile phone number (if you opt in to texts), IP address.
- Customer records: bank account information (account names, balances, masked numbers, transaction history) obtained through Plaid.
- Internet activity: log data about how you interact with the Service (pages viewed, requests made).
- Sensitive personal information: account login credentials for CashCaptain (stored only as bcrypt hashes) and financial account information. We use sensitive information only to provide the Service you requested and do not use it to infer characteristics about you.
We do not sell or "share" your personal information
CashCaptain does not sell personal information for monetary or other valuable consideration. We do not "share" personal information for cross-context behavioral advertising. We do not use your data for targeted advertising on third-party platforms.
Do Not Track
We do not currently respond differently to "Do Not Track" browser signals because we do not track you across third-party sites in the first place. We use no advertising or analytics cookies.
How to exercise your rights
Use the in-app account controls (Settings → Account → Delete account for deletion) or email support@cashcaptain.us with your request. We will verify your identity using the email on your account before responding. We will not retaliate against you for exercising any of these rights.
12. International Users and Data Transfers
CashCaptain is operated in, and intended for users in, the United States. We do not target the Service to users outside the United States. If you access the Service from outside the United States, your information will be processed and stored in the United States, where data-protection laws may differ from those in your location. By using the Service, you consent to that processing.
13. Children
The Service is not intended for anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact support@cashcaptain.us and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you via email and update the "Effective" date above.
15. Contact Us
Questions about this Policy or your data?
Email support@cashcaptain.us.