Privacy Policy

Effective May 4, 2026

This Privacy Policy describes how CashCaptain ("we", "us", "our") collects, uses, shares, and protects your personal information when you use the CashCaptain web application and services available at cashcaptain.us (the "Service").

By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

Account information

When you create an account, we collect your email address and a hashed copy of your password. We never store your password in plain text.

Financial information (via Plaid)

When you connect a financial institution through our integration with Plaid Inc. ("Plaid"), Plaid collects credentials directly from you and returns to us:

  • Account names, types, balances, and account numbers in masked form
  • Transaction history (date, amount, merchant, category)
  • The institution name and a Plaid-issued access token

We never see or store your bank login credentials. They are handled exclusively by Plaid. Plaid's privacy practices are described at plaid.com/legal.

Usage data

We collect basic technical data when you use the Service, including IP address, browser type, and the pages you visit. We use this for security (rate-limiting, abuse prevention) and to debug issues.

2. How We Use Your Information

  • To provide the Service: showing your accounts, categorizing transactions, calculating budgets and net worth.
  • To send essential service emails (e.g. password reset).
  • To detect and prevent fraud, abuse, and unauthorized access.
  • To debug and improve the product.
  • To comply with legal obligations.

We do not sell your personal information. We do not share it with advertisers or use it for cross-site advertising.

3. How We Share Your Information

We share information only with:

  • Plaid — to maintain your bank connections and refresh transaction data.
  • Service providers we rely on to run the Service (currently: Fly.io for hosting, Microsoft 365 for transactional email, GoDaddy for domain registration).
  • Legal authorities, when required by valid legal process or to protect rights, safety, or property.
  • Successors in the event of a merger, acquisition, or sale of assets — in which case we will notify you and require the successor to honor this Policy.

4. Data Retention

We retain your account and financial data for as long as your account is active. When you delete your account through the in-app "Delete account" option, we:

  • Immediately revoke access to your linked bank accounts via Plaid's /item/remove endpoint.
  • Delete your user record and all associated transactions, accounts, budgets, categories, rules, and settings within 30 days.
  • Retain only minimal records (e.g. logs) needed to comply with legal, accounting, or fraud-prevention obligations, for as long as those obligations require.

Our full Data Retention & Disposal Policy is available at cashcaptain.us/legal/data-retention.

5. Your Rights and Choices

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Delete your account and personal data
  • Export a copy of your data
  • Opt out of any non-essential processing

To exercise these rights, use the in-app account controls or email support@cashcaptain.us. We will respond within 30 days.

California residents have additional rights under the CCPA/CPRA. We do not sell or "share" personal information for cross-context behavioral advertising.

6. Security

How we protect your data:

  • In transit: all connections use TLS 1.2 or higher; HSTS is enabled.
  • At rest: Plaid access tokens are encrypted with AES-256-GCM in our database; the database itself sits on an encrypted volume.
  • Passwords: hashed with bcrypt (cost factor 12).
  • Access: sessions are httpOnly, SameSite=Lax cookies stored as hashes; failed logins are rate-limited.

No system is perfectly secure. If we discover a security incident affecting your data, we will notify you as required by law.

7. California and Other State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights under your state's privacy law, including the rights described in Section 5 above.

Categories of personal information we collect

For CCPA disclosure purposes, in the past 12 months we have collected:

  • Identifiers: email address, IP address.
  • Customer records: bank account information (account names, balances, masked numbers, transaction history) obtained through Plaid.
  • Internet activity: log data about how you interact with the Service (pages viewed, requests made).
  • Sensitive personal information: account login credentials for CashCaptain (stored only as bcrypt hashes).

We do not sell or "share" your personal information

CashCaptain does not sell personal information for monetary or other valuable consideration. We do not "share" personal information for cross-context behavioral advertising. We do not use your data for targeted advertising on third-party platforms.

Do Not Track

We do not currently respond differently to "Do Not Track" browser signals because we do not track you across third-party sites in the first place. We use no advertising or analytics cookies.

How to exercise your rights

Use the in-app account controls (Settings → Account → Delete account for deletion) or email support@cashcaptain.us with your request. We will verify your identity using the email on your account before responding. We will not retaliate against you for exercising any of these rights.

8. Children

The Service is not intended for anyone under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact support@cashcaptain.us and we will delete it.

9. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you via email and update the "Effective" date above.

10. Contact Us

Questions about this Policy or your data?
Email support@cashcaptain.us.