Privacy Policy

This Privacy Policy constitutes the Notice required under Section 5 of the Digital Personal Data Protection Act, 2023 ("DPDPA") and is provided before or at the time of collecting your personal data. Cashundo ("we", "us", "our") is the Data Fiduciary under the DPDPA. By creating an account or using Cashundo, you (the Data Principal) provide free, specific, informed, unconditional, and unambiguous consent to the processing described in this notice. You may withdraw consent at any time by deleting your account. Withdrawal does not affect the legality of processing carried out before withdrawal.

We collect only what is necessary to operate the service (data minimisation principle): • Identity & Contact: Email address (for authentication and account recovery). • Profile Preferences: Display name, preferred currency, timezone, accent colour setting. • Financial Records: Transactions, accounts, balances, budgets, notes, reminders, debts, splits, and travel records that you explicitly enter. • Device & Technical: Browser type, device OS, and IP address (stored by Supabase Auth for security audit logs only; not used for profiling). • Usage Analytics: Page-view events and feature-usage counts (anonymised, non-identifiable, aggregated only). • Telegram Integration (optional): If you choose to connect your Telegram account, we collect your Telegram numeric user ID, Telegram chat ID, and Telegram username (if publicly set on your Telegram profile). This data is stored only in your Cashundo profile and is used solely to link your Telegram bot session to your account. We do NOT collect: contacts, location, camera, microphone, biometric data, or browsing history. Connecting Telegram does not give us access to your Telegram messages or chats.

We process your personal data solely for the following purposes, with the corresponding lawful basis under DPDPA: • Account Authentication - to verify your identity and secure your session. (Consent + Legitimate Interest) • Service Delivery - to power your dashboard, reports, reminders, splits, debt tracker, and all other features you use. (Consent) • Security & Fraud Prevention - to detect and respond to account-takeover attempts and unauthorised access. (Legitimate Interest / Legal Obligation) • Service Communications - to send transactional emails (e.g. email verification, password reset). (Consent + Legitimate Interest) • Service Improvement - aggregated, anonymised analytics to understand feature usage. (Legitimate Interest) • Telegram Integration Authentication - if you connect a Telegram account, your Telegram user ID and chat ID are used to authenticate Mini App requests via HMAC-signed initData, and to route bot command responses to your account. (Consent) We do not use your data for advertising, profiling, automated decision-making with legal effects, or any purpose beyond those listed above.

We act as Data Fiduciary. The Data Processors we engage are: • Supabase Inc. - Database, authentication, and file storage. Data is hosted in ap-south-1 (Mumbai, India). Supabase is bound by a Data Processing Agreement and does not sub-process your personal data for its own purposes. • Vercel Inc. - Web application hosting (edge network). Vercel processes request metadata (IP, headers) in accordance with its privacy policy. No user financial data is stored on Vercel infrastructure. • Google LLC - OAuth login only (if you use "Continue with Google"). We receive only your Google email and profile name; no financial data is shared with Google. • Telegram Messenger Inc. - if you use the Telegram integration, bot commands and Mini App interactions are routed through Telegram's infrastructure. Telegram provides a cryptographically signed payload (initData) on each Mini App request; this is used solely for authentication and is verified server-side via HMAC-SHA256. Your financial data (transactions, accounts, balances) is never transmitted to or stored by Telegram. Telegram's use of your Telegram account data is governed by Telegram's own Privacy Policy. We do not share personal data with advertisers, data brokers, analytics companies, or any other third party not listed here. We do not sell personal data.

Your primary data is stored within India (Supabase ap-south-1, Mumbai). Vercel's edge network may process HTTP request metadata outside India solely to serve the web application; this does not involve personal financial data. If you use the Telegram integration, your Telegram user ID and chat ID are stored in our India-hosted database. Telegram's own servers process your Telegram account data and bot interactions in accordance with Telegram's privacy policy, which may involve servers outside India. Cashundo does not control or influence Telegram's data residency. When the Central Government of India notifies countries under DPDPA Section 16 for the purposes of cross-border transfers, we will ensure all transfers comply with those provisions and any Rules prescribed thereunder.

• Active account data: Retained for the duration your account is active. • Soft-deleted records (Trash): Retained for 30 days, then permanently and automatically purged. • Account deletion: Upon account deletion, all personal data - including database records and authentication data - is permanently erased within 24 hours. This action is irreversible. • Anonymised aggregates: Non-identifiable statistics (e.g. total user counts) may be retained indefinitely for service monitoring. • Security logs: Authentication audit logs are retained for up to 90 days for security purposes, after which they are automatically deleted. As required by DPDPA Section 8(7), we erase personal data as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served.

Cashundo is not directed at children under the age of 18. We do not knowingly collect or process personal data of minors without verifiable parental consent, as required under Section 9 of the DPDPA. If you are under 18, you must obtain consent from your parent or guardian before using Cashundo. If we become aware that we have collected personal data from a child without appropriate consent, we will delete it promptly. We do not undertake behavioural monitoring of children or serve targeted advertising to any user.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction: • Encryption at rest: AES-256 (managed by Supabase Postgres infrastructure). • Encryption in transit: TLS 1.3 on all API calls and web traffic. • Database access control: Row-Level Security (RLS) enforced at the Postgres level - no query can return another user's rows. • Authentication: JWT tokens with configurable expiry, bcrypt-hashed passwords. • No plain-text storage: Passwords and sensitive fields are never stored in plain text. • Vendor security: Supabase maintains SOC 2 Type II compliance. • Telegram initData verification: All requests from the Telegram Mini App (telegram.cashundo.in) are authenticated by verifying Telegram's HMAC-SHA256 signed initData payload against the bot token server-side. Requests with invalid or missing signatures are rejected. Link codes used to connect Telegram accounts are rate-limited (max 5 attempts per 15 minutes) and expire after use.

In the event of a personal data breach that is likely to cause harm to you, we will: 1. Notify the Data Protection Board of India as required under Section 8(6) of the DPDPA. 2. Notify affected Data Principals (users) at the email address on their account within the timeframe prescribed by the Board. 3. Provide details of the breach, its nature, the data affected, the likely consequences, and the measures taken to address it. To report a suspected security vulnerability or breach, email: cashundo.in@gmail.com immediately.

Under Chapter III of the DPDPA, you have the following rights, which you can exercise at any time: Right to Access Information (Section 11): You can view and export all your personal data from the app's Export page at any time. Right to Correction & Erasure (Section 12): You can correct any inaccurate personal data directly within the app (edit any record). You can erase your data using Settings → Clear Data or by deleting your account. Right to Grievance Redressal (Section 13): If you believe your rights under the DPDPA have been infringed, you may file a complaint with our Grievance Officer (see Section 12 below or visit /legal/grievance). If unresolved, you may escalate to the Data Protection Board of India. Right to Nominate (Section 14): You may nominate another individual to exercise your rights under the DPDPA in the event of your death or incapacity. To make a nomination, contact our Grievance Officer. To exercise any of these rights, use the in-app tools or contact: cashundo.in@gmail.com

When you join a Family group: • Your display name and the summary of shared transactions you explicitly add to the group are visible to other group members. • Your individual accounts, personal transactions, notes, and reminders remain strictly private. • You can leave a family group at any time from the Family page, which immediately revokes all shared access. • The Data Fiduciary who creates a family group is responsible for obtaining consent from members before adding them.

As required by Section 8(10) of the DPDPA, Cashundo has appointed a Grievance Officer to address complaints and queries regarding personal data processing. Grievance Officer: Cashundo Team Email: cashundo.in@gmail.com Jurisdiction: India Acknowledgement: Within 48 hours of receipt. Resolution: Within 30 days of receipt (or as prescribed by Rules). For complaints that remain unresolved after 30 days, or if you are not satisfied with the resolution, you may escalate to the Data Protection Board of India once it is operational. Visit /legal/grievance for more details.

Cashundo uses browser localStorage (not third-party cookies) to store your session preferences such as timezone, accent colour, and pinned clocks. These are entirely local to your browser and are never transmitted to a third party. Supabase Auth uses a session cookie (sb-access-token) strictly for authentication - it does not track you across other websites. No third-party advertising or analytics cookies are set. For full details, see our Cookie Policy at /legal/cookie-policy.

If this privacy policy changes in a material way, you will be notified via an in-app banner on your next login before the change takes effect. The "Last Updated" date at the top of this page reflects the most recent revision. Your continued use of Cashundo after a policy change constitutes acceptance of the updated terms. If you do not agree to the updated policy, you may delete your account at any time.

For any data-related inquiry, correction request, erasure request, or complaint that cannot be handled through the in-app tools, contact us directly: Email: cashundo.in@gmail.com Subject line: "DPDPA Request - [your request type]" We respond to all legitimate requests within 48 hours (acknowledgement) and action them within 30 days. For complaints that remain unresolved, you may contact the Grievance Officer at the address above, or escalate to the Data Protection Board of India.