Privacy Policy
Last updated: April 7, 2026
1. What Data We Collect
Kaching processes the following data on your device only:
- SMS messages — only from recognized bank senders (Android only)
- App notifications — only from apps you whitelist (Android only)
- Emails — scanned via IMAP on your device for transaction receipts (Pro feature)
- Manual entries — amounts, merchants, categories you type or paste
Personal SMS, social media messages, and non-financial notifications are never read.
2. How Data Is Processed
All parsing — amount extraction, merchant identification, category assignment — happens entirely on your device. No transaction text is sent to any server for parsing.
Original raw text (SMS body, notification content) is automatically deleted after 24 hours. Only structured data (amount, merchant, category, date) is retained.
3. What We Do NOT Collect
- We do not collect analytics or usage telemetry
- We do not use advertising SDKs or tracking pixels
- We do not sell, share, or transfer your financial data to third parties
- We do not have access to your transaction data unless you opt in to cloud sync
4. Email Scanning (Pro Feature)
When you connect an email account, Kaching connects directly from your device to your mail provider via IMAP. Your email credentials are stored in Android Keystore (AES-256-GCM hardware-backed encryption) or iOS Keychain.
For Gmail, we use OAuth 2.0 with read-only scope — Kaching cannot send, delete, or modify your emails. For IMAP providers, your password is stored encrypted on-device and transmitted only to your own mail server.
5. Google API Limited Use Disclosure
Kaching's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Gmail data to scan for bank transaction emails — nothing else
- We do not transfer Gmail data to third parties (except as needed for AI Insights if you explicitly opt in)
- We do not use Gmail data for advertising or marketing
- A human will only read your Gmail data if you explicitly request support or give written consent
6. Cloud Sync (Ultra Feature, Opt-In)
Cloud sync is disabled by default. If you enable it:
- Your transaction data is encrypted and synced to our server
- Backups are retained for 30 days, then automatically deleted
- You can delete your cloud account and all associated data at any time
- Passwords are hashed with PBKDF2 (100,000 iterations) — we cannot see your password
7. AI Insights (Ultra Feature, Opt-In)
AI Insights is disabled by default and requires explicit consent. When enabled:
- Aggregated spending data (categories and amounts, not raw text) is sent to a cloud AI service for analysis
- A consent dialog explains this before activation
- On-device AI processing is used when available (no data leaves your phone)
- You can revoke consent at any time, which immediately stops external AI processing
8. Currency Conversion
Kaching fetches exchange rates from a public API (open.er-api.com) using a single bulk request for all currencies based on your home currency. We do not send individual transaction currencies — your spending in specific currencies is not revealed to any third party. Rates are cached locally for 6 hours.
9. Security Measures
- PIN lock — hashed with PBKDF2, 100,000 iterations
- Biometric unlock — Android fingerprint / Face ID via native APIs
- Encrypted storage — Android Keystore (AES-256-GCM) / iOS Keychain
- Certificate pinning — for cloud API connections
- No debug logging in production — sensitive data never appears in logs
10. Contact
For privacy questions or data deletion requests, contact us at:
feedback@kachingnow.com