Privacy Policy
Version 1.0 — Effective April 10, 2026
This Privacy Policy explains how we collect, use, and protect your information when you use Kashiko. We believe in being straightforward about our data practices.
1. Who We Are
Kashiko is operated by Andrii Semenov. If you have any questions about this policy or your data, you can reach us at support@kashiko.app.
2. What Data We Collect
We collect only the data necessary to provide you with a functional expense tracking experience.
Account Information (provided by you at registration):
- Full name — to personalize your account
- Email address — for login, account recovery, and important service communications
- Password — stored only as a secure bcrypt hash; we never store or can read your actual password
Transaction Data (provided by you when tracking expenses):
- Merchant name, amount, currency, category, date, and notes
This is entirely user-entered data. We do not connect to your bank accounts, scan receipts, or import transactions from external sources.
Subscription Information:
- Your subscription tier (free or Kashiko Plus) and its status, managed through RevenueCat and Apple
On-Device Storage:
- Authentication tokens (for keeping you logged in) are stored securely on your device
- Currency selection and theme preference are stored on your device only and are not transmitted to our servers
Data We Do NOT Collect:
- Location data, contacts, photos, camera, or microphone access
- Device advertising identifiers (IDFA) — we do not participate in ad tracking or use the App Tracking Transparency framework
- Usage analytics or behavioral tracking data
- We do not use cookies or serve ads of any kind
3. How We Use Your Data
We use your data for the following purposes only:
- Providing the service: storing your transactions, displaying your spending history, and generating insights
- Account management: authenticating your login, processing password changes, and managing your subscription
- Service communications: sending essential emails related to your account (e.g., password resets)
- Improving the service: fixing bugs and maintaining server performance
We do not use your data for advertising, profiling, or selling to third parties.
4. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we process your data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): account data, transaction data, and subscription data — necessary to provide the service you signed up for
- Legitimate interest (Art. 6(1)(f) GDPR): service communications, bug fixes, and server performance maintenance — necessary for the operation and improvement of the service
5. Third Parties & Sub-Processors
We work with a limited number of third parties to operate the App. We do not sell, rent, or trade your personal data to anyone.
- RevenueCat — manages in-app subscription processing. They receive a user identifier and subscription event data from Apple, but not your expense data, name, or email.
- Apple — processes all payments for subscriptions via In-App Purchase. We do not receive or store your payment card details.
- Railway — a US-based cloud infrastructure provider that hosts our backend servers and database in the EU (Western Europe). Railway is contractually obligated to protect your data.
Each sub-processor is bound by data processing agreements that require them to protect your data in accordance with applicable law.
6. Data Security
We take the security of your data seriously:
- Passwords are hashed using bcrypt before storage
- All data is encrypted in transit using HTTPS/TLS
- Database access is restricted and protected by authentication
- User accounts are isolated: you can only access your own data
- Authentication sessions expire automatically (access tokens after 15 minutes, refresh tokens after 30 days) and are rotated on each renewal
- Temporary server-side caches are used for performance and expire automatically; cached data is not used for any secondary purpose
No system is perfectly secure. If we discover a data breach that affects your personal information, we will notify you and applicable regulatory authorities as required by law.
7. Data Retention
- Active accounts: your data is retained for as long as your account is active.
- Transaction data: retained for the lifetime of your active account.
- Deleted accounts: when you delete your account through the App, all associated data (account information, transactions, and session data) is marked as deleted immediately and permanently purged from our systems within 30 days.
- Cached data: temporary caches expire automatically within hours and are not retained beyond their operational purpose.
8. International Data Transfers
Our servers are located in Western Europe (EU). Your data is stored and processed within the EU.
Some of our sub-processors (RevenueCat, Railway as a company) are based in the United States. Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data is protected to EU standards.
9. Your Rights
Regardless of where you live, you have control over your data:
- Correction: edit any transactions or profile information directly in the App
- Deletion: delete your entire account and all associated data from within the App
EU/EEA residents (GDPR): you additionally have the right to request access to your data, rectification, erasure, restriction of processing, data portability, and withdrawal of consent. You also have the right to lodge a complaint with your local data protection supervisory authority.
California residents (CCPA/CPRA): you have the right to know what data we collect, request deletion, and opt out of data sales. We do not sell or share your personal information as defined by the CCPA. You may also use an authorized agent to submit requests on your behalf.
To exercise any rights, contact us at support@kashiko.app. We will respond within 30 days.
10. Children's Privacy
Kashiko is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn we have collected data from a child under 16, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the version number and effective date, and notify you through the App or via email for significant changes. Your continued use of Kashiko after changes are posted constitutes acceptance.
12. Contact Us
If you have questions about this Privacy Policy or your personal data, please contact us at support@kashiko.app.