Privacy Policy
Last updated: April 2026
Plain-English Summary: CashPulse collects only what it needs to run the service. We never sell your personal data to anyone. You can delete your account and all associated data at any time. We use industry-standard encryption throughout.
1 Data We Collect
We collect the following categories of information when you use CashPulse:
Account Information
- Email address — used to identify your account and send important service notifications.
- Password (hashed) — your password is never stored in plain text. We store only a one-way bcrypt hash.
- Display name (optional) — if you choose to set one.
Earnings & Financial Data
- Earnings records — the amounts, dates, app sources, and categories you manually log or import.
- Platform connection metadata — which gig/reward apps you have connected (e.g., eBay, PayPal, Swagbucks).
- OAuth tokens — access and refresh tokens issued by third-party platforms when you authorise CashPulse to read your earnings data. These are stored encrypted at rest.
- Bank connection data — if you connect a bank account via Plaid, transaction data is fetched and processed in accordance with Plaid's privacy policy. We store only the data necessary to provide the service.
Usage & Technical Data
- Log data — IP address, browser type, pages visited, timestamps, and error information for debugging and security monitoring.
- Device information — browser version, operating system, and screen size for compatibility purposes.
- Analytics — aggregated, anonymised usage patterns to improve the product (feature usage, session duration). We do not track individual user journeys for advertising purposes.
Payment Information
We do not store payment card details on our servers. All payment processing is handled by Stripe, a PCI-DSS Level 1 compliant provider. We store only a Stripe Customer ID and subscription status.
2 How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the CashPulse service | Contractual necessity |
| Authenticate your identity and secure your account | Contractual necessity / Legitimate interest |
| Process subscription payments via Stripe | Contractual necessity |
| Send transactional emails (password reset, receipts) | Contractual necessity |
| Product analytics and improvement | Legitimate interest |
| Detect and prevent fraud or abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We never sell your personal data. We do not share your data with advertisers, data brokers, or any third party for marketing purposes.
3 Third-Party Services
CashPulse integrates with the following third-party services. Each operates under its own privacy policy and data-processing terms.
Stripe (Payments)
We use Stripe to process subscription payments. When you add a payment method, your card details go directly to Stripe and are never transmitted to our servers. We receive a tokenised reference and subscription status only. Stripe may collect device fingerprint and fraud-detection data as described in their privacy policy.
Plaid (Bank Connections)
We use Plaid to securely connect your bank account. Plaid acts as a data processor on your behalf; they authenticate directly with your bank and return transaction data to us. Your bank credentials are entered into Plaid's interface and are never visible to CashPulse. You may revoke Plaid access at any time in your account settings.
Platform OAuth Integrations
When you connect platforms such as eBay, PayPal, Swagbucks, Ibotta, or others, you are redirected to that platform's OAuth authorisation screen. Upon granting access, the platform issues us an access token scoped to read earnings data. We store this token encrypted at rest and use it solely to fetch your earnings on your behalf. You may disconnect any platform at any time from your account settings, at which point we delete the associated token.
Hosting & Infrastructure
CashPulse is hosted on Railway (infrastructure provider). Server logs and database data reside on Railway's infrastructure, which is located in the United States. Railway's privacy policy applies to infrastructure-level data handling.
Transactional emails (account verification, password reset, receipts) may be sent via a third-party email delivery provider. Your email address is shared with this provider solely for the purpose of sending these messages.
4 Cookies & Sessions
CashPulse uses a minimal set of cookies that are strictly necessary for the service to function.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| cashpulse_token | JWT authentication token — keeps you logged in | httpOnly, Secure, SameSite=Strict | 7 days (refreshed on activity) |
| cashpulse_session | Session state for OAuth flows | httpOnly, Secure, SameSite=Lax | Session (cleared on browser close) |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. There is no cookie consent banner because we only set strictly necessary cookies.
httpOnly & Secure flags: Auth cookies are set with HttpOnly (inaccessible to JavaScript, mitigating XSS attacks) and Secure (transmitted only over HTTPS). This is an industry best-practice security measure.
5 Data Security
We implement multiple layers of security to protect your data:
- Password hashing — passwords are hashed using bcrypt with a work factor of 12 or higher before storage. Original passwords are never persisted.
- HTTPS everywhere — all data in transit between your device and our servers is encrypted using TLS 1.2 or higher.
- Token encryption — OAuth access tokens and other sensitive credentials are encrypted at rest using AES-256 before being written to the database.
- httpOnly cookies — authentication tokens are stored in httpOnly cookies, preventing JavaScript access and reducing XSS risk.
- Rate limiting — login and sensitive endpoints are rate-limited to mitigate brute-force attacks.
- Input validation & parameterised queries — all user input is validated and sanitised; database queries use parameterised statements to prevent SQL injection.
- Principle of least privilege — OAuth scopes requested from third-party platforms are limited to the minimum required to read earnings data.
Despite our best efforts, no method of internet transmission or electronic storage is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities in accordance with applicable law.
6 Data Retention & Deletion
We retain your data only as long as necessary to provide the service and meet legal obligations.
| Data Type | Retention Period |
|---|---|
| Account & profile data | Until account deletion, then immediately purged |
| Earnings records | Until account deletion (cascades automatically) |
| OAuth tokens | Until platform disconnected or account deleted |
| Payment history (invoices) | 7 years (legal / tax compliance requirement) |
| Server logs | 30 days, then automatically rotated |
| Anonymised analytics | Up to 2 years (no personal identifiers) |
Account Deletion
You can delete your account at any time from Settings → Account → Delete Account. Deletion is permanent and immediate. All personal data, earnings records, linked platform connections, and associated OAuth tokens are removed via cascading database deletion. The only data retained post-deletion is billing history required for legal compliance, and anonymised aggregate analytics that contain no personal identifiers.
Data Export
Before deleting your account, you can export all of your earnings data in CSV or JSON format from Settings → Export Data. This export includes all earnings records, categories, and linked platform history.
7 Children's Privacy
CashPulse is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@cashpulse.app and we will promptly delete that information.
By creating an account, you represent that you are at least 13 years of age (or the applicable minimum age in your jurisdiction). Users in the European Union must be at least 16 years old, or have verifiable parental consent, to use the service.
8 GDPR & Your Rights (EU/EEA Users)
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
- Right to access — you can request a copy of all personal data we hold about you. We will provide this within 30 days.
- Right to rectification — you can correct inaccurate data directly in your account settings, or request correction for data you cannot edit yourself.
- Right to erasure ("right to be forgotten") — you can delete your account at any time to have your personal data removed. You may also request deletion of specific data points by contacting us.
- Right to data portability — you can export your earnings data in machine-readable format (CSV/JSON) at any time from your account settings.
- Right to restrict processing — you can request that we temporarily stop processing your data in certain circumstances.
- Right to object — you can object to processing based on legitimate interest, including any profiling.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@cashpulse.app. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national data protection authority in the EU).
Data transfers: CashPulse infrastructure is located in the United States. If you access the service from the EU/EEA, your data is transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and/or other lawful transfer mechanisms to ensure adequate protection.
9 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know — you have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
- Right to delete — you have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct — you have the right to request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information with third parties for cross-context behavioural advertising. There is nothing to opt out of.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.
- Right to limit use of sensitive personal information — we only use sensitive personal information (such as financial data) to the extent necessary to provide the service.
To exercise your California privacy rights, please contact us at support@cashpulse.app. We will respond to verifiable consumer requests within 45 days.
In the preceding 12 months, we have not sold any personal information to third parties, and we have not disclosed personal information to third parties for their own direct marketing purposes.
10 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to registered users if the changes are significant.
- Display an in-app notice for at least 30 days after material changes.
Your continued use of CashPulse after changes become effective constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
11 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@cashpulse.app
- Response time: We aim to respond to all privacy-related inquiries within 5 business days.
For GDPR-related requests, you may also contact us using the subject line "GDPR Request". For CCPA requests, use "CCPA Request".
Also see our Terms of Service.