Privacy Policy
At Kasha we take your privacy seriously. This policy explains in a clear and transparent way what data we collect, why we need it and what your rights are. We do not sell your data. We do not show ads.
1. Data controller
The controller responsible for processing your personal data is the developer of the Kasha application.
| Field | Detail |
|---|---|
| Name / Entity | Kasha (independent developer) |
| Privacy email | privacy@appkasha.com |
| Website | appkasha.com |
2. Data we collect and why
Below we detail the categories of personal data the application may collect, depending on the features you use:
| Category | Specific data | Purpose | Required |
|---|---|---|---|
| Authentication | Email address, display name, profile photo (if you use Google Sign-In), unique user identifier (UID) | Create and manage your account; allow you to access from multiple devices | Yes |
| Financial data | Transactions (amount, category, date, note), accounts, budgets, shared debts, recurring transactions that you enter | Provide the personal finance management service | Yes (they are the core of the service) |
| Push notifications | Device identifier for push notifications | Send you budget alerts, reminders and shared debt notifications | No — you can deny them at any time from the system settings |
| Subscription | Premium status and subscription identifier | Manage and verify your subscription to the Premium plan | Only if you purchase Premium |
| Drive backup | Backup files generated by the app (encrypted financial data) | Store backups in your personal Google Drive account | No — optional feature enabled by you |
| Local preferences | Visual theme preference (light / dark), stored in the device's localStorage | Remember your appearance preference without needing an account | No — purely local data, not sent to servers |
| Google Wallet notifications | Information contained in notifications from the Google Wallet package (com.google.android.apps.walletnfcrel): amount, currency, merchant, approximate date/time or payment description, when available | Detect payments and help create, complete or sync financial transactions within Kasha | No — optional feature, disabled by default, available only to Premium users who voluntarily enable it |
We do not collect location data, phone contacts, browsing history or any data not listed above.
3. Legal basis for processing (GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, the processing of your data is based on:
- Performance of a contract (Art. 6.1.b GDPR): to provide the financial management service (authentication, storage of financial data, synchronization).
- Consent (Art. 6.1.a GDPR): for sending push notifications and, in the case of Premium users who voluntarily enable it, for access to Google Wallet notifications. Access to Google Wallet notifications is based on the user's express consent, as the feature is optional and requires activation from the app and authorization in Android. You can withdraw your consent at any time from the operating system settings.
- Legitimate interest (Art. 6.1.f GDPR): for the security of the service and fraud prevention.
- Compliance with a legal obligation (Art. 6.1.c GDPR): for maintaining records required by applicable regulations (for example, subscription transaction data for tax purposes).
Access to Google Wallet notifications
Kasha offers Premium users an optional feature to facilitate the recording and synchronization of financial data from Google Wallet notifications. This feature uses Android's Notification Access permission.
When you enable this feature, Kasha limits access to notifications from the Google Wallet package (com.google.android.apps.walletnfcrel). The app does not process notifications from any other application. From those notifications, it can extract information such as the amount, currency, merchant, approximate date/time or payment description, when this data is available.
Kasha does not use this permission to read private messages, emails, conversations, social media or notifications that are not related to this financial functionality. The feature is disabled by default and is only enabled if the user voluntarily enables it.
The data derived from these notifications is used to create, suggest, complete or sync financial records within the user's account in Kasha. If you have cloud synchronization enabled, those financial records may be stored and synced just like manually entered transactions. The full content of the notifications is not sold, is not shared with advertisers and is not used for advertising purposes.
You can disable this feature at any time from the app or revoke the permission from Android's settings. If you revoke the permission, Kasha will stop accessing notifications and the automatic functionality will no longer be available.
4. Service providers with access to data
Kasha uses the following third-party service providers. Each one acts as a data processor under contract and only processes the data necessary for the indicated function:
| Provider | Function | Country / Region | Privacy policy |
|---|---|---|---|
| Google (authentication and cloud storage services) | User authentication, storage of financial data, synchronization and push notifications | USA (with global facilities) | policies.google.com/privacy |
| Subscription processor | Management and verification of the Premium plan | USA | revenuecat.com/privacy |
| Google Drive API (Google LLC) | Storage of backups (only if the user enables this feature) | USA | policies.google.com/privacy |
| Google Play Store (Google LLC) | Distribution of the app on Android (does not access your financial data) | USA | policies.google.com/privacy |
We do not share your personal data with advertisers, data brokers or any third party for commercial or advertising purposes.
5. International data transfers
Some of our service providers are based in the United States. When your data is transferred outside the EEA, we make sure that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as stipulated in the data processing agreements with our providers.
- Applicable adequacy certifications or frameworks recognized by the competent regulatory authority.
You can request a copy of the applicable safeguards by writing to us at privacy@appkasha.com.
6. Data retention
| Type of data | Retention period |
|---|---|
| Account data and financial data | While the account is active. Deletion within 30 days from when you request account closure. |
| Subscription data | Up to 7 years from the last transaction, in accordance with applicable tax and accounting obligations. |
| Push notification tokens | Until you revoke the notification permission or delete your account. |
| Technical service logs | Maximum 90 days, automatically deleted by our systems. |
| Backups in Google Drive | Under the exclusive control of the user in their Google Drive account. Kasha does not manage their retention. |
| Data derived from Google Wallet notifications | Retained as part of your financial data while your account is active, or until you delete those records or request the deletion of your account. |
7. Your rights
Depending on your country of residence, you have the following rights over your personal data:
- Access (Art. 15 GDPR): obtain confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16 GDPR): correct inaccurate or incomplete data. You can do this directly in the app.
- Erasure / "right to be forgotten" (Art. 17 GDPR): request the deletion of your account and all your data.
- Restriction of processing (Art. 18 GDPR): request that we suspend the processing of your data in certain circumstances.
- Portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR): object to processing based on legitimate interest.
- Withdrawal of consent: if the processing is based on your consent (push notifications), you can withdraw it at any time without this affecting prior processing.
How to exercise your rights
Send an email to privacy@appkasha.com indicating the right you wish to exercise and your account email. We will respond within a maximum of 30 days.
To delete your account and all your data directly from the app, see our step-by-step data deletion guide.
If you believe that the processing of your data violates applicable regulations, you have the right to lodge a complaint with the competent supervisory authority in your country:
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- France: CNIL — cnil.fr
- Germany: BfDI — bfdi.bund.de
- Mexico: INAI — home.inai.org.mx
- Colombia: Superintendencia de Industria y Comercio (SIC) — sic.gov.co
- Argentina: Agencia de Acceso a la Información Pública (AAIP) — argentina.gob.ar/aaip
8. Data security
We implement the following technical and organizational security measures:
- Encryption in transit via TLS (HTTPS) in all communications between the app and the servers.
- Encryption at rest on the servers of our storage providers.
- Two-factor authentication available (6-digit PIN, Face ID, Touch ID).
- Automatic locking of the app when it goes to the background.
- Access controls that ensure each user can only read and modify their own data.
- Restricted access to the production system by the development team.
- We limit the use of the Notification Access permission to the specific purpose of detecting compatible financial notifications and we apply controls to prevent the use of this permission for unrelated purposes.
9. Children's privacy
Kasha is intended exclusively for users over 18 years of age. By using the application, you confirm that you are of legal age according to the laws of your country of residence. The use of Kasha by minors under 18 years of age is not authorized.
We do not knowingly collect personal data from minors under 18 years of age. If you are a parent or guardian and you believe that your child has used Kasha or has provided personal data without your consent, contact us at privacy@appkasha.com and we will delete that information immediately.
10. Advertising and tracking
Kasha does not show ads. We do not integrate advertising networks or marketing tracking SDKs (such as Meta Pixel, Google Ads, etc.), and we do not sell or share data for advertising purposes.
The only local storage we use is the device's localStorage to save the visual theme preference (dark/light). This is not a cookie and has no tracking purpose.
Notification access is not used for advertising, commercial profiling, marketing analytics or the sale of data.
11. Applicable regulations by region
This policy complies with the main data protection regulations of the markets where Kasha operates:
| Region | Regulation |
|---|---|
| European Union / EEA | General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 |
| United Kingdom | UK GDPR and Data Protection Act 2018 |
| Mexico | Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) |
| Colombia | Ley Estatutaria 1581 de 2012 (Habeas Data) |
| Argentina | Ley 25.326 de Protección de Datos Personales |
| Brazil | Lei Geral de Proteção de Dados (LGPD) — Lei n.º 13.709/2018 |
| USA (California) | California Consumer Privacy Act (CCPA) / CPRA |
| USA (minors) | Children's Online Privacy Protection Act (COPPA) |
12. Changes to this policy
Kasha reserves the right to modify this privacy policy at any time. Any change will be published on this page with a new "Last updated" date and will take effect from that moment.
We recommend that you review this page periodically to stay informed about how we protect your data. Continued use of Kasha after the publication of an updated version will be considered acceptance of the new terms. If you do not agree with the changes, you can stop using the application and request the deletion of your account by writing to us at privacy@appkasha.com.
13. Contact
For any query about this privacy policy, to exercise your rights or to report a possible security incident, you can contact us at:
- Privacy: privacy@appkasha.com
- General support: support@appkasha.com
- Website: appkasha.com
We are committed to responding within a maximum of 30 calendar days from the receipt of your request.