Privacy Policy

Last Modified: March 28, 2026 · Effective: March 28, 2026

Privacy policies aren't exactly page-turners. We get it. But they matter — especially when your financial data is involved. At CashState, we believe that feeling in control of your money should extend to feeling in control of your personal information. So we've written this policy to be as clear and honest as we can make it.

Before you dive in, here are the highlights:

  • We make zero dollars from your data. CashState is free, and we don't run ads. Your financial information is not a product we sell — not now, not ever.
  • We can't touch your money. We use read-only bank connections through SimpleFin. We can see your balances and transactions, but we physically cannot move a single cent.
  • We only collect what we need. No more, no less. If we don't need it to make CashState work for you, we don't collect it.
  • Your data is yours. Want it gone? Delete your account and we wipe everything. No 90-day waiting periods, no "we'll keep it just in case."
  • We'll always be upfront with you. If something changes about how we handle your data, you'll know about it. Transparency isn't a feature — it's how we operate.

The rest of this document gets into the specifics. It's more detailed (our lawyers insisted), but every section has a clear purpose. We'd love it if you read the whole thing, but we understand if you just needed the bullet points above.

1. Information We Collect

We collect your account info, your bank data (read-only), the budgets and goals you create, and anonymous analytics about how the app is used. That's it.

Account Information

When you sign up through Clerk (our authentication provider), we collect:

  • Your email address
  • Your first and last name
  • A unique user ID from Clerk

We don't ask for your phone number, your birthday, your social security number, or your mother's maiden name. We don't need them.

Financial Data

When you connect your bank accounts through SimpleFin, we receive read-only access to:

  • Account names, balances, and currency
  • Transaction history — amounts, dates, descriptions, and payees
  • The name of your financial institution

Let us be very clear: SimpleFin provides read-only access. CashState cannot initiate transfers, make payments, or take any action on your accounts. We look, but we don't touch.

Your SimpleFin access credentials are encrypted using AES-256-GCM before we store them. Even we can't read them in plain text.

Data You Create

As you use CashState, you'll create things like:

  • Budgets and budget line items
  • Spending categories and subcategories
  • Rules for how transactions get categorized
  • Savings goals and debt payoff targets

All of this lives in your account and is tied to your identity. Nobody else can see it.

Analytics

We use PostHog to understand how people use the app — things like which screens get visited, which features get used, and when the app launches. This helps us figure out what to build next and what to fix.

We do not collect:

  • Screen recordings
  • Precise location data
  • Keystrokes
  • Any of your financial data in analytics

Analytics events are things like "someone created a budget" or "someone viewed the goals screen." They help us make the app better without knowing anything about your finances.

Website

When you visit cashstate.app, we collect what you voluntarily submit — feedback forms, support requests, waitlist signups. We use Cloudflare Turnstile to keep bots out. We don't run any advertising scripts on our website.

2. How We Use Your Information

We use your data to run the app and make it better. We don't use it for anything else.

Things we do with your data:

  • Sync your bank accounts and show you your financial picture
  • Categorize your transactions
  • Calculate your net worth, budget summaries, and goal progress
  • Respond when you reach out to us
  • Look at anonymous usage patterns to improve the app

Things we will never do with your data:

  • Sell it to anyone. Period.
  • Use it to show you ads
  • Share it with data brokers
  • Build marketing profiles about you
  • Train AI models on your financial information
  • Let third parties browse it

We don't have a clever loophole planned. We don't have a "but we reserve the right to..." buried in paragraph 47. We just don't do these things.

3. How We Protect Your Information

Encryption everywhere, verified access on every request, and no backdoor to browse your data.

Storage

Your data lives on Convex, our backend platform. Convex provides encrypted storage and runs secure serverless functions. Your authentication is handled by Clerk, which manages sessions and tokens.

Encryption

  • Your SimpleFin credentials are encrypted at rest with AES-256-GCM
  • All data moving between your phone, our servers, and third parties travels over HTTPS/TLS
  • Your login sessions are secured by Clerk's token infrastructure

Access Control

Every API request to our backend is verified against your JWT token. If the token doesn't check out, the request is denied. We don't have an admin panel that lets us scroll through user data. Your information is accessed by you, through the app, and that's it.

4. Third-Party Services

We use a small number of trusted services to make CashState work. Here's exactly what each one does and what data it sees.

ServiceWhat it doesWhat it sees
ClerkHandles login and authenticationYour email and name
ConvexStores and processes your app dataEverything in your account (encrypted)
SimpleFinConnects to your bank accountsRead-only bank credentials
PostHogTracks anonymous app usageUsage events — no financial data
CloudflareHosts and protects our websiteStandard web traffic

We chose these services carefully. Each has their own privacy policy, and we encourage you to read them if you're curious about how they handle data on their end.

5. Data Retention

We keep your data while you use CashState. Delete your account and it's gone.

Your data stays in our system for as long as your account is active. The moment you delete your account:

  • Your user profile, bank connections, transactions, budgets, categories, goals, and everything else tied to your account is permanently deleted.
  • We don't keep a shadow copy. We don't archive it "for research." It's gone.
  • Analytics data that was already collected is anonymized — there's no way to trace it back to you.

6. Your Rights

It's your data. You're in charge.

  • See it — Everything we have is visible to you in the app, all the time.
  • Fix it — Update your name or profile info through the app's settings.
  • Delete it — Remove your entire account and all data from the Settings screen.
  • Export it — We're building data export. It's coming.

Need help with any of this? Email us at contact@cashstate.app. We'll take care of it.

7. Children's Privacy

CashState is not designed for anyone under 13. We don't knowingly collect information from children. If you believe a child has created an account, let us know at contact@cashstate.app and we'll delete it immediately.

8. United States Only

CashState is currently available only in the United States. Your data is processed and stored in the US.

9. Changes to This Policy

If we change this policy, we'll update the date at the top of this page. For significant changes, we'll make sure you know about it. Continuing to use CashState after a change means you're okay with the updated terms.

We don't plan on making this policy worse. If anything, we'll make it more transparent over time.

10. Contact Us

Questions? Concerns? Just want to say hi?

Email: contact@cashstate.app
Web: cashstate.app/support

We read everything that comes in.