The short version:
your card data stays on your phone.

KasCash (“the app,” “we,” or “us”) is a credit-card tracker for iPhone and Android. One screen for every card you own, every statement, every due date. Operated independently from Manila, Philippines.

This Privacy Policy applies to the KasCash iOS app on the App Store and the KasCash Android app on Google Play. The website at kascashearly.vercel.app is a marketing page only and does not collect personal information beyond what your browser sends to any website.

Whatever the sign-in option you choose hands us — and nothing more.

Sign-in option	What we receive	Why
Continue with Google	Your Google email, display name, and a unique Google account ID.	So we know it’s you on each return visit, and your data stays separate from anyone else who signs in on the same device.
Continue with Apple	A unique Apple user ID, plus — only the first time you sign in — your name and an email address (either your real one or Apple’s private relay address if you choose “Hide My Email”).	Same reason as Google. If you used Hide My Email, we never see your real address, and we don’t try to.
Continue as guest	A random anonymous ID generated by Firebase. No name, no email.	Lets you use the app without sharing anything personal.

That’s the full list of identifying information. We do not collect your phone number, address, location, contacts, photo library, browsing history, or device advertising IDs.

To know whether the app is working — which screens crash, which features get used — we send a small stream of pseudonymous usage events to Google Firestore, tied to your Firebase account ID and nothing else.

What goes in	What doesn’t
Event name (e.g. app_open, card_added, tx_logged, reminder_fired)	Your name, email, or any other identifier outside the random Firebase ID
Timestamp of the event	Card numbers, last 4, bank names, nicknames
App version and platform (ios or android)	Balances, credit limits, statement days, due days
Success or error code (so we can fix bugs)	Transaction amounts, merchants, memos, notes

Firestore security rules enforce that each account can only write to its own anonymous event bucket. No one — including us — can read another user’s events.

Everything you type into KasCash, plus everything the app calculates from it, lives in encrypted storage on your phone. It’s not uploaded, mirrored, or backed up to any server we control.

Information	What it covers
Card metadata	Bank, nickname, last 4, expiry, network, credit limit, current balance, statement day, due day, color, notes
Transactions	Payments, purchases, and fees you record yourself
Reminder preferences	Which reminders are on for which card
App settings	Theme, accent color, display preferences, biometric lock
Profile photo	Optional. Saved to your device’s sandboxed storage. Never uploaded.

Storage is encrypted using your operating system’s native secure storage (iOS Keychain on iPhone, the Android Keystore equivalent on Android). Turn on the biometric app lock in Settings and the app demands Face ID, Touch ID, or your device passcode before any of this is decrypted.

Designed out of the app on purpose:

• Full card numbers. Last 4 digits only. There’s no field in the app to enter the rest.
• CVV / card verification codes. Never asked. Never stored.
• Bank login credentials. We don’t connect to your bank. No Plaid, no Yodlee, no MX, no aggregator of any kind. Your bank password never touches this app.
• Location. We don’t ask for it.
• Contacts or address book. We don’t ask for it.
• Your photo library. Beyond a profile picture you pick yourself — which stays on your device.
• Advertising IDs. We don’t track you across other apps or sites.
• Spending or behavioral profiles. No analytics build a picture of you.

The Google account info or anonymous session ID we receive does one job: it lets the app recognize you across sessions and keep your data attached to the right account on the right device.

Anonymous usage events do one job too: they tell us which screens crash, which features are getting used, and which paths to invest in. That’s it.

We don’t:

• Send marketing emails to your Google address
• Share your account ID with advertisers or data brokers
• Build a profile of your spending, card mix, or financial habits
• Sell, rent, or barter any of this information — under any circumstances

A small set, each with a specific job. None of them see your card data.

Service	Role	What it sees
Google Sign-In	Verifies your identity when you tap “Continue with Google”	Your Google email, name, and account ID. Governed by Google’s Privacy Policy.
Sign in with Apple	Verifies your identity when you tap “Continue with Apple”	Your Apple user ID, plus name and email on first sign-in (subject to your “Hide My Email” choice). Governed by Apple’s Privacy Policy.
Firebase Authentication	Issues a session token after sign-in (Google, Apple, or anonymous)	The identifier above. Nothing else. Firebase Privacy.
Google Firestore	Stores the anonymous usage events from section 03	Event name, timestamp, app version, platform. Keyed to your Firebase ID. No user-entered values, ever.
App Store & Google Play	Distribute the app, report installs and crashes	Whatever Apple and Google show developers in their consoles — aggregated, not user-identifying.

The marketing site at kascashearly.vercel.app is a static page served from Vercel. It doesn’t take logins or collect form data beyond what your browser sends to any website.

Three layers, in priority order:

• On-device encryption. Card data is written to your operating system’s secure storage (iOS Keychain, the Android Keystore equivalent). The encryption keys belong to the device and are tied to your unlock credentials.
• Per-account isolation. Each account’s local data lives under its own keyed namespace. Switch accounts and you get a fresh, empty app.
• Biometric app lock (optional). Turn it on in Settings and Face ID, Touch ID, or your passcode is required every time the app opens — before any data is decrypted.

Authentication runs against Google’s and Firebase’s production infrastructure over TLS, with short-lived session tokens.

Found a security issue? Email kascashapp.ph@gmail.com. We respond within 72 hours.

Most of your data lives on your phone, so most of your controls do too:

• Access. Everything the app holds is visible inside the app. There’s no hidden cloud copy of your card data to request.
• Export. To request a copy of your data, email kascashapp.ph@gmail.com — we’ll walk you through exporting it. A built-in download option is planned for a future update.
• Correct. Tap any card or transaction to edit it.
• Delete. Uninstalling the app wipes all on-device data. Signing out clears the same data and revokes the local session.
• Delete telemetry too. Email kascashapp.ph@gmail.com with your account email and we’ll erase the anonymous events associated with your Firebase ID.
• Revoke Google access. Open Google Account Permissions any time to disconnect KasCash from your Google account.
• Revoke Apple access. On your iPhone, open Settings → [Your Name] → Sign in with Apple → KasCash → Stop using Apple ID. The app also offers a “Delete my account” option that does the same thing in-app, as Apple requires.
• Disable notifications. Settings → Notifications → KasCash on your device.

If you’re in the EU, UK, California, or another jurisdiction with additional rights (access, rectification, erasure, portability, restriction, objection), email kascashapp.ph@gmail.com. We respond within 30 days.

KasCash is intended for users who are at least 16 years old and legally able to hold a credit card. We don’t direct the app at children under 13 and don’t knowingly collect anything from anyone under that age. If you’re a parent or guardian and you believe your child has used the app, get in touch and we’ll help you delete the account.

KasCash is operated from the Philippines. The identity information processed by Google Sign-In and Firebase, plus the anonymous usage events in Firestore, may be handled on Google’s servers in the United States, the European Union, or other regions where Google operates — under Google’s own contractual data-transfer safeguards.

Your use of KasCash is subject to this policy. Users in jurisdictions requiring explicit consent for cross-border data transfers may contact us to exercise those rights.

When something material changes, we will:

• Update the Effective and Last updated dates at the top of this page
• Bump the Version
• Show a one-tap notice inside the app the next time you open it

Minor edits (typos, clarifications, dead-link fixes) bump the Last updated date but don’t trigger an in-app notice.

Questions, requests, security disclosures, or feedback on this policy — one inbox handles all of it during early access:

kascashapp.ph@gmail.com

We read every message. If you don’t hear back within 7 days, please try again — yours didn’t reach us.