cashbff legal
Privacy Policy
Summary: cashbff reads your bank transactions (read-only, through Plaid) and helps you understand your money over SMS, WhatsApp, and through AI assistants you connect. We use first-party analytics (PostHog and Sentry) that are configured to exclude the content of your messages, so we can see what works and fix bugs. We never sell or share your data, run ads, or use third-party ad trackers. cashbff finds and surfaces things, and only you act on them. We never move, pay, or transfer your money. You can disconnect your bank anytime, and you can ask us to delete your data anytime (we take care of it within 30 days).
1. What We Collect
We collect only what we need to run cashbff:
- Account and contact info: your phone number (used for one-time-passcode sign-in) and first name. Some sign-up flows also collect your email address, last name, and date of birth (your date of birth is used to confirm you are at least 18 and, where applicable, to help verify your identity).
- Messages you send us: the texts you send over SMS and WhatsApp, and requests sent through any AI assistant you connect (see Section 4). How we handle message content is explained in Section 6.
- Bank transaction data, read-only through Plaid: transaction dates, merchant names, amounts, categories, and account balances. Plaid connects to your bank with a read-only Transactions scope (the permission Plaid uses to read your transactions).
- Payment info: when you subscribe to the paid "Talk" plan, payments are handled by Stripe. Stripe processes your card details. We do not store your full card number.
We do not collect your bank login credentials, passwords, full bank account numbers, or Social Security number. Plaid handles the connection to your bank, so we never see your bank login.
2. How We Use Your Data
We use your information to run cashbff and to make it better:
- Answer your questions and respond to what you send us over SMS, WhatsApp, or a connected AI assistant.
- Find and surface insights: detect recurring subscriptions and bills from your transaction patterns, categorize and summarize your spending, and infer general lifestyle traits to personalize what we tell you.
- Support actions you confirm: for example, set savings goals, schedule reminders and expected income or expenses, add notes to a transaction, flag transactions as reimbursable, and confirm recurring bills we detect. cashbff finds and surfaces things, and you decide and confirm. cashbff does not move, pay, or transfer your money, and it cannot act on a financial change without your explicit confirmation.
- Improve the product and do research: we study spending patterns and feature usage to understand what is working and make cashbff better. We do this on aggregated or de-identified data (data stripped of details that point to you) wherever the question allows: for example, learning that a share of users have a coffee subscription, rather than pointing at any one person. In the future, we may share what we learn from this research in aggregated or de-identified form (numbers and patterns that cannot identify you). If we ever want to use or share research in a way that could identify you, we will ask for your consent first.
We do not use your personal or financial data to train any artificial-intelligence model of our own. The AI provider that processes your messages on our behalf (see Section 4) states that, under its API terms, it does not train its models on this data by default.
3. How You Reach cashbff (Your Channels)
You can use cashbff through more than one channel, and this policy covers all of them. The channel you use does not change your data rights.
- SMS, through Twilio.
- WhatsApp, through the Meta WhatsApp Cloud API.
- Connected AI assistants, through a secure data-access connection you set up (see Section 4). An AI assistant you connect, such as Claude, can read your money data and perform the same actions described in Section 2 that you confirm first (for example, set goals, schedule reminders, add transaction notes, mark reimbursables, confirm recurring bills). These actions still require your confirmation, and the assistant cannot move, pay, or transfer money.
4. Third-Party Services We Rely On
We use a small set of vendors to run cashbff. Each one processes data on our behalf, under contract, to deliver the service. They are not permitted to use your data for their own purposes.
- Plaid: read-only bank access (Transactions scope). Plaid access tokens are encrypted at rest. Plaid processes your data under its own End User Privacy Policy (plaid.com/legal). You can review and revoke your Plaid connections at any time at my.plaid.com.
- Twilio: delivers SMS.
- Meta (WhatsApp Cloud API): delivers WhatsApp messages.
- Anthropic (Claude): processes your message context and aggregated spending data to generate responses. We never send raw full account numbers or stored access tokens. Anthropic states that, under its API terms, it does not train its models on this data by default.
- AI-assistant connection: when you connect an AI assistant, it accesses your money data through a connection scoped to your account, with the action limits described in Section 3.
- Supabase: our database (Postgres), where your account, transaction, and related data are stored.
- Stripe: processes payments for the paid "Talk" plan and retains payment history under its own policy.
- PostHog and Sentry: our first-party analytics and error monitoring (see Section 5).
We process and store your data in the United States.
We do not sell, rent, or share your personal or financial data with anyone for their own purposes. Ever. The vendors above are service providers, which is different from selling or sharing.
Sharing aggregated or de-identified research findings that cannot identify you (see Section 2) is not selling or sharing your data, and we will never present research in a way that points back to you.
5. Analytics and Monitoring (No Ad Trackers)
To see what is working and fix bugs, we use two first-party tools, both configured to exclude the content of your messages:
- PostHog (product analytics), configured in privacy mode. It captures usage events and per-message AI cost, tokens, and latency. It is configured not to capture the content of your messages.
- Sentry (error monitoring), with sensitive data scrubbed. We redact sensitive data such as balances, access tokens, and phone numbers before error reports are sent to Sentry.
We do not use third-party advertising trackers, Google Analytics, ad pixels, or cross-site tracking cookies. We have no ads.
6. How We Handle Your Messages
We process your conversations to generate responses, and we send your message context to our AI provider to do that (see Section 4). How we store messages can differ by channel and may change as the Service evolves. For example, SMS message bodies are stored so we can keep context across your conversation. We may also store WhatsApp message content to provide and improve the Service. Where a message is only processed in the moment, we still keep a message identifier to avoid duplicates.
Our team does not routinely read the content of your messages. Today, our team is the founder. A member of our team may access message content where needed to support you or resolve a problem, to study how the Service is used so we can improve it (product improvement and research), to investigate abuse or security issues, to comply with law or legal process, or with your consent.
7. Data Security
We treat your financial information as sensitive and maintain administrative, technical, and physical safeguards designed to protect it. Practical steps we take include:
- Plaid access tokens are encrypted at rest using AES-256-GCM.
- Bank link tokens are single-use and are nullified after your bank connects.
- Incoming webhooks are validated by signature.
- We apply per-user rate limiting.
- We scope every request to your account, so the Service works on your own data.
No method of storage or transmission is perfectly secure, and we cannot guarantee absolute security.
8. Data Retention
We keep your data while your account is active and while you use the service. We retain each type of data only as long as we need it for the purpose we collected it: account and contact info and transaction data for as long as your account is active; message content for as long as needed to provide context and operate the service; and analytics and error data on a rolling basis. When you disconnect your bank, we remove the related Plaid access token and the cached transactions tied to it. You can ask us to delete your data at any time, and we take care of it within 30 days (see Section 9). We may retain limited information where the law requires it, to complete transactions, or to prevent fraud, and routine backups age out on their own schedule. Stripe retains payment history under its own policy.
9. Your Rights and Controls
You are in control of your data, and we make it easy:
- Delete your data: email daksh@cashbff.com with the subject "Data deletion request," or text cashbff. We take care of it within 30 days.
- Disconnect your bank anytime: this removes the Plaid access token and the cached transactions. You can also revoke access directly through Plaid at my.plaid.com.
- Stop messages: reply STOP to opt out of SMS and START to opt back in. For WhatsApp, you can stop messages at any time, including through WhatsApp's own controls, or by contacting us.
Sensitive personal information. Some of what we collect is sensitive, including your financial-account and transaction data and your date of birth. We use this information only to provide and improve the Service, as described in this policy. We do not use it to infer characteristics about you beyond providing the Service, and we do not sell or share it. Because we use it only for these permitted purposes, no separate control to limit our use of sensitive personal information is required, and we honor the right regardless.
Your privacy rights. Depending on where you live, you may have the right to know and access the personal information we hold about you, to receive a copy of it (data portability), to correct it, and to delete it. You also have the right to opt out of the sale or sharing of your personal information. Because cashbff does not sell or share your personal information, there is nothing to opt out of, and we honor the right regardless. cashbff personalizes responses and detects patterns in your transactions; if you would like to ask about this automated processing, contact us using the details in Section 11.
What we collect, where it comes from, and who sees it. The personal information we collect includes identifiers (such as your phone number, name, and email), your date of birth, financial-account and transaction data through Plaid, the content of your messages, payment information through Stripe, and usage and device data through our analytics. It comes from you, from your messages, from the financial accounts you connect through Plaid, and from your use of the Service. We use it for the business purposes described in Section 2, and we disclose it for those purposes only to the service providers listed in Section 4.
How to exercise your rights. To make a request to know, access, delete, correct, or receive a copy of your information, email daksh@cashbff.com or text cashbff. We will verify your identity before acting on a request, and an authorized agent may submit a request on your behalf with proof of authorization. We respond within the time required by law (generally 45 days, which may be extended where permitted). We will not discriminate against you for exercising your rights.
Your financial data comes through Plaid and is sensitive. We handle it with care and apply the safeguards described in Section 7. cashbff is not a bank or a financial institution.
10. Changes to This Policy
We may update this policy as cashbff evolves. When we make a material change, we will update the "Last updated" date below and, where appropriate, let you know through the service. The effective date of this version is June 11, 2026.
11. Contact
Questions about your privacy? Text cashbff, or email daksh@cashbff.com. cashbff is operated by Khanna's LLC.
See also our Terms of Service.
Last updated: June 11, 2026.