Privacy Policy
// PrivacyPolicy.js
// ------------------------------------------------------------
// CashOnyx Privacy Policy — Short Scroll Version
// Effective Date: October 21, 2025
// ------------------------------------------------------------

import React, { useEffect } from "react";

const PrivacyPolicy = () => {
  useEffect(() => {
    console.log("📜 Privacy Policy loaded — scroll down to see the full version!");
  }, []);

  return (
    <div
      style={{
        color: "#d4d4d4",
        backgroundColor: "#1e1e1e",
        padding: "2rem"
      }}
    >
      <h1 style={{ color: "#ffd700", textAlign: "center" }}>
        CashOnyx Privacy Policy
      </h1>

      <p style={{ textAlign: "center" }}>
        <strong>Effective Date:</strong> October 21, 2025
      </p>

      <p>
        Hey there 👋 Welcome to <strong>CashOnyx</strong> — your financial toolkit.
        We respect your privacy and take it seriously. Below is the full policy
        (yeah, the long one 📜). It covers how we collect, use, protect, and store
        your info. TL;DR: we don’t sell your data, we encrypt everything, and you
        control what stays or goes.
      </p>

      <p
        style={{
          marginTop: "2rem",
          textAlign: "center",
          color: "#00b0ff"
        }}
      >
        ⬇️ Scroll down to read the full Privacy Policy ⬇️
      </p>

      {/* ------------------------------------------------------ */}
      {/* 🔽 Insert the full detailed Privacy Policy (Sections 1–11) below */}
      <div style={{ marginTop: "3rem" }}>
        {/*
          You can paste the expanded sections here.
          Example:
          <FullPrivacyPolicyContent />
        */}
      </div>
    </div>
  );
};

export default PrivacyPolicy;
Privacy Policy
Effective Date: October 21, 2025
Last Updated: October 21, 2025
Welcome to CashOnyx (“we,” “our,” “us”). Your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile app, website, and related services (collectively referred to as the “Services”).
1. Information We Collect
We collect various types of information from you when you use our Services. This includes information that you voluntarily provide to us, information collected automatically, and information obtained from third-party integrations or data providers.
The type and amount of data we collect depend on how you use CashOnyx, such as whether you create an account, connect financial data, subscribe to premium features, or simply browse our website.
1.1 Personal Information
When you create an account, sign in, or interact with our Services, we may collect and store certain personally identifiable information (“Personal Information”). This data helps us verify your identity, provide you with accurate financial insights, and maintain the security of your account.
We may collect the following categories of Personal Information:
Basic Identifiers
Full Name — used to personalize your account and communications.
Email Address — used for account verification, notifications, password resets, and support.
Phone Number — optional, used for multi-factor authentication (MFA), account recovery, or customer support.
Demographic and Contact Information
Date of Birth — used to determine age eligibility, perform regulatory checks (if applicable), and provide tailored financial projections (such as retirement estimates).
Residential Address — optional, used to provide location-based tax rates, cost-of-living data, and financial insights based on your state or region.
Country of Residence and State — collected to comply with legal regulations and to customize calculations for state-level taxes, insurance, or investment options.
Authentication and Security Data
Login Credentials — such as your username and password (stored securely and encrypted using industry-standard methods).
Session Tokens or Access Keys — temporary authentication tokens generated when you sign in, used to maintain secure connections with our backend servers.
Device Identifiers and Metadata — unique device IDs, browser fingerprints, or security logs that help detect unauthorized access or suspicious behavior.
Financial and Personal Data (User-Provided)
When you use CashOnyx’s financial planning tools, calculators, or portfolio analysis features, you may voluntarily enter data such as:
Income and Employment Information — including salary, bonuses, or self-employment income, used to generate cash flow and savings projections.
Expenses and Spending Patterns — including recurring costs, debts, and discretionary spending for budgeting and forecasting.
Assets and Liabilities — such as stocks, bonds, cryptocurrencies, real estate, vehicles, loans, or mortgages that you manually input or import via API integration.
Investment Details — including purchase prices, quantities, cost basis, and portfolio weights for return and risk analysis.
Retirement and Savings Goals — such as desired retirement age, contribution amounts, or long-term targets to personalize your experience.
This data is used exclusively to provide financial analytics, insights, projections, and recommendations within your account. We do not sell or share your personal or financial data with third parties for marketing or profiling purposes.
User-Generated Inputs
Any notes, labels, or annotations you add to assets, goals, or scenarios.
Uploaded documents, spreadsheets, or screenshots that you voluntarily attach to your account.
Custom calculation preferences, portfolio settings, or simulation parameters (e.g., risk tolerance, inflation rate, or investment horizon).
Communication Data
When you contact us or interact with our support team, we may collect:
Your messages, feedback, and support tickets, including attachments or screenshots you submit.
Survey responses or feedback provided during product research or beta testing.
Referral information, if another user invited you to CashOnyx or you referred someone else.
Social and Marketing Preferences (Optional)
If you choose to connect via third-party platforms (like signing up with Google, Apple, or LinkedIn), we may receive:
Your public profile information, including name and email.
An authorization token used to authenticate your identity securely.
You can control or revoke these permissions at any time from your third-party account settings.
Regulatory or Compliance Data
For users in regions requiring Know-Your-Customer (KYC) or Anti-Money Laundering (AML) verification (for example, if CashOnyx later offers investment or advisory services), we may collect:
A copy of a government-issued ID (driver’s license, passport, etc.).
Proof of address documents (e.g., utility bill, bank statement).
Tax identification number or other compliance-related identifiers.
Such information would only be collected if required by law and handled through secure, verified channels.
1.2 Accuracy and Control of Personal Information
We believe that your control over your personal data is fundamental to trust and transparency. To ensure that your experience within CashOnyx remains secure, compliant, and accurate, we encourage you to maintain complete and up-to-date information within your account.
Your Responsibility for Accuracy
You are responsible for ensuring that the personal and financial information you provide to us is:
Accurate: Reflects your true personal and financial details at the time of submission.
Current: Updated promptly when changes occur (e.g., new address, income level, asset purchase, or change in filing status).
Complete: Contains all necessary data fields to enable accurate calculations, analytics, and projections.
Accurate information allows our system to produce precise results for your financial models, projections, and reports. Inaccurate or incomplete data may lead to misleading results and limit the effectiveness of the Services we provide.
Accessing and Managing Your Information
You can review, modify, or delete your personal data at any time through your account settings. Specifically, you may:
Update profile details such as your name, email address, date of birth, phone number, and residence.
Adjust financial inputs like income, assets, debts, and expenses within the app’s financial tools.
Edit or remove stored assets or portfolios to reflect real-time market changes or ownership adjustments.
Modify communication preferences to manage how and when we contact you regarding account updates, insights, or marketing content.
All modifications you make are logged and timestamped within our secure database for record-keeping and data integrity purposes.
If you experience difficulties updating any data, you may contact our support team at privacy@cashonyx.com, and we will assist you promptly.
Data Review and Verification
We may periodically request that you verify or confirm certain information for accuracy and compliance purposes.
This may include:
Confirming your email address or phone number to ensure continued account access.
Reviewing investment or asset data during major platform updates or regulatory checks.
Re-validating location information for users in specific jurisdictions where financial rules vary by region (e.g., U.S. state tax calculations).
Such verifications are optional unless required by law, platform security, or subscription compliance.
Correction and Rectification Rights
Under applicable data protection laws (including GDPR, UK Data Protection Act, and CCPA), you have the right to:
Request correction of inaccurate, outdated, or incomplete personal information.
Request assistance if you believe that your stored data does not accurately reflect your submissions.
Verify or confirm data accuracy before it is processed for analytics, reports, or projections.
To request corrections, you can contact us directly at privacy@cashonyx.com. We will review and process your request within a reasonable period, typically within 30 days, unless additional verification is required.
Account-Level Control
We provide built-in tools within your CashOnyx account dashboard that allow you to:
Download your personal data in a structured, machine-readable format (for portability).
Delete specific data sets (e.g., removing a portfolio or clearing calculator results).
Deactivate or permanently delete your account, after which your personal data will be securely removed in accordance with our Data Retention Policy (see Section 6).
If you delete your account, we may retain minimal identifying data (such as your email hash or account ID) solely for fraud prevention or to comply with legal recordkeeping obligations.
Security of Updates
To protect you from unauthorized changes or malicious activity:
Certain sensitive updates (like email address or password changes) may require two-factor authentication or email confirmation.
All updates are encrypted in transit and recorded in an audit trail to prevent tampering.
Our support team will never request your password or two-factor authentication code when assisting you.
We monitor changes in account information to detect anomalies and notify you in the event of suspicious edits or access attempts.
Joint Accounts or Shared Access
If CashOnyx introduces joint or family account features in the future, each authorized user will maintain independent control over their personal information.
One user’s updates or deletions will not affect another’s data, except where explicitly permitted (e.g., shared assets or co-owned investments).
Limitations of Our Responsibility
While we take extensive measures to ensure data accuracy and integrity, we rely on the accuracy of the information you provide.
We are not responsible for:
Incorrect calculations or projections resulting from incomplete or inaccurate inputs.
Discrepancies caused by external data sources or user-supplied third-party information.
Data inconsistencies introduced by imported files, integrations, or linked accounts.
We strongly encourage reviewing your information periodically, especially before relying on our analyses for major financial decisions.
Summary
Maintaining accurate and up-to-date information ensures:
Precision in your financial analytics, forecasts, and reports.
Security in your account authentication and identity verification.
Compliance with regulatory and data protection standards.
Transparency and control over how your information is stored and processed.
By keeping your data current and accurate, you help us deliver the most reliable financial insights and ensure the continued protection of your privacy.
1.3 Sensitive Personal Information
CashOnyx does not intentionally request, collect, or process Sensitive Personal Information as defined under applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and similar international privacy frameworks.
Sensitive personal information refers to data that reveals or relates to characteristics or attributes that are inherently private and may pose a higher risk to an individual’s rights or freedoms if improperly used or disclosed.
1.3.1 Categories of Sensitive Data We Do Not Collect
We do not intentionally collect or store data relating to:
Racial or Ethnic Origin
(e.g., information identifying a person’s heritage, background, or nationality beyond basic location data needed for regional financial calculations)
Political Opinions or Affiliations
(e.g., party membership, voting history, or expressed political views)
Religious or Philosophical Beliefs
(e.g., faith, spiritual affiliations, or moral convictions)
Trade Union Membership
(e.g., information indicating participation in labor organizations or collective bargaining activities)
Genetic or Biometric Data
(e.g., facial recognition, fingerprint scans, DNA data, or other identifiers used for unique identification)
Sexual Orientation or Sexual Behavior
(e.g., information about personal relationships, gender identity, or sexual preference)
Health-Related Information
(e.g., medical history, disabilities, diagnoses, medication use, or health insurance details)
Criminal Records or Background Checks
(e.g., arrest records, court outcomes, or probationary information)
None of these categories of data are necessary for the operation of CashOnyx, and we do not request or process them in any form as part of our Services.
1.3.2 Unintentional Submission of Sensitive Information
We understand that some users may voluntarily enter information that could be considered sensitive in nature — for example:
Writing personal or emotional notes in free-text fields (e.g., “I left my job for health reasons”).
Uploading documents that contain incidental sensitive data (e.g., medical bills, pay stubs with identifiers, or government forms).
Including personal remarks within financial entries or uploaded spreadsheets.
If such information is submitted, we treat it with the same high level of confidentiality and security as all other personal data.
However, because these inputs are voluntary and not requested by CashOnyx, they are excluded from any financial analysis, statistical modeling, profiling, or algorithmic decision-making.
We also strongly advise against including sensitive personal information in any free-text fields or document uploads unless absolutely necessary for your own recordkeeping.
1.3.3 How We Handle Sensitive Information If Provided
If you voluntarily submit sensitive information, we follow these procedures:
Secure Storage and Access Control
Sensitive or potentially sensitive data is encrypted both in transit (via HTTPS/TLS) and at rest (via AES-256 or equivalent encryption).
Access to such data is restricted to authorized personnel under strict confidentiality agreements.
No Automated Processing or Profiling
Sensitive data is never analyzed, profiled, or included in financial algorithms, even if accidentally submitted.
Our AI-based analytics tools ignore non-financial metadata to ensure neutrality and fairness.
Anonymization and Filtering
Free-text or document uploads are filtered for sensitive content indicators before processing.
If detected, such data is either automatically redacted or excluded from computation.
User Notification (if applicable)
If sensitive data is identified within user uploads, we may notify you and suggest deletion or redaction.
You retain full control to edit or permanently remove the content.
Deletion Upon Request
You can request that any sensitive information you’ve submitted be deleted immediately by contacting privacy@cashonyx.com.
Once verified, we will erase the content from our systems and confirm the deletion in writing.
1.3.4 Data Minimization and Purpose Limitation
We adhere to the principles of data minimization and purpose limitation, meaning:
We collect only the minimum data necessary to deliver our Services.
We do not repurpose your data for unrelated activities such as advertising, profiling, or behavioral tracking.
Any sensitive data, if encountered, is automatically segregated and excluded from analytic models to prevent misuse or bias.
1.3.5 Compliance With Privacy Regulations
Our approach to sensitive data is designed to meet or exceed international standards, including:
GDPR Articles 9 and 10 – Prohibiting processing of special categories of data unless explicitly consented or legally required.
CCPA Section 1798.140(ae) – Restricting use of “Sensitive Personal Information” for cross-context behavioral advertising.
PIPEDA Principle 4.3.4 – Requiring express consent for collection of sensitive data.
CashOnyx does not rely on any of the exceptions provided under these regulations for sensitive data processing, as such data is not integral to our business or platform functions.
1.3.6 Safeguards for Compliance and Auditing
We perform regular data protection audits to ensure that:
Sensitive data fields are not being collected, logged, or stored inadvertently.
Input fields, calculators, and user-upload features remain compliant with privacy-by-design standards.
All system logs and database structures are reviewed to prevent any unintended data retention.
Our team follows privacy engineering principles, ensuring sensitive categories are excluded from datasets at the system architecture level — not merely through policy statements.
1.3.7 Summary
CashOnyx does not collect sensitive personal information by default.
If such data is provided voluntarily, it is handled with strict confidentiality, never processed for analytics, and may be deleted upon request.
Our systems are designed to identify and exclude sensitive content automatically, aligning with the highest standards of privacy compliance.
Your privacy is fundamental to our mission. We believe financial insight should be based on your data, not your identity — ensuring that every user, regardless of background, receives equal, secure, and unbiased service.
1.4 Lawful Basis for Collection and Processing
CashOnyx collects, processes, and stores your personal information only where there is a valid legal basis to do so under applicable privacy and data protection laws. These lawful bases define when and why your data may be processed, and they ensure that our use of your information is fair, transparent, and limited to legitimate purposes.
We rely on one or more of the following lawful bases depending on the type of data, the nature of the service you use, and your relationship with us.
1.4.1 Consent
We may process your personal data based on your explicit consent. Consent is obtained when you voluntarily provide information or take an affirmative action, such as:
Creating a CashOnyx account and accepting the Terms of Service and this Privacy Policy.
Entering personal or financial data to generate analytics, reports, or projections.
Connecting third-party financial accounts or authorizing integrations.
Opting in to receive newsletters, promotional messages, or beta access notifications.
Your consent is always freely given, specific, informed, and unambiguous.
We do not use pre-ticked boxes or assume consent through silence or inactivity.
You may withdraw consent at any time without penalty by:
Deleting your account.
Changing your privacy or communication preferences in the app.
Contacting us directly at privacy@cashonyx.com.
Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal, but it may limit your ability to access certain features that depend on that data.
1.4.2 Contractual Necessity
We process personal data where it is necessary to fulfill a contract with you or to take steps at your request before entering into a contract.
This includes cases where we need your information to:
Register and authenticate your account.
Deliver personalized financial analyses, projections, and calculators.
Maintain and display your asset data, portfolio history, or linked financial information.
Provide support or respond to account-related inquiries.
Without this data, we would be unable to perform core functions of the CashOnyx platform, such as:
Calculating your financial projections and portfolio analytics.
Generating custom dashboards and insights.
Allowing secure login and session management.
Therefore, contractual necessity serves as the primary lawful basis for the essential operation of your CashOnyx account.
1.4.3 Legitimate Interests
We may process certain personal data on the basis of legitimate interests, provided that such processing does not override your fundamental rights or freedoms.
Legitimate interests allow us to operate, protect, and improve our services in ways that benefit both our users and our business.
Examples include:
Product improvement: Analyzing usage patterns to refine tools, calculators, and user interfaces.
Security and fraud prevention: Detecting suspicious logins, duplicate accounts, or malicious activity.
Performance monitoring: Ensuring stable operation, fast response times, and minimal downtime.
Research and analytics: Aggregating anonymized data to improve financial modeling accuracy.
Marketing and communication: Sending relevant updates or new feature announcements to existing users.
Whenever we rely on legitimate interests, we perform a balancing test to ensure that our interests do not infringe upon your privacy rights.
We also give you clear options to opt out of communications or data uses that are not strictly necessary for service delivery.
1.4.4 Legal Obligations
We may process certain types of information when required to comply with legal, regulatory, or governmental obligations.
This includes, but is not limited to:
Responding to valid legal requests, subpoenas, or court orders.
Maintaining tax, accounting, or business records as required by law.
Fulfilling data protection or consumer protection reporting requirements.
Detecting and preventing fraud, money laundering, or financial misconduct.
Cooperating with law enforcement or regulators when legally mandated.
We will only disclose or process your information to the extent necessary to satisfy these obligations and will ensure that such disclosures comply with applicable legal standards.
1.4.5 Protection of Vital Interests (Rare Circumstances)
While highly uncommon, CashOnyx may process personal data if it is necessary to protect your vital interests or the vital interests of another individual, for example:
Preventing identity theft, account compromise, or serious financial harm.
Detecting security incidents that may endanger your personal data.
This legal basis is rarely used and only applies in emergency or high-risk scenarios where immediate action is needed to safeguard users or the platform.
1.4.6 Public Interest or Regulatory Requirements (If Applicable)
In limited circumstances, CashOnyx may process personal information where necessary for a task carried out in the public interest or under the authority of an official body, such as compliance with financial regulations.
If CashOnyx were to become registered as an investment adviser or broker-dealer in the future, additional record keeping obligations under securities or financial laws may apply, and this section would extend to those statutory requirements.
1.4.7 Data Minimization and Purpose Limitation
Regardless of the lawful basis, we commit to processing only the minimum amount of data necessary for each purpose.
We do not use your personal data for purposes incompatible with the reason it was collected.
Before reusing data for a new purpose, we will either:
Obtain your explicit consent, or
Confirm that the new use is compatible with the original lawful basis under applicable law.
This ensures your information is not repurposed or shared without your awareness or control.
1.4.8 Documentation and Accountability
We maintain internal documentation describing the lawful basis relied upon for each major category of data processing.
This includes:
The type of data collected.
The purpose of collection.
The applicable legal basis.
The retention period associated with that data.
This record keeping enables us to demonstrate compliance with privacy regulations and respond efficiently to any regulatory or user inquiries regarding data processing justification.
1.5 Summary
In short, we collect only the information necessary to:
Create and manage your account
Deliver personalized financial tools and analytics
Ensure platform security and reliability
Comply with applicable laws
Your personal data remains your property. You maintain control over what information you share, how it’s used, and when it’s deleted.
2. How We Use Your Information
We collect and process personal, financial, and technical data strictly to deliver, improve, and secure the CashOnyx platform.
Our guiding principles are transparency, necessity, and proportionality — we only use the data needed to fulfill legitimate functions, never for hidden or unrelated purposes.
2.1 Providing and Operating Our Services
Your information is essential for CashOnyx to function properly. We use it to:
Create and manage your account — including registration, authentication, and ongoing access.
Deliver core features such as financial calculators, portfolio analysis, risk/return modeling, and personalized dashboards.
Generate accurate reports and forecasts based on the financial data you enter, including projections for savings, investments, and retirement outcomes.
Store your preferences and configurations so that calculators, charts, and projections behave according to your personalized settings.
Provide customer support — responding to inquiries, troubleshooting issues, and addressing technical or billing questions.
Enable secure cloud synchronization across devices so you can access your data anywhere.
Processing basis: Contractual necessity and legitimate interests.
2.2 Personalization and User Experience
To make CashOnyx more relevant and useful, we use certain data to tailor your experience:
Display content, charts, or educational insights that align with your portfolio type or financial goals.
Remember your preferred interface mode (dark/light theme), currency, and measurement units.
Suggest calculators or investment tools you might benefit from based on usage trends.
Streamline onboarding by pre-filling fields with data you have previously entered.
Processing basis: Consent and legitimate interests.
You can adjust personalization settings or disable recommendations at any time in your account preferences.
2.3 Analytics and Performance Measurement
We perform statistical and analytical processing on aggregated or anonymized data to:
Evaluate how users interact with features to identify what is most valuable or needs improvement.
Measure app performance, crash frequency, and server response times.
Understand portfolio composition trends (in aggregate) to enhance future financial models.
Conduct benchmarking and simulation testing to validate financial calculations.
These analytics are performed on de-identified or pseudonymized data whenever possible to protect individual privacy.
No personally identifiable information (PII) is disclosed in reports or research outputs.
Processing basis: Legitimate interests and, where required, consent (for cookies or tracking technologies).
2.4 Security, Fraud Prevention & Account Integrity
We process certain technical and behavioral data to:
Authenticate user sessions and detect unauthorized logins or device changes.
Monitor suspicious activity, such as rapid login attempts or inconsistent geographic access.
Protect accounts from phishing, data breaches, or identity theft.
Maintain audit logs and incident reports for compliance and risk assessment.
Encrypt, hash, or tokenize sensitive fields to ensure confidentiality.
Processing basis: Legitimate interests and legal obligation.
Without these controls, we could not safeguard user accounts or maintain platform integrity.
2.5 Communications and Customer Engagement
We may use your contact information to:
Send transactional emails and in-app notifications (e.g., password resets, verification codes, or security alerts).
Provide updates about new features, releases, or system improvements.
Deliver service announcements, maintenance notices, or policy changes.
Request feedback or invite you to participate in surveys or beta testing programs.
Marketing or optional communications are only sent with your explicit consent, and every message includes an unsubscribe or preference-management link.
Processing basis: Consent (for marketing) and contractual necessity (for operational notices).
2.6 Legal and Regulatory Compliance
We may use and retain certain data to:
Fulfill statutory requirements under consumer-protection, taxation, or accounting laws.
Respond to law-enforcement inquiries, court orders, or regulatory requests.
Investigate and prevent fraud, abuse, or security incidents.
Document consent, processing activities, and risk assessments for compliance audits.
Processing basis: Legal obligation.
We limit disclosure strictly to what the law requires and only to authorized entities.
2.7 Research and Product Development
Aggregated and anonymized data may be used to:
Improve financial modeling accuracy, machine-learning algorithms, and risk-assessment tools.
Identify macro-level investment or demographic trends (without identifying individuals).
Test new simulation or forecasting features internally before release.
All such research data is stripped of direct identifiers and protected through technical and organizational safeguards.
Processing basis: Legitimate interests.
2.8 System Maintenance and Error Diagnostics
To ensure reliability and minimize downtime, we process limited diagnostic data:
Server logs, API latency metrics, and error traces.
App-crash reports (anonymized) to identify defective components.
Compatibility testing across devices and operating systems.
This processing helps maintain a stable, performant environment for all users.
Processing basis: Legitimate interests.
2.9 Protection of Rights and Interests
We may use personal data as reasonably necessary to:
Enforce our Terms of Service and other agreements.
Protect CashOnyx, our users, or the public from harm or legal liability.
Exercise or defend legal claims in litigation or arbitration.
Processing basis: Legitimate interests and legal obligation.
2.10 Corporate Events and Business Transfers
In the event of a merger, acquisition, restructuring, or asset sale, user data may be transferred to a successor entity under strict confidentiality and in accordance with this Privacy Policy.
You will be notified before any material change in ownership or data control takes effect.
Processing basis: Legitimate interests and contractual necessity.
2.11 Automated Decision-Making and Profiling
CashOnyx does not engage in automated decision-making or profiling that produces legal or significant effects on users.
All financial insights and projections are analytical outputs, not credit-scoring or lending decisions.
When modeling portfolio performance, calculations are purely quantitative and under user control.
If we ever introduce automated personalization features that materially affect you, we will provide:
Clear notice describing the logic and significance of the processing.
The right to request human review or opt out entirely.
Processing basis: Consent and legitimate interests, depending on the feature.
2.12 Summary
We process your information to:
Provide secure, personalized financial services.
Improve accuracy and performance of analytics.
Maintain compliance with laws and security standards.
Communicate transparently and respect your choices.
Each processing activity is mapped to a lawful basis, limited to its stated purpose, and governed by rigorous privacy controls.
3. How We Share Your Information
We understand that your personal and financial data is confidential.
CashOnyx does not sell, rent, or trade your personal information to third parties.
We only share data when it is necessary to deliver our Services, comply with the law, or protect your rights and security.
All sharing is governed by strict contractual agreements, data protection standards, and security requirements.
3.1 Sharing with Trusted Service Providers
We engage carefully selected third-party service providers to help us operate efficiently and securely. These providers perform specific tasks on our behalf and are bound by data processing agreements (DPAs) that require confidentiality, limited use, and adequate protection of your data.
Examples of such service providers include:
Infrastructure and Cloud Hosting
Supabase – for secure cloud-based storage, authentication, and database management.
Google Cloud / Amazon Web Services (AWS) – for hosting our servers, backups, and data encryption.
Cloudflare – for content delivery, DDoS protection, and connection security.
Analytics and Performance
Internal or third-party tools used to measure performance and usage trends (e.g., aggregated error tracking, API response monitoring).
These analytics never include personally identifiable or financial details unless anonymized.
Communication and Support
Email and messaging systems (such as SendGrid, Mailgun, or similar) for account verification and notifications.
Customer support platforms (e.g., Intercom, Zendesk, or Freshdesk) for managing inquiries and feedback.
In-app messaging or notification systems to communicate securely with you inside the platform.
Financial and Market Data Providers
Market data APIs (e.g., Yahoo Finance, Alpha Vantage, or equivalent) to retrieve stock, bond, or ETF price information for portfolio analysis.
These providers receive only ticker symbols or aggregate queries, not personal identifiers.
Geolocation and Mapping APIs
Google Maps Platform – for address verification, distance calculation, and regional data such as tax or cost-of-living estimates.
Only anonymized or query-level data (not user identity) is transmitted.
Each service provider is granted access only to the minimum data necessary to perform its assigned role.
They are prohibited from using your information for their own commercial purposes or sharing it further.
Processing basis: Contractual necessity, legitimate interests, and consent (where applicable).
3.2 Sharing with Affiliates and Subsidiaries
If CashOnyx operates through subsidiaries, partners, or future affiliates (for example, a CashOnyx Investments entity or analytics research division), your data may be shared internally to:
Support customer service and account administration.
Improve product functionality or ensure consistent experience across products.
Perform internal audits, compliance reviews, or data integrity checks.
All affiliated entities are subject to the same data protection obligations and this Privacy Policy.
3.3 Legal and Regulatory Disclosures
We may share limited data with government authorities, regulators, or law enforcement agencies only when required by law or in response to a verified request, such as:
A subpoena, court order, or legal process.
A government investigation or audit.
A lawful request concerning tax, fraud, or financial misconduct.
A report of suspected criminal or fraudulent activity involving our platform.
Before disclosing any information, we verify the legitimacy of the request and limit the disclosure to the minimum required scope.
If permitted by law, we will notify you before providing your information to any authority.
Processing basis: Legal obligation and public interest.
3.4 Business Transfers and Corporate Events
If CashOnyx undergoes a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the acquiring or successor entity.
Such transfers are conducted under strict confidentiality and consistent with this Privacy Policy.
In the event of a business change:
We will ensure that the receiving party assumes the same or stronger privacy obligations.
We will notify users in advance through email or platform notice before any material changes to ownership or control take effect.
You may choose to delete your account or withdraw consent prior to the transfer.
Processing basis: Legitimate interests and contractual necessity.
3.5 Professional Advisors
We may share data with external professional advisors such as lawyers, auditors, accountants, or compliance consultants, but only when necessary to:
Protect our legal rights and interests.
Conduct financial or regulatory audits.
Evaluate compliance with applicable laws.
Such advisors are bound by professional secrecy and confidentiality obligations, as well as data processing contracts where applicable.
Processing basis: Legitimate interests and legal obligation.
3.6 Aggregated, Anonymized, or Statistical Data
We may share aggregated or anonymized data with research partners, investors, or industry analysts for legitimate business and educational purposes.
For example:
To publish insights on general portfolio diversification trends (without any personal identifiers).
To evaluate the overall performance of financial tools and algorithms.
To demonstrate system performance or usage patterns in investor reports.
This type of data is completely de-identified and cannot be used to identify you individually.
Anonymization is performed using technical and organizational safeguards that comply with ISO/IEC 20889:2018 (Anonymization and De-identification Techniques).
Processing basis: Legitimate interests.
3.7 Cross-Border Data Transfers
As part of our global infrastructure, your data may be transferred and processed in other countries where our service providers or affiliates operate, including the United States, Canada, and the European Union.
When transferring data internationally, we ensure that your information remains protected by implementing:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Data Processing Agreements (DPAs) with all international partners.
Encryption during transfer and at rest using industry-standard protocols (e.g., TLS 1.3 and AES-256).
Access restrictions ensuring that only authorized personnel can view or manage your data.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, these mechanisms guarantee an equivalent level of protection to that required under European privacy laws.
Processing basis: Contractual necessity and legitimate interests, consistent with Articles 44–49 of the GDPR.
3.8 Preventing Unauthorized Sharing
CashOnyx has implemented multiple layers of controls to prevent unauthorized or accidental data sharing:
All employee and contractor access is governed by role-based permissions.
Staff are trained annually in data privacy, security, and confidentiality.
All data exports and transfers are logged and auditable.
Any detected unauthorized sharing triggers an immediate security investigation and notification process.
3.9 Your Rights Regarding Data Sharing
You have the right to:
Request a list of third parties with whom your personal information has been shared.
Withdraw consent for non-essential sharing (e.g., analytics or marketing).
Restrict processing if you believe your data is being used beyond necessary purposes.
Object to certain transfers where legitimate interest is claimed as the lawful basis.
To exercise any of these rights, contact us at privacy@cashonyx.com, and we will respond within 30 days in accordance with applicable privacy laws.
3.10 Summary
CashOnyx shares your data only when necessary, only with trusted parties, and only under strict protection.
We follow the principles of:
Transparency — You know who handles your data and why.
Minimization — Only the required data is shared for each task.
Security — Encryption, access controls, and contractual safeguards are mandatory.
Compliance — All sharing adheres to global privacy frameworks and financial data regulations.
We believe your personal and financial data should remain private, protected, and used solely for your benefit — never as a product.
4. Data Storage & Security
CashOnyx treats the protection of your personal and financial data as a core obligation, not just a compliance requirement.
We apply strict security controls, encryption technologies, and access management practices to ensure that your information remains confidential, intact, and available only to authorized personnel.
We follow the principles of data minimization, privacy-by-design, and defense-in-depth, meaning security and privacy are built into every layer of our systems — not added later.
4.1 Data Storage Locations
Your information is securely stored in encrypted databases hosted on Supabase, which uses modern cloud infrastructure providers such as Google Cloud Platform (GCP) or Amazon Web Services (AWS).
All data centers maintain ISO/IEC 27001, SOC 2 Type II, and GDPR compliance certifications.
Depending on your location, your data may be stored in the United States, Canada, or the European Union to ensure optimal performance and legal compliance.
We maintain redundant backups across geographically separate data centers to prevent loss in the event of an outage or disaster.
4.2 Encryption and Data Protection
CashOnyx employs strong encryption standards for all stored and transmitted data:
In Transit: All data exchanged between your device and our servers is encrypted using Transport Layer Security (TLS 1.3) to prevent interception or tampering.
At Rest: Data stored in our databases is encrypted using Advanced Encryption Standard (AES-256) — one of the most secure encryption algorithms available.
Password Security: User passwords are never stored in plaintext; they are hashed using modern key-derivation functions such as bcrypt or Argon2 with salt and multi-round hashing.
API Keys and Tokens: Authentication credentials, OAuth tokens, and third-party integration keys are encrypted and never visible to other users or staff.
File Uploads: Any documents, attachments, or reports you upload are stored in encrypted object storage, with access restricted by signed URLs that expire after a limited time.
We periodically rotate encryption keys and monitor for cryptographic vulnerabilities.
4.3 Access Control and Authorization
We enforce least-privilege access policies across all systems.
Only a small, vetted group of employees and contractors have access to production data, and their access is limited to what is necessary for their specific roles.
Controls include:
Role-based access control (RBAC) and multi-factor authentication for all administrative accounts.
Just-in-time access provisioning, requiring approval for any temporary escalations.
Comprehensive audit logging of all data access and configuration changes.
Quarterly access reviews to revoke unnecessary permissions.
No employee is ever permitted to access your portfolio, personal information, or financial details without explicit business justification and logged authorization.
4.4 Network and Infrastructure Security
Our infrastructure includes multiple defensive layers to mitigate cyber threats:
Firewalls and intrusion-detection systems (IDS) to block unauthorized network access.
Distributed Denial-of-Service (DDoS) mitigation via Cloudflare and GCP network filters.
Automated vulnerability scanning and dependency management for all servers and packages.
Security patch management procedures that ensure updates are applied promptly.
Secure development lifecycle (SDLC) integrating code reviews, dependency checks, and static analysis before deployment.
All servers run hardened operating systems configured according to CIS Benchmarks (Center for Internet Security).
4.5 Application-Level Security
The CashOnyx app and backend are designed with built-in protection mechanisms:
Input validation and sanitization to prevent cross-site scripting (XSS), SQL injection, and request-forgery attacks.
Rate-limiting and session timeouts to reduce brute-force attempts.
Automatic token expiration for all authentication sessions.
Secure APIs that validate every request with authorization headers and server-side checks.
Comprehensive error handling that prevents sensitive information from appearing in logs or messages.
4.6 Monitoring and Incident Detection
We continuously monitor for security events and anomalies through:
24/7 system monitoring and automated alerting for unusual activity.
Real-time log aggregation and analysis across infrastructure and application layers.
Security Information and Event Management (SIEM) tools to detect patterns of potential compromise.
Incident response plans with defined escalation procedures and response timelines.
If an incident is detected, our team investigates immediately, mitigates the issue, and documents all actions taken.
4.7 Data Breach Response
In the unlikely event of a data breach or unauthorized access:
We will investigate and contain the incident immediately.
Affected systems will be isolated and analyzed for the root cause.
We will notify all affected users and relevant regulatory authorities within the timeframes required by law (typically within 72 hours under GDPR).
A detailed report outlining corrective actions and prevention measures will be made available.
Our breach-response process aligns with the NIST Computer Security Incident Handling Guide (SP 800-61) and includes forensic retention of logs for auditing.
4.8 Data Retention and Backup
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law.
Specific retention practices include:
User data: Retained while your account is active and for up to 30 days after deletion to allow recovery upon request.
Backups: Encrypted daily backups are maintained for up to 90 days before automatic purging.
Transaction and audit logs: Retained for one year to ensure integrity, traceability, and compliance.
Aggregated or anonymized data: May be retained indefinitely for research or statistical analysis since it cannot be used to identify individuals.
After expiration, data is securely deleted or overwritten using cryptographic erasure methods compliant with NIST SP 800-88 Rev. 1.
4.9 Physical Security
Our hosting providers enforce strict physical security measures including:
24/7 on-site security personnel.
Multi-factor biometric and keycard access controls.
Redundant power, cooling, and fire-suppression systems.
CCTV surveillance and environmental monitoring.
Visitors to data centers are pre-authorized, logged, and escorted at all times.
4.10 Security Training and Governance
All employees, developers, and contractors undergo:
Annual data-protection and cybersecurity training covering phishing, social engineering, and secure data handling.
Confidentiality and non-disclosure agreements (NDAs) upon hiring.
Regular refresher sessions to stay current with evolving threats and regulatory requirements.
We maintain a Data Protection Officer (DPO) or equivalent internal lead responsible for ensuring compliance with privacy and security obligations.
4.11 Independent Audits and Compliance
Our systems and processes are reviewed regularly through internal and third-party audits.
We maintain documentation demonstrating adherence to:
GDPR Articles 5, 24, and 32 (integrity, confidentiality, and accountability).
CCPA/CPRA Section 1798.100 et seq. (security and access control).
ISO/IEC 27001:2022 and NIST Cybersecurity Framework (CSF) best practices.
We also perform periodic penetration tests and vulnerability assessments through independent security firms.
4.12 User Responsibilities
While we employ enterprise-grade safeguards, user vigilance is equally important.
You can enhance your own account security by:
Using a strong, unique password and changing it periodically.
Enabling two-factor authentication (2FA) where available.
Keeping your device software and app version up to date.
Avoiding the use of public Wi-Fi when entering sensitive data.
Reporting any suspicious account activity immediately to security@cashonyx.com.
4.13 Summary
CashOnyx employs a multi-layered, continuously monitored security framework to protect your data.
Through encryption, network defense, restricted access, and proactive monitoring, we maintain the confidentiality and integrity of your personal and financial information.
We consider data protection not only a legal duty, but a core part of the trust relationship between CashOnyx and its users.
5. Your Rights & Choices
At CashOnyx, we believe that privacy is a fundamental right — and that users should always have control over their personal information.
We provide tools and procedures that allow you to access, review, update, delete, download, and manage how your data is used.
These rights apply regardless of where you live, but additional protections may apply if you are in certain jurisdictions such as the European Union (EU), United Kingdom (UK), or California (USA).
We are committed to responding to all valid privacy requests in a timely, transparent, and lawful manner.
5.1 Overview of Your Privacy Rights
Depending on your region, you may have one or more of the following rights regarding your personal data:
Right to Access: You have the right to request a copy of the personal data we hold about you and understand how it is being used.
Right to Rectification: You may request that inaccurate, incomplete, or outdated data be corrected or updated.
Right to Erasure (“Right to Be Forgotten”): You can request the deletion of your personal data when it is no longer necessary for the purpose it was collected, or if you withdraw consent.
Right to Restrict Processing: You may request that we temporarily limit or stop processing your data while accuracy or purpose is reviewed.
Right to Data Portability: You can obtain a structured, machine-readable copy of your personal data and transfer it to another service provider.
Right to Object: You have the right to object to data processing carried out on the basis of legitimate interests, or for direct marketing.
Right to Withdraw Consent: You may withdraw consent for optional features or communications at any time, without affecting prior lawful processing.
Right to Non-Discrimination: You will never be denied service or charged different prices for exercising your privacy rights.
Right to Lodge a Complaint: If you believe your data rights have been violated, you can file a complaint with a relevant data protection authority.
These rights apply in addition to any contractual or statutory protections already provided by your local laws.
5.2 How to Exercise Your Rights
We’ve made it easy to manage your data directly within your CashOnyx account.
Depending on the right you wish to exercise, you can:
Access & Review Your Data
Log into your account and review stored personal details, portfolio entries, and linked assets.
Use the “Download My Data” feature (available under Settings → Privacy) to export a complete copy of your stored information in JSON or CSV format.
Update or Correct Your Information
Edit your personal details (e.g., name, email, address) from the Profile Settings page.
Adjust financial data, such as assets, income, or expenses, in real time through the portfolio interface.
Delete Your Account and Data
You can permanently delete your account and all associated data through the Account Settings page.
Once confirmed, your personal information will be deleted from active databases within 30 days, and securely removed from backups within 90 days.
Some minimal records may be retained temporarily for legal or fraud-prevention reasons (see Section 6 on Data Retention).
Withdraw Consent or Manage Preferences
Manage marketing communications or optional analytics tracking via Privacy Preferences.
Toggle off non-essential cookies (on the web) or opt out of app-based telemetry.
If you previously consented to data sharing with a linked account or partner, you can revoke that access at any time.
Request Data Portability
Send an email to privacy@cashonyx.com specifying that you wish to receive a portable copy of your data.
We will provide your data in a structured, commonly used format within 30 days of verification.
Submit an Objection or Restriction Request
You can object to data processing based on legitimate interest (e.g., analytics or performance monitoring).
Contact us at privacy@cashonyx.com to request temporary suspension or review of processing activities.
We may ask for limited verification (such as email confirmation or ID validation) before processing certain requests, to protect your account and prevent unauthorized access.
5.3 Jurisdiction-Specific Rights
A. European Union (EU) and United Kingdom (UK)
If you reside in the EU, UK, or European Economic Area (EEA), CashOnyx acts as a data controller for your personal information.
Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the rights listed above.
You may contact our Data Protection Officer (DPO) for assistance or file a complaint with your national supervisory authority.
For example:
UK Residents: Information Commissioner’s Office (ICO) – www.ico.org.uk
EU Residents: You can find your local authority via edpb.europa.eu
Processing is based on the lawful bases outlined in Section 1.4, and CashOnyx ensures all international transfers meet GDPR Chapter V requirements (e.g., Standard Contractual Clauses).
B. California, Virginia, and Other U.S. States
If you are a resident of California, Virginia, Colorado, or similar U.S. jurisdictions with privacy laws (e.g., CCPA/CPRA, VCDPA, CPA), you have the following additional rights:
Right to Know: You may request to know what categories of personal information we have collected, the purposes for which it was used, and with whom it has been shared.
Right to Delete: You may request that we delete personal information collected about you, subject to certain exceptions (e.g., legal compliance or security obligations).
Right to Opt Out of “Sale” or “Sharing” of Data: CashOnyx does not sell personal data, but if any feature ever involves sharing for cross-context behavioral advertising, you will be able to opt out instantly.
Right to Correct: You may request correction of inaccurate or outdated information.
Authorized Agents: You may designate an authorized agent to submit a request on your behalf.
California residents can exercise these rights via privacy@cashonyx.com with “CCPA Request” in the subject line.
CashOnyx fully complies with the California Privacy Rights Act (CPRA) and honors Global Privacy Control (GPC) signals on the web.
C. Canada and Other International Regions
For users in Canada, your personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial laws.
You have the right to access, correct, and withdraw consent for processing at any time.
Requests can be made by contacting our Privacy Officer via privacy@cashonyx.com.
If you are located in a region not explicitly covered here, we will still apply the same high standard of privacy protection globally unless your local law requires stronger safeguards.
5.4 Response Time and Verification Process
We will acknowledge all verified privacy requests within 10 business days and aim to complete them within 30 calendar days.
If more time is required (e.g., for complex or multi-source data), we will notify you of the delay and expected completion date.
Before releasing or deleting any data, we will verify your identity using your account email, recent login data, or a secure one-time verification code.
We will never charge you a fee for exercising your privacy rights unless the request is manifestly unfounded, repetitive, or excessive.
5.5 Limitations to Privacy Requests
Certain data cannot be deleted, restricted, or modified if:
It is required for ongoing contractual obligations (e.g., maintaining your active subscription).
It must be retained to comply with legal, tax, or financial regulations.
It is needed to investigate fraud or enforce terms of service.
It has been anonymized or aggregated in a way that no longer identifies you.
If we cannot fulfill a specific request, we will explain the reason clearly and provide alternative solutions where possible.
5.6 Right to Lodge a Complaint
If you believe your privacy rights have not been properly respected, you may:
Contact us directly at privacy@cashonyx.com to resolve the issue promptly.
File a formal complaint with your local data protection authority or consumer protection agency.
In some jurisdictions, you may also have the right to seek legal remedy.
We are committed to cooperating fully with regulatory bodies and to resolving disputes fairly and transparently.
5.7 Summary
You remain in full control of your personal and financial data within CashOnyx.
We provide transparent, self-service tools and responsive support to help you:
Access and understand your data.
Correct or update information easily.
Delete or export your data when desired.
Control communications, sharing, and consent.
We believe your data belongs to you — and our responsibility is to protect it, honor your choices, and make managing it as easy as possible.
6. Data Retention
CashOnyx retains your personal and financial information only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to maintain the security and integrity of our systems.
We apply strict retention schedules and review them regularly to ensure that data is not kept longer than required.
6.1 General Retention Principles
We adhere to the following principles:
Purpose Limitation: Data is retained only for the duration needed to provide services, meet legal or regulatory requirements, or protect legitimate interests.
Data Minimization: Only essential data is kept; redundant or obsolete records are systematically deleted or anonymized.
Transparency: Retention periods are defined by data category, explained below, and available to users upon request.
Security During Retention: All retained data remains encrypted, access-restricted, and stored in secure environments that comply with ISO/IEC 27001 and SOC 2 Type II standards.
6.2 Typical Retention Periods by Data Type
6.3 Secure Deletion and Anonymization
When data reaches the end of its retention period, we perform secure deletion or irreversible anonymization using approved methods:
Cryptographic Erasure: Encryption keys associated with the data are destroyed, rendering the information unrecoverable.
Secure Overwriting: Files and backups are overwritten following NIST SP 800-88 Rev. 1 standards.
Anonymization: Identifiers such as names, emails, and account IDs are removed or replaced with randomized values so individuals cannot be re-identified.
Anonymized data may continue to be used for analytics, benchmarking, or system-performance metrics, but it can no longer be linked back to any individual.
6.4 Legal and Regulatory Requirements
Certain laws require us to retain limited categories of data even after deletion requests. Examples include:
Financial and tax regulations that mandate retention of accounting or transaction records.
Anti-money-laundering (AML) or fraud-prevention obligations requiring short-term data archiving.
Litigation holds or regulatory investigations, where deletion must be temporarily suspended until the matter is resolved.
In such cases, access to retained data is restricted to authorized personnel only, and it is used strictly for compliance or defense purposes.
6.5 User-Initiated Deletion
When you delete your account or request data removal:
Personal data is immediately marked for deletion and removed from active databases within 30 days.
Encrypted backups containing your data are automatically overwritten within 90 days.
Confirmation of deletion is available upon written request to privacy@cashonyx.com.
You may also request expedited deletion of specific datasets (for example, an uploaded document or investment record), and we will process such requests promptly unless legal obligations require retention.
6.6 Data Retention for Research and Analytics
We may retain aggregated or anonymized data indefinitely for legitimate business and research purposes such as:
Improving calculation models and forecasting algorithms.
Conducting statistical analysis to enhance accuracy.
Understanding anonymized trends across the user base.
These datasets contain no personal identifiers and cannot reasonably be used to identify you.
6.7 Retention Review and Oversight
Our Data Protection Officer (DPO) oversees compliance with retention policies and conducts annual reviews to:
Validate that retention periods remain lawful and proportionate.
Confirm that expired data has been securely deleted or anonymized.
Update policies in response to changes in legislation or business practices.
6.8 Summary
CashOnyx keeps your data only for as long as necessary, never indefinitely.
When information is no longer required, it is securely deleted, anonymized, or archived in compliance with global data-protection standards.
This ensures that:
Your information is never stored longer than needed.
Legal obligations are satisfied responsibly.
You maintain transparency and control over the life cycle of your data.
7. Children’s Privacy
7.1 Policy Commitment
CashOnyx is committed to protecting the privacy of children and minors.
Our Services, tools, and content are designed for individuals 18 years of age or older and are not directed toward children under that age.
We do not knowingly collect, store, or process any personal data from minors without verified parental or legal guardian consent as required by applicable law.
If you are under 18, you are not authorized to create an account, input personal or financial data, or use the analytics and investment features provided by CashOnyx.
7.2 Compliance with Applicable Laws
CashOnyx complies with all laws governing children’s privacy, including:
United States – Children’s Online Privacy Protection Act (COPPA): We do not knowingly collect personal information from children under 13 years of age. If a user self-identifies as under 13 or we otherwise learn of such status, their account is immediately suspended pending parental verification or deletion.
European Union – GDPR Article 8: We do not knowingly process data from children under 16 in any EU member state (or the lower local age threshold, where permitted by law) without verified parental consent.
United Kingdom – Age Appropriate Design Code: We apply design principles that discourage the collection of data from minors and block registration from users under 18 without proof of age.
Other Jurisdictions: CashOnyx follows equivalent protections under international laws such as Canada’s PIPEDA and Australia’s Privacy Act 1988.
7.3 Age Verification and Access Controls
To prevent the accidental creation of accounts by minors, we use multiple safeguards:
Age confirmation during signup (requiring birth date entry and attestation that the user is 18 or older).
Verification emails or phone confirmations to ensure adult-level identity consistency.
Behavioral filters to flag accounts with incomplete or inconsistent information for review.
These measures help ensure that only eligible users can access financial-analysis tools.
7.4 Unintentional Collection of Children’s Data
Although we take precautions, it is possible that minors may inadvertently provide personal information—for example, by entering their name or uploading a document.
If we discover or are notified that a child under 18 has submitted personal data:
We will immediately restrict access to the account and investigate.
We will contact the registered email to verify the user’s age or obtain parental consent where legally valid.
If verification is not provided within 14 days, the data will be permanently deleted from our systems.
All backups containing that data will be purged within 90 days in accordance with Section 6 (Data Retention).
7.5 Parental or Guardian Rights
Parents or legal guardians who believe their child has used CashOnyx without consent may:
Request information about whether their child’s data has been collected.
Request deletion of any such information.
Provide verifiable consent for continued use (only where permitted by law).
Requests must be submitted in writing to privacy@cashonyx.com with the subject line “Minor Data Request.”
We will verify the guardian’s identity before releasing or deleting any data.
7.6 Educational or Demo Use
If CashOnyx introduces educational or demonstration tools in the future, they will operate on fully anonymized data and will not require any personal identifiers.
Such tools will comply with COPPA § 312.5(c)(7) (educational exception) and will contain clear age-appropriate disclaimers.
7.7 Security and Safeguards for Minor Data
In rare circumstances where limited minor data must be retained temporarily (for example, pending parental verification), it is:
Encrypted both in transit and at rest.
Access-restricted to authorized privacy officers only.
Automatically deleted after verification or expiration.
No minor data is ever used for analytics, personalization, or marketing.
7.8 Summary
CashOnyx does not target, market to, or knowingly collect data from users under 18.
If minor data is inadvertently received, it is securely deleted as soon as possible.
Parents and guardians have full authority to review or remove any information related to their children.
Our system architecture and onboarding design actively discourage underage registration.
8. International Data Transfers
8.1 Overview
Because CashOnyx operates as a global digital platform, your personal and financial data may be transferred to — and processed in — countries other than your own.
These transfers are necessary to provide seamless access to our services, operate infrastructure efficiently, and ensure business continuity across different geographic regions.
Regardless of where your information is processed, CashOnyx maintains the same high level of data protection and privacy safeguards worldwide.
All international transfers are performed in compliance with applicable data-protection laws and cross-border transfer requirements.
8.2 Why Data Transfers Occur
We may transfer your data internationally for the following legitimate purposes:
To store and manage data securely on global cloud infrastructure (e.g., Supabase, Google Cloud, or AWS).
To deliver services through distributed servers that improve speed and reliability.
To process analytics, security logs, or customer support operations hosted outside your region.
To collaborate with global partners or advisors assisting with compliance, auditing, or fraud prevention.
To back up and recover systems in the event of outages, disasters, or cyber incidents.
These transfers ensure that CashOnyx remains a fast, reliable, and secure platform regardless of your physical location.
8.3 Regions Involved
Depending on your country of residence, your data may be transferred to — or processed in — one or more of the following regions:
United States (primary data center and application hosting)
Canada (secondary backup and redundancy infrastructure)
European Union (EU-based mirrors for compliance and performance)
United Kingdom (UK compliance oversight and DPO operations)
Other regions where service providers maintain infrastructure (only when necessary and subject to contractual protections)
Each transfer is subject to a lawful transfer mechanism as described below.
8.4 Legal Mechanisms for Data Transfers
CashOnyx uses the following legal safeguards to ensure all international data transfers remain lawful and secure:
A. Standard Contractual Clauses (SCCs)
For transfers originating from the European Economic Area (EEA), UK, or Switzerland, we rely on:
The European Commission’s Standard Contractual Clauses (2021/914/EU), and
The UK International Data Transfer Addendum (IDTA),
to ensure that your personal information receives the same level of protection as it would within your home jurisdiction.
These contracts legally require all recipients to:
Protect personal data according to EU/UK standards.
Use it only for authorized purposes.
Implement appropriate security and confidentiality measures.
Notify CashOnyx promptly in the event of any breach or access request.
B. Adequacy Decisions
When data is transferred to countries recognized by the European Commission or UK Secretary of State as providing an adequate level of protection (e.g., Canada, Japan, New Zealand), no additional transfer mechanism is required.
C. Data Processing Agreements (DPAs)
All third-party vendors and processors engaged by CashOnyx — including Supabase, Google, AWS, and others — are contractually bound by Data Processing Agreements that:
Define their role as processors under our instruction.
Restrict use of data to essential service operations.
Require robust security measures, encryption, and confidentiality.
Include liability provisions for breaches or non-compliance.
D. APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP)
Where applicable, CashOnyx follows the APEC CBPR and PRP frameworks to ensure consistent protections for transfers among participating Asia-Pacific economies.
E. Binding Corporate Rules (BCRs) (Future Compliance Provision)
If CashOnyx establishes subsidiaries or affiliate entities in multiple regions, we intend to adopt Binding Corporate Rules approved by regulators to ensure intra-group transfers meet the highest standards of accountability.
8.5 Technical Safeguards During Transfers
To protect your data as it moves between jurisdictions, we implement strict technical and organizational safeguards:
End-to-end encryption for all transfers, using TLS 1.3 or higher.
AES-256 encryption at rest in all receiving environments.
Network segmentation between regions to isolate sensitive data.
Access control policies that restrict data access to authorized personnel only.
Ongoing monitoring and audit logs for all transfer events.
Automatic alerting for unauthorized cross-border transmission attempts.
These measures ensure that even if data passes through international routes, it remains protected from interception, misuse, or unauthorized access.
8.6 User Notification and Transparency
Whenever we introduce a new service provider or expand processing to a new country, we will:
Update this Privacy Policy to reflect the change.
Notify users via email or in-app notice (if the transfer materially affects their data).
Ensure any new transfer partner meets equivalent security and legal requirements.
You can always request a current list of CashOnyx’s approved third-country processors by emailing privacy@cashonyx.com.
8.7 Data Subject Rights in Cross-Border Transfers
Your rights under Sections 5 and 6 continue to apply regardless of where your data is stored or processed.
If your personal data is transferred internationally, you still retain the right to:
Request details of the transfer mechanism and safeguards in place.
Access or delete your information stored abroad.
File a complaint with your local data protection authority if you believe a transfer violates applicable law.
We will respond promptly and transparently to all such inquiries.
8.8 Government Access Requests
We take privacy seriously and do not provide foreign governments or authorities with direct access to CashOnyx databases.
If we ever receive a government or law enforcement request for user data:
We assess the legality and scope of the request.
We limit disclosure to what is strictly required by law.
We notify affected users (unless prohibited by legal order).
We maintain a written record of the disclosure for accountability and audit purposes.
CashOnyx does not participate in mass surveillance programs or voluntary data-sharing arrangements with any governmental body.
8.9 Transfers of Anonymized and Aggregated Data
Anonymized or aggregated data — which cannot identify you — may be transferred internationally for legitimate purposes such as:
Research and statistical analysis.
System optimization and feature performance measurement.
Market or trend reporting.
Such data is not subject to cross-border transfer restrictions, as it is no longer considered “personal data” under applicable laws.
8.10 Summary
CashOnyx ensures that all international data transfers are:
Lawful — conducted under approved mechanisms like SCCs, adequacy decisions, or DPAs.
Secure — protected by end-to-end encryption, strict access control, and continuous monitoring.
Transparent — users are informed of where their data resides and how it moves.
Accountable — every processor, affiliate, and partner is contractually bound to maintain CashOnyx’s privacy standards.
Your personal information receives the same level of care and protection, whether processed in your home country or abroad.
9. Third-Party Links and Services
9.1 Overview
To enhance your experience, CashOnyx integrates with selected third-party platforms and may include links, widgets, or embedded tools that connect you to other websites, applications, or APIs.
These external services help us deliver core functionality such as market data, geolocation, and account verification.
However, once you interact with a third-party service — whether by following a link, connecting an account, or using an embedded widget — your interaction is governed by that service’s own privacy policy and terms of use, not by CashOnyx.
We carefully vet all third-party partners, but we encourage users to review each provider’s privacy practices independently before sharing information.
9.2 Third-Party Categories We Integrate With
A. Financial and Market Data Providers
To generate accurate portfolio analytics and financial models, CashOnyx may query external market data APIs such as:
Yahoo Finance, Alpha Vantage, or equivalent financial data sources for securities prices, exchange rates, and benchmark returns.
Morningstar or Index-based APIs (if integrated) for ETF and mutual-fund performance data.
Only public ticker information (e.g., “AAPL,” “SPY,” “AGG”) is transmitted — never your personal identity or holdings.
B. Cloud and Storage Providers
We rely on secure, industry-leading providers including Supabase, Google Cloud, and AWS for hosting, encryption, authentication, and file storage.
These providers act as data processors under strict contractual agreements and do not use your data for their own purposes.
C. Geolocation and Mapping APIs
CashOnyx may use Google Maps, Google Places, and Google Geocoding APIs to:
Validate addresses and zip codes.
Calculate regional taxes or cost-of-living factors.
Display location-based investment data or benchmarks.
Only the search query or address string is transmitted to Google APIs, and results are returned directly to CashOnyx; personal identifiers are never shared.
D. Analytics and Performance Tools
We use privacy-respectful analytics tools to understand platform usage and stability (e.g., page load times, API latency, error logs).
These tools collect technical metrics such as device type, session duration, and anonymized identifiers — not financial or personal details.
Where tracking cookies or telemetry exist, they are optional and controlled by your privacy preferences.
E. Communication Services
Transactional communications such as verification emails, password resets, and account alerts are handled via secure email infrastructure (e.g., SendGrid, Mailgun, or similar).
These vendors are restricted from using contact data for marketing or unrelated purposes.
F. Payment Processors (if applicable)
If CashOnyx offers paid features, payments may be processed through Stripe, PayPal, or another PCI-DSS–compliant provider.
Such processors receive only the minimal information necessary to complete the transaction — typically your name, email, and billing details.
CashOnyx does not store or access your full credit-card number or banking information.
9.3 External Links and Embedded Content
Our website or app may include links to external websites, articles, or resources — for example:
Educational materials or investment resources.
Third-party partner programs.
Government or financial-regulation sites.
Once you leave CashOnyx or view embedded content from another domain, that external site’s own privacy policy applies.
CashOnyx is not responsible for the content, data handling, or security practices of third-party sites.
We strongly recommend reviewing the privacy notices of any linked site before submitting personal or financial information.
9.4 Authentication and Social Sign-In
If you choose to sign in using third-party credentials such as Google, Apple, or LinkedIn, these providers may share with us:
Your verified email address.
Your public profile name or avatar.
A secure authentication token (no password data).
We use this token solely to verify your identity and create your account.
You can revoke CashOnyx’s access to your social-sign-in account at any time via the respective provider’s settings.
CashOnyx will then remove all linked credentials immediately.
9.5 Third-Party Cookies and Tracking Technologies
Some third-party services (for example, analytics or embedded videos) may use their own cookies or tracking technologies.
CashOnyx does not permit third-party cookies for advertising or behavioral profiling.
When cookies are present, they are used only to:
Maintain your login session.
Store app preferences.
Measure aggregate performance statistics.
Users can disable or delete non-essential cookies through browser or in-app privacy settings without affecting essential functionality.
9.6 API and Data-Exchange Security
All data exchanges with third-party APIs occur through secure HTTPS endpoints protected by:
API keys and OAuth 2.0 tokens unique to CashOnyx.
Rate-limiting and signature verification to prevent abuse.
Strict data-scope limitations, ensuring that only minimal fields are transmitted.
Logging and audit trails for every external API call.
We do not permit third-party APIs to access your full profile or financial portfolio directly; all queries are proxied through CashOnyx servers.
9.7 Liability and User Responsibility
CashOnyx carefully selects third-party vendors based on security, reliability, and compliance certifications.
However, we cannot control how external websites or services process information once you interact with them directly.
By using those external services, you acknowledge and agree to their privacy terms and data-handling policies.
If you believe a third-party integration linked through CashOnyx is misusing data, please report it immediately to security@cashonyx.com so that we can investigate and, if necessary, suspend the connection.
9.8 Partner Vetting and Compliance Standards
Before onboarding any new service provider or integration, CashOnyx conducts:
Data-protection impact assessments (DPIAs) to evaluate privacy risk.
Security due diligence reviews, verifying compliance with GDPR, SOC 2, and ISO/IEC 27001.
Vendor agreements containing confidentiality clauses, data-processing terms, and breach-notification obligations.
Annual compliance audits to confirm ongoing adherence to CashOnyx’s privacy and security policies.
We maintain a register of all approved third-party vendors and review it regularly.
9.9 User Control over Third-Party Connections
You can manage, modify, or revoke any connected third-party integrations from within your account settings.
This includes:
Disconnecting linked accounts.
Revoking permissions to use your data.
Requesting that third-party-stored data be deleted.
If you revoke access, CashOnyx will no longer transmit or synchronize information with that service, and any retained tokens or credentials will be deleted immediately.
9.10 Summary
CashOnyx partners only with trusted, compliant, and secure third-party providers.
We share only the minimum necessary data required for functionality.
External sites and APIs are subject to their own privacy policies, and we encourage user awareness before engagement.
All integrations undergo technical, legal, and security review to ensure they meet our privacy standards.
Your trust and safety are our highest priority — and we will always ensure that every external connection to CashOnyx maintains the same high standard of data protection.
10. Updates to This Policy
10.1 Our Commitment to Transparency
CashOnyx is committed to keeping you informed about how your data is collected, used, and protected.
As technology, laws, and our services evolve, we may update this Privacy Policy to reflect:
New features or products introduced by CashOnyx.
Changes in legal or regulatory requirements.
Improvements to security, compliance, or transparency practices.
Feedback from users, regulators, or privacy authorities.
We will always ensure that any update maintains — or strengthens — your privacy protections.
10.2 Frequency and Version Control
We review this Privacy Policy at least once per year, or more frequently if required by law or operational changes.
Each version is dated and numbered for clear reference.
The “Effective Date” and “Last Updated” date at the top of this document reflect the most recent revision.
Prior versions are archived and accessible upon request for regulatory review or user transparency.
Significant changes are logged internally and may be documented in our Change Control Register maintained by the Data Protection Officer (DPO).
10.3 Types of Policy Changes
We classify policy updates as either material or non-material:
A. Material Changes
These are major modifications that significantly affect:
What personal data we collect.
How or why your data is processed.
Which third parties or partners receive information.
Your privacy rights or available choices.
When material changes occur, we will:
Provide advance notice via email or in-app notification at least 14 days before the changes take effect.
Highlight the key revisions in a summary notice or “What’s New” section.
Offer you an opportunity to review, consent, or object before the updated policy applies.
If you continue using CashOnyx after the effective date, your continued use constitutes acceptance of the updated terms.
B. Non-Material Changes
These are minor edits such as:
Clarifying language or improving readability.
Adding examples for better understanding.
Correcting typographical or formatting errors.
Reflecting changes in contact information or company structure.
Non-material changes take effect immediately upon publication and will not impact your substantive rights.
10.4 Notification Methods
Depending on the nature of the update, we may notify you through one or more of the following channels:
Email notification to your registered address.
In-app banner or message upon login.
Website announcement under “Legal” or “Privacy Updates.”
Push notification (for mobile users) if the change affects permissions or functionality.
For users who have unsubscribed from marketing emails, privacy-related notices are still sent because they form part of our legal obligations.
10.5 User Review and Acknowledgment
We encourage all users to review this Privacy Policy periodically.
Upon major updates, you may be prompted to:
Click “I Acknowledge” or “Accept Updated Policy” before continuing to use CashOnyx.
Review a summary comparing the new and previous versions.
This process ensures that you remain fully aware of — and agree to — how your information is used.
10.6 Continued Commitment to Privacy-by-Design
Every time we update this Policy, we also review our underlying systems and operations to ensure that:
Privacy-by-design and privacy-by-default principles remain embedded in all features.
New data-processing activities undergo a Data Protection Impact Assessment (DPIA).
Any new vendors or technologies meet the same high privacy standards.
We will never introduce features that compromise your privacy without obtaining your explicit consent.
10.7 Historical Versions
Users, auditors, or regulators may request access to prior versions of this Privacy Policy by emailing privacy@cashonyx.com.
Archived versions include:
Version number and date range of applicability.
Summary of substantive changes.
Record of how users were notified.
We maintain these archives for at least seven years for transparency and accountability.
10.8 Contact Regarding Updates
If you have questions about an update, or if you do not agree with the revised terms, you may:
Contact our Privacy Team at privacy@cashonyx.com for clarification.
Delete your account or withdraw consent (see Section 5) if you choose not to continue using our Services under the updated policy.
We value open communication and will address all privacy-related inquiries promptly and respectfully.
10.9 Summary
CashOnyx regularly updates this Privacy Policy to stay compliant and transparent.
Material changes will always be communicated in advance through clear notices.
You will never lose control over your information due to an unannounced policy change.
All updates reinforce our commitment to protecting your personal and financial data.
By continuing to use CashOnyx after a policy update, you acknowledge and agree to the most current version of this Privacy Policy — always available on www.cashonyx.com/privacy-policy.
11. Contact Us
11.1 General Privacy Inquiries
If you have questions, concerns, or feedback about this Privacy Policy or about how your personal data is handled, please contact us directly.
Our privacy team responds to all legitimate inquiries within 30 calendar days, and sooner whenever possible.
Primary Contact Email: privacy@cashonyx.com
Alternative Support Email: support@cashonyx.com
Subject Line: “Privacy Inquiry” or “Data Request”
We encourage you to include the following when contacting us:
Your full name and registered CashOnyx email address.
A clear description of your question or concern.
The specific right or issue you wish to address (e.g., data access, deletion, correction).
This helps us verify your identity and respond efficiently.
11.2 Data Protection Officer (DPO)
CashOnyx has appointed a Data Protection Officer (DPO) responsible for ensuring ongoing compliance with global privacy and data-protection regulations.
The DPO oversees:
Policy enforcement and regulatory correspondence.
Data-protection impact assessments (DPIAs).
Vendor and transfer compliance reviews.
Incident-response coordination and breach notifications.
Contact the DPO:
📧 dpo@cashonyx.com
(For regulatory, legal, or high-sensitivity matters only.)
11.3 Postal Correspondence
If you prefer to reach us by mail or are required to do so for legal reasons, you can write to:
CashOnyx Privacy Team
Attn: Data Protection Officer
1234 Market Street, Suite 900
San Francisco, CA 94103 USA
(If you are based outside the U.S., please note that international mail inquiries may take additional time to process.)
11.4 Regulatory Contacts and Escalation
If you believe that CashOnyx has not adequately addressed your concern, you may escalate your complaint to your regional data-protection authority:
United Kingdom: Information Commissioner’s Office (ICO) – www.ico.org.uk
European Union: Contact your local authority via edpb.europa.eu
United States (California): California Privacy Protection Agency (CPPA) – cppa.ca.gov
Canada: Office of the Privacy Commissioner of Canada (OPC) – priv.gc.ca
We will cooperate fully with any regulator or authority in resolving privacy complaints or investigations.
11.5 Effective Date and Version Information
This Privacy Policy is effective as of October 21, 2025.
The current version supersedes all prior versions and remains valid until replaced by an updated edition published on our official website.
11.6 Final Statement
Your privacy and trust are at the heart of everything we build.
CashOnyx pledges to continue evolving our systems, safeguards, and transparency practices to ensure that your data remains private, secure, and used solely for your benefit.
By using CashOnyx, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information as described herein.


© 2025. All rights reserved.
