Privacy Policy for ManualFlow: Cash Tracker

Effective Date: August 10, 2025

Introduction

Welcome to ManualFlow: Cash Tracker ("we", "our", or "the App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the application.

Information We Collect

1. Financial Data (100% Local Storage Only)

The following information is stored exclusively on your device and is NEVER transmitted to us or any servers:

• Account information (account names, balances, types)
• Transaction data (income, expenses, amounts, dates, categories)
• Budget information
• Financial goals and savings data
• Custom categories and tags you create
• User preferences and settings

We have no access to this data. It never leaves your device.

2. Third-Party Service Data Collection (Not Collected by Us)

While WE don't collect any data, the following third-party services collect anonymous technical data for app functionality:

Firebase Analytics (Google):

• App usage patterns (which screens viewed, features used)
• Session duration and frequency
• Device information (model, OS version, app version)
• Anonymous user engagement metrics

Firebase Crashlytics (Google):

• Crash reports and error logs
• Device state at time of crash
• App version and build information

Firebase Performance Monitoring (Google):

• App startup times and screen load performance
• Network request performance
• Memory and CPU usage patterns

Google AdMob (Advertising):

• Advertising ID for ad targeting
• IP address and general location (country/region)
• Ad interaction data (views, clicks)
• Device information for ad compatibility

Google User Messaging Platform (UMP):

• Consent status for personalized ads
• Privacy preference settings
• Regional compliance data

3. Local Security Features (No Data Transmitted)

These security features work entirely on your device and send no data anywhere:

• Biometric Authentication: Your fingerprint/face data never leaves your device
• App Lock: PIN/password stored locally in encrypted form
• Data Encryption: All local data encrypted using device security

4. Optional Google Drive Backup

If you choose to enable Google Drive backup (optional feature):

• Your encrypted backup files are stored in YOUR Google Drive
• We have no access to your Google Drive or backup files
• Google Drive access is managed entirely through Google's OAuth system
• You can disable and delete backups at any time

Important: Even with Google Drive backup, we never see your data. The backups are encrypted and stored in your personal Google Drive account.

How We Use Your Information

Third-party services use the anonymous technical data for:

• App Functionality: Ensuring the app works properly across different devices and OS versions
• Crash Prevention: Identifying and fixing bugs that cause app crashes
• Performance Optimization: Improving app speed and responsiveness
• Analytics: Understanding general usage patterns to improve the app (no personal data)
• Advertising: Displaying relevant ads through Google AdMob (based on anonymous advertising ID)
• Compliance: Meeting legal obligations for privacy regulations

What We Do NOT Do:

• ❌ We do NOT see your financial data
• ❌ We do NOT store your personal information
• ❌ We do NOT have any servers with your data
• ❌ We do NOT sell your data to anyone
• ❌ We do NOT track your personal identity
• ❌ We do NOT access your Google Drive backups

Data Storage and Security

Local Storage

• All financial data is stored locally using SQLite database on your device
• Data is protected by your device's security features (PIN, fingerprint, etc.)
• We recommend using device encryption and screen lock for additional security
• You can export/backup your data locally at any time

Cloud Services and Data Processing

We use the following third-party services that may process data according to their respective privacy policies:

• Firebase Analytics: Anonymous usage analytics, user engagement metrics, and conversion tracking
• Firebase Crashlytics: Crash reports, error logging, and stability monitoring
• Firebase Performance Monitoring: App performance metrics, network request monitoring, and optimization data
• Google AdMob: Advertisement delivery, ad performance tracking, and revenue optimization
• Google User Messaging Platform (UMP): Consent management for GDPR, CCPA, and other privacy regulations
• Google Drive API (Optional): Encrypted backup file storage and synchronization (only if user opts in)
• Google Play Services: App updates, authentication, and core Android functionality
• Google Play Core (In-App Review): In-app review prompts and rating collection

All data processed by these services is either anonymous or pseudonymous and cannot be traced back to individual users or their financial information.

Third-Party Services and Dependencies

Our App integrates with the following third-party services. Each service operates under its own privacy policy and terms of service:

Google Services

• Google Play Services - Core Android functionality, app updates, and security
• Google AdMob - Advertisement delivery and monetization
• Firebase Analytics - App usage analytics and user behavior insights
• Firebase Crashlytics - Crash reporting and error tracking
• Firebase Performance - Performance monitoring and optimization
• Google Drive API - Optional backup and file synchronization
• Google User Messaging Platform - Privacy consent management
• Google Play In-App Review - In-app rating and review collection

Additional Third-Party Libraries

• AndroidX Biometric: Device biometric authentication (fingerprint, face unlock)
• Material Design Components: UI components following Google's Material Design guidelines
• Kotlin Coroutines: Asynchronous programming framework (data processing only)
• Jetpack Compose: Modern UI toolkit for Android (no data collection)
• Realm Database: Local database for financial data storage (data remains on device)
• WorkManager: Background task scheduling (for local notifications and data maintenance)

Important: Only Google services listed above may collect and process user data. All other libraries operate locally on your device and do not transmit any information.

Data Sharing and Disclosure

What We Share: NOTHING

• ❌ We do NOT share your financial data (we can't access it)
• ❌ We do NOT sell any data to third parties
• ❌ We do NOT have any user data to share with law enforcement
• ❌ We do NOT provide data to marketing companies

What Third-Party Services Do:

• Firebase/Google: Processes anonymous technical data according to Google's privacy policy
• AdMob: Uses advertising ID for ad personalization according to Google's advertising policies
• Your Google Drive: Stores your encrypted backups in YOUR account (if you enable this feature)

All third-party data processing is governed by their respective privacy policies, not ours, because we are not involved in the data collection.

Your Rights and Choices

Data Control

• Access: View all your data within the app
• Export: Export your data in CSV format
• Delete: Delete any or all data directly in the app
• Backup: Create local backups of your data

Opt-Out Options

• Analytics: You can disable Firebase Analytics collection in app settings
• Crash Reports: You can opt-out of Firebase Crashlytics reporting in app settings
• Performance Monitoring: You can disable Firebase Performance monitoring in app settings
• Personalized Ads: You can opt-out of personalized ads through:
• Your device's advertising settings (Android: Google Settings > Ads)
• AdMob's consent dialog when prompted
• App settings for advertising preferences
• Google Drive Backup: You can disable and delete Google Drive backups at any time in app settings
• Biometric Authentication: You can enable/disable biometric authentication in app settings
• Complete Opt-Out: Uninstall the app to stop all data collection

Data Portability

• CSV Export: Export all your financial data in CSV format for use in other applications
• JSON Backup: Create complete backups in JSON format for data portability
• Print Reports: Generate PDF reports of your financial data
• Cloud Backup: Optional Google Drive backup for data synchronization across devices

Children's Privacy (COPPA Compliance)

Our App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

What We Do for Child Protection:

• No account creation or registration required (eliminating age verification needs)
• All data stored locally on device (no transmission to servers)
• Anonymous third-party data collection only (Firebase/AdMob)
• No social features or communication capabilities

For Parents and Guardians:

• If you believe your child has used this app, simply delete it from their device to remove all local data
• Contact us at appkadag@gmail.com if you have concerns about child data collection
• We will work with you to address any privacy concerns regarding your child
• Since we collect no personal data, there is no child data for us to delete from our servers

International Data Transfers

Since we don't collect personal data, we don't transfer any data internationally. However, third-party services may process data across borders:

Firebase/Google Services:

• Data Centers: Google operates data centers worldwide and may process anonymous technical data in various countries
• Transfer Safeguards: Google uses standard contractual clauses and adequacy decisions for international transfers
• Primary Locations: United States and European Union data centers
• Compliance: Google complies with GDPR, Privacy Shield successor frameworks, and other international privacy laws

Your Google Drive Backups (Optional):

• Stored in your personal Google Drive account according to your Google account settings
• You control the geographic location of your Google Drive data through your Google account preferences
• We have no involvement in where your encrypted backups are stored

Your financial data never participates in international transfers because it never leaves your device.

App Permissions and Their Purpose

Our app may request the following device permissions. Here's exactly why we need each one:

Required Permissions:

• INTERNET: Required for Firebase Analytics, AdMob ads, and Google Drive backup (if enabled)
• ACCESS_NETWORK_STATE: To check network connectivity before attempting cloud operations
• WAKE_LOCK: To prevent device sleep during backup/export operations
• BILLING: For future premium features (not currently used)

Optional Permissions:

• USE_BIOMETRIC: For fingerprint/face unlock (only if you enable app lock)
• WRITE_EXTERNAL_STORAGE: To save export files to your device (only when you export data)
• CAMERA: For future receipt scanning feature (not currently implemented)
• GET_ACCOUNTS: For Google Drive backup authentication (only if you enable backup)

What We DON'T Request:

• ❌ Location access (we don't track where you are)
• ❌ Contact access (we don't access your contacts)
• ❌ SMS access (we don't read your messages)
• ❌ Phone access (we don't make or monitor calls)
• ❌ Calendar access (we don't access your calendar)
• ❌ Microphone access (we don't record audio)

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by:

• Updating the "Effective Date" at the top of this policy
• Showing an in-app notification for significant changes
• Requiring your consent for material changes that affect your rights

Data Retention

Local Data (Stored on Your Device)

• Financial Transaction Data: Retained indefinitely on your device until you manually delete it
• Account and Category Data: Retained until you delete accounts or categories
• User Preferences and Settings: Retained until you reset app settings or uninstall
• Authentication Data: Biometric settings retained until you disable or change them

Third-Party Service Data

• Firebase Analytics Data: Automatically deleted after 14 months (Google's default retention)
• Firebase Crashlytics Reports: Automatically deleted after 90 days
• Firebase Performance Data: Automatically deleted after 90 days
• AdMob Advertising Data: Retained according to Google AdMob's data retention policies (typically 13 months)
• Google Drive Backups: Retained until you manually delete them from your Google Drive
• UMP Consent Records: Retained for up to 13 months to comply with privacy regulations

Data Deletion

• Immediate Deletion: Local data is deleted immediately when you use app's delete functions
• App Uninstall: All local data is deleted when you uninstall the app
• Account Deletion Request: Contact us to request deletion of any data associated with your Firebase installation ID
• Automatic Expiry: Third-party service data automatically expires according to each service's retention policies

Your Consent

By using ManualFlow: Cash Tracker, you consent to:

• The collection and use of anonymous analytics data
• The display of advertisements through AdMob
• The processing of crash reports for app improvement

Legal Basis for Processing (GDPR - EU Users)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for processing your information under GDPR includes:

• Consent (Article 6(1)(a)): For analytics data collection, personalized advertising, and optional features like Google Drive backup
• Contract Performance (Article 6(1)(b)): To provide core app functionality including financial tracking, budgeting, and account management
• Legitimate Interests (Article 6(1)(f)): For crash reporting, performance monitoring, security, and app improvement (where not overridden by your privacy rights)
• Legal Compliance (Article 6(1)(c)): To comply with applicable laws, regulations, and legal processes

Your GDPR Rights

• Right of Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data under certain circumstances
• Right to Restrict Processing: Request limitation of processing under certain circumstances
• Right to Data Portability: Request transfer of your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing that requires consent
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority

California Privacy Rights (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the right to:

• Know: Request disclosure of what personal information we collect, use, disclose, and sell
• Delete: Request deletion of your personal information (subject to certain exceptions)
• Correct: Request correction of inaccurate personal information
• Opt-Out: Opt-out of the sale or sharing of personal information (we do not sell your data)
• Limit: Limit the use of your sensitive personal information
• Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

Categories of Personal Information (CCPA)

• Identifiers: Device identifiers, advertising ID, Firebase installation ID
• Internet Activity: App usage data, interaction with advertisements
• Geolocation: General location (country/region level only)
• Inferences: Usage patterns and preferences derived from your activity

Other Regional Privacy Rights

Brazil (LGPD)

Brazilian users have rights under Lei Geral de Proteção de Dados (LGPD) including access, rectification, deletion, and data portability.

Canada (PIPEDA)

Canadian users have rights under Personal Information Protection and Electronic Documents Act (PIPEDA) including access and correction of personal information.

Australia (Privacy Act)

Australian users have rights under the Privacy Act 1988 including access and correction of personal information.

Security Measures

• Local Data Encryption: All financial data is stored in encrypted SQLite databases on your device
• Biometric Authentication: Optional fingerprint, face unlock, or PIN protection for app access
• Network Security: All network communications use HTTPS encryption
• Code Obfuscation: App code is obfuscated to prevent reverse engineering
• Regular Security Updates: Frequent app updates to address security vulnerabilities
• Third-Party Security: All third-party services (Firebase, Google) maintain enterprise-grade security standards

Why Data Breaches Don't Apply to Us

Potential Third-Party Service Issues:

While we can't be breached, third-party services (Firebase/Google) could theoretically have security incidents affecting their anonymous technical data:

• Firebase/Google Responsibility: Any security incidents with anonymous analytics data would be handled by Google, not us
• No Financial Data at Risk: Your transaction data, account balances, and personal information are never involved
• Limited Impact: Only anonymous device/usage data could be affected
• Google's Response: Google has their own incident response procedures and would notify users directly if needed

© 2025 ManualFlow: Cash Tracker. All rights reserved.
Last updated: August 10, 2025