Privacy Policy
Last updated: 2026-04-23 · Effective: 2026-04-23
CASH.BOT ("we", "us", "our") respects your privacy. This policy explains what personal information we collect, why we collect it, who we share it with, and how you can exercise your rights under GDPR, CCPA/CPRA, and other applicable privacy laws.
1. Who We Are
CASH.BOT is operated as a sole proprietorship in the United States. For privacy questions, contact privacy@cash.bot or write to the postal address at the end of this policy.
2. Information We Collect
2.1 Information you give us
- Account: email address, password (hashed), tier, license key, billing status.
- Payments: transaction IDs, amounts, plan selected. Card numbers and bank details are handled entirely by our payment processors (Stripe, PayPal); we never store them.
- Support & communications: messages you send to support, community posts, WhatsApp/iMessage messages you send to our bridge.
- Workspace content: files, notes, conversations, terminal sessions, and any other content you create inside the CASH.BOT OS while logged in.
- BYOK keys (optional): if you connect your own Anthropic, OpenAI, OpenRouter, Vultr, Railway, Cloudflare, or similar keys, those values are stored encrypted at rest and used only on your behalf.
2.2 Information collected automatically
- Device & connection: IP address (for rate-limiting and fraud prevention), browser user-agent, approximate region from IP geolocation, referrer URL.
- Usage: pages viewed, buttons clicked, apps opened, feature usage counts, error logs.
- Cookies & local storage: session cookie (cb_session), trial token (cb_trial_token), affiliate referral code (cb_ref), preference flags, A/B-test bucket assignments.
2.3 Information from third parties
- OAuth providers: if you sign in with Google or GitHub, we receive the email address and display name the provider returns; we never receive your password.
- Affiliates: if a referrer brought you to us, we receive their code so we can credit them.
3. How We Use Your Information
- To provide the CASH.BOT service, operate your account, and run the apps you open.
- To process payments, issue refunds, and detect fraud.
- To send transactional email (receipts, password resets, account alerts) — you cannot opt out of these as long as you have an active account.
- To send product updates and marketing email — you may opt out any time via the unsubscribe link in every message; we honour opt-outs within 10 business days (CAN-SPAM).
- To operate the AI orchestrator, which requires sending your prompts (and any attached content you choose to include) to the model provider you selected (Anthropic, OpenAI, OpenRouter, or a local/BYOK model).
- To improve the service (debug, analyse trends, tune models).
- To comply with legal obligations and enforce our Terms of Service.
4. Legal Bases (GDPR, UK GDPR)
Where GDPR applies, we rely on: (a) performance of a contract with you (to deliver the service you signed up for); (b) legitimate interests (to secure our systems, prevent fraud, improve the product); (c) your consent (for marketing email and non-essential cookies, where required); and (d) legal obligation (tax records, court orders).
5. Sharing & Sub-processors
We never sell your personal information. We share data only with vendors who process it on our behalf ("sub-processors") or when required by law.
| Sub-processor | Purpose | Data |
|---|---|---|
| Anthropic | AI model (Claude) | Prompts + attached content you send |
| OpenAI / OpenRouter | AI model fallback | Prompts + attached content you send |
| Railway | Application hosting | All data processed by the service |
| Cloudflare | CDN, DDoS protection, DNS | IP, user-agent, request metadata |
| Stripe | Card payments | Card details, billing address, email |
| PayPal | PayPal payments | Name, email, transaction amount |
| Resend | Transactional email | Email address, message body |
| Vultr | Optional customer VPS (if you BYO key) | Nothing — keys are yours |
We also disclose information when compelled by a subpoena, court order, or government request; and to protect rights, safety, or property.
6. International Transfers
We operate in the United States. If you use CASH.BOT from the EEA, UK, or Switzerland, your data is transferred to, and stored in, the US. We rely on Standard Contractual Clauses (SCCs) with sub-processors that support them.
7. How Long We Keep Data
- Account data: while your account is active, plus up to 24 months after closure.
- Workspace content: while your account is active. Deleted workspaces are purged within 30 days.
- Payment records: 7 years (tax law).
- Support tickets: up to 24 months.
- Server logs: up to 90 days for security and debugging.
8. Your Rights
Depending on where you live, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate information.
- Delete your account and personal data ("right to be forgotten" — some records kept for tax / fraud prevention).
- Port your data in a machine-readable format.
- Restrict or object to certain processing, including profiling.
- Opt out of sale/sharing — we do not sell personal information, so nothing to opt out of.
- Withdraw consent at any time where consent is the legal basis.
- Lodge a complaint with your supervisory authority (e.g., ICO in the UK, your state AG in the US).
To exercise a right, email privacy@cash.bot from the address on your account; we respond within 30 days (45 days for CCPA requests that require extension).
9. California Residents (CCPA / CPRA)
In the past 12 months we have collected the categories of personal information listed in Section 2, for the purposes listed in Section 3, from the sources listed in Section 2. We have not sold or shared personal information for cross-context behavioural advertising. California residents have the rights described in Section 8, plus the right to non-discrimination for exercising those rights.
10. Children
CASH.BOT is not for users under 13. We do not knowingly collect personal information from children under 13 (COPPA). If we learn we have collected such data, we delete it. If you believe a child under 13 has given us data, email privacy@cash.bot. Some features (e.g. the social casino at casino.cash.bot) require users to be 18 or older.
11. Security
We use TLS in transit, encryption at rest for sensitive fields (BYOK keys, session tokens), WAL-mode SQLite with nightly snapshots, rate-limiting, and tiered access controls. No system is perfectly secure; if a breach affects your data we will notify you without undue delay as required by law.
12. Do Not Track
We do not respond to browser "Do Not Track" signals because there is no industry consensus on how to interpret them. You can disable non-essential cookies in your browser; doing so will not affect essential session/auth functionality.
13. Changes to this Policy
If we make material changes, we will update the "Last updated" date at the top and, where required by law, notify you by email or in-product notice at least 7 days before the change takes effect.
Email: privacy@cash.bot
Support: cash.bot/support
Postal: CASH.BOT — mail the above address for the current postal contact.