Privacy Policy

How Cashy collects, uses, and protects your information across wallets, custody, swaps, and encrypted messaging.

Last updated: June 15, 2026

Quick summary

Your wallet seed phrase and message contents stay on your device and are encrypted. We collect account and identity data to run the app and comply with financial regulations. Custodial services are provided through Bridge, a regulated partner.

Introduction

Cashy ("we," "us," or "our") operates the Cashy mobile application and cashybank.com. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices you have.

Cashy combines:

  • Self-custody crypto wallets (you control your seed phrase)
  • Custodial fiat and USDC services powered by Bridge
  • Decentralized token swaps through third-party partners
  • End-to-end encrypted private messaging

By using Cashy, you agree to this Privacy Policy. If you do not agree, do not use the app.

Information we collect

2.1 Account and profile information

When you create an account, we may collect:

  • Email address
  • Username
  • Phone number
  • Legal name and date of birth (during onboarding)
  • Residential address (during onboarding or when enabling custody features)
  • Profile information you choose to add (bio, avatar, creator settings)
  • Sign-in method (Google or Apple)

2.2 Identity verification (KYC)

To access regulated custody and fiat features, you must complete identity verification through Didit, our third-party KYC provider. Through Didit and our systems, we may collect and process:

  • Government-issued identification documents
  • Selfie / liveness checks and face matching
  • Proof of address
  • Phone verification
  • AML (anti–money laundering) screening results
  • IP and device risk signals
  • NFC verification (where supported)
  • A short verification video you record in the app (camera and microphone)

KYC results are stored on our secure backend. You cannot edit KYC or Bridge-related fields directly in the app.

2.3 Custodial account and fiat services (Bridge)

If you use Cashy custody features, we collect and process information needed to operate fiat deposit and withdrawal services through Bridge, including:

  • Bridge customer ID and account status
  • Virtual account details (e.g. USD, EUR, GBP, BRL, MXN, COP — depending on eligibility)
  • Deposit and withdrawal transaction history
  • External payment account details you provide (e.g. bank account numbers, IBAN, routing numbers, PIX keys, beneficiary name)
  • Bridge Terms of Service acceptance status

Approved KYC data (name, date of birth, address, etc.) is shared with Bridge to create and maintain your custodial account.

2.4 Self-custody wallet information

For non-custodial wallet features:

  • Your seed phrase and private keys are generated and stored on your device. We do not receive or store your seed phrase or private keys on our servers.
  • We may store wallet-related preferences and account metadata tied to your Cashy account.
  • To display balances, transaction history, fees, and to broadcast transactions, the app sends public wallet addresses and transaction identifiers to third-party blockchain data providers.

Note: Activity on public blockchains is inherently public and permanent.

2.5 Swap and on-ramp activity

When you swap tokens or buy crypto:

  • Token pairs, amounts, chains, and wallet addresses may be shared with swap partners (Jupiter, LiFi, 0x, SwapKit, Squid, and similar) to obtain quotes and execute transactions.
  • If you use Stripe Crypto Onramp, payment and identity information is processed by Stripe under Stripe's own privacy policy.
  • We may log swap intents and transaction metadata on our servers for operations, fraud prevention, and fee processing.

2.6 Encrypted messaging

For private messaging:

  • We store your public encryption key, optional messaging username, profile description, and avatar.
  • We store encrypted message ciphertext and basic metadata (timestamps, sender/recipient IDs, thread IDs).
  • Message content is encrypted end-to-end using keys derived on your device from your wallet seed phrase. Cashy cannot read the contents of your encrypted messages.

2.7 Social and creator content

If you use social or creator features, we may collect and store:

  • Posts, stories, and videos you upload
  • Follower, subscriber, and following relationships
  • Audience and monetization settings

Media may be stored in Cloudflare R2 and/or Firebase Storage.

2.8 Device and app data

We may collect:

  • Device type, OS version, app version
  • App lock PIN (stored locally in secure device storage — not on our servers)
  • Biometric authentication usage (Face ID / fingerprint — processed by your device)
  • Crash reports and error logs (via Sentry)
  • API usage and rate-limit data for fraud prevention
  • Push notification tokens (for account alerts and messaging)

2.9 Information from third parties

We receive information from:

  • Google and Apple when you sign in
  • Didit when KYC completes or updates
  • Bridge for custody account status and transaction updates
  • Blockchain and swap partners for on-chain data

How we use your information

We use collected information to:

  • Create and manage your Cashy account
  • Verify your identity and comply with AML/KYC laws
  • Provide self-custody wallet, custody, fiat deposit/withdrawal, swap, and messaging features
  • Process transactions and display balances and history
  • Prevent fraud, abuse, duplicate accounts, and unauthorized access
  • Restrict or suspend accounts when required for compliance or security
  • Send transactional notifications (account status, custody updates, messages)
  • Improve app stability and fix bugs
  • Provide customer support
  • Enforce our terms and applicable law

We do not sell your personal information.

Self-custody vs custodial services

Cashy offers two distinct models. This matters for your privacy and security:

|                 | Self-custody wallet                     | Custodial services (Bridge)                 |
|-----------------|-----------------------------------------|---------------------------------------------|
| Who holds funds | You (via seed phrase on your device)    | Bridge (regulated custodian)                |
| Keys            | On your device only                     | Held by Bridge                              |
| Fiat rails      | Not applicable                          | Deposits/withdrawals via bank rails         |
| Recovery        | Only you can recover a lost seed phrase | Subject to Bridge KYC/support processes     |
| Data shared     | Public addresses to chain APIs          | Full KYC + payment account details to Bridge |

You may use one or both. They are separate products within the same app.

How we share information

We share information only as needed to operate Cashy:

Identity and compliance

  • Didit — identity verification
  • Bridge — custodial accounts, fiat rails, virtual accounts, withdrawals

Payments and on-ramps

  • Stripe — crypto on-ramp payments

Blockchain and swaps

  • Moralis, Chainstack, and public blockchain APIs (Etherscan, mempool.space, blockchain.info, Blockscout, Routescan, etc.) — balances, history, broadcast
  • Jupiter, LiFi, 0x, SwapKit, Squid — swap quotes and execution

Infrastructure

  • Google Firebase — authentication, database, cloud functions, file storage, push notifications
  • Cloudflare R2 — media and avatar storage
  • Sentry — crash and error reporting
  • OneSignal / MailerSend — operational and alert communications

Sign-in providers

  • Google, Apple

Referral partners (user-initiated only)

  • Meanwhile.bm — if you tap the Bitcoin life insurance referral link, you leave Cashy and Meanwhile's privacy policy applies

We may also disclose information:

  • To comply with law, regulation, subpoena, or legal process
  • To protect the rights, safety, and security of Cashy, our users, or the public
  • In connection with a merger, acquisition, or sale of assets (with notice where required)

Device permissions

Cashy may request the following permissions:

| Permission           | Purpose                                                        |
|----------------------|----------------------------------------------------------------|
| Camera               | QR code scanning, KYC verification (Didit), verification video |
| Microphone           | Verification video recording                                   |
| Photo library        | Uploading photos and videos                                    |
| Face ID / biometrics | App lock and wallet security                                   |
| Notifications        | Account alerts, custody updates, messages                      |
| Motion sensors       | App functionality                                              |

You can manage permissions in your device settings. Some features will not work without required permissions.

Data security

We use industry-standard measures to protect your information, including:

  • Encryption in transit (HTTPS/TLS)
  • End-to-end encryption for private messages (keys derived on-device)
  • Secure device storage for app lock PIN and local secrets
  • Server-side access controls on KYC, Bridge, and custody data
  • Fraud detection and account restriction systems

No method of transmission or storage is 100% secure. You are responsible for safeguarding your seed phrase, device, and app lock credentials.

Data retention

We retain information for as long as needed to:

  • Provide the services you use
  • Meet legal, regulatory, and AML/KYC obligations
  • Resolve disputes and enforce agreements

KYC and financial compliance data may be retained for years after account closure, as required by law.

Encrypted messages are stored as ciphertext; retention policies apply to the encrypted blobs and metadata.

Self-custody wallet keys on your device are deleted when you uninstall the app or clear app data (unless you have backed up your seed phrase elsewhere).

To request deletion of account data where legally permitted, use our account deletion request page or contact support@cashybank.com.

Your rights and choices

Depending on where you live, you may have rights to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Request deletion (subject to legal and compliance exceptions) via our account deletion request page
  • Object to or restrict certain processing
  • Data portability
  • Withdraw consent where processing is consent-based

California residents (CCPA/CPRA): You may have rights to know, delete, and opt out of sale/sharing. We do not sell personal information.

EEA/UK residents (GDPR): You may have additional rights including lodging a complaint with a supervisory authority.

To exercise rights, email support@cashybank.com. We may need to verify your identity. KYC and AML laws may limit what we can delete.

You can:

  • Revoke Google/Apple access via those providers' account settings
  • Disable notifications in device settings
  • Delete the app (self-custody keys on device are removed; back up your seed phrase first)

Children's privacy

Cashy is not intended for anyone under 18 (or the age of majority in your jurisdiction). We do not knowingly collect information from children. Contact us if you believe a child has provided information.

International data transfers

Cashy and our service providers (including Firebase/Google Cloud, Bridge, Didit, and swap partners) may process data in the United States and other countries. By using Cashy, you consent to transfer of your information to countries that may have different data protection laws than your own. Where required, we use appropriate safeguards.

Third-party privacy policies

Cashy links to or integrates services with their own privacy policies. You should review them:

Swap partners (Jupiter, LiFi, 0x, etc.) have their own policies governing on-chain transaction data.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on cashybank.com and update the "Last updated" date. Material changes may be communicated via the app or email where appropriate. Continued use after changes means you accept the updated policy.

Contact us

Cashy / cashybank.com

Email: support@cashybank.com

Bug reports: bug@cashybank.com

[PLACEHOLDER: insert legal entity name and registered address before go-live]

This Privacy Policy describes how Cashy collects and uses information. It is not legal advice. If you have questions, contact support@cashybank.com.