Privacy Policy — MyCashDash

Name: MyCashDash
Price: 99 GBP
Author: CloudCoding Limited

Version: 1.2 Last Updated: June 2, 2026 Effective Date: June 2, 2026 Document Owner: CloudCoding Limited

Introduction

Welcome to the MyCashDash privacy policy.

We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website at mycashdash.com and when you use the MyCashDash web application (collectively, the "Platform"), and tells you about your privacy rights and how the law protects you.

This privacy policy is provided in a layered format so you can navigate to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy policy.

Table of Contents:

Important Information and Who We Are
The Data We Collect About You
How Is Your Personal Data Collected?
How We Use Your Personal Data
Spaces, Sharing, and Multi-User Access
AI-Assisted Statement Extraction
Optional Client-Side Encryption
Disclosures of Your Personal Data
Data Storage and Location
Data Security
Data Retention
Your Legal Rights
Glossary

1. Important Information and Who We Are

Purpose of this privacy policy

This privacy policy aims to give you information on how we collect and process your personal data through your use of the MyCashDash Platform, including data you provide when you:

register your interest on our website before MyCashDash launches (by giving your name and email so we can tell you when you can sign up);
register for an account;
create and use Spaces (shared financial workspaces);
create accounts, transactions, counterparties, categories, projects, and assets within the Platform;
upload bank statements (PDF, image, or CSV) for processing;
invite other people to a Space or share an account with them;
subscribe to a paid plan; and
contact us for support.

MyCashDash is a personal finance tracking tool. MyCashDash is not a regulated financial services provider, does not provide financial, investment, tax, or legal advice, does not hold client money, and is not authorised or regulated by the Financial Conduct Authority (FCA). You remain solely responsible for your financial decisions and for the accuracy of the data you enter into or upload to the Platform.

The Platform and our services are not intended for individuals under the age of 18, and we do not knowingly collect personal data relating to children under 18. If we become aware that a person under 18 has provided us with personal data, we will promptly delete such information.

It is important that you read this privacy policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

Controller

CloudCoding Limited, a company registered in England and Wales, is the controller and responsible for your personal data (collectively referred to as "we", "us" or "our" in this privacy policy).

Registered Office: First Floor, Lipton House, Stanbridge Road, Leighton Buzzard, England, LU7 4QQ Company Number: 07435312

Contact details

If you have any questions about this privacy policy or our privacy practices, please write to us at the postal address in the "Contact Us" section at the end of this policy.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated on June 2, 2026.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your use of the Platform.

Third-party links

This Platform may include links to third-party websites, applications, and services. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Platform, we encourage you to read the privacy policy of every website you visit.

2. The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data includes first name, last name, display name, optional profile photograph, and other identifiers you provide or we assign.
Contact Data includes email address and any other contact information you provide, including the email addresses of people you invite to a Space or with whom you share an account.
Account Data includes your account creation date, subscription plan and status (trial, founding member, personal, household, etc.), billing interval (monthly, annual, lifetime), trial end date, renewal date, and (where applicable) household licence assignments and founding member number.
Payment Data is handled by our payment processor, Stripe. We do not store full payment card details on our systems. We store only the Stripe customer ID, the Stripe subscription ID, the Stripe price ID, and the timestamps of payment events necessary to manage your subscription.
Profile and Preference Data includes your display name, profile photograph, your default currency, your demo-mode status, and any preference settings stored against your account.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, operating system and platform, and other technology on the device you use to access the Platform.
Space Data includes the name and icon you give to each Space, the date the Space was created, the user who created it, the list of admin and member user IDs, the list of invited email addresses, and (where you have enabled encryption) the wrapped encryption keys for each member.
Financial Data You Enter or Upload is the core data of the Platform. It includes:
- Accounts you create (name, type, variant, currency, starting balance, ownership and sharing assignments).
- Transactions (date, amount in minor units, description, counterparty, category, type, payment method, project assignment, reference, reconciliation status, source of import, split-transaction relationships).
- Counterparties (the people or organisations you transact with — title, balance and running totals).
- Categories, Types, and Methods that you define for classifying transactions.
- Projects that group activity towards a financial goal (title, description, status, planned items, dates).
- Assets (title, asset type, currency, purchase date and value, valuation snapshots, anticipated sale date and value).
- Balance Anchors (manually reconciled balance points on an account).
- Matching Rules that the Platform learns from your past explanations of transactions in order to suggest defaults next time.
- Split Templates that you save to re-apply a recurring division of a transaction across multiple counterparties (for example, a household bill split between members).
Uploaded Documents includes any bank statement, CSV file, or image you upload to the Platform for processing. Uploaded documents are stored in Cloud Storage within the European Economic Area for the period required to extract their contents and to allow you to review and reconcile the result.
Sharing and Invitation Data includes the email addresses, roles, and timestamps recorded when you invite someone to a Space, share an account with another user, or accept or decline an invitation.
Usage Data includes information about how you use the Platform, including which pages you visit and the actions you take (for example, creating, editing, importing, or deleting records).
Analytics Data includes the pseudonymous identifiers and event data generated by Google Analytics on our marketing website (for example, pages viewed, approximate location derived from a truncated IP address, and device and browser type). We collect this only where you have accepted analytics cookies. See Section 3 and our Cookies Policy.
Waitlist Data includes the name and email address you give us if you register your interest on our website before launch, together with the date you registered, so that we can notify you when you can sign up.
Communication Data includes any correspondence, feedback, support requests, or messages you send to us.

We also collect, use, and share Aggregated Data such as statistical data for any purpose. Aggregated Data is not considered personal data in law because it does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data.

What we do not collect

We do not collect, and we do not have any technical ability to obtain, the credentials of your online banking accounts. You enter your financial information manually, upload statements yourself, or supply CSV exports yourself. MyCashDash does not connect to or read from your bank.

We do not collect your full payment card details. Card data is collected and processed directly by Stripe and never reaches our servers.

We do not use advertising, retargeting, or behavioural tracking technologies, and we do not build advertising profiles about you. On our marketing website we use one privacy-respecting analytics tool (Google Analytics, provided through Firebase), and only where you have accepted analytics cookies. This is described in Section 3 and in our Cookies Policy. We do not sell your personal data, and we do not share your personal data with advertising networks.

Special Categories of Personal Data

We do not intentionally collect any Special Categories of Personal Data about you. However, because the Platform allows free-text descriptions, counterparty names, and category labels, you may inadvertently include information that reveals such categories (for example, if a transaction description references a medical provider or a place of worship). Please be aware that any such content becomes part of your data within the Platform.

We do not collect any information about criminal convictions and offences.

If you believe we have collected special category data, please write to us at the postal address in the "Contact Us" section below so we can address this.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to register you for an account or provide you with full access to the Platform. In this case, we will notify you at the time.

3. How Is Your Personal Data Collected?

We use different methods to collect data from and about you, including:

Direct interactions

You may give us your Identity Data, Contact Data, Profile Data, and Financial Data by filling in forms on the Platform or by uploading documents. This includes personal data you provide when you:

register your interest on our website before launch, by giving your name and email address;
register for an account;
create or update your user profile;
create or rename a Space;
create accounts, transactions, counterparties, categories, projects, or assets;
upload a bank statement (PDF or image) or a CSV file;
invite another person to a Space, or share an account with another user;
accept or decline an invitation that someone else has sent to you;
subscribe to or change a paid plan;
assign household licences to other users (household plans only);
contact us with queries, feedback, or support requests; and
opt in to receive marketing or product-update emails from us.

Automated technologies or interactions

As you interact with the Platform, we will automatically collect Technical Data and Usage Data about your equipment and your actions. We collect this data via our application logs, our authentication system, and our backend (Cloud Functions). We also use a small amount of browser storage as set out in our Cookies Policy.

Analytics on the marketing website. Where you have accepted analytics cookies, our marketing website uses Google Analytics (provided through Firebase) to collect Analytics Data about how the site is used. We do not load Google Analytics, and we do not collect Analytics Data, unless and until you accept analytics cookies. You can decline or withdraw this at any time using the "Cookie settings" link in the website footer. Full details are in our Cookies Policy.

Fonts. Our marketing website loads one display font (Roboto Flex) from Google Fonts. When your browser requests that font from Google, your IP address is necessarily disclosed to Google as part of the request. This does not set a cookie. Google may receive this request on infrastructure outside the United Kingdom; the transfer is covered by Google's data processing terms (see Sections 8 and 9). Our other fonts are served from our own infrastructure and do not involve a third party.

Data we receive from third parties

We receive limited personal data about you from the following third parties:

Stripe — for subscription and payment processing. We receive the customer ID, subscription ID, price ID, subscription status, billing period, and payment event timestamps. We do not receive full payment card details.
Firebase Authentication (Google Cloud) — for managing your sign-in. We receive your authenticated user ID and confirmation of authentication events.

Data we receive from other users

If another user invites you to a Space or shares an account with you, we will receive your email address (so that we can route the invitation to you) and, if you accept the invitation, the role under which you have been granted access.

If you are an admin or member of a Space, you will see the names and email addresses of the other members of that Space. If you grant another user access to an account, that user will see the data within that account at the level of access you have granted.

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

Purpose	Type of Data	Lawful Basis
Account Management and Platform Access
To register you for an account and provide you access to the Platform	Identity, Contact, Account Data	Performance of contract
To manage your subscription, billing, and household licences	Account, Contact, Payment Data	Performance of contract / Legal obligation
To provide customer support and respond to your inquiries	Identity, Contact, Communication Data	Performance of contract / Legitimate interest
To send you transactional communications (account updates, password resets, subscription changes, invitations)	Identity, Contact Data	Performance of contract
Core Platform Functionality
To store and display the financial data you enter or upload, and the Spaces, accounts, transactions, counterparties, categories, projects, and assets you create	Financial Data, Space Data	Performance of contract
To process bank statements you upload and extract transactions from them using AI (see Section 6)	Uploaded Documents, Financial Data	Performance of contract
To learn matching rules from your past transaction explanations and suggest defaults for new transactions	Financial Data, Usage Data	Performance of contract / Legitimate interest
To manage Space membership, account sharing, invitations, and (where you have enabled it) per-Space encryption keys	Space Data, Sharing and Invitation Data	Performance of contract
Personalisation and Optimisation
To customise your Platform experience based on your preferences (default currency, theme, last-viewed Space)	Profile, Preference, Usage Data	Legitimate interest
To improve and optimise the Platform's features and functionality	Usage Data	Legitimate interest
To measure and improve how visitors use our marketing website, using Google Analytics (only where you have accepted analytics cookies)	Analytics, Technical Data	Consent
Communications and Marketing
To send you product updates, newsletters, and promotional content (only where you have opted in)	Contact, Identity Data	Consent
To respond to a pre-launch interest registration and tell you when you can sign up	Waitlist Data (name, email)	Consent
To notify you of changes to our terms, policies, or services	Contact Data	Legal obligation
Legal and Compliance
To comply with legal obligations, regulations, and regulatory requests	All Data	Legal obligation
To establish, exercise, or defend legal claims	All Data	Legal obligation / Legitimate interest
To enforce our Terms and Conditions and other agreements	All Data	Legitimate interest
To protect the security and integrity of the Platform and prevent fraud or abuse	Technical, Account Data	Legitimate interest / Legal obligation

Marketing

We will only send you marketing emails (such as product updates and newsletters) where you have explicitly opted in. You can withdraw your consent at any time by clicking the "unsubscribe" link in any marketing email or by writing to us at the postal address in the "Contact Us" section below. Withdrawing consent does not affect transactional emails that we send for the operation of your account (for example, password resets, billing notifications, and invitation responses).

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Legitimate Interest Assessment

Where we have relied on a Legitimate Interest as the lawful basis for processing your personal data, we have completed a Legitimate Interest Assessment (LIA). You can request details of our LIA for specific processing by writing to us at the postal address in the "Contact Us" section below.

5. Spaces, Sharing, and Multi-User Access

MyCashDash is built around the concept of a "Space" — a shared financial workspace that one or more people can use together.

Spaces

When you create a Space, you become an admin of that Space. You can invite other people to join the Space by email. Other Space members will be able to see and (depending on their role) edit the financial data within the Space, including accounts, transactions, counterparties, categories, projects, and assets.

You can rename a Space, change its icon, and add or remove members at any time. You can leave a Space at any time. If you are the sole admin of a Space, you must transfer admin rights or delete the Space before you can leave.

Account-level sharing

Within a Space, individual accounts can be shared at a more granular level. The sharing roles are:

Owner — full ownership of the account.
Joint — joint ownership with full access.
Joint (no access) — joint ownership recorded for reporting purposes, without access to the underlying transactions.
Editor — can view and edit the account.
Viewer — can view but not edit the account.
Pending — access has been invited but not yet accepted.

A grant of account-level access reveals the data within that account, at the level of access you have granted, to the user you have granted it to.

Invitations

When you invite someone to a Space or share an account with them, we will store the email address you provided, the role you assigned, the timestamp of the invitation, and (where the Space has encryption enabled) a wrapped encryption key staged for the invitee to redeem on first login.

If the invitee does not accept the invitation, we will retain the invitation record for a reasonable period to allow them to accept it later, and then delete it. You can revoke an outstanding invitation at any time.

Responsibilities of admins and members

Each Space admin is responsible for the appropriate management of that Space, including who is invited and what level of access they are granted. If you invite a person to a Space or share an account with them, you are responsible for ensuring you have any consent or authority required to share that data with them under applicable law.

6. AI-Assisted Statement Extraction

MyCashDash allows you to upload a bank statement (as a PDF or image) and uses an AI model to extract the transaction rows from it.

How it works

When you upload a statement for AI extraction:

The file is uploaded to Google Cloud Storage in the europe-west2 (London) region.
A Cloud Function processes the file by sending it to the Google Gemini 2.5 Flash model running on Google Vertex AI in europe-west2 (London).
The model returns a structured list of transactions (date, description, money in, money out, running balance).
The Platform reconciles the extracted balance against the running balance and flags any rows where the reconciliation does not match, so you can review and correct them.
The extracted rows are then made available to you within the Platform for review and reconciliation against your accounts.

Subprocessor relationship and data handling

Google Cloud (including Vertex AI) acts as a subprocessor for this feature. The processing takes place under Google Cloud's enterprise terms, which provide that customer data submitted to Vertex AI generative AI services is not used to train Google's foundation models and is not used to improve Google's services in a way that would expose your data to other customers.

The contents of the uploaded statement are processed solely for the purpose of extracting transaction data for your account. The original file is retained in Cloud Storage until the import is complete and reviewed, and is then deleted in accordance with the retention schedule in Section 11.

What we do not do

We do not use the contents of your statements to train any machine learning model.
We do not share the contents of your statements with any party other than the Vertex AI service used to extract the transaction data.
We do not use AI to categorise, classify, or otherwise interpret your financial data beyond row extraction. Suggested categories, counterparties, and methods are produced by deterministic matching rules learned from your previous explanations, not by an AI model.

Your alternatives

AI-assisted statement extraction is optional. You can use the Platform without it by:

importing a CSV export from your bank;
entering transactions manually; or
using the Platform purely for analysis of data you supply by other means.

7. Optional Client-Side Encryption

MyCashDash provides an optional feature that encrypts the monetary fields of your financial data on your device, before they are sent to our servers, so that the underlying numbers are not readable in our databases.

How it works

When you enable encryption for a Space:

A 256-bit symmetric encryption key is generated and used to encrypt monetary fields using AES-256-GCM.
That encryption key is wrapped (encrypted) under a wrapping key that is derived from your account password using PBKDF2 with 100,000 iterations and a per-user salt.
The wrapped key is stored in our database. Your password is never sent to our servers and we cannot recover it for you.
When other members are added to an encrypted Space, the encryption key is wrapped under a one-time share key, which is delivered to them by email; they then redeem it on first login using their own password.

What this means for you

If you enable encryption:

An attacker who obtained a copy of our database would not be able to read the monetary values within encrypted Spaces.
If you forget your password, we cannot recover your encrypted data. Recovery is not possible by us; we do not hold a copy of your password or your wrapping key.
Non-monetary fields (such as text descriptions and counterparty names) may still be stored in plain text.
Encryption is set at the Space level. Each Space can independently be encrypted or not.

Encryption is off by default. You can opt in to encryption when creating or configuring a Space.

8. Disclosures of Your Personal Data

We may share your personal data with the following parties for the purposes set out in Section 4:

Service providers (subprocessors)

Google Cloud Platform (including Firebase) — provides our cloud infrastructure, including Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, and Vertex AI. All MyCashDash data in this category is hosted in the europe-west2 (London) region (see Section 9).
Google (Google Analytics and Google Fonts) — used on our marketing website only. Google Analytics (provided through Firebase) processes Analytics Data, but only where you have accepted analytics cookies. Google Fonts receives your IP address when your browser requests a font. Unlike the rest of our infrastructure, these two Google services may process data on infrastructure outside the United Kingdom; that transfer is governed by Google's data processing terms and the safeguards described in Section 9.
Stripe — provides our payment processing. Stripe is the controller of the payment card data you submit to it; we receive only the limited identifiers and subscription metadata described in Section 2.
SendGrid (operated by Twilio Inc.) — our transactional and marketing email delivery provider. SendGrid receives the recipient's email address, the sender's email address, and the contents of the email (for example, an invitation, a password-reset link, or a billing notification). SendGrid is operated by Twilio Inc., a company incorporated in the United States, and processes email through its US-based infrastructure. The transfer of your personal data to Twilio Inc. is governed by the UK International Data Transfer Agreement (or, where applicable, the UK Addendum to the EU Standard Contractual Clauses) together with Twilio's standard Data Processing Addendum.

We require all third-party service providers to respect the security of your personal data, treat it in accordance with applicable law, and process it only for the specified purposes.

A current list of our subprocessors is available on request by writing to us at the postal address in the "Contact Us" section below.

Sharing with other users

If you invite another user to a Space, or share an account with another user, that user will be able to see the data you have shared with them, as described in Section 5.

Legal requirements

We may disclose your personal data where required by law, to comply with legal obligations, to enforce our agreements, to protect rights and safety, or to detect and prevent fraud.

Business transfers

If we are involved in a merger, acquisition, financing, or sale of all or part of our business, your personal data may be transferred to the relevant party as part of that transaction. We will give you notice (for example, by email) if your personal data becomes subject to a different privacy policy as a result.

What we do not do

We do not sell your personal data. We do not share your personal data with advertising networks or data brokers. We do not use your data to build advertising profiles.

9. Data Storage and Location

London, United Kingdom

All personal data collected by MyCashDash is stored and processed in the europe-west2 (London) region of Google Cloud Platform.

This applies to all account and profile data, financial data (accounts, transactions, counterparties, categories, projects, assets), Space and sharing data, uploaded documents (statements, CSVs), encryption keys, application logs, and the AI processing carried out by Vertex AI as described in Section 6.

No international transfers from MyCashDash's own infrastructure

We do not transfer your personal data outside the United Kingdom from MyCashDash's own infrastructure (Cloud Firestore, Cloud Storage, Cloud Functions, and Vertex AI): all of those services run exclusively in the europe-west2 (London) region. The limited transfers carried out by our subprocessors Stripe and SendGrid, and by Google Analytics and Google Fonts on our marketing website, are described separately below and are governed by the appropriate transfer mechanisms.

Payment processor, email provider, and website analytics

Stripe may process payment data through its global infrastructure under its own terms. Stripe operates a UK entity (Stripe Payments UK Ltd) and is regulated in the UK by the Financial Conduct Authority.
SendGrid (operated by Twilio Inc., headquartered in the United States) processes transactional and marketing emails through its US-based infrastructure. The associated UK→US transfer of personal data (limited to your email address, the sender's email address, and the email contents) is governed by the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses), supplemented by Twilio's standard Data Processing Addendum.
Google Analytics and Google Fonts (marketing website only) may process data, including a pseudonymous analytics identifier and your IP address, on Google infrastructure outside the United Kingdom. Analytics runs only where you have accepted analytics cookies. These transfers are governed by Google's data processing terms, which incorporate the UK International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses).

We will keep this section updated to reflect any changes to our subprocessor footprint.

10. Data Security

Security measures

We have put in place appropriate technical, physical, and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way; to protect against unauthorised alteration or disclosure; to maintain data integrity and availability; and to limit access to those who have a business need to know.

Encryption in transit and at rest

All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
All data at rest is encrypted using AES-256 via Google Cloud Platform's built-in encryption.
Where you have enabled per-Space client-side encryption (see Section 7), monetary fields within that Space are additionally encrypted on your device using AES-256-GCM before being stored.

Authentication and access control

Sign-in is provided by Firebase Authentication using email and password.
Access to backend functions is enforced through authenticated Cloud Functions and Firestore security rules.
Administrative access to our infrastructure is limited to authorised personnel on a need-to-know basis and is logged.

Payment data

Full payment card details are not stored on our systems. Card data is handled by Stripe, a PCI-DSS Level 1 compliant payment processor.

Breach notification

In the event of a breach affecting your personal data, we will notify the Information Commissioner's Office without undue delay (and in any event within 72 hours of becoming aware of the breach, where notifiable). We will notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

11. Data Retention

Typical retention periods

Data Type	Retention Period	Rationale
Account registration and authentication data	Duration of account + 30 days after deletion	Account recovery, legal compliance
Financial data you have entered or imported (transactions, accounts, projects, assets, etc.)	Duration of your account	Core service functionality
Uploaded statements and CSV files	Up to 30 days after the import is completed and reviewed	Reprocessing in case of extraction errors
AI extraction results (rows extracted from statements)	Stored as part of your financial data until you delete them	Reconciliation and review
Invitation records (Space invites, account share invites)	Until accepted, declined, or revoked, then deleted within 30 days	Allow invitee time to respond
Pre-launch interest registrations (waitlist name and email)	Until launch and for a reasonable period afterwards, or until you ask us to remove you or unsubscribe, whichever is sooner	Notify you when you can sign up
Website analytics data (Google Analytics)	Retained by Google for up to 14 months, only where you accepted analytics cookies	Site measurement and improvement
Encryption key wraps (where Space encryption enabled)	Duration of Space membership; pending wraps deleted on redemption or after 90 days unredeemed	Enable encrypted access
Payment and billing data	6 years (per HMRC requirements and the Limitation Act 1980)	Financial records compliance
Support communications	1 year (longer if active dispute)	Customer service, legal protection
Application logs	90 days	Debugging, security monitoring

Account deletion

You can request deletion of your account at any time by writing to us at the postal address in the "Contact Us" section below.

When you delete your account, all your personal data and the financial data you own is deleted within 30 days, except for data we are required to retain for legal, regulatory, accounting, or fraud-prevention purposes (such as payment and billing records, retained for 6 years).

If you are a member of a Space that you do not own, you can leave the Space at any time. Leaving a Space removes your access to the Space's data but does not delete the Space or its data, because that data is the responsibility of the Space's admin.

If you are the admin of a Space with other members, you should transfer admin rights or remove the other members before deleting your account, so that they retain or lose access to that Space as you intend.

Aggregated and anonymised data

Aggregated, anonymised data that cannot be used to identify you may be retained indefinitely for analytical and product-improvement purposes.

12. Your Legal Rights

Under data protection laws, you have the following rights:

Right of access — receive a copy of the personal data we hold about you.
Right to rectification — have incomplete or inaccurate data corrected.
Right to erasure — ask us to delete or remove personal data in certain circumstances.
Right to restrict processing — ask us to suspend processing in certain scenarios.
Right to object — object to processing based on legitimate interests, including direct marketing.
Right to data portability — receive your data in a structured, commonly used, machine-readable format.
Right to withdraw consent — withdraw consent at any time for processing that is based on consent (including marketing).
Right to lodge a complaint — complain to the Information Commissioner's Office (ICO).

To exercise any of these rights, write to us at the postal address in the "Contact Us" section below. We will respond within one month of receiving your request. If your request is complex or we receive many requests, we may extend this period by a further two months and will let you know within the first month.

We may need to verify your identity before processing certain requests. We will not charge a fee unless your request is clearly unfounded, repetitive, or excessive.

Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Telephone: 0303 123 1113 Website: www.ico.org.uk

13. Glossary

Account — Within MyCashDash, a record representing a real-world financial account (such as a current account, credit card, or savings account).

Counterparty — A person or organisation that appears on one side of a transaction (for example, the payee of a payment).

Cloud Functions — Server-side functions hosted on Google Cloud that the Platform uses to perform privileged operations.

Cloud Storage — Google Cloud's object storage service, used by MyCashDash to store uploaded statements and CSV files.

Cloud Firestore — Google Cloud's NoSQL document database, used by MyCashDash to store financial and account data.

Consent — Your clear permission to process your personal data for a specific purpose.

Controller — The party that determines the purposes and means of processing personal data. CloudCoding Limited is the controller of your personal data within the Platform.

Firebase Authentication — Google Cloud's authentication service, used by MyCashDash to manage sign-in.

Legitimate Interest — The interest of our business in conducting and managing our business in a way that gives you the best service and most secure experience.

Performance of Contract — Processing your data where necessary for a contract to which you are a party.

Space — A shared financial workspace within MyCashDash. One or more users can belong to a Space and share its financial data.

Stripe — Our payment processor.

Subprocessor — A third party that processes personal data on our behalf.

Vertex AI — Google Cloud's managed AI platform, used by MyCashDash to extract transaction data from uploaded statements (see Section 6).

Regulatory Information

UK GDPR and Data Protection Act 2018

Your personal data is protected under the UK GDPR as supplemented by the Data Protection Act 2018. All personal data held in MyCashDash's own infrastructure is stored within the United Kingdom. The limited exceptions (our payment and email subprocessors, and the analytics and font services on our marketing website) are described in Section 9 and are covered by appropriate transfer safeguards.

Not a regulated financial services provider

MyCashDash is a personal finance tracking tool. MyCashDash is not authorised or regulated by the Financial Conduct Authority, does not hold or transmit client money, and does not provide financial, investment, tax, or legal advice.

Jurisdiction

This privacy policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact Us

You can contact us about this privacy policy or your personal data by writing to us at our registered office:

CloudCoding Limited, Privacy Department, First Floor, Lipton House, Stanbridge Road, Leighton Buzzard, England, LU7 4QQ

Response Time: We aim to respond to privacy enquiries within 10 business days of receipt. We expect to add an online contact form in future; until then, please use the postal address above.

Document Version: 1.2 Last Updated: June 2, 2026 Effective Date: June 2, 2026

For the most current version of this policy, please visit www.mycashdash.com/legal/privacy