
Privacy Policy

Last updated: April 4, 2026

1. Data Controller

CashTrack ("we", "our", or "us") is the data controller responsible for the personal data processed through the CashTrack platform. CashTrack is operated by Israel Iyonsi, based in Lagos, Nigeria.

Data Controller

CashTrack

Lagos, Nigeria

Email: privacy@cashtrack.ng

CashTrack never touches your money. We are an invoicing, expense tracking, and record-keeping tool. All payment processing is handled by licensed third-party providers.

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

  • Account Data: Full name, email address, password (stored as a bcrypt hash, never in plain text), phone number, and profile preferences.
  • Business Data: Business name, business address, state of operation, Tax Identification Number (TIN), RC number, business type, and industry sector.
  • Financial Data: Invoices, expenses, client records, payment records, tax calculations, and financial reports you create within the platform.
  • Bank Data (via Mono): When you link a bank account through Mono, we receive account balances, transaction history, and account holder details. We do not store your bank login credentials — authentication is handled entirely by Mono.
  • Payment Data: Subscription payment status and invoice payment confirmations received from Paystack and Flutterwave. We do not store credit card numbers, bank account details, or other sensitive payment credentials.
  • Client Data: Names, email addresses, phone numbers, and billing addresses of your customers that you enter into CashTrack.
  • Usage Data: Pages visited, features used, session duration, click events, and interaction patterns collected for analytics and service improvement.
  • Device and Technical Data: Browser type and version, operating system, IP address, device identifiers, screen resolution, and referring URLs.
  • Communication Data: Email and WhatsApp messages sent through our platform to your clients, and any communications between you and our support team.

3. Purpose and Legal Basis for Processing

We process your personal data only where we have a lawful basis to do so under the Nigeria Data Protection Act 2023 (NDPA, Section 25) and, where applicable, the EU General Data Protection Regulation (GDPR, Article 6). The table below describes each processing activity, its purpose, and its legal basis:

Account creation and authentication

Purpose: To create your account, verify your identity, and provide secure access to the platform.

Legal basis: Performance of contract (GDPR Art. 6(1)(b); NDPA S.25(b)).

Invoice and expense management

Purpose: To enable you to create invoices, track expenses, manage clients, and generate financial reports.

Legal basis: Performance of contract (GDPR Art. 6(1)(b); NDPA S.25(b)).

Bank account linking (Mono)

Purpose: To retrieve your bank transactions and balances for reconciliation and financial tracking.

Legal basis: Consent (GDPR Art. 6(1)(a); NDPA S.25(a)). You can withdraw consent at any time by unlinking your account.

Payment processing (Paystack / Flutterwave)

Purpose: To process subscription payments and facilitate invoice payments from your clients.

Legal basis: Performance of contract (GDPR Art. 6(1)(b); NDPA S.25(b)).

Tax calculations

Purpose: To estimate your tax obligations based on the Nigeria Tax Administration Act 2025 rates.

Legal basis: Performance of contract (GDPR Art. 6(1)(b); NDPA S.25(b)).

Transactional communications

Purpose: To send invoice reminders, payment confirmations, and service notifications via email or WhatsApp.

Legal basis: Performance of contract (GDPR Art. 6(1)(b); NDPA S.25(b)).

Analytics and service improvement

Purpose: To understand usage patterns, improve features, and enhance the user experience.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f); NDPA S.25(c)). We only use aggregated and anonymised data for analytics.

Legal compliance

Purpose: To comply with Nigerian tax law, anti-money laundering regulations, and other legal obligations.

Legal basis: Legal obligation (GDPR Art. 6(1)(c); NDPA S.25(d)).

Security and fraud prevention

Purpose: To detect and prevent fraudulent activity, unauthorised access, and security threats.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f); NDPA S.25(c)).

4. Recipients and Third-Party Services

We share your personal data with the following categories of recipients, strictly for the purposes described above:

  • Paystack (Stripe company) — Payment processing for subscriptions and invoice payments. PCI DSS Level 1 certified. Paystack Privacy Policy.
  • Flutterwave — Alternative payment processing for invoice payments. CBN-licensed. Flutterwave Privacy Policy.
  • Mono — Bank account linking and transaction retrieval. CBN-licensed. Mono Privacy Policy.
  • Supabase — Database hosting, authentication infrastructure, and data storage. SOC 2 Type II compliant. Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Vercel — Application hosting, deployment, and content delivery. SOC 2 Type II compliant.
  • Email provider — Transactional email delivery for invoices, reminders, and notifications.

Each provider operates under their own privacy policies and data processing agreements. We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. International Data Transfers

Some of our third-party service providers (Supabase, Vercel) process data in the United States and other countries outside Nigeria. When your data is transferred internationally, we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on EU-approved SCCs where data is transferred to countries without an adequacy decision.
  • Adequacy decisions: Where applicable, we rely on adequacy decisions issued by the European Commission or the Nigeria Data Protection Commission (NDPC).
  • Data processing agreements: All third-party providers have signed data processing agreements that include appropriate data protection obligations.
  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), regardless of where it is stored.

You may request a copy of the safeguards we rely on by contacting us at privacy@cashtrack.ng.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. The specific retention periods are:

  • Account data: Duration of account + 2 years after deletion
  • Financial records (invoices, expenses, tax data): 6 years (Nigerian tax law requirement)
  • Bank transaction data (Mono): Duration of account + 2 years after deletion
  • Payment records: 6 years (Nigerian tax law requirement)
  • Usage and analytics data: 12 months (then anonymised)
  • Server logs: 90 days
  • Communication records: Duration of account + 1 year

Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law. Aggregated, anonymised data may be retained indefinitely for analytics purposes.

7. Your Data Rights

Under the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR), and where applicable the EU General Data Protection Regulation (GDPR), you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you. We will respond within 30 days.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations (e.g., 6-year tax records).
  • Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Restrict Processing: Request that we limit how we use your data while a complaint or dispute is being resolved.
  • Right to Object: Object to processing based on legitimate interest, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal effects. CashTrack does not currently make such decisions.

To exercise any of these rights, email us at privacy@cashtrack.ng. We will verify your identity before processing any request and respond within 30 days.

8. Consent and Right to Withdraw

Where we rely on your consent as the legal basis for processing (such as bank account linking via Mono or optional marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

You can withdraw consent by:

  • Unlinking your bank account in your CashTrack account settings.
  • Updating your communication preferences in account settings.
  • Contacting us at privacy@cashtrack.ng.

9. Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority:

Nigeria

Nigeria Data Protection Commission (NDPC), formerly under NITDA

Website: https://ndpc.gov.ng

European Union

If you are an EU data subject, you may lodge a complaint with your local Data Protection Authority (DPA).

We encourage you to contact us first at privacy@cashtrack.ng so we can try to resolve your concern before you escalate to a supervisory authority.

10. Nigeria Data Protection Act (NDPA) Compliance

CashTrack is committed to full compliance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR) 2019, both administered by the Nigeria Data Protection Commission (NDPC), established under the Nigeria Information Technology Development Agency (NITDA).

  • We process personal data lawfully, fairly, and transparently (NDPA S.24).
  • We collect data only for specified, explicit, and legitimate purposes (NDPA S.26).
  • We implement appropriate technical and organisational security measures (NDPA S.39).
  • We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
  • We have appointed a Data Protection Officer to oversee our compliance efforts.
  • We maintain a record of processing activities as required under the NDPA.
  • We report data breaches to the NDPC within 72 hours of becoming aware of a breach that is likely to result in risk to data subjects.

11. California Consumer Privacy Act (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights regarding your personal information:

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements).
  • Right to Opt Out of Sale: CashTrack does not sell personal information. We do not share personal information for cross-context behavioural advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Correct: You may request correction of inaccurate personal information.

To exercise your CCPA rights, email us at privacy@cashtrack.ng with the subject line "CCPA Request". We will verify your identity and respond within 45 days.

12. Children's Privacy

CashTrack is a business tool designed for use by adults. We do not knowingly collect personal data from anyone under the age of 16. If you are a parent or guardian and believe that your child has provided personal data to CashTrack, please contact us immediately at privacy@cashtrack.ng. We will take steps to delete such information promptly.

13. Data Storage and Security

Your data is stored securely using Supabase, a cloud database platform with enterprise-grade security. We implement the following security measures:

  • All data encrypted at rest using AES-256 encryption.
  • All data encrypted in transit using TLS 1.2+.
  • Passwords hashed using bcrypt and never stored in plain text.
  • Role-based access controls with the principle of least privilege.
  • Regular security audits and vulnerability assessments.
  • CSRF protection on all forms and API endpoints.
  • Rate limiting on authentication and API endpoints.
  • Automated monitoring for suspicious activity.

14. Cookies

CashTrack uses essential cookies to provide authentication and security functionality. We do not use third-party analytics or advertising cookies. For full details, please see our Cookie Policy.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Provide at least 30 days' notice before the changes take effect.
  • Notify you via email and/or a prominent notice within the platform.
  • Update the "Last updated" date at the top of this page.

Your continued use of CashTrack after the updated Privacy Policy takes effect constitutes your acceptance of the revised terms. If you do not agree with the changes, you should stop using the Service and delete your account.

16. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:

CashTrack — Data Protection

Email: privacy@cashtrack.ng

Lagos, Nigeria
