1. Who We Are

Cash Counter is a business finance tracking application developed and operated by VBook Enterprise ("we", "us", or "our"). We are registered in Nigeria and are the data controller responsible for your personal information under Nigeria's Data Protection Act 2023 (NDPA).

You can reach us at any time at v.bookenterprise@gmail.com.

2. Information We Collect

2.1 Information you provide directly

• Name and email address — collected when you register via email/password or Google Sign-In.
• Business name, industry, and phone number — collected during the onboarding process after signup.
• Business branding preferences — tagline, logo, colour preferences you configure in Settings.
• Financial records — income amounts, expense amounts, categories, dates, and notes you enter into the App.
• Budget data — budget names, date ranges, and per-category income and expense targets (Pro users).
• Support messages — any messages you send us by email.

2.2 Information collected automatically

• Device and browser information — device type, browser, operating system, and screen resolution, collected by Sentry to diagnose technical issues.
• Error and performance data — crash reports, error logs, and session replays generated during your use of the App, collected by Sentry.
• Usage analytics — pages visited, features used, and interactions within the App, collected by Google Analytics 4. This data is anonymised and aggregated.
• Approximate location — country-level only, inferred from your IP address, used for analytics. We do not collect your precise location.
• IP address — used temporarily for security rate limiting via Upstash Redis to prevent abuse. IP addresses used for this purpose are not stored permanently.

2.3 Payment information

If you subscribe to the Pro plan, your payment is processed by Paystack. We do not store your card number, bank account details, or any sensitive payment credentials. We receive only a payment reference, subscription code, and confirmation of successful payment from Paystack.

3. How We Use Your Information

• To create and manage your account and verify your identity when you sign in.
• To store and sync your financial records securely across your devices in real time.
• To generate reports, exports, and summaries that you request within the App.
• To personalise your experience based on your business name, industry, and preferences.
• To process Pro plan subscription payments and manage your subscription status.
• To send transactional emails — email verification, password reset, and subscription receipts.
• To detect, diagnose, and fix bugs, errors, and performance issues.
• To analyse usage patterns and improve the App's features and design.
• To protect the App from abuse, fraud, and unauthorised access through rate limiting.
• To comply with applicable legal and regulatory obligations under Nigerian law.

4. Legal Basis for Processing

Under the NDPA 2023 and GDPR (for EU/UK users), we process your personal data on the following legal bases:

5. How We Store Your Data

Your data is stored using the following infrastructure:

• Firebase Authentication — manages your account credentials and login sessions. Operated by Google LLC.
• Google Firestore — stores your financial records, settings, onboarding data, and subscription status. Data is hosted in the European Union (europe-west1) region.
• Vercel — hosts the App and processes API requests including payment callbacks. Servers are located in the United States and globally distributed.
• Sentry — processes error reports and session replays for debugging. Servers are located in the European Union.
• Google Analytics 4 — collects anonymised usage data. Processed by Google LLC with servers in the United States.
• Paystack — processes subscription payments. Operated by Paystack Payments Limited, registered in Nigeria.
• Upstash Redis — stores temporary rate limiting counters by IP address to prevent abuse. Data expires automatically within minutes to hours.

We implement Firestore security rules ensuring only you — authenticated with your own account — can read or write your data. No other user can access your records.

6. Data Retention

• Account and financial data — retained for as long as your account is active.
• Account deletion — upon your request, all personal data and financial records will be permanently deleted within 30 days.
• Sentry error logs — retained for 90 days before automatic deletion.
• Google Analytics data — retained for 14 months in accordance with Google's default retention settings.
• Upstash Redis rate limit counters — expire automatically within 15 minutes to 1 hour.
• Paystack payment records — retained by Paystack in accordance with their own retention policy and Nigerian financial regulations.

7. Sharing Your Information

We do not sell, rent, or trade your personal information. We share data only with the following trusted service providers, strictly to operate the App:

Each provider is bound by their own privacy policy and applicable data protection law. We do not permit any provider to use your data for their own commercial purposes beyond the stated service.

We may also disclose your information if required to do so by law, court order, or Nigerian regulatory authority.

8. International Data Transfers

As a Nigerian-based service, your data may be processed in the European Union (Firestore and Sentry servers) and the United States (Vercel, Google Analytics). Where such transfers occur, we rely on:

• Standard contractual clauses and data processing agreements provided by each service provider.
• The European Union's adequacy mechanisms, which apply to Firestore and Sentry data stored within the EU.
• Paystack's compliance with Nigerian financial regulations and the NDPA 2023.

These safeguards ensure your data receives adequate protection regardless of where it is processed.

9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to correct inaccurate or incomplete data. You can update your business name, industry, and phone number directly in the App under Settings → Account.
• Deletion — request that we delete your account and all associated data. We will complete deletion within 30 days.
• Portability — request your financial data in a structured, machine-readable format. CSV export is available directly within the App at any time.
• Objection — object to certain types of processing, including analytics and profiling.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

10. Children's Privacy

Cash Counter is not directed at or intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has created an account or provided us with their personal data, please contact us immediately at v.bookenterprise@gmail.com and we will delete the data promptly.

11. Cookies and Tracking

Cash Counter does not use advertising cookies or third-party tracking pixels. The following essential session identifiers are used to operate the App:

• Firebase Authentication tokens — required to keep you securely logged in. Expire automatically and are refreshed on each session.
• Sentry session identifiers — used to link error reports to a browser session for debugging. These do not identify you personally and contain no financial data.
• Google Analytics cookies — used to collect anonymised usage statistics. These do not contain personal financial data. You can opt out via browser settings or a Google Analytics opt-out extension.

These are strictly necessary or legitimate interest cookies. No cookie consent banner is displayed because we do not use non-essential advertising cookies.

12. Security

We take the following technical and organisational measures to protect your data:

• Encrypted data transmission using HTTPS/TLS on all connections.
• Firebase Authentication tokens with automatic expiry and refresh.
• Firestore security rules restricting each user's data to their own authenticated account.
• Server-side rate limiting via Upstash Redis to prevent brute force and abuse.
• Input validation and CORS restrictions on all API endpoints.
• Continuous error and anomaly monitoring via Sentry with EU-based data storage.
• Password strength enforcement requiring minimum 8 characters with uppercase, lowercase, and a number.

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security. We will notify affected users promptly in the event of a data breach as required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will revise the Effective Date at the top of this page.

For material changes — particularly those affecting how we use your data or your rights — we will notify you by email at least 7 days before the changes take effect. Continued use of the App after changes are posted constitutes your acceptance of the updated Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

• Email: v.bookenterprise@gmail.com
• App: cashcounter.vbookng.com
• Company: VBook Enterprise, Nigeria

We aim to respond to all privacy enquiries within 2 business days.