Privacy Policy and Personal Data Processing Policy

Cashverse Mobile Application

Publication date: April 3, 2026

Effective date: April 3, 2026

Document version: 1.1

This Privacy Policy explains how personal data is processed in the Cashverse mobile application ("Application") and describes the measures used to protect that data.

1. Terms and Definitions

• Operator means the person who organizes and/or performs personal data processing for Application users.
• Personal data means any information relating directly or indirectly to an identified or identifiable user.
• Processing means any action or set of actions performed with personal data, including collection, recording, organization, storage, update, use, transfer, blocking, deletion, and destruction.
• User means an individual using the Application.
• Service means the Cashverse server infrastructure used for application functionality, synchronization, and backup.

2. Operator and Contacts

Operator: individual registered as a professional income taxpayer (self-employed).

Name: Dmitrii Sergeevich Pavlukhin

Email for personal data, content, and rights-holder requests: feedback@cashback-universe.ru

3. Categories of Data Subjects

The Operator processes personal data of:

• Application users;
• persons who contact support;
• rights holders or authorized representatives who contact us about content, logos, descriptions, MCC data, or similar materials.

4. Categories of Personal Data Processed

4.1. Account and contact data

• Email is required for account access, server synchronization, and backup.

4.2. Optional profile data

The user may voluntarily provide:

• first and last name;
• Telegram contact, such as a username or link;
• avatar URL. The image file itself may not be uploaded or stored by the Operator unless the user sends it through Application functionality.

4.3. User content added to the Application

Depending on how the Application is used, the following user-provided data may be processed:

• selected and added cashback categories;
• information about banks/cards in the form entered by the user, such as bank or product names;
• transactions added by the user, such as date, amount, currency, merchant/description, category, MCC code, and notes, if entered by the user.

4.4. Technical data

When the Application communicates with the server, the following technical data may be processed:

• IP address, request date and time;
• minimal device and application parameters, such as OS/application version;
• technical logs used for error diagnostics, security, and abuse prevention.

4.5. Advertising and diagnostic data (Yandex)

The Application may use Yandex advertising and analytics technologies, including Yandex Metrica, to display ads, diagnose errors, analyze stability, and improve Application quality. This may involve technical and diagnostic data, such as advertising identifier, ad impressions/clicks, application/OS version, error events, and technical parameters. Yandex processes such data according to its own documents and the device/platform settings.

4.6. Voice input and transcripts for AI features

When AI parsing features are used, for example transaction recognition or cashback category recognition, the following data may be processed:

• audio file uploaded by the user for voice input;
• transcript generated from the audio;
• text prompt entered manually by the user for AI parsing.

These data are used only to perform the AI action requested by the user, improve processing stability, and diagnose errors.

5. Purposes of Processing

The Operator processes data to the extent necessary for:

1. Providing Application functionality

• managing cashback categories;
• recording and displaying transactions entered by the user;
• matching and displaying MCC codes and categories.

2. Server synchronization and backup

• transmitting to and storing on the server Application data, including cashback categories, selected categories, added transactions, and related user fields.

3. Local backup on the device

• creating and restoring local backups controlled by the user.

4. Support and request handling

• responding to user and rights-holder requests sent to `feedback@cashback-universe.ru`.

5. Security and service stability

• error diagnostics;
• protection against unauthorized access and abuse.

6. AI parsing of voice and text input

• converting voice input to text;
• parsing transcripts/text into structured data, such as amount, category, and currency;
• returning parsed results to the Application interface.

7. Advertising and diagnostics

• displaying ads in the Application through Yandex;
• collecting technical and diagnostic data about Application stability through Yandex Metrica.

8. Legal compliance, where applicable.

6. Legal Bases

Depending on the scenario, processing is based on:

• user consent, where required or when data is provided voluntarily;
• performance of the user agreement/contract, including functionality, synchronization, and backup requested by the user;
• the Operator's legitimate interest in service security and reliability, balanced against user rights;
• legal obligations, where applicable.

7. Storage and Processing Territory

Users' personal data are stored and processed on servers located in the Russian Federation.

Cross-border transfer of personal data is not performed.

8. Retention Periods

Personal data are stored:

• for the period of Application use and/or account existence;
• until processing purposes are achieved or until account/data deletion by the user, if such functionality is available, or upon user request, unless there are grounds for further retention;
• longer in specific cases if required by law or necessary to protect the Operator's rights and legitimate interests, for example in disputes.

For AI voice input:

• audio files and technical transcription artifacts are stored for a limited period necessary to process the request and perform technical diagnostics, after which they are deleted or anonymized;
• parsed text results are stored as part of user data only if the user confirms or saves them in the Application.

9. Transfer to Third Parties

9.1. Payments and subscriptions (YooKassa)

Payments for subscriptions and in-app purchases are processed through YooKassa. The Operator does not receive bank card details. Only technical data required to create, process, and verify a payment are transferred to YooKassa, without transferring Application user data such as categories, transactions, notes, or other user records.

9.2. Advertising and diagnostics (Yandex)

Yandex technologies, including Yandex Metrica, are used for advertising, error diagnostics, and stability analysis. Relevant technical and diagnostic data may be processed by Yandex according to its rules and the user's device settings.

9.3. Infrastructure and hosting

The Operator may use infrastructure providers, including data centers, hosting, network connectivity, and backup services.

10. Security

The Operator applies reasonable organizational and technical measures to protect personal data, including:

• access control and role separation;
• protection of data transmission channels;
• backups and recovery procedures;
• monitoring and incident response.

11. Local and Server Backup

• Local backup is stored on the user's device and controlled by the user.
• Server backup/synchronization involves transmitting Application data to the server, including categories, selected categories, transactions, and related fields. This is used to preserve, restore, and synchronize data between devices.

12. Advertising Controls

The user may limit ad personalization and/or manage the advertising identifier through operating system settings, depending on the OS version.

13. User Rights and Requests

The user may:

• obtain information about personal data processing;
• request correction of personal data;
• request blocking or deletion of personal data where there are grounds;
• withdraw consent where processing is based on consent;
• challenge the Operator's actions before the competent authority according to applicable procedure.

13.1. How to submit a request

Requests may be sent to feedback@cashback-universe.ru or through the public `/forget-me` page.

It is recommended to include:

• the email used in the Application, for account identification;
• the request type: access/export, correction, account/data deletion, or consent withdrawal;
• any additional information that helps identify the data, such as registration date, if necessary.

13.2. Response period

The Operator reviews requests and responds within 30 calendar days after receipt, unless another period is required by law or the nature of the request.

13.3. Account and data deletion

Upon user request, the Operator:

• deletes or anonymizes, where applicable, account data and server-stored data within a reasonable period, usually within 30 calendar days;
• updates backups within backup cycles, taking technical retention periods into account, unless there are legal grounds for longer storage.

14. Content, Logos, MCC Codes, and Open Sources

The Application may use:

• bank/merchant logos, names, and other visual identifiers;
• reference information about MCC codes, categories, and merchants obtained from open sources and/or user input.

If you are a rights holder or authorized representative and believe that any information or image:

• infringes your rights;
• is incorrect;
• should be changed or removed,

please contact: feedback@cashback-universe.ru

Specify the object, such as logo/name/description/MCC, the requested action, such as change/removal/correction, and, if necessary, proof of rights or authority. The Operator will review the request and take appropriate action where justified.

15. Children

The Application is not intended for persons who have not reached the age at which they may independently consent to personal data processing under applicable law. If you become aware that a child has provided data without the required consent, contact us at `feedback@cashback-universe.ru`.

16. Changes to this Policy

The Operator may update this Policy. A new version becomes effective when published in the Application or on the website, unless otherwise specified. Users are encouraged to periodically review the current version.

Short Privacy Policy (TL;DR)

Cashverse

Publication date: April 3, 2026

Version: 1.1

Contact: feedback@cashback-universe.ru

We process personal data so that the Application can work: account access, synchronization, and backup.

What we collect

• Email is required for the account and synchronization.
• Optional data: first/last name, Telegram contact, avatar URL.
• Data you add to the Application: cashback categories and transactions, including amount, date, description, merchant, category, MCC, and similar fields.
• Technical data: IP address, request time, application/OS version, and error logs.
• AI features: voice input audio, transcript, and text prompts used for parsing.

Where we store data

• Personal data are stored on servers located in the Russian Federation.
• Cross-border transfer of personal data is not performed.

Ads, diagnostics, and payments

• The Application may use Yandex technologies, including Yandex Metrica, for advertising, error diagnostics, and stability analysis.
• Subscription payments are processed through YooKassa. We do not receive card details; only technical data required to process and verify a payment are transferred to YooKassa, without Application user data.

Backups

• Local backups are stored on the device.
• Server backups/synchronization are used for data preservation, restoration, and synchronization.

AI voice processing

• Voice and transcripts are used only to perform the requested AI parsing action for transactions or cashback categories.
• Audio and technical transcription artifacts are stored for a limited period for processing and diagnostics, then deleted or anonymized.

Logos and MCC data

• MCC/merchant information and logos may be obtained from open sources.
• Rights holders may request a change or removal at feedback@cashback-universe.ru.

Your rights

• You may request access, correction, deletion, or consent withdrawal at feedback@cashback-universe.ru.
• You may also submit a deletion request through `/forget-me`.
• Response time is usually up to 30 calendar days.

Personal Data Processing Consent

Cashverse

Publication date: April 3, 2026

Document version: 1.1

Contact: feedback@cashback-universe.ru

I, as a user of the Cashverse application, freely and voluntarily give the Operator (an individual registered as a professional income taxpayer/self-employed person, the Operator) my consent to process my personal data under this consent and the Privacy Policy.

1. Operator

Operator: self-employed individual

Name: Dmitrii Sergeevich Pavlukhin

Email: feedback@cashback-universe.ru

2. Personal Data Covered by This Consent

2.1. Required data

• Email

2.2. Optional data

• First and last name
• Telegram contact, such as username or link
• Avatar URL

2.3. Data generated when using the Application

• Cashback categories and selected categories
• Transactions and related user fields, such as date, amount, currency, merchant/description, category, MCC code, and notes, if entered by the user
• When AI voice features are used: voice audio fragment, recognized text transcript, and structured parsing result

2.4. Technical data

• IP address, request date/time
• OS/application version
• Technical error and security logs

3. Processing Purposes

• Registration/identification and access to Application functionality
• Server synchronization and backup
• Local backup on the device
• User support and request handling
• Security and service stability
• Advertising, error diagnostics, and stability analysis through Yandex technologies, including Yandex Metrica
• Speech recognition and AI parsing for adding transactions and cashback categories
• Compliance with legal requirements, where applicable

4. Processing Actions

Collection, recording, organization, accumulation, storage, updating, retrieval, use, transfer where applicable, blocking, deletion, and destruction.

5. Data Storage and No Cross-Border Transfer

Personal data are stored and processed on servers located in the Russian Federation.

Cross-border transfer of personal data is not performed.

6. Transfer to Third Parties

• YooKassa for payment/subscription processing. The Operator does not receive bank card details; only technical data required to process and verify a payment are transferred to YooKassa, without Application user data.
• Yandex for advertising, error diagnostics, and stability analysis, including Yandex Metrica.
• Technical contractors that provide speech recognition/AI components on behalf of the Operator, if such components are used in server-side processing.
• Infrastructure/hosting providers, where necessary, on behalf of the Operator to operate the Service.

7. Consent Term

This consent is valid from the moment it is given until:

• account/data deletion, where available;
• withdrawal of consent by the user;
• achievement of processing purposes, where applicable,

unless otherwise required by law.

8. Withdrawal and Requests

I understand that I may withdraw this consent by contacting feedback@cashback-universe.ru or through `/forget-me`.

The Operator stops processing and/or deletes data within a reasonable period, usually within 30 calendar days, unless there are legal grounds for continued processing.