Privacy Policy

Last updated: February 2, 2026

1. Introduction

Cadus Labs LLC ("we," "our," or "us") operates the Cadus mobile application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and ensuring you have a positive experience using our expense tracking application.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and password when you create an account
  • Business Information: Business name, address, and tax identification for invoicing and tax reporting
  • Financial Data: Expense records, income records, receipt images, and transaction details you manually enter
  • Mileage Data: Trip information including start/end locations when you use mileage tracking

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, unique device identifiers
  • Usage Data: Features used, time spent in app, crash reports
  • Location Data: GPS coordinates only when mileage tracking is actively enabled by you

2.3 Information from Third-Party Services

  • Bank Account Data (via Plaid): When you connect bank accounts, we receive transaction data including merchant names, amounts, dates, and categories. We do not store your bank login credentials.
  • Gmail Data: When you connect your Gmail account, we access emails containing receipts and invoices using read-only access. We only scan for financial documents and do not read personal correspondence.

3. Plaid Data Handling (Bank Connections)

We use Plaid Inc. to connect your bank accounts securely. When you connect an account:

  • Authentication: Your bank credentials are entered directly into Plaid's secure interface. We never see, receive, or store your bank username or password.
  • Data received: We receive transaction data (merchant name, amount, date, category), account balances, and account metadata.
  • Data storage: Transaction data is stored encrypted at rest using AES-256 encryption in our Supabase database.
  • Data in transit: All data transfers use TLS 1.3 encryption.
  • Access tokens: Plaid access tokens are stored securely and are revoked immediately when you disconnect an account.
  • Data deletion: When you disconnect a bank account or delete your Cadus account, all associated transaction data is permanently deleted within 30 days.
  • No data selling: We never sell, rent, or share your financial data with third parties for marketing purposes.

Your use of Plaid is also subject to the Plaid End User Privacy Policy.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our expense tracking services
  • Process and categorize your expenses automatically
  • Generate tax reports and financial summaries
  • Scan receipts and extract transaction data using AI/OCR technology
  • Track mileage for business trips
  • Create and send invoices on your behalf
  • Send you service updates and important notifications
  • Respond to your support requests
  • Detect and prevent fraud or abuse

5. Gmail Data Usage (Google API Disclosure)

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, regarding Gmail data:

  • What we access: We request only the gmail.readonly scope, to read emails containing receipts, invoices, and order confirmations
  • What we scan for: Emails from known merchants (Amazon, Uber, airlines, etc.) containing purchase confirmations and receipts
  • What we DO NOT do: We do not read personal emails, send emails on your behalf, or share your email content with third parties
  • Data storage: We extract and store only transaction data (merchant, amount, date) - not the full email content
  • Disconnecting: You can disconnect Gmail access at any time through Settings → Connected Emails

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information with:

  • Service Providers: Third-party companies that help us provide our services (cloud hosting, payment processing)
  • Plaid: For bank account connections (governed by Plaid's privacy policy)
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

7. Data Security

We implement industry-standard security measures including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication with encrypted password storage
  • Regular security audits and monitoring
  • Limited employee access to personal data
  • Row-level security ensuring users can only access their own data

8. Data Retention and Disposal

We retain your data according to the following schedule:

  • Transaction and expense data: Retained for 7 years to comply with IRS record-keeping requirements
  • Bank connection tokens (Plaid): Refreshed automatically; revoked immediately upon user disconnect request
  • User account data: Retained while the account is active; permanently deleted within 30 days of an account deletion request
  • Receipt images: Retained for 7 years or until account deletion, whichever is sooner
  • Encrypted backups: Retained for 90 days, then permanently deleted
  • Audit logs: Retained for 2 years for security purposes

Upon account deletion, all personal and financial data is permanently removed from production systems immediately and from backup systems within 30 days. We use hard deletes (not soft deletes) for financial data to ensure complete removal.

9. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Export your data in a portable format
  • Opt out of certain data processing
  • Withdraw consent for optional features

To exercise these rights, contact us at privacy@caduslabs.com.

10. Children's Privacy

Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, please contact us: