Privacy Policy

Last updated: May 30, 2026

This Privacy Policy describes how Taze Balbosa (“we”, “us”, “our”) collects, uses, shares, and protects information about you when you use the Cue Cashback mobile application (the “App”), and the rights you have over your data. The summary in Section 2 covers the essentials.

1. About Us

We do not run a website you can browse, sell anything outside the Apple App Store, or operate any service other than the App and its supporting backend. If you contact us, we treat what you send as confidential and use it only to respond.

Contact: feedback@cuecashback.com

2. Summary at a Glance

We have intentionally kept the App’s data footprint small:

• We do not use analytics SDKs, crash reporting services, advertising identifiers, ad networks, or any cross-app tracking technology.
• We do not show Apple’s App Tracking Transparency prompt because we do not track you across apps or websites.
• We do not sell your data, ever.
• We use your location to show you nearby cashback opportunities, and (optionally) to alert you when you arrive at places you have saved as favorites.
• You can delete your account and all associated data from within the App at any time.

3. Information We Collect

3.1 Account Information

When you first launch the App, we create an anonymous account on our backend (Supabase) — a randomly generated identifier with no personal information attached. You can use the App in this mode without providing any personal details.

If you choose to create a permanent account (to back up your data or sync across devices), we collect:

• Your email address (for email/password sign-in) or your Apple ID information (for Sign in with Apple).
• A password (only for email/password sign-in). Passwords are hashed and stored by our authentication provider; we never see your plain-text password.
• Your name, only if you choose to share it when signing in with Apple. Sign in with Apple lets you share a real name or a relay name; we treat whatever you share as your display name.
• If you use Apple’s “Hide My Email” feature, we only receive the private relay address (@privaterelay.appleid.com); we never see your real email address.

3.2 Location Data

The App requests “While Using the App” location permission to show nearby places on the map.

If you enable favorite-place notifications (the “bell” on a saved place), we ask for “Always” location permission so the App can wake briefly in the background and alert you when you arrive at a saved location. You can disable this at any time in iOS Settings → Privacy → Location Services.

Where your location data goes:

• Google Maps and Google Places APIs — When the App searches for nearby places to display on the map, your current latitude and longitude are sent to Google. Google’s processing of this data is governed by Google’s Privacy Policy.
• Our backend (Supabase) — When you cross into a saved favorite place’s geofence, the App sends your latitude, longitude, and Firebase Cloud Messaging token to our backend so the backend can deliver a push notification. We do not store a history of your locations beyond the notification record described below.

We do not store your location on our servers. Foreground location is used on-device for nearby place search (with queries sent to Google as described above); background location is only transmitted to our backend when you cross into a saved geofence.

3.3 Card and Cashback Data

To deliver the App’s core feature, we store:

• Which credit cards you have activated in the App (selected from our curated card catalog).
• Which cashback categories you have toggled on or off for each card.
• Custom credit cards you create — card name, bank/issuer name, and the cashback categories and percentages you assign.

This data is used to compute which places to show you and which card to recommend.

3.4 Favorite Places

When you save a place as a favorite, we store its name, address, latitude/longitude, place identifier (from Google Places), and whether you have notifications enabled for it. Up to 50 favorites are allowed per account.

3.5 Push Notification Tokens and History

To deliver push notifications, the App registers a Firebase Cloud Messaging (FCM) token with our backend. We use this token only to send you notifications for places you have explicitly saved and enabled.

When a notification is sent, we store a record (the place involved, the notification text, and the timestamp) so the App can show you a “Recent Notifications” list. This history is tied to your account and deleted when you delete your account.

3.6 Subscription Status

If you purchase a subscription, the transaction is processed entirely by Apple through StoreKit. We never receive your credit card number, billing address, or payment details. We only see whether your subscription is currently active (so we can unlock subscriber features). Apple’s processing is governed by Apple’s privacy policies.

3.7 What We Do Not Collect

We do not collect, and the App does not have permission to access:

• Your contacts, photos, camera, microphone, calendar, reminders, or health data.
• Your advertising identifier (IDFA) or any other tracking identifier.
• Crash reports or analytics events (we do not link any analytics or crash-reporting SDK).
• Bluetooth, motion, or sensor data.

4. How We Use Your Information

We use the data described in Section 3 only to:

1. Operate the App’s features — show you nearby cashback opportunities, save your favorite places, sync your settings across your signed-in devices, and deliver notifications you have asked for.
2. Authenticate you and keep you signed in.
3. Process subscription purchases through Apple.
4. Communicate with you about your account — verification, password reset, email change, account deletion. We do not send marketing email.
5. Protect the App from abuse (rate limiting, fraud detection, account caps).

We do not use your data to train AI models, build advertising profiles, or share with any data broker.

5. Who We Share Your Data With

We share data only with service providers (“sub-processors”) that we need to operate the App. Each one processes data only on our instructions for the purposes listed below.

Provider	What they process	Why
Apple Inc.	Sign in with Apple identifiers, App Store purchase transactions, Push Notification Service tokens	Authentication, in-app purchases, push delivery
Supabase Inc.	Account identifier, email, hashed password, card/category selections, favorite places, notification history, FCM tokens	Backend database, authentication, real-time sync, account deletion
Google LLC	Your current latitude/longitude when the App searches for nearby places; map tile requests	Map rendering and nearby-place search via Google Maps and Google Places APIs
Firebase (Google LLC)	FCM push notification token; outgoing push notification content	Push notification delivery
Resend	Your email address and the contents of transactional emails (verification, password reset, email change, account-related notices)	Sending account-related emails
Cloudflare, Inc.	DNS lookups, transactional email routing for the cuecashback.com domain, hosting of legal and authentication pages	Domain hosting, email routing, static page delivery

We do not sell personal data, and we do not share data with advertisers, data brokers, or any party for cross-context behavioral advertising.

If we are ever legally compelled to disclose data (subpoena, court order), we will comply only to the extent required and, where legally permitted, notify you.

6. Data Retention

• Anonymous accounts that have not been used for 90 consecutive days are automatically deleted from our backend, along with all data tied to them, by a scheduled cleanup job.
• Permanent accounts are retained until you delete your account.
• Notification history is retained until you delete your account.
• Apple Sign-In refresh tokens — as required by Apple’s guidelines, we retain Sign in with Apple refresh tokens until you delete your account, at which point we revoke them with Apple and remove them from our systems.
• Account-deletion bookkeeping records (used to make deletion safe to retry) are kept for 7 days and then automatically purged.
• Server logs are retained by our service providers according to their standard policies and used only for operational diagnostics.

7. Your Choices and Rights

Regardless of where you live, you can:

• Access and edit most of your account data directly within the App (cards, categories, favorites, notifications, email address, password).
• Disable location access at any time via iOS Settings → Privacy → Location Services. The App’s core map features will not function without location, but you remain in control.
• Disable push notifications at any time via iOS Settings → Notifications → Cue Cashback, or by removing individual favorites’ notification toggles inside the App.
• Delete your account and all associated data at any time from within the App (Settings → Account → Delete Account). See Section 8.
• Contact us at feedback@cuecashback.com to request a copy of your data or to ask questions about this policy.

If you are in the European Union, United Kingdom, or another jurisdiction granting you statutory rights to access, correct, delete, port, restrict, or object to processing of your personal data, you may exercise those rights by contacting feedback@cuecashback.com. We will respond within the time required by applicable law (typically 30 days).

If you are a California resident, you have the right to know what categories of personal information we collect, the right to delete your personal information, the right to opt-out of “sales” or “sharing” of personal information (we do not engage in either), and the right to non-discrimination for exercising your rights. Contact feedback@cuecashback.com to exercise any of these rights.

8. Account Deletion

You can delete your account at any time from within the App: open the side menu → Account → Delete Account. You will be asked to confirm your password (or re-authenticate with Apple if you signed in with Apple).

When you confirm deletion:

1. Your authentication record is removed.
2. Every database row tied to your account (favorites, card activations, category toggles, custom cards, notification history, device tokens) is deleted via cascade.
3. If you signed in with Apple, we attempt to revoke our access with Apple’s /auth/revoke endpoint so the App no longer appears in your “Apps Using Apple ID” list.
4. A short-lived record is kept solely to make the deletion idempotent and safely retriable; this record is purged within seven days.

Deletion is permanent and immediate. We cannot recover a deleted account.

9. Children’s Privacy

The App is not directed to children under 13 (or the equivalent minimum age in your jurisdiction) and is not designed to attract their use. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact feedback@cuecashback.com and we will delete it.

10. Security

We protect your data with industry-standard measures:

• Transport encryption — all communication between the App and our backend uses HTTPS/TLS.
• At-rest encryption — our backend provider encrypts stored data at rest.
• Authentication — passwords are hashed with bcrypt before storage; we never see your plain-text password.
• Access control — row-level security on the database ensures one user cannot read or modify another user’s data.
• Token revocation — Apple Sign-In refresh tokens are revoked on account deletion.
• No analytics or third-party trackers — there is no external pipeline of behavioral data leaving your device beyond what is required to deliver the App’s core features.

No security measure is perfect. If we ever discover a breach affecting your data, we will notify you in accordance with applicable law.

11. International Data Transfers

Our backend providers (Supabase, Firebase, Google, Resend, Cloudflare, Apple) operate data centers in multiple countries, including the United States. If you access the App from outside the United States, your data will be transferred to and processed in countries that may have different data-protection laws than your own. Where required by law, we rely on standard contractual clauses or equivalent transfer mechanisms with our providers to safeguard your data during these transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date at the top of this document and post the new version at https://cuecashback.com/privacy. Material changes (changes that expand the categories of data collected, change who we share data with, or otherwise reduce your rights) will be communicated to you via an in-app notice or email before they take effect.

13. Governing Law

This Privacy Policy is governed by the laws of the State of New Jersey, United States, without regard to its conflict-of-laws provisions.

14. Contact Us

If you have any questions about this Privacy Policy or your data, please email us at feedback@cuecashback.com.