Last updated: February 13, 2026
At STEPlus, we take your privacy seriously. This policy explains what data Cashbox collects, how we use it, how we protect it, and what rights you have. By using Cashbox, you agree to the practices described below.
When you create an account, we collect your name, email address, and a securely hashed password. We never store your password in plain text.
You may enter business names, party (customer/supplier) details, transaction amounts, notes, and related financial records. This data is stored encrypted at rest using AES-256-GCM encryption and is accessible only to you.
We automatically collect limited technical data such as browser type, device type, IP address, pages visited, and timestamps. This helps us maintain service reliability and improve the product.
We use essential cookies and local storage to maintain your session (JWT tokens) and preferences. We do not use third-party advertising or tracking cookies.
We use your information solely to provide and improve the Cashbox service:
• Authenticate your identity and maintain your session securely.
• Store, display, and organize your financial records as you direct.
• Generate reports, analytics, and exports that you request.
• Send transactional emails (password resets, welcome emails) — never marketing emails without your consent.
• Monitor service health and prevent abuse or unauthorized access.
• Improve product features based on aggregated, anonymized usage patterns.
Protecting your financial data is our top priority. We employ enterprise-grade security measures:
• AES-256-GCM encryption for all sensitive data at rest, including API keys and connection credentials.
• Passwords are hashed using bcrypt with salt rounds.
• JWT-based authentication with short-lived access tokens and secure refresh token rotation.
• All data transmitted between your browser and our servers is encrypted via TLS 1.2+.
• CORS policies restrict API access to authorized origins only.
• Input sanitization and parameterized queries (via Prisma ORM) to prevent injection attacks.
We do not sell, rent, or trade your personal or financial data to any third party. Period.
We may share data only in the following limited circumstances:
• With your explicit consent (e.g., shared chat links you generate).
• To comply with legal obligations, such as a valid court order or subpoena.
• To protect the rights, property, or safety of STEPlus, our users, or the public.
Your data is retained for as long as your account is active. If you delete your account, we permanently erase all associated personal and financial data within 30 days, except where retention is required by law.
Anonymized, aggregated analytics data (which cannot be linked back to any individual) may be retained indefinitely to improve the service.
You have the right to:
• Access all data we hold about you — available anytime from your dashboard.
• Export your data in CSV or PDF format from the application.
• Correct inaccurate information via your profile settings.
• Delete your account and all associated data by contacting us.
• Withdraw consent for non-essential processing at any time.
Cashbox is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the application. Your continued use of Cashbox after changes take effect constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or your data, contact us.
© 2026 STEPlus Technologies. All rights reserved.