Privacy Policy
Last Updated: April 25, 2026
1. Who We Are
CoreCash™ is a mobile app developed by Building Irrelevance, based in Dothan, Alabama, United States. CoreCash helps auto mechanics and DIY car enthusiasts track core deposit return deadlines by scanning parts-store receipts using AI.
This app is intended for use only in the United States. It is distributed on the Google Play Store with a US-only geographic restriction.
Questions or privacy requests: buildingirrelevance@gmail.com
2. What Information We Collect
2.1 Information stored on your device
- Core deposit records you create — part name, store name, dollar amount, return date, photo of the receipt, and notes. Stored locally using Android's app-preferences storage and included in Android Auto Backup if you have it enabled in your Google account settings.
- App preferences — your notification settings and local app state.
2.2 Information stored on our servers
To enforce purchase entitlements, prevent abuse, and operate paid features, we store the following on Google Cloud servers (Firebase Firestore, US region):
- Anonymous App User ID — a randomly generated identifier created by our billing partner (RevenueCat) when you first open the app. It is not linked to your name, email, phone number, or any other personal identifier.
- Entitlement state — what tier you are on (Free, Pro Unlock, or Shop Plan), how many free-tier cores you have created, how many AI scans you have used, your remaining bundled-scan balance, and your current Shop Plan cycle counters.
- Rate-limit records — short-lived counters of recent requests from your device, used to throttle abuse.
- Cloud Function logs — server-side request logs that may include your App User ID for debugging and security monitoring. These are auto-deleted after 30 days.
2.3 Information transmitted but not stored by us
- Receipt images — when you use the AI scanner, the receipt photo is transmitted from your device through our servers to Anthropic's Claude API for text extraction. The image is held in memory only for the duration of the scan and is not written to permanent storage by us or by Anthropic.
- Device attestation tokens — when you take an action that costs an entitlement (such as scanning a receipt or saving a core), your device generates a Play Integrity token that is sent to our servers and to Google for fraud verification. The token is verified and discarded; it is not stored.
2.4 Information we do NOT collect
- Your name, email address, phone number, or mailing address
- Your location or GPS data
- Your payment card information (Google Play handles all billing)
- Account passwords or login credentials (CoreCash has no user accounts)
- Advertising identifiers
- Browsing or behavioral data
- Contacts, photos other than receipts you choose, or messages
3. How We Use Your Information
- Receipt scanning: When you tap "Take Photo" or "Upload from Gallery," the receipt image is sent to our backend, which forwards it to Anthropic's Claude API. The API returns extracted text (store name, part name, dollar amounts, return date) which is sent back to your device for you to review and save.
- Entitlement enforcement: Before each scan or core save, your device sends your App User ID and a Play Integrity token to our backend. Our backend checks your tier, scan balance, and rate-limit status and either allows the action or returns a paywall response.
- Deadline reminders: If you enable notifications, return dates you save trigger local push notifications generated entirely on your device. No data is sent to any server to schedule these.
- Abuse prevention: Rate-limit records and Play Integrity tokens are used solely to detect and block automated abuse of the AI scanning service.
- Service operation: Anonymous App User IDs allow us to honor your purchases across reinstalls and (for Shop Plans) across multiple devices.
4. Service Providers and Subprocessors
We do not sell, rent, share, or trade your information for marketing or advertising purposes. The third parties listed below process limited data on our behalf solely to operate the app. None of them receive your name, email, or other personally identifying information from us.
| Provider | Purpose | Data Received |
|---|---|---|
| Google Cloud / Firebase Privacy Notice |
Hosts our backend servers (Cloud Functions and Firestore database) in the United States. | App User ID, entitlement state, rate-limit records, server logs. |
| Anthropic, PBC Privacy Policy |
Performs AI text extraction on receipt images you scan. | Receipt image (in memory during the scan only). Anthropic does not retain the image or use it to train models, per their commercial API terms. |
| RevenueCat, Inc. Privacy Policy |
Manages subscriptions, entitlements, and the SCAN virtual currency for Top-Up purchases. | App User ID, subscription status, purchase history, virtual-currency balance. |
| Google Play (Google LLC) Privacy Policy |
Processes all in-app purchases and provides Play Integrity device attestation. | Your Google Play purchase data and device attestation tokens. CoreCash never sees your payment card information. |
5. Data Storage, Location, and Retention
5.1 Where data is stored
All servers and data storage operated by us are located in the United States (Google Cloud us-central1 region). RevenueCat operates in the United States. Anthropic processes API requests on US-based infrastructure.
5.2 How long we keep data
| Data | Retention |
|---|---|
| Local core records and preferences on your device | Until you delete them in the app or uninstall |
| Entitlement state in Firestore | Kept while your account is active. Deleted within 30 days after a deletion request, or automatically purged after 24 months of inactivity. |
| Rate-limit records | Auto-expire within 24 hours. |
| Cloud Function server logs | Auto-deleted after 30 days. |
| RevenueCat subscription / purchase history | Retained by RevenueCat per their own retention policy. Required by tax and accounting law for transaction records. |
| Google Play purchase history | Retained by Google per their policy. Required for refund processing and tax records. |
6. How We Keep Your Information Safe
- All network traffic between your device, our servers, and our subprocessors is encrypted using HTTPS (TLS).
- API keys for our subprocessors are stored in Google Cloud Secret Manager and are never shipped in the app.
- Server-side data is keyed only by the anonymous App User ID. There is no name, email, or other personal identifier attached.
- We use Google Play Integrity attestation to verify that requests come from a legitimate, unmodified copy of the app on a real Android device.
- We follow least-privilege access controls within Google Cloud and require multi-factor authentication for all administrative access.
No system is perfectly secure. If we ever discover a security breach affecting your data, we will notify affected users through the app and/or via Google Play update notes as soon as reasonably possible.
7. Device Permissions
- Camera: Required only if you choose to take a new photo of a receipt for AI scanning. You may revoke camera access in your device settings at any time — manual entry of cores still works without it.
- Photos / Gallery: CoreCash does not request broad photo library access. When you tap "Upload from Gallery," Android's system Photo Picker opens and lets you choose a single image to share with the app. We never see other photos in your library.
- Notifications: Optional. Required only to send local return-deadline reminders. You may disable notifications at any time in your device settings or in the CoreCash Settings screen.
- Internet: Required to perform AI scans, validate purchases, and check entitlements. Manual core entry works offline; scans and purchases do not.
8. Children's Privacy
CoreCash is intended for users 18 years and older and is not directed at children. We do not knowingly collect any information from anyone under 18. We are compliant with the Children's Online Privacy Protection Act (COPPA), which prohibits collection of information from children under 13 without parental consent. If you believe a minor has used the app or that we have inadvertently collected information from a minor, contact us at buildingirrelevance@gmail.com and we will delete the relevant records.
9. Your Privacy Rights (US State Laws)
Residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have specific privacy rights under their state's privacy laws. We extend these rights to all CoreCash users regardless of their state of residence. You have the right to:
- Know what information we collect about you and how we use it (this Privacy Policy provides that disclosure)
- Access the information we have about you
- Correct inaccurate information
- Delete the information we have about you
- Opt out of sale or sharing of your personal information for cross-context behavioral advertising — we do not sell or share, but you have the right regardless
- Limit the use of sensitive personal information — we do not collect sensitive personal information as defined by California law
- Non-discrimination — we will not deny you service, charge you a different price, or provide you a different level of quality for exercising your rights
- Appeal any denial of these rights by replying to our denial notice
9.1 How to exercise these rights
- Delete your data from inside the app: Open CoreCash → Settings → "Delete My Data" → confirm. This wipes your server-side entitlement records, scan counts, and rate-limit records. Local data on your device is also cleared.
- Delete your data after uninstalling: Visit our Data Deletion page for instructions.
- Access, correct, or appeal: Email buildingirrelevance@gmail.com with the subject line "Privacy Request." Because CoreCash uses anonymous identifiers, you will need to provide your App User ID (visible in Settings) or a Google Play order number from any CoreCash purchase so we can locate your records. We will respond within 45 days.
9.2 Authorized agents
You may designate an authorized agent to make a privacy request on your behalf. We will require written authorization from you and verification of the agent's identity before acting on the request.
10. California-Specific Disclosures
10.1 Categories of personal information collected
In the past 12 months, we have collected the following categories of personal information as defined by the California Consumer Privacy Act (CCPA):
- Identifiers: Anonymous App User ID. Not linked to name, email, IP address, or government identifier.
- Commercial information: Records of in-app purchases (which tier, when purchased) maintained by our billing processors.
- Internet or other electronic network activity information: Server request logs, rate-limit counters.
- Inferences: None.
10.2 Categories disclosed to third parties for a business purpose
We share the categories above with the service providers listed in Section 4, solely for the business purposes described there.
10.3 Sources of personal information
All personal information is collected directly from you when you use the app or make a purchase. We do not purchase or acquire personal information from data brokers or other third parties.
10.4 Sale or sharing of personal information
We do not and will not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not done so in the past 12 months.
10.5 Sensitive personal information
We do not collect sensitive personal information as defined by California law (such as Social Security numbers, financial account access credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric identifiers, or health information).
10.6 California "Shine the Light" Law
California Civil Code §1798.83 entitles California residents to request once per calendar year a disclosure of the personal information shared with third parties for those parties' direct marketing purposes. We do not share personal information with third parties for direct marketing purposes. California residents may confirm this by emailing buildingirrelevance@gmail.com.
11. Do Not Track and Global Privacy Control
CoreCash is a mobile app and does not respond to web-browser Do Not Track signals or Global Privacy Control signals because we do not perform any tracking, profiling, advertising, or sale of personal information that those signals are designed to opt out of.
12. Updates to This Policy
We may update this Privacy Policy when we add new features, change our subprocessors, or when required by law. Updates will be noted by a revised date at the top of this page. Material changes will additionally be communicated through release notes on the Google Play store listing.
13. Contact Us
Building Irrelevance
PO Box 195
Dothan, AL 36302
United States
Email: buildingirrelevance@gmail.com