Who we are
JH App Group LLC ("JH App Group," "Company," "we," "us," or "our") is a Colorado limited liability company registered in the State of Colorado and headquartered in Colorado Springs. We design, build, and maintain software — including the products we ship under our own name and custom work for clients.
This policy applies to every website, mobile app, desktop app, and back-end service we operate. Our products are currently in development:
- CaseFlow — USCIS immigration case status tracker (Android)
- MailMoney — AI-powered email intelligence (Android)
The data practices described below explain how these products are designed to work and apply once each one is publicly released. Until you install a product and connect it, it collects no data from you.
Where a specific product has additional privacy terms, they're linked from that product's settings screen and take precedence for that product. By using any of our applications, you agree to the practices described here.
What we collect
We collect two kinds of information: what you tell us directly, and what our servers need to run. How much we collect depends on how you use the app:
- Without an account (anonymous). CaseFlow can be used for manual case lookups with no email, name, or user account. Cases you save are stored only on your device. A manual lookup still sends the USCIS receipt number needed to perform the lookup, and an anonymous per-install device identifier may be used for rate limiting, lookup quota, and abuse prevention.
- With an account (optional). Creating an account adds your email and enables background case checks, status-change alerts, cross-device sync, and account recovery if you change phones. CaseFlow accounts use emailed verification codes instead of passwords.
2.1 Information you provide
- Email address — only if you create an account (sign-in and account recovery).
- Sign-in is passwordless — CaseFlow accounts don't use passwords. To sign in or create an account, you enter your email, we send a one-time verification code, and you enter that code. Email is used for these authentication codes (and account recovery) only.
- App-specific data — content you enter into our apps (e.g., USCIS receipt numbers in CaseFlow, authorized email accounts in MailMoney).
- Contact details you submit through our contact form (name, email, the product you're asking about, and your message).
2.2 Information collected automatically
- Anonymous device identifier — anonymous mode uses a random per-install device identifier for rate limiting and abuse prevention. During anonymous use, we do not create a user account or store that identifier as an account record. If you later create an account, the same device identifier may be associated with that account as a device fingerprint.
- IP address — for security, rate limiting, and abuse prevention. Kept in server logs for 30 days.
- Device notification tokens (account mode) — to deliver account-mode status-change alerts to your device.
- App version and device model — for troubleshooting and crash reporting.
- Basic crash reports — stack trace and device model, no user identifiers. Kept 90 days.
2.3 Information we do NOT collect
- Geolocation or GPS data.
- Financial or payment information (handled by third-party payment processors).
- Contact lists, photos, or media.
- Browsing history.
- Advertising identifiers.
2.4 App-specific data practices
CaseFlow can be used without an account for manual case lookups; cases you save are stored only on your device. Receipt numbers you enter are treated as personally identifiable information (PII). A lookup sends the receipt number to retrieve case status from the official USCIS Torch API on your behalf. Creating an account is optional and enables background case checks, status-change alerts, cross-device sync, and account recovery; accounts use emailed verification codes instead of passwords. CaseFlow is not affiliated with, endorsed by, or connected to USCIS or the U.S. government.
MailMoney is in development. When it launches, it will connect only to email accounts you authorize via OAuth (Gmail, Outlook), and process email content locally and via AI to classify financial transactions and surface opportunities. Full email content will not be stored on our servers — only extracted transaction metadata. Email OAuth tokens will be encrypted at rest and can be revoked at any time. Until you install MailMoney and connect an account, no inbox data is collected.
We do not use advertising identifiers, session replay, data brokers, or cross-site advertising trackers.
How we use it
We use your information to operate the service you're using and for nothing else. Specifically:
- To create and manage your account.
- To provide the core functionality of each app (look up a case, fetch your inbox, run your dashboard).
- To authenticate you and keep your account secure.
- To send status-change alerts about cases you track (account mode only).
- To maintain security, prevent abuse, and enforce rate limits.
- To diagnose and fix bugs using anonymized crash reports.
- To communicate important changes to the service or this policy.
- To reply to you when you email us.
We do NOT sell your data. We do NOT share your data with third parties for marketing. We do NOT use your data for advertising. We do not profile you, segment you for advertising, or train any machine-learning model on your content.
3.1 Email communications
We send email only in the following narrow categories, and only to recipients who either initiated contact with us or explicitly opted in:
- Support replies. A human reply from us when you email
support@jhappgroup.comor submit our contact form. Sent only to the address that contacted us first. - Account / security events. Sign-in verification codes, sign-in confirmations, and security alerts. Triggered only by an action you took on your own account.
- Optional product alerts (if offered). If a product offers optional email alerts in the future, they will require opt-in and will include an opt-out path — through that product's settings where available, or by contacting support.
- Service-policy notices. Material changes to our Terms of Service, this Privacy Policy, or your account status. Required for legal compliance and cannot be disabled while you maintain an account.
We do not send marketing newsletters, promotional broadcasts, drip campaigns, cross-product cross-sells, or any unsolicited email. All transactional mail is dispatched through our transactional email provider, Resend (see §4). To stop non-essential email, use the in-app settings where available or contact privacy@jhappgroup.com. We will add the address to our suppression list (see §5.4).
How we store it
We use encryption and access controls to protect stored data, but protection methods vary by data type and system. We limit access to production systems to authorized personnel.
5.1 On your device
- App data on your device is kept in encrypted local storage.
- If you use the app without an account, saved cases are stored only on your device. Anonymous users can delete saved cases one at a time in the app. To remove all anonymous local data, use the device's app-storage controls or uninstall the app.
- An optional biometric lock is available where the app offers it.
5.2 On our servers
- Data is stored on U.S.-based cloud infrastructure (see §4).
- CaseFlow accounts are passwordless — we don't use or store account passwords; sign-in uses short-lived, single-use email verification codes instead.
- Traffic between our apps and servers is sent over HTTPS.
- USCIS receipt numbers are treated as personal information and protected with technical and access controls. Some operational systems may retain receipt numbers where needed to perform USCIS polling.
5.3 Data breach notification
If a data breach affects your personal information, we will notify you via email and in-app notification within 72 hours of discovery. The notification will describe the breach, the data affected, and the steps we are taking.
5.4 Bounce and complaint handling (email deliverability)
We maintain an internal suppression list and check it before sending, so a message addressed to a suppressed recipient is not sent. Addresses are added to that list through user opt-out requests and admin action.
Your rights
Whether or not you live somewhere with a formal data-protection statute, you have these rights with us:
- Deletion — account deletion applies once you've created an account: delete your account and its associated data from within the app (Settings → Account → Delete My Account), or ask us to do it for you. Deletion is irreversible; backup copies may persist until backup rotation completes. If you use the app without an account, your saved cases are stored only on your device (see §5.1).
- Access & correction — email privacy@jhappgroup.com to request access to or correction of your information. We will respond and tell you what we can provide based on the product and legal requirements.
- Objection — tell us to stop processing your data for any purpose you didn't explicitly opt into.
- Device notifications — you can control device notifications through your operating system settings. Where an app offers local refresh-notification settings, those controls apply to that local notification path.
- Email — email is currently used for authentication codes, account-security events, policy-change notices, and support replies. Non-essential email, if offered, can be stopped by contacting privacy@jhappgroup.com; we will add your address to our suppression list (see §3.1 and §5.4). Authentication-code, account-security, and policy-change emails remain in effect while you keep an active account.
To exercise any of these, email privacy@jhappgroup.com. We respond personally, within one business day.
6.1 Data retention periods
| Data type | Retention period |
|---|---|
| Active account data | Retained while your account is active |
| Login history | 90 days |
| Server request logs | 30 days |
| Error / crash reports | 30–90 days |
| Device notification tokens | 90 days after last activity |
| Dormant accounts | We may delete dormant accounts after notice, subject to implementation and legal requirements. |
6.2 California privacy rights (CCPA/CPRA)
If you live in California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you specific rights. We extend these to every user, not just California residents:
- Know and access — ask for the categories and the specific pieces of personal information we hold about you.
- Delete — ask us to delete your personal information (see the deletion steps earlier in this section).
- Correct — ask us to fix personal information that is wrong.
- Opt out of sale or sharing — tell us not to "sell" or "share" your personal information, as those terms are defined by California law.
- Non-discrimination — we will not deny you service, charge you a different price, or lower your quality of service for using any of these rights.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. Because we do not sell or share it in those ways, there is nothing to opt out of today — but the choice stays yours if that ever changes, and we would tell you first. To make a request, email privacy@jhappgroup.com. We confirm the request against your account and respond within 45 days. You may use an authorized agent to make a request for you.
Children's privacy
Our apps are not intended for children under 13 and we do not knowingly collect information from children under 13. Contact us at privacy@jhappgroup.com if you believe a child has provided us with personal information, and we will delete it promptly.
Ownership transfer
If JH App Group LLC is acquired, merged with another company, or sells substantially all of its assets, this policy and your data will be handled as follows:
- On-device data stays yours. CaseFlow tracks cases locally; that data lives on your device and is not part of any corporate transfer.
- Account data (email, backend-side records) may be transferred to the acquiring entity as part of the sale.
- You will be notified by email and in-app notice at least 30 days before any transfer takes effect, so you have time to delete your account or request access to available account information first.
- No change in practices without notice. The acquiring entity must honor the privacy commitments in this policy until superseded by a materially different policy, which itself requires a fresh 30-day notice and your continued use to take effect.
Changes to this policy
We may update this policy from time to time. When we materially change it, we'll update the "Last updated" date at the top and — for anyone with an account — send an email and an in-app notice at least 30 days before the change takes effect. That notice will include a plain-language summary of what changed and why, so you can see what is different without re-reading the whole policy. Non-material edits (fixing a typo, clarifying wording) may be made at any time. Continued use of our apps after changes are posted constitutes acceptance.
June 29, 2026 — updated account-access wording to reflect passwordless emailed sign-in codes. CaseFlow accounts now sign in with a one-time code emailed to you, instead of a password.
This policy is designed to meet WCAG 2.1 Level AA standards. If you have difficulty accessing it, contact us for an alternative format.
Contact
For any privacy question, data request, or complaint:
- Email: privacy@jhappgroup.com
- Website: https://jhappgroup.com
- Mail: JH App Group LLC, Colorado Springs, CO 80910, United States
For product support or general questions, email support@jhappgroup.com.
We read every message ourselves and reply within one business day.