Document/ Privacy Policy
Last updatedApril 7, 2026
Applies toAll JH App Group products & services

Privacy Policy

Plain English. We don't sell your data. We don't track you around the internet. We collect the minimum we need to run our products — and we tell you exactly what that is below.

§ 01

Who we are

JH App Group LLC ("JH App Group," "Company," "we," "us," or "our") is a Colorado limited liability company registered in the State of Colorado and headquartered in Colorado Springs. We design, build, and maintain software — including the products we ship under our own name and custom work for clients.

This policy applies to every website, mobile app, desktop app, and back-end service we operate, including but not limited to:

  • CaseFlow — USCIS immigration case status tracker (Android)
  • MailMoney — AI-powered email intelligence (Android)
  • CashBrain — personal finance manager (Android)
  • Command Center — Windows system monitoring dashboard

Where a specific product has additional privacy terms, they're linked from that product's settings screen and take precedence for that product. By using any of our applications, you agree to the practices described here.

§ 02

What we collect

We collect two kinds of information: what you tell us directly, and what our servers need to run.

2.1 Information you provide

  • Email address — account creation and login.
  • Password — stored only as a one-way cryptographic hash (bcrypt, 12 rounds). We never store or see your plaintext password.
  • App-specific data — content you enter into our apps (e.g., USCIS receipt numbers in CaseFlow, authorized email accounts in MailMoney, account and budget data in CashBrain).
  • Contact details you submit through forms (name, email, company, message).

2.2 Information collected automatically

  • Device identifier — for push notifications, session management, and security.
  • IP address — for security, rate limiting, and abuse prevention. Kept in server logs for 30 days.
  • Push notification tokens — to deliver notifications to your device.
  • App version and device model — for troubleshooting and crash reporting.
  • Basic crash reports — stack trace and device model, no user identifiers. Kept 90 days.

2.3 Information we do NOT collect

  • Geolocation or GPS data.
  • Financial or payment information (handled by third-party payment processors).
  • Contact lists, photos, or media.
  • Browsing history.
  • Advertising identifiers.

2.4 App-specific data practices

CaseFlow

Collects USCIS receipt numbers you voluntarily enter to track. Retrieves case status data from the official USCIS Torch API on your behalf. Receipt numbers are treated as personally identifiable information (PII). CaseFlow is not affiliated with, endorsed by, or connected to USCIS or the U.S. government.

MailMoney

Connects to email accounts you authorize via OAuth (Gmail, Outlook). Processes email content locally and via AI to classify financial transactions and surface opportunities. Full email content is not stored on our servers — only extracted transaction metadata. Email OAuth tokens are encrypted at rest and can be revoked at any time.

What we don't

No Google Analytics. No Facebook Pixel. No Firebase Analytics. No session replay. No cross-site trackers. No advertising identifiers. No data brokers.

§ 03

How we use it

We use your information to operate the service you're using and for nothing else. Specifically:

  • To create and manage your account.
  • To provide the core functionality of each app (look up a case, fetch your inbox, run your dashboard).
  • To authenticate you and keep your account secure.
  • To send push notifications relevant to your tracked data.
  • To maintain security, prevent abuse, and enforce rate limits.
  • To diagnose and fix bugs using anonymized crash reports.
  • To communicate important changes to the service or this policy.
  • To reply to you when you email us.

We do NOT sell your data. We do NOT share your data with third parties for marketing. We do NOT use your data for advertising. We do not profile you, segment you for advertising, or train any machine-learning model on your content.

§ 04

Who we share it with

We share data only with the small set of infrastructure providers needed to run our products. Each is bound by a data-processing agreement that limits their use of your data to providing the service to us.

ProviderPurposeData category
Microsoft Azure (US data centers)Application hosting, website, admin, and ops control planeAll
Oracle CloudData plane — USCIS API integration, scanner, application database (PostgreSQL with TLS)All
Firebase Cloud MessagingAndroid push notification deliveryDevice push token
USCIS Torch APICase status lookups (CaseFlow only)Receipt number
Google / Microsoft OAuthEmail account authorization (MailMoney only)OAuth consent
Google Gemini AIEmail classification (MailMoney only)Email snippets during classification
PlaidBank account aggregation (CashBrain only; future)Account metadata

We do not share your data with advertising networks or data brokers. We do not sell, rent, or license your personal data to third parties. If that ever changes, this page will say so and we will notify you directly before it takes effect.

§ 05

How we store it

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems requires a hardware security key and a time-based one-time password (TOTP) and is limited to authorized engineers. We rotate secrets on a 90-day schedule and audit our access logs quarterly.

5.1 On your device

  • Local databases encrypted with AES-256 via SQLCipher.
  • Authentication tokens stored in EncryptedSharedPreferences backed by the Android Keystore.
  • Biometric lock available as an additional security layer.
  • On Windows, credentials use the Data Protection API with per-user scope.

5.2 On our servers

  • PostgreSQL with SSL/TLS hosted on Microsoft Azure and Oracle Cloud (U.S. data centers only).
  • Passwords hashed with bcrypt (12 rounds). We never store plaintext passwords.
  • All API communication over HTTPS with TLS 1.3.
  • Server disks encrypted at rest (platform encryption).
  • Anomaly detection on all login activity.
  • Automatic account locking after high-risk security events.
  • USCIS receipt numbers are encrypted at rest in the database, per USCIS developer guidelines.

5.3 Data breach notification

If a data breach affects your personal information, we will notify you via email and in-app notification within 72 hours of discovery. The notification will describe the breach, the data affected, and the steps we are taking.

§ 06

Your rights

Whether or not you live somewhere with a formal data-protection statute, you have these rights with us:

  • Access — ask us what we have on you. We'll reply within 30 days with a full export.
  • Correction — fix anything that's wrong. Most fields you can edit yourself from your account settings.
  • Deletion — delete your account and all associated data at any time from within each app: Settings → Account → Delete My Account. This is immediate and irreversible; removal from production completes within 7 days and from encrypted backups on the next rotation cycle (maximum 35 days).
  • Portability — get a copy of your data in a machine-readable format (JSON).
  • Objection — tell us to stop processing your data for any purpose you didn't explicitly opt into.
  • Push notifications — disable at any time through your device settings or within each app's settings.

To exercise any of these, email support@jhappgroup.com. We respond personally, within one business day.

6.1 Data retention periods

Data typeRetention period
Active account dataRetained while your account is active
Login history90 days
Server request logs30 days
Error / crash reports30 — 90 days
Push notification tokens90 days after last activity
Dormant accountsDeleted after 12 months of inactivity (with prior email notice)
§ 07

Children's privacy

Our apps are not intended for children under 13 and we do not knowingly collect information from children under 13. Contact us at support@jhappgroup.com if you believe a child has provided us with personal information, and we will delete it promptly.

§ 08

Ownership transfer

If JH App Group LLC is acquired, merged with another company, or sells substantially all of its assets, this policy and your data will be handled as follows:

  • On-device data stays yours. CaseFlow tracks cases locally; that data lives on your device and is not part of any corporate transfer.
  • Account data (email, password hash, backend-side records) may be transferred to the acquiring entity as part of the sale.
  • You will be notified by email and in-app notice at least 30 days before any transfer takes effect, so you have time to export or delete your data first.
  • No change in practices without notice. The acquiring entity must honor the privacy commitments in this policy until superseded by a materially different policy, which itself requires a fresh 30-day notice and your continued use to take effect.
§ 09

Changes to this policy

We may update this policy from time to time. When we materially change it, we'll update the "Last updated" date at the top and — for anyone with an account — send an email and an in-app notice at least 30 days before the change takes effect. Non-material edits (fixing a typo, clarifying wording) may be made at any time. Continued use of our apps after changes are posted constitutes acceptance.

Accessibility

This policy is designed to meet WCAG 2.1 Level AA standards. If you have difficulty accessing it, contact us for an alternative format.

§ 10

Contact

For any privacy question, data request, or complaint:

We read every message ourselves and reply within one business day.