Document/ Privacy Policy
Last updatedJune 29, 2026
Applies toAll JH App Group products & services

Privacy Policy

Plain English. We don't sell your data. We don't track you around the internet. We collect the minimum we need to run our products — and we tell you exactly what that is below.

§ 01

Who we are

JH App Group LLC ("JH App Group," "Company," "we," "us," or "our") is a Colorado limited liability company registered in the State of Colorado and headquartered in Colorado Springs. We design, build, and maintain software — including the products we ship under our own name and custom work for clients.

This policy applies to every website, mobile app, desktop app, and back-end service we operate. Our products are currently in development:

  • CaseFlow — USCIS immigration case status tracker (Android)
  • MailMoney — AI-powered email intelligence (Android)

The data practices described below explain how these products are designed to work and apply once each one is publicly released. Until you install a product and connect it, it collects no data from you.

Where a specific product has additional privacy terms, they're linked from that product's settings screen and take precedence for that product. By using any of our applications, you agree to the practices described here.

§ 02

What we collect

We collect two kinds of information: what you tell us directly, and what our servers need to run. How much we collect depends on how you use the app:

  • Without an account (anonymous). CaseFlow can be used for manual case lookups with no email, name, or user account. Cases you save are stored only on your device. A manual lookup still sends the USCIS receipt number needed to perform the lookup, and an anonymous per-install device identifier may be used for rate limiting, lookup quota, and abuse prevention.
  • With an account (optional). Creating an account adds your email and enables background case checks, status-change alerts, cross-device sync, and account recovery if you change phones. CaseFlow accounts use emailed verification codes instead of passwords.

2.1 Information you provide

  • Email address — only if you create an account (sign-in and account recovery).
  • Sign-in is passwordless — CaseFlow accounts don't use passwords. To sign in or create an account, you enter your email, we send a one-time verification code, and you enter that code. Email is used for these authentication codes (and account recovery) only.
  • App-specific data — content you enter into our apps (e.g., USCIS receipt numbers in CaseFlow, authorized email accounts in MailMoney).
  • Contact details you submit through our contact form (name, email, the product you're asking about, and your message).

2.2 Information collected automatically

  • Anonymous device identifier — anonymous mode uses a random per-install device identifier for rate limiting and abuse prevention. During anonymous use, we do not create a user account or store that identifier as an account record. If you later create an account, the same device identifier may be associated with that account as a device fingerprint.
  • IP address — for security, rate limiting, and abuse prevention. Kept in server logs for 30 days.
  • Device notification tokens (account mode) — to deliver account-mode status-change alerts to your device.
  • App version and device model — for troubleshooting and crash reporting.
  • Basic crash reports — stack trace and device model, no user identifiers. Kept 90 days.

2.3 Information we do NOT collect

  • Geolocation or GPS data.
  • Financial or payment information (handled by third-party payment processors).
  • Contact lists, photos, or media.
  • Browsing history.
  • Advertising identifiers.

2.4 App-specific data practices

CaseFlow

CaseFlow can be used without an account for manual case lookups; cases you save are stored only on your device. Receipt numbers you enter are treated as personally identifiable information (PII). A lookup sends the receipt number to retrieve case status from the official USCIS Torch API on your behalf. Creating an account is optional and enables background case checks, status-change alerts, cross-device sync, and account recovery; accounts use emailed verification codes instead of passwords. CaseFlow is not affiliated with, endorsed by, or connected to USCIS or the U.S. government.

MailMoney

MailMoney is in development. When it launches, it will connect only to email accounts you authorize via OAuth (Gmail, Outlook), and process email content locally and via AI to classify financial transactions and surface opportunities. Full email content will not be stored on our servers — only extracted transaction metadata. Email OAuth tokens will be encrypted at rest and can be revoked at any time. Until you install MailMoney and connect an account, no inbox data is collected.

What we don't

We do not use advertising identifiers, session replay, data brokers, or cross-site advertising trackers.

§ 03

How we use it

We use your information to operate the service you're using and for nothing else. Specifically:

  • To create and manage your account.
  • To provide the core functionality of each app (look up a case, fetch your inbox, run your dashboard).
  • To authenticate you and keep your account secure.
  • To send status-change alerts about cases you track (account mode only).
  • To maintain security, prevent abuse, and enforce rate limits.
  • To diagnose and fix bugs using anonymized crash reports.
  • To communicate important changes to the service or this policy.
  • To reply to you when you email us.

We do NOT sell your data. We do NOT share your data with third parties for marketing. We do NOT use your data for advertising. We do not profile you, segment you for advertising, or train any machine-learning model on your content.

3.1 Email communications

We send email only in the following narrow categories, and only to recipients who either initiated contact with us or explicitly opted in:

  • Support replies. A human reply from us when you email support@jhappgroup.com or submit our contact form. Sent only to the address that contacted us first.
  • Account / security events. Sign-in verification codes, sign-in confirmations, and security alerts. Triggered only by an action you took on your own account.
  • Optional product alerts (if offered). If a product offers optional email alerts in the future, they will require opt-in and will include an opt-out path — through that product's settings where available, or by contacting support.
  • Service-policy notices. Material changes to our Terms of Service, this Privacy Policy, or your account status. Required for legal compliance and cannot be disabled while you maintain an account.

We do not send marketing newsletters, promotional broadcasts, drip campaigns, cross-product cross-sells, or any unsolicited email. All transactional mail is dispatched through our transactional email provider, Resend (see §4). To stop non-essential email, use the in-app settings where available or contact privacy@jhappgroup.com. We will add the address to our suppression list (see §5.4).

§ 04

Who we share it with

We share data only with the small set of infrastructure providers (sub-processors) needed to run our products. Each one may use your data only to provide its service to JH App Group. They may not use, disclose, sell, or repurpose your information — including any de-identified, anonymized, or pseudonymized version of it — for their own purposes or without your active consent. Each is bound by written confidentiality and data-processing terms that hold them to the commitments in this policy.

ProviderPurposeData category
Microsoft Azure (U.S. data centers)Application and website hostingAll
Oracle Cloud (U.S. data centers)Application database and USCIS case-status integrationAll
Firebase Cloud MessagingAndroid device notification delivery for account-mode status-change alertsDevice notification token
ResendOutbound transactional email delivery (support replies, account events, optional product alerts, if offered). Resend may process delivery, bounce, and complaint metadata for delivery and reputation management.Recipient email address, message body
USCIS Torch APICase status lookups (CaseFlow only)Receipt number
Google / Microsoft OAuthEmail account authorization (MailMoney only; planned, active at launch)OAuth consent
Google Gemini AIEmail classification (MailMoney only; planned, active at launch)Email snippets during classification

We do not share your data with advertising networks or data brokers. We do not sell, rent, or license your personal data to third parties. If that ever changes, this page will say so and we will notify you directly before it takes effect.

§ 05

How we store it

We use encryption and access controls to protect stored data, but protection methods vary by data type and system. We limit access to production systems to authorized personnel.

5.1 On your device

  • App data on your device is kept in encrypted local storage.
  • If you use the app without an account, saved cases are stored only on your device. Anonymous users can delete saved cases one at a time in the app. To remove all anonymous local data, use the device's app-storage controls or uninstall the app.
  • An optional biometric lock is available where the app offers it.

5.2 On our servers

  • Data is stored on U.S.-based cloud infrastructure (see §4).
  • CaseFlow accounts are passwordless — we don't use or store account passwords; sign-in uses short-lived, single-use email verification codes instead.
  • Traffic between our apps and servers is sent over HTTPS.
  • USCIS receipt numbers are treated as personal information and protected with technical and access controls. Some operational systems may retain receipt numbers where needed to perform USCIS polling.

5.3 Data breach notification

If a data breach affects your personal information, we will notify you via email and in-app notification within 72 hours of discovery. The notification will describe the breach, the data affected, and the steps we are taking.

5.4 Bounce and complaint handling (email deliverability)

We maintain an internal suppression list and check it before sending, so a message addressed to a suppressed recipient is not sent. Addresses are added to that list through user opt-out requests and admin action.

§ 06

Your rights

Whether or not you live somewhere with a formal data-protection statute, you have these rights with us:

  • Deletion — account deletion applies once you've created an account: delete your account and its associated data from within the app (Settings → Account → Delete My Account), or ask us to do it for you. Deletion is irreversible; backup copies may persist until backup rotation completes. If you use the app without an account, your saved cases are stored only on your device (see §5.1).
  • Access & correction — email privacy@jhappgroup.com to request access to or correction of your information. We will respond and tell you what we can provide based on the product and legal requirements.
  • Objection — tell us to stop processing your data for any purpose you didn't explicitly opt into.
  • Device notifications — you can control device notifications through your operating system settings. Where an app offers local refresh-notification settings, those controls apply to that local notification path.
  • Email — email is currently used for authentication codes, account-security events, policy-change notices, and support replies. Non-essential email, if offered, can be stopped by contacting privacy@jhappgroup.com; we will add your address to our suppression list (see §3.1 and §5.4). Authentication-code, account-security, and policy-change emails remain in effect while you keep an active account.

To exercise any of these, email privacy@jhappgroup.com. We respond personally, within one business day.

6.1 Data retention periods

Data typeRetention period
Active account dataRetained while your account is active
Login history90 days
Server request logs30 days
Error / crash reports30–90 days
Device notification tokens90 days after last activity
Dormant accountsWe may delete dormant accounts after notice, subject to implementation and legal requirements.

6.2 California privacy rights (CCPA/CPRA)

If you live in California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you specific rights. We extend these to every user, not just California residents:

  • Know and access — ask for the categories and the specific pieces of personal information we hold about you.
  • Delete — ask us to delete your personal information (see the deletion steps earlier in this section).
  • Correct — ask us to fix personal information that is wrong.
  • Opt out of sale or sharing — tell us not to "sell" or "share" your personal information, as those terms are defined by California law.
  • Non-discrimination — we will not deny you service, charge you a different price, or lower your quality of service for using any of these rights.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. Because we do not sell or share it in those ways, there is nothing to opt out of today — but the choice stays yours if that ever changes, and we would tell you first. To make a request, email privacy@jhappgroup.com. We confirm the request against your account and respond within 45 days. You may use an authorized agent to make a request for you.

§ 07

Children's privacy

Our apps are not intended for children under 13 and we do not knowingly collect information from children under 13. Contact us at privacy@jhappgroup.com if you believe a child has provided us with personal information, and we will delete it promptly.

§ 08

Ownership transfer

If JH App Group LLC is acquired, merged with another company, or sells substantially all of its assets, this policy and your data will be handled as follows:

  • On-device data stays yours. CaseFlow tracks cases locally; that data lives on your device and is not part of any corporate transfer.
  • Account data (email, backend-side records) may be transferred to the acquiring entity as part of the sale.
  • You will be notified by email and in-app notice at least 30 days before any transfer takes effect, so you have time to delete your account or request access to available account information first.
  • No change in practices without notice. The acquiring entity must honor the privacy commitments in this policy until superseded by a materially different policy, which itself requires a fresh 30-day notice and your continued use to take effect.
§ 09

Changes to this policy

We may update this policy from time to time. When we materially change it, we'll update the "Last updated" date at the top and — for anyone with an account — send an email and an in-app notice at least 30 days before the change takes effect. That notice will include a plain-language summary of what changed and why, so you can see what is different without re-reading the whole policy. Non-material edits (fixing a typo, clarifying wording) may be made at any time. Continued use of our apps after changes are posted constitutes acceptance.

Most recent update

June 29, 2026 — updated account-access wording to reflect passwordless emailed sign-in codes. CaseFlow accounts now sign in with a one-time code emailed to you, instead of a password.

Accessibility

This policy is designed to meet WCAG 2.1 Level AA standards. If you have difficulty accessing it, contact us for an alternative format.

§ 10

Contact

For any privacy question, data request, or complaint:

For product support or general questions, email support@jhappgroup.com.

We read every message ourselves and reply within one business day.