Privacy Policy - cashfish.me

Account Registration Information

When you create an account using email and password, we collect:

• Email address
• Username (chosen by you)
• Password (stored as a cryptographic hash, never in plaintext)
• Email verification status
• Account creation timestamp

When you sign in using third-party authentication providers (such as Google), we collect:

• Your unique identifier from the provider
• Your email address
• Your public display name
• Your public profile picture URL

Profile and Account Data

• Display name (customizable)
• Profile picture (uploaded by you or from authentication provider)
• Coins balance and transaction history
• Fragments balance and transaction history
• User level and earned badges
• Verification status
• Account settings (language, currency, theme preferences)
• Profile privacy settings (public/private)
• Newsletter subscription preference
• Last online timestamp

Referral Program Data

• Your unique referral code
• Referral relationships (who referred you, who you referred)
• Referral commission earnings
• Referral statistics and counts

Communication Data

Public Chat:

• Your display name and profile picture
• Message content (maximum 250 characters)
• Timestamp of each message
• User level and status indicators

Important: All chat messages are stored unencrypted in our database and are visible to all users. Do not share personal, sensitive, or confidential information in public chat.

Support Chat:

• Your display name and profile picture
• Message content (maximum 1,000 characters)
• Conversation history with support staff
• Timestamp of each message

Support chat messages are stored unencrypted and accessible to you and our support team.

Technical and Usage Data

• IP address (see "IP Addresses and Geolocation" section below)
• Device identifiers (collected by third-party offer providers for fraud prevention)
• Browser type and version
• Operating system
• Pages visited and features used
• Login and logout timestamps
• Activity logs (offers completed, bonuses claimed, withdrawals requested)

Transaction and Financial Data

• Coin earnings from all sources (offers, bonuses, referrals)
• Offer completion records (offer ID, provider, amount, timestamp)
• Withdrawal history (product, amount, currency, recipient email)
• Transaction metadata (status, timestamps, forex rates)
• Chargeback and reversal records
• Fraud detection flags and ban records

1. Security and Fraud Prevention

• Your IP address is recorded and stored with login timestamps
• Retained for up to 1 year after your last login
• Used to identify location inconsistencies and suspicious patterns
• Used to flag potential VPN, proxy, or emulator usage
• Used to detect and prevent fraudulent activity
• Used to enhance account security and prevent unauthorized access

2. Geographic Service Localization

• Your IP address is sent to a third-party geolocation service to determine your country
• This occurs automatically when you visit the withdrawal page
• Used to display country-specific withdrawal products and gift cards
• Only the country code is stored, not your full IP address for this purpose
• You can manually select a different country if the auto-detection is incorrect

3. Third-Party Offer Provider Data

• When you complete offers through external survey and task providers, they may send us your IP address
• Stored in transaction metadata for fraud detection and dispute resolution
• Used by providers' fraud detection systems
• We do not control how third-party providers collect or use your IP address

What Device Information is Collected:

• Device IDs from third-party offer and survey providers
• Browser fingerprints (device type, browser version, screen resolution)
• Operating system information
• Unique identifiers assigned by offer providers for fraud detection

Purpose of Device Tracking:

• Detect and prevent multi-account abuse
• Identify emulator or virtual machine usage
• Enforce bans issued by offer providers
• Prevent fraudulent offer completions
• Comply with third-party provider anti-fraud requirements

HTTP Cookies

We use cookies for:

• Identifying your computer and browser
• Associating requests with your user account (session management)
• Maintaining your login session
• Tracking your session for security purposes

Session Cookie: A cookie named "SESSION" is set when you log in and deleted when you log out or close your browser.

Local Storage

We use browser local storage for:

• Remembering your UI preferences (sidebar expanded/collapsed, display modes)
• Storing withdrawal form inputs (email addresses for convenience)
• Saving theme preferences (light/dark mode)
• Remembering language and currency settings
• Enhancing site performance by reducing redundant server requests

Session Storage

We use browser session storage (cleared when tab closes) for:

• Temporary session validation flags
• Referral code tracking during signup flow
• Temporary transaction states (pending claims, bonus redemptions)

Third-Party Cookies (Analytics)

We use Google Analytics 4 to gain insights into how users interact with our site. Google Analytics is:

• Optional and disabled by default — it only loads after you accept the cookie banner shown on your first visit (opt-in consent, Art. 6(1)(a) GDPR)
• Setting cookies named _ga and _ga_* (used to distinguish visitors) only after you consent
• Configured with IP anonymization
• Used only for anonymous usage statistics (page views, session duration, navigation patterns)
• Withdrawable at any time via the "Cookie Settings" link in the footer (declining removes no functionality)
• Subject to Google's Privacy Policy: https://policies.google.com/privacy

Service Provision and Account Management

• Create and manage your user account
• Authenticate your identity when you log in
• Track your coins, fragments, and transaction history
• Process withdrawals and send rewards to your specified recipient
• Display your profile information (publicly or privately based on your settings)
• Enable participation in the referral program

Fraud Prevention and Security

• Verify user identity and prevent unauthorized access
• Detect and prevent fraudulent activity, multi-accounting, and abuse
• Monitor for suspicious patterns and location inconsistencies
• Enforce bans and restrictions issued by us or third-party providers
• Comply with anti-money laundering and fraud prevention regulations

Communication

• Respond to your support inquiries via support chat
• Send transactional emails (account verification, withdrawal confirmations)
• Send promotional communications and newsletters (only if you opt-in)
• Notify you of important changes to our services or policies

Service Improvement and Analytics

• Analyze usage patterns and trends to improve our services
• Understand which features are most popular
• Optimize user experience and platform performance
• Develop new features and earning opportunities

Legal Compliance

• Comply with legal obligations (tax reporting, financial regulations)
• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Resolve disputes and investigate complaints

Contract Performance (GDPR Art. 6(1)(b))

Processing is necessary to provide our services and fulfill our contractual obligations to you:

• Account creation and management
• Tracking coins and rewards
• Processing withdrawal requests
• Providing chat and support features
• Enabling referral program participation

Legitimate Interest (GDPR Art. 6(1)(f))

Processing is necessary for our legitimate business interests, which include:

• Fraud prevention and security monitoring
• Enforcing our Terms of Service
• Improving our platform and services
• Analyzing usage patterns
• Maintaining audit logs and transaction records

We balance our legitimate interests against your privacy rights and only process data where our interests do not override your fundamental rights.

Consent (GDPR Art. 6(1)(a))

Processing based on your explicit consent:

• Marketing communications and newsletters (opt-in required)
• Optional analytics cookies (when implemented)
• Sharing profile information publicly (can be disabled in settings)

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Legal Obligation (GDPR Art. 6(1)(c))

Processing required to comply with legal obligations:

• Tax reporting and financial record keeping
• Anti-money laundering (AML) compliance
• Responding to lawful requests from authorities
• Data retention requirements under Swiss and EU law

Categories of Data Shared with Third Parties

Survey and Offer Providers:

• Your unique user identifier (not your email or username)
• Secure verification hashes to prevent fraud
• IP address (sent by providers back to us in completion callbacks)
• Device identifiers (collected by providers for fraud detection)
• Completion status and reward amounts

Payment and Withdrawal Processors:

• Your email address (for gift card delivery)
• Your display name
• Withdrawal amount and selected product
• Currency selection and forex conversion rates
• Recipient email address (which you provide)

Authentication Providers (e.g., Google):

• When you use third-party login (Google), you authorize them to share your profile information with us
• We receive: user ID, email, display name, profile picture URL
• Subject to the provider's privacy policy (see Google Privacy Policy for details)

Bot Protection (Cloudflare Turnstile):

• During registration we use Cloudflare Turnstile to verify that you are a real person and to prevent automated account creation
• For this purpose, Cloudflare, Inc. (USA) processes your IP address, browser characteristics (such as the user agent), and interaction signals
• Turnstile does not use tracking cookies and does not profile you for advertising purposes
• Legal basis: our legitimate interest in platform security and abuse prevention (Art. 6(1)(f) GDPR)
• Subject to Cloudflare's Privacy Policy: https://www.cloudflare.com/privacypolicy/

Image Hosting Services:

• Profile pictures you upload are stored on third-party cloud storage
• Images are publicly accessible via URL
• We do not control the provider's data retention or security practices

Geolocation Services:

• Your IP address is sent to a geolocation API to determine your country
• Used to display country-specific withdrawal options
• No other personal information is shared

Analytics Services (Google Analytics 4):

• Google Analytics receives anonymous usage data (page views, session duration, navigation patterns) — but only after you opt in via the cookie banner
• IP addresses are anonymized
• You can withdraw your consent at any time via the "Cookie Settings" link in the footer

Third-Party Responsibility

We are NOT responsible for:

• How third-party providers collect, use, or store your data
• Third-party provider privacy policies or security practices
• Data breaches or security incidents at third-party providers
• Provider errors, failures, or service interruptions
• Bans, restrictions, or chargebacks issued by providers

Each third-party provider has its own terms of service and privacy policy. You are responsible for reviewing and complying with their policies when you interact with their services through our platform.

Where Your Data is Stored

• Primary Data Storage: Our servers are located in Falkenstein, Germany
• Third-Party Services: Some third-party providers may store or process data in the United States or other countries
• Backups: Database backups may be stored in multiple geographic locations for disaster recovery

Transfers Outside Switzerland and the EEA

When we transfer personal data to countries outside Switzerland or the European Economic Area (EEA), we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): Approved by the European Commission and Swiss FDPIC
• Adequacy Decisions: Transfers to countries recognized as providing adequate data protection
• Provider Certifications: Third-party providers certified under frameworks like EU-U.S. Data Privacy Framework or Swiss-U.S. Privacy Shield (where applicable)
• Explicit Consent: In some cases, we may ask for your explicit consent for specific data transfers

Your Rights Regarding International Transfers

You have the right to:

• Request information about which countries your data is transferred to
• Obtain copies of the safeguards in place (such as SCCs)
• Object to transfers in certain circumstances

To exercise these rights, contact us at admin(at)cashfish.me.

Specific Retention Periods

• Active User Accounts: Retained while your account remains active and for 30 days after account deletion (grace period)
• IP Addresses: Up to 1 year after your last login
• Public Chat Messages: Stored indefinitely (visible to all users)
• Support Chat Messages: Retained for 2 years after the last message
• Transaction Records: 7 years (tax and financial audit compliance)
• Withdrawal Records: 10 years (financial regulations and anti-money laundering requirements)
• Session Data: 15 minutes (automatic expiration after access token expiry)
• Device IDs and Fraud Detection Data: Retained indefinitely for security and fraud prevention
• Email Verification Records: Retained while account is active
• Activity Logs: 2 years for security monitoring and dispute resolution

Account Deletion

When you delete your account:

• Your account is deactivated immediately and login access is revoked
• Personal data (email, username, profile) is marked for deletion after 30 days
• Transaction and financial records are retained for the periods specified above (legal requirement)
• Public chat messages remain visible (cannot be retroactively deleted)
• After the retention period, data is permanently deleted from our systems

Legal Hold

We may retain data beyond the specified periods if:

• Required by law or regulation
• Necessary for ongoing legal proceedings or investigations
• Needed to enforce our Terms of Service or protect our rights
• Requested by law enforcement or regulatory authorities

Right to Access (GDPR Art. 15)

• You have the right to access and receive a copy of your personal information
• Request details about how we process your data
• Request to know what categories of data we hold about you

Right to Rectification (GDPR Art. 16)

• You have the right to correct or update inaccurate or incomplete personal information
• Update your profile, email address, or other account details

Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

• You have the right to request deletion of your personal information
• Subject to legal retention requirements (financial records, tax obligations)
• Public chat messages cannot be retroactively deleted
• Transaction records may be retained for compliance purposes

Right to Data Portability (GDPR Art. 20)

• You have the right to receive your personal data in a structured, machine-readable format (e.g., JSON, CSV)
• Request to transfer your data to another service (where technically feasible)

Right to Restriction of Processing (GDPR Art. 18)

• You have the right to request that we restrict processing of your data in certain circumstances
• For example, while we verify the accuracy of contested data

Right to Object (GDPR Art. 21)

• You have the right to object to processing based on legitimate interests
• You can object to direct marketing at any time (newsletter unsubscribe)
• You can object to automated decision-making and profiling

Right to Withdraw Consent (GDPR Art. 7(3))

• Where processing is based on consent, you may withdraw consent at any time
• Withdrawal does not affect the lawfulness of processing before withdrawal
• For example: unsubscribe from newsletters, disable analytics cookies

Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with a supervisory authority:

• Swiss Residents: Federal Data Protection and Information Commissioner (FDPIC)
  Feldeggweg 1, 3003 Bern, Switzerland
  Website: https://www.edoeb.admin.ch/
• EU Residents: Your local Data Protection Authority
  Full list: https://edpb.europa.eu/about-edpb/board/members_en

How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

• Email: admin(at)cashfish.me
• Subject line: "Data Privacy Request"
• Include: Your username, email address, and specific request

We will respond to your request within 30 days (or as required by applicable law). We may request additional information to verify your identity before processing your request.

Automated Decisions We Make

1. Fraud Detection Systems:

• Automated analysis of IP addresses, device IDs, and activity patterns
• Flagging accounts for suspicious behavior (VPN usage, rapid offer completion, location inconsistencies)
• May result in account restrictions or withdrawal holds

2. Withdrawal Approval Process:

• Unverified users: All withdrawals automatically flagged for manual administrator review
• Verified users: Withdrawals processed automatically if they pass fraud checks
• High-value withdrawals may trigger additional verification requirements

3. Offerwall Ban Enforcement:

• Automatic enforcement of bans issued by third-party offer providers
• Device ID matching to prevent circumvention
• Permanent restrictions applied automatically

4. Max Offer Value Limits:

• New and unverified users have maximum offer value limits enforced automatically
• Offers exceeding the limit are automatically withheld pending review
• Limits may be adjusted based on account history and trustworthiness

Your Rights Regarding Automated Decisions

You have the right to:

• Request human review: Ask an administrator to manually review any automated decision
• Contest decisions: Challenge automated decisions you believe are incorrect
• Provide context: Submit additional information or explanation for suspicious activity
• Appeal restrictions: Request reconsideration of account restrictions or bans

To request human review or contest an automated decision, contact us at admin(at)cashfish.me with details of the decision and your grounds for appeal.

Profiling

We do not engage in extensive profiling or behavioral targeting for marketing purposes. However, we do analyze user behavior patterns to:

• Detect fraud and abuse
• Improve platform security
• Optimize user experience
• Understand platform usage trends

Age Requirements

You may only use cashfish.me if you meet one of the following criteria:

• You are 16 years of age or older
• You are 13 years of age or older with verifiable parental or legal guardian consent

Parental Consent (Ages 13-15)

If you are between 13 and 15 years old, your parent or legal guardian must:

• Review and agree to our Terms of Service and Privacy Policy on your behalf
• Supervise your use of the service
• Take responsibility for all activities on your account
• Provide consent verification if requested by us

Children Under 13

We do not knowingly collect personal information from children under the age of 13. If we discover that a child under 13 has provided us with personal information without verifiable parental consent, we will:

• Delete the account immediately
• Remove all personal information from our systems
• Notify the user of the account termination

Parental Rights

If you are a parent or guardian and believe your child has created an account or provided personal information without your consent, please contact us immediately at:

• Email: admin(at)cashfish.me
• Subject: "Child Privacy Concern"

Parents and guardians have the right to:

• Review the personal information we have collected from their child
• Request deletion of their child's personal information
• Refuse further collection or use of their child's information

Immediate Account Termination

We reserve the right to immediately terminate access to our services if we have reasonable evidence or suspicion that:

• The account holder is under the permitted age
• Parental consent was not properly obtained or verified
• Age information provided during registration was falsified

Consent and Opt-In

• Newsletter subscription is optional
• You can enable or disable newsletter subscription in your account settings
• Your email address will be used for promotional communications only if you opt-in
• We will never sell your email address to third parties for marketing purposes

What We May Send You

If you opt-in to newsletters, you may receive:

• Promotional offers and bonus codes
• Announcements about new earning opportunities
• Platform updates and new features
• Special events and contests
• Tips and guides for maximizing earnings

Transactional Emails (Non-Marketing)

You will receive certain transactional emails regardless of newsletter subscription, including:

• Email verification (account activation)
• Withdrawal confirmations
• Security alerts (password changes, suspicious login attempts)
• Important policy updates
• Support ticket responses

These transactional emails are necessary for service operation and cannot be opted out of.

How to Unsubscribe

You can unsubscribe from marketing communications at any time by:

• Account Settings: Toggle the newsletter preference in your user settings
• Email Unsubscribe Link: Click the "unsubscribe" link at the bottom of any marketing email
• Contact Support: Email admin(at)cashfish.me with subject "Unsubscribe from Newsletter"

Your unsubscribe request will be processed within 48 hours. You may still receive emails that were already queued before your request was processed.

Security Measures We Implement

• Password Security: Passwords are hashed using industry-standard cryptographic algorithms (never stored in plaintext)
• Session Management: Secure session tokens with automatic expiration (15-minute access token lifetime)
• HTTPS Encryption: All data transmitted between your browser and our servers is encrypted using SSL/TLS
• Database Security: Access to databases restricted to authorized personnel only
• Regular Monitoring: Continuous monitoring for suspicious activity and security threats
• Access Controls: Role-based access control (RBAC) for administrative functions
• Third-Party Verification: Secure hash verification for third-party API callbacks

What is NOT Encrypted

For transparency, please note the following data is not encrypted at rest in our database:

• Email addresses (stored in plaintext)
• Display names and usernames
• Chat messages (public and support chat)
• IP addresses
• Transaction records and metadata
• User settings and preferences

However, all data transmission to and from our servers is encrypted using HTTPS.

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of becoming aware of the breach (as required by GDPR)
• Describe the nature of the breach, including categories of data affected
• Explain the likely consequences and potential risks
• Detail the measures taken to address the breach and mitigate harm
• Provide recommendations for protecting your account (e.g., password reset)
• Notify the Swiss FDPIC and relevant EU supervisory authorities if required by law

Your Responsibility

You are responsible for:

• Choosing a strong, unique password
• Keeping your password confidential and not sharing it with others
• Logging out after using shared or public computers
• Notifying us immediately if you suspect unauthorized access to your account
• Not sharing sensitive personal information in public chat

Limitations

While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You use our services at your own risk.

How We Notify You of Changes

• The "Last updated" date at the top of this policy will be changed
• Material changes that significantly impact your rights will be communicated via email or prominent site notification at least 30 days in advance
• Minor operational changes may be implemented without advance notice
• We encourage you to review this Privacy Policy periodically

Your Rights Regarding Changes

• If you disagree with material changes, you have the right to close your account and request data deletion before the changes take effect
• Continued use of cashfish.me after the notice period constitutes acceptance of the updated Privacy Policy
• You may contact us at any time with questions about policy changes

Privacy Inquiries

• Email: admin(at)cashfish.me
• Subject Line: Use a clear subject (e.g., "Privacy Request", "Data Deletion Request", "GDPR Inquiry")
• Support Chat: Use the Support tab in the right sidebar for general questions

Company Information

For complete company details including registered address and commercial register number, please see our Imprint page.

Response Time

We aim to respond to all privacy-related inquiries within 30 days (or as required by applicable law). Complex requests may require additional time, in which case we will notify you of the delay and expected resolution timeframe.