Privacy Policy — CentZero
Last updated: 2026-04-12
Summary (plain English)
- We ask for: your email + password to sign in; the card names, annual fee amounts, and fee months you choose to track; optional camera access for card scanning.
- We do NOT ask for: your card number, CVV, PIN, account balance, or any bank credentials.
- We do NOT connect to your bank. We do NOT see your transactions.
- Card scanning (OCR) runs on your device. Images are never uploaded.
- We use Supabase (EU-hosted) for auth and data sync, PostHog for anonymous usage analytics, and RevenueCat for subscription billing. That's it.
- You can delete your account and all associated data at any time from Settings.
1. Who we are
CentZero ("we", "us", "our") is operated by Sai Chun Christopher Tang in Hong Kong. If you have questions about this policy, email us at scctang12@gmail.com.
2. What we collect
You give us directly
- Account: email address, password (stored hashed by Supabase Auth; we never see plain text).
- Apple Sign-In: if you use Apple Sign-In, we receive the opaque user ID and, if you choose to share it, your email.
- Card data you enter: card name (free-text you choose), annual fee amount, fee charge month, bank/card type selection.
- Waiver activity: when you tap "Call Hotline" or mark a waiver outcome, we record the action and timestamp.
- Points/miles data: program name, balance, expiry date — information you enter manually or capture via OCR.
Collected automatically
- Device identifiers for push notifications (Expo push tokens) — only used to deliver reminders you've subscribed to.
- Usage analytics via PostHog: anonymized events such as "opened add-card flow", "tapped call hotline". No identifiable content (card names, bank names) is sent.
- Crash reports via Expo: stack traces without personal content.
What we do NOT collect
- Card numbers, CVV, expiry dates printed on the card, PINs.
- Bank account balances, transaction history, or any banking credentials.
- Location, contacts, calendar, or other device data not listed above.
- Camera images. OCR runs entirely on-device; the captured image is processed and discarded in memory, never uploaded.
3. Why we collect it
- Reminders: schedule fee-alert notifications based on your fee month.
- Sync: let you access your data across devices if signed in.
- Service quality: analytics tell us which flows work; crash logs help us fix bugs.
- Billing: RevenueCat processes subscription purchases through Apple/Google.
We do not sell or share your personal data for advertising.
4. Third parties
| Provider |
Purpose |
Data sent |
| Supabase |
Auth, database, file storage |
Email, hashed password, card & points records |
| PostHog |
Product analytics |
Anonymized event names, device OS/version |
| RevenueCat |
Subscription billing |
Anonymous user ID, purchase receipts |
| Apple / Google |
Push notifications |
Device push token |
| Expo |
Build & crash reporting |
Stack traces without content |
Each provider has its own privacy policy. We choose vendors who process data in EU or US regions with GDPR-level protections.
5. Your rights
Wherever you are, you can:
- Access your data — via Settings > Export.
- Correct your data — edit any card or points entry in-app.
- Delete your data — Settings > Delete Account wipes everything within 30 days. Backups purge within 90 days.
- Opt out of analytics — Settings > Privacy > Turn off usage analytics.
- Opt out of push — iOS / Android system Settings.
If you're in the EU / UK, GDPR applies — you also have the right to data portability and to lodge a complaint with your data authority.
If you're in Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) applies. You can make a Data Access Request by emailing scctang12@gmail.com.
6. How long we keep data
- Active account: as long as you have one.
- Deleted account: purged from primary storage within 30 days, from backups within 90 days.
- Analytics: anonymized events retained for 24 months then deleted.
- Crash logs: 12 months.
7. Children
CentZero is not for users under 18. We do not knowingly collect data from children. If you believe we have, email us and we'll delete it.
8. Changes to this policy
We'll notify you in-app before material changes take effect. Continuing to use CentZero after the effective date means you accept the updated policy.
9. Contact
Email: scctang12@gmail.com
Location: Hong Kong SAR