1. Introduction
SplitUp ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide to Us
- Account Information: Name, email address, phone number, and profile picture
- Group Data: Group names, member lists, and group settings you create or join
- Expense Data: Transaction details, amounts, descriptions, receipts, and related metadata
- Communication Data: Messages, comments, and other communications within groups
- Support Data: Information you provide when contacting customer support
2.2 Information Collected Automatically
- Device Information: Device type, operating system, device identifiers, and mobile network information
- Usage Data: App interactions, feature usage, session duration, and performance metrics
- Location Data: Approximate location based on IP address (precise location only with explicit consent)
- Log Data: Error logs, crash reports, and diagnostic information
2.3 Information from Third Parties
- Social Media: If you connect social media accounts, we may receive profile information
- Payment Processors: Transaction confirmation data (we do not store payment card details)
- Analytics Providers: Aggregated usage statistics and performance metrics
3. How We Use Your Information
3.1 Service Provision
- Create and manage your account
- Enable group creation and expense sharing functionality
- Process transactions and settlements
- Synchronize data across your devices
- Provide customer support and respond to inquiries
3.2 Service Improvement
- Analyze usage patterns to improve user experience
- Develop new features and functionality
- Conduct research and analytics
- Perform quality assurance and testing
3.3 Communication
- Send service-related notifications and updates
- Provide important security and policy updates
- Send promotional communications (with your consent)
3.4 Legal and Security
- Comply with legal obligations and regulatory requirements
- Detect, prevent, and address fraud and security issues
- Enforce our Terms of Service and other policies
- Protect the rights and safety of users and the public
4. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:
4.1 With Your Consent
We may share information when you explicitly consent to such sharing.
4.2 Service Providers
We may share information with trusted third-party service providers who assist us in operating our Service, including:
- Cloud hosting and storage providers
- Analytics and performance monitoring services
- Customer support platforms
- Payment processing services (for transaction confirmations only)
4.3 Group Members
Within groups you join, certain information is shared with other group members, including:
- Your name and profile information
- Expenses you add or are included in
- Payment status and settlement information
4.4 Legal Requirements
We may disclose information if required by law or in response to:
- Valid legal process (subpoenas, court orders)
- Government investigations or regulatory requests
- Protection of our rights, property, or safety
- Prevention of fraud or illegal activities
4.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: Data is encrypted in transit using TLS and at rest using AES-256
- Access Controls: Strict authentication and authorization protocols
- Regular Security Audits: Ongoing vulnerability assessments and penetration testing
- Data Minimization: We collect and retain only necessary information
- Employee Training: Regular security awareness training for all personnel
- Incident Response: Established procedures for security breach detection and response
6. Data Retention
We retain personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this Privacy Policy:
- Account Data: Retained until account deletion or termination
- Expense Data: Retained for 7 years for financial record-keeping purposes
- Communication Data: Retained for 2 years for support purposes
- Log Data: Retained for 12 months for security and diagnostic purposes
Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
7.1 Access and Portability
- Request access to your personal information
- Receive a copy of your data in a portable format
7.2 Correction and Update
- Correct inaccurate or incomplete information
- Update your account information and preferences
7.3 Deletion and Erasure
- Request deletion of your personal information
- Exercise your "right to be forgotten" where applicable
7.4 Restriction and Objection
- Restrict processing of your information
- Object to processing for direct marketing purposes
7.5 Withdrawal of Consent
- Withdraw consent for data processing where consent is the legal basis
To exercise these rights, please contact us using the information provided in Section 12.
8. International Data Transfers
Our Service operates globally. Your information may be transferred to and processed in countries other than your country of residence, including the United States and European Union. We ensure appropriate safeguards are in place for international transfers:
- Adequacy Decisions: Transfers to countries with adequate data protection laws
- Standard Contractual Clauses: EU-approved contractual protections
- Privacy Shield: Compliance with applicable privacy frameworks
- Binding Corporate Rules: Internal data protection policies for group companies
9. Children's Privacy
Our Service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected information from a child under 16, we will take steps to delete such information promptly.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience:
- Essential Cookies: Required for basic functionality and security
- Analytics Cookies: Help us understand how you use our Service
- Preference Cookies: Remember your settings and preferences
You can control cookie settings through your browser or device settings.
11. Third-Party Links and Services
Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party practices. We encourage you to review the privacy policies of any third-party services you access.
12. Contact Information
13. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes through:
- In-app notifications
- Email notifications to registered users
- Website announcements
The updated Privacy Policy will be effective upon posting, and your continued use of our Service constitutes acceptance of the changes.
14. Legal Basis for Processing (EU Users)
For users in the European Union, our legal basis for processing personal information includes:
- Contract Performance: Processing necessary to provide our Service
- Legitimate Interests: Improving our Service and ensuring security
- Legal Compliance: Meeting regulatory and legal obligations
- Consent: Where you have provided explicit consent
15. Governing Law
This Privacy Policy is governed by and construed in accordance with applicable data protection laws, including:
- General Data Protection Regulation (GDPR) for EU users
- California Consumer Privacy Act (CCPA) for California residents
- Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users
- Other applicable local privacy laws