Privacy Policy
Effective April 28, 2026 · Last updated April 28, 2026
Short version: Splivo is local-first. Your groups, expenses, and
receipts live on your device. When you sign in, a minimal profile syncs to
our server so friends can find you by phone. We never sell your data. You
can export everything as JSON or permanently delete your account from inside
the app — deletion completes in 30 days.
1. Who we are
Splivo ("Splivo", "we",
"us") is operated by the maker of the Splivo mobile app. You
can reach us at
[email protected]
for any privacy question, subject-access request, or deletion request.
2. What we collect
On your device (local-first)
- Profile: name, avatar color, language, currency, preferences.
- Groups & members: group names, member names & phone numbers (if you add them), avatars you pick.
- Expenses & settlements: titles, amounts, dates, splits, optional receipt photos (stored as local files), voice notes.
- Chat & shopping lists: messages, reactions, pinned items, grocery items.
- Invoices & clients (Pro): invoice titles, amounts, line items, tax/tip, recipient contact fields (name, optional email, optional phone, optional company), saved templates, auto-incrementing invoice number, uploaded business logo, and — when you fill them in via Settings → Business profile — your optional business name and business email (which appear as the sender identity on invoices you send to clients, v0.3.0+).
- Support ticket contents: if you send feedback via Settings → Help, your message plus app version, locale, and device model travel to our Supabase support table. Nothing else.
- Wallets: payment handles you enter (Venmo/Cash App/Zelle/PayPal usernames; crypto addresses). We never see private keys — wallet connection is handled entirely by WalletConnect v2 on your device.
- Analytics events: a local buffer of events like app_open, expense_created, deep_link_tapped. This is for local-only debugging today. If and when we wire a real analytics service (PostHog), the opt-out toggle in Settings → Privacy & data controls it.
On our website (getsplivo.com)
- Web error telemetry (Sentry browser SDK): when getsplivo.com loads, the Sentry browser SDK is initialized and captures uncaught JavaScript exceptions plus a 5%-sampled trace of page-load + navigation events. The capture includes the error stack, the page URL, the user-agent, and the IP at TLS termination — nothing you have typed into the page. Mobile crash reporting is not yet active — the Sentry mobile SDK is a stub and does not currently transmit. Web telemetry can be suppressed by browsers that send DNT: 1 (Do-Not-Track), which we honor. This bullet will be expanded when the mobile SDK ships.
On our servers (only when you sign in)
- Your phone number, hashed, so contacts of yours who already use Splivo can find you.
- Your display name, avatar color, and handle list (payment usernames you’ve publicly associated with your profile).
- Auth state: a Supabase-issued session token. We do not store your SMS one-time code.
- Referral attribution: if a friend sent you an invite link, we record which code was used, so the referrer can earn credit.
- Cloud sync (rolling out v0.3+): your groups, expenses, and chat will optionally sync so you can log in on a new device. You can turn this off. When on, our servers store the same fields listed above, encrypted in transit, stored at rest on managed PostgreSQL (Supabase).
- Pay-link tokens (Pro, opt-in per invoice): when you generate a pay-link for an invoice, a snapshot of the invoice (title, sender name, line items, totals, due date, note) travels to a pay_tokens row so the web pay page can render it to your recipient. A rendered PDF is stored behind a 7-day signed URL in a private Supabase Storage bucket. Both are purged when you delete the invoice (see §6).
- Public profile row (opt-in): if you enable the public profile toggle (Settings → Privacy & data), Splivo publishes your handle, display name, avatar color, and payment handle list to a public_profiles table that backs getsplivo.com/@handle. Disabling the toggle deletes the row immediately.
- Pro entitlement source (proSource): when your Splivo Pro status turns on, we record how it turned on — purchase (via RevenueCat & the Apple App Store or Google Play), referral (earned from a completed referral reward), or manual (granted by us for support/testing). This one short label lets the app decide what to show you (for example, a “manage subscription” deep link only appears for purchase-based Pro). The field is stored alongside your profile row.
- Weekly digest content (Pro, opt-in, v0.3+): if you turn on Settings → Notifications → “Weekly digest,” once a week our server reads your synced balances, recent expenses, and group activity to generate a summary email addressed to you. The summary exists in memory only for the duration of dispatch; we do not retain a copy after it is sent.
v0.3.0 data surfaces (consolidated)
v0.3.0 (the first major-version milestone) consolidates several earlier-added
data surfaces into a single enumeration so you can see at a glance what Splivo
now stores or touches on your behalf:
- Invoices — line items, client details, the business name & business email you optionally set in Settings.
- Payment-rail metadata — Stripe webhook events for auto-mark-paid reconciliation (in-progress; scaffolded, not yet live — see §4 Stripe reservation).
- Notification preferences — overdue-invoice reminder thresholds (invoiceOverdueThresholdDays), last-sent timestamp (lastAutoReminderAt), and the 7-day dedup tracker that prevents the same reminder from firing repeatedly.
- FX rate cache — USD-referenced exchange rates fetched from exchangerate.host once every 24 hours when you enable “Show both currencies.” See §4 for the sub-processor relationship.
- Business identity — optional businessName and businessEmail fields, used only when set, as the invoice sender and reply-to, and visible to B2B recipients only when you send an invoice to them.
What we never collect
- Your bank credentials. We use Plaid; Splivo never sees your bank login.
- Your crypto private keys.
- Your contacts without permission. If you grant contacts access to auto-fill a friend’s phone number, we use it on-device only and do not upload your address book.
- Location data.
- Browsing history outside the app.
3. How we use it
- To run the app — splits, balances, reminders, notifications.
- To help your friends find you when they invite you by phone.
- To send payment links on your behalf (we build the URL; the actual payment happens in Venmo/Cash App/Zelle/PayPal/your crypto wallet).
- To render the invoice your Pro pay-link points to, so the recipient can see what they’re paying for before routing to their chosen payment app.
- To send you push notifications you enabled (new expenses in a group, settlement reminders, chat messages).
- To detect duplicate expenses and suggest templates based on patterns — this runs locally, on your device.
- To compute and send your weekly digest, if you opted in, summarizing your unsettled balances, the last 7 days of expenses, and any groups that have been inactive that week.
- To calculate referral rewards.
4. Who we share it with
We do not sell your data. We share data only with the third
parties we rely on to operate the app, and only the minimum each one needs:
- Supabase — managed PostgreSQL + authentication + Storage. Hosts your profile row, (optionally) cloud-synced app data, and — for Pro users who generate an invoice pay-link — the rendered PDF behind a 7-day signed URL in a private Storage bucket.
- Twilio — delivers SMS one-time codes when you sign in.
- Expo Push — delivers push notifications to your device.
- Plaid (Pro, opt-in) — if you enable bank-linked duplicate detection, Plaid securely connects to your bank and returns categorized transactions to you. Splivo receives transaction metadata (merchant, amount, date) but never your banking credentials.
- WalletConnect v2 — standard protocol for pairing your crypto wallet. Runs device-to-wallet; our servers don’t intermediate the payment.
- PayPal — if you link PayPal via OAuth, PayPal returns a read-only profile id we use to populate your handle.
- Google Drive — only if you opt in to cloud backups of receipts; files are stored on your own Drive.
- exchangerate.host — public FX-rate API. When you turn on "Show both currencies" (free), Splivo fetches USD-referenced exchange rates once every 24 hours. No account, no API key, no user data leaves your device; only the request itself hits their server.
- Resend (Pro, opt-in via weekly-digest preference; scaffolded, not yet dispatching) — will deliver the weekly digest email (unsettled balances, 7-day expense summary, untouched groups) to Pro users who have opted in via Settings → Notifications → “Weekly digest.” Resend receives only your email address, the digest subject line, and the rendered digest body; nothing else. The dispatcher is deployed today in a gated state — it returns early until our Supabase Edge environment holds a Resend API key. This policy bullet will be promoted from “scaffolded” to “active” on the same date the key lands.
- Sentry (web only — live since v0.4.74) — the Sentry browser SDK runs on getsplivo.com and ingests uncaught JavaScript exceptions plus a 5%-sampled trace of page-load + navigation events. Sentry receives the error stack, page URL, user-agent, and the IP at TLS termination — never form input or content you have typed. Sentry is hosted in the United States, is SOC 2 Type II certified, and executes a GDPR Art. 28 Data Processing Addendum with Splivo. The Sentry mobile SDK at lib/crash-reporting.ts is a stub today and does not transmit; this bullet will expand to cover mobile crash reporting on the same date the mobile SDK is wired and re-reviewed.
- RevenueCat (Pro subscription mediation — live as of v0.2.90) — mediates Splivo Pro subscription state across iOS and Android. When you open the app and a Pro purchase is active (or when you tap Buy Pro), the following fields travel to RevenueCat: (a) appUserID — your Splivo user UUID, used as the stable cross-device identifier so your Pro entitlement follows you between iPhone and Android; (b) the Apple / Google purchase token returned by the App Store or Play Store at purchase time; (c) receipt metadata — platform (ios / android), SKU / product identifier (pro.monthly or pro.annual), original purchase date, and renewal / expiration timestamps; (d) subscription entitlement state (the boolean “is Pro active” that RevenueCat returns to the app on each cold boot). RevenueCat sits downstream of the Apple App Store (iOS) and Google Play Billing (Android) sub-processor chain — the store is the payment processor of record; RevenueCat is our reconciliation layer on top of it. RevenueCat is SOC 2 Type II certified and executes a GDPR Art. 28 Data Processing Addendum with Splivo. No payment-card numbers, bank credentials, or device contact lists ever reach RevenueCat; only the fields listed above. If you are a Pro-via-referral or Pro-via-manual-grant user (see proSource above), no data is sent to RevenueCat on your behalf — the SDK is configured but only transacts when a real purchase flow runs.
- Law enforcement — if compelled by valid legal process. We will push back on overbroad requests and notify you unless a gag order prevents it.
5. Where we store it
App data sits in Supabase (US-East PostgreSQL). Receipt photos stay on
your device unless you enable Drive backup. The local analytics buffer sits
in AsyncStorage and never leaves the phone unless you uploaded a debug
bundle to us yourself.
6. How long we keep it
- While your account is active: for as long as you use Splivo.
- After you delete your account: local state is wiped on device immediately. Server-side rows enter a 30-day purge window — during that window, you can sign back in and cancel deletion. On day 30, we permanently delete your profile, groups, expenses, chat, settlements, invoices, clients, pay-link tokens, and any stored invoice PDFs.
- Invoice delete (Pro): when you hard-delete an individual invoice, the corresponding pay-link token is soft-deleted (the public pay page 404s immediately) and the associated PDF is removed from our private Storage bucket within 24 hours.
- Audit logs: security-relevant events (failed sign-in attempts, deletion confirmations) are retained for 90 days for fraud investigation.
- RevenueCat on account deletion: when you delete your Splivo account, the app calls RevenueCat.logOut() as part of the local wipe, unbinding your device from your RevenueCat appUserID. RevenueCat itself retains subscription-event telemetry (purchase history, renewal events) tied to the deleted appUserID for up to 24 months under its Data Processing Addendum — required for Apple / Google chargeback handling, tax reporting, and fraud investigation. You can request deletion of that residual RevenueCat record directly via [email protected] and we will forward your request to RevenueCat’s data-subject-rights pipeline. Your Splivo profile itself follows the 30-day purge window above regardless of RevenueCat’s separate retention.
7. Your rights
Whether the rights below are guaranteed by law depends on where you live
(GDPR if you’re in the EEA/UK, CCPA/CPRA if you’re in California,
similar regimes elsewhere). We extend most of them globally as a matter of
policy.
- Right to access (Art. 15 GDPR): Settings → Privacy & data → "What we store" lists every category on your device and server.
- Right to portability (Art. 20 GDPR / CCPA): Settings → Privacy & data → "Export everything (JSON)" hands you a complete machine-readable dump.
- Right to erasure (Art. 17 GDPR / CCPA): Settings → Privacy & data → "Delete my account." Local wipe is immediate; cloud purge completes in 30 days.
- Right to rectification (Art. 16 GDPR): edit your profile at any time. If you need something corrected on our server that the app doesn’t let you change, email us.
- Right to object / opt out of analytics (Art. 21 GDPR / CPRA): Settings → Privacy & data → "Opt out of analytics." Disables both the local buffer and any future server-side analytics.
- Right to lodge a complaint: EEA/UK users can file with their national data protection authority. California users can contact the CA Attorney General.
To exercise any right we don’t expose in-app, email
[email protected]. We aim to
respond within 7 days and complete the action within 30 days (GDPR-aligned).
8. Children
Splivo is for users 13 and up. We do not knowingly collect data from
children under 13. If you believe a child gave us data, email us and we
will delete it.
9. Security
- Transport: TLS 1.2+ for every network call.
- Auth: Supabase JWTs + rotating refresh tokens.
- At rest: managed PostgreSQL encryption, row-level security (RLS) default-deny on every table, service-role access limited to server-side Edge Functions.
- Secrets: client bundle ships only the public Supabase anon key. The service role key lives on the server.
No system is unbreachable. If a breach occurs, we will notify affected
users as soon as reasonably possible, and within 72 hours for users in the
EEA/UK as required by GDPR Art. 33.
10. International transfers
If you’re outside the United States, your data is transferred to the
US where Supabase is hosted. For EEA/UK users we rely on Standard
Contractual Clauses (SCCs) with our sub-processors.
11. Do Not Track & Global Privacy Control
Our website honors GPC signals. In the app, the in-Settings analytics
opt-out is the authoritative control.
12. Changes to this policy
If we change anything material, we’ll update the "Last updated" date
at the top and notify you in-app before the change takes effect. The app’s
"What’s new" screen (Settings → About → What’s new) also flags
privacy changes.
13. Contact
Privacy questions, subject-access requests, or anything else:
[email protected].