SPLIVO

Security

Splivo is built local-first, does not custody funds, and pushes the industry's best-practice encryption down every network hop.

Local-first

No held funds

TLS 1.2+ in transit

Row-level security

30-day delete window

On-device OCR

Local-first architecture

Your groups, expenses, chat, receipts, and invoices live in a local database on your device. The app is fully usable with no network connection and no account. Cloud sync is opt-in — enable it in Settings → Privacy & data when you want multi-device support.

This means a bad server day doesn't take down your ability to split a dinner. It also means your primary threat model is device theft, not a remote breach.

Splivo does not custody funds

Splivo is not a bank or payment processor. Payments route through Venmo, Cash App, Zelle, PayPal, or wallet apps — the apps you already use. Splivo generates pay links and tracks who's settled; we don't touch a dollar.

Consequence: there's no Splivo cash balance to hack, no routing numbers to leak, and no hidden payment account to manage.

Encryption

In transit: TLS 1.2+ for every network call. HSTS on getsplivo.com.
At rest (cloud, opt-in): Supabase-managed encryption on Postgres + Storage. Row-level security (RLS) ensures users can only read/write their own data.
Phone OTP: short-lived codes via Twilio, never stored in plaintext.
OAuth tokens (Plaid, PayPal): stored server-side with service-role key isolation.

Receipt OCR runs on your device

The receipt scan feature uses ML Kit text recognition running locally on your phone. We never upload the image of your receipt to Splivo or to Google. The parsed text stays on device — you control what makes it into an expense.

Sub-processors

The canonical, full sub-processor list lives in Privacy Policy §4. We don’t duplicate it here to avoid drift — check Privacy for the always-current list (Supabase, Twilio, Expo Push, Plaid, WalletConnect, PayPal, Google Drive, exchangerate.host, Resend, RevenueCat, etc.). Each entry there cites the data category received and any DPA / SOC 2 status.

Data categories you control

Per the v0.3.0 milestone Privacy §2 enumeration, Splivo stores the following data categories for you:

Invoices — line items, client details, optional business name & business email.
Payment-rail metadata — Stripe webhook events for auto-mark-paid reconciliation (in-progress; scaffolded, not yet live).
Notification preferences — overdue-invoice reminder thresholds, last-sent timestamp, and the 7-day dedup tracker that prevents the same reminder from firing repeatedly.
FX rate cache — USD-referenced exchange rates fetched from exchangerate.host once every 24 hours when "Show both currencies" is enabled.
Business identity — optional businessName and businessEmail fields, used as invoice sender + reply-to.

For the canonical Privacy §2 enumeration with full retention + sub-processor citations, see Privacy §2.

Security audit log

Last security-relevant policy change: Privacy effective date 2026-04-28 (v0.3.0 milestone §2 inline LOW landing per the v0.2.99 legal-review batch). Version-stable security review cadence: every milestone ship (v0.X.0) gets a fresh legal-review pass per Privacy + Terms. Non-milestone ships honor the cadence trigger (5+ entries OR 12h since last batch).

GDPR + CCPA

Right to access: In-app Export (Settings → Privacy & data) produces a full JSON of your Splivo state — every group, expense, chat, invoice, settlement. Article 20 portability satisfied.

Right to delete: "Delete my account" wipes your local data immediately and queues cloud-side deletion with a 30-day grace window. Sign in within 30 days to cancel. After T+30, all user-owned rows hard-delete via a scheduled cron job.

Right to object / opt-out: Analytics opt-out lives in Settings → Privacy & data → "Opt out of analytics." Toggle on; we stop emitting events from your device.

Bug bounty + responsible disclosure

Found a vulnerability? Email [email protected] with reproduction steps. We respond within 48 hours and coordinate public disclosure after a fix ships. We're a small team — thoughtful reports get acknowledged in our changelog. For non-security questions, see Support.

Section 1 — Data at rest

User data lives in Supabase Postgres (encrypted at rest). Payment handles never leave the device unencrypted. Local-first means the canonical copy of your groups, expenses, chat, and receipts is on your device; Supabase only sees what you opt to sync. Encryption keys are managed by Supabase per the platform’s standard at-rest controls; we do not have access to the underlying disk.

Section 2 — Data in transit

All API requests use HTTPS; the realtime channel uses WSS. Splivo never accepts payment card data — Stripe handles the full PCI scope when it activates. We don’t store credit card numbers, ACH routing numbers, or wallet seed phrases at any point in the pipeline. TLS 1.2+ is enforced on every Splivo-controlled endpoint; HSTS is enabled on getsplivo.com.

Section 3 — Chat security — the honest answer

Chat messages are encrypted in transit and at rest. Splivo (and Supabase, our Postgres provider) can technically decrypt server-side messages. We do NOT claim end-to-end encryption. We’re working on E2EE for v1.x; group key management is the harder half of that problem and we’ll ship it when it’s actually correct, not when it’s convenient. The same honest framing lives on /about — if you need true E2EE today, use Signal or another E2EE-by-default app for that conversation.

Section 4 — What we don’t store

Bank account numbers.
Credit card data (Stripe handles full PCI scope when active).
Wallet seed phrases (we never see them; WalletConnect handles signing on-device).
Social security numbers (only EIN tax IDs, with last-4 redaction in CSV exports per Privacy).
Receipt photos uploaded to a server (OCR runs on-device per ML Kit).

Section 5 — Incident reporting + response

If you believe your data is at risk, email [email protected]. We respond within 48h (per the Support SLA). GDPR data-controller obligations apply — we’ll notify affected users within 72h of a confirmed incident. We’re a small team; thoughtful reports are acknowledged in the changelog and influence priority for the next ship.

Section 6 — Sub-processor table (deeper enumeration)

Comprehensive table of all sub-processors. The canonical, regulator-facing list lives in Privacy Policy §4; this table is a public-facing summary with purpose, data shared, region, and DPA reference. Best-effort accuracy — report inconsistencies at [email protected].

Vendor	Purpose	Data shared	Region	DPA
Supabase	Postgres + Realtime + Auth	Phone, payment-rail handles, expenses, chat, invoices	US	Yes
PostHog	Product analytics (opt-in)	Anonymized event names + screen views (no PII)	EU	Yes
Sentry	Error tracking (opt-in)	Crash stack traces (no PII payloads)	US	Yes
RevenueCat	iOS/Android IAP routing	Subscription state + receipt validation	US	Yes
Expo Push	Push notification dispatch	Push token + payload routing	US	Yes
exchangerate.host	Multi-currency FX rates	Currency-pair queries (no user data)	EU	No DPA needed (no PII)
Resend (reserved)	Transactional email (env-gated; not yet live)	Recipient email + invoice metadata (when activated)	EU	Reserved
Google Fonts	Inter font CDN (web pages only)	User IP at render time	Global	Mitigation pending — bundle Inter locally
Stripe (reserved)	Subscription billing (env-gated; not yet live)	Card data direct to Stripe (PCI scope on Stripe)	US	Reserved
Plaid (reserved)	Bank-link aggregation (post-launch; conditional on user pursuing Connect-Bank)	Account-link tokens + transaction sync (when activated)	US	Reserved (NEW v0.4.3 row)

Section 7 — Vulnerability disclosure

Found a vulnerability? Email [email protected] with reproduction steps. Best-effort triage SLA: 48h initial response.

Responsible disclosure ladder:

Day 0: report received; we acknowledge within 48h.
Days 1-7: triage; severity classification; affected-user scope determination.
Days 7-30: fix dispatched in regular ship cadence (or expedited for HIGH severity).
Day 30+: public disclosure post-fix-ship; reporter acknowledged in changelog.

For non-security questions, see support.

Section 8 — Transparency log

Splivo publishes a public-facing subset of the internal legal-risk-register at transparency log (NEW v0.4.3). The transparency log enumerates 6 ACTIVE risks (R-001 through R-006) with current state, mitigations in place, and §Archive of closed risks. Cross-link changelog for ship-by-ship verifiable narrative + about for honest mission framing + privacy for data posture.

The transparency log is best-effort honesty — not a regulatory filing, not a SOC 2 audit attestation. We document what we know to be true and update when state changes. If you believe an entry is inaccurate, email [email protected].

→ Full Privacy Policy
→ Terms of Service
→ Integrations + data scopes
→ About Splivo — chat security honest answer + mission
→ Transparency log (NEW v0.4.3)

Splivo settles it.