Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account information: Your first and last name, email address, phone number, and password (stored as a one-way cryptographic hash — we never store your plaintext password).
• Profile information: Optional profile photo you choose to upload.
• Expense and group data: Expenses, expense splits, group memberships, and related notes or descriptions you enter into the App.

1.2 Financial Information via Plaid

When you link a bank account, we use Plaid Technologies, Inc. ("Plaid") to connect to your financial institution. Through Plaid, we receive:

• Bank account names, types, and last-four-digit masks
• Account balances (current and available)
• Transaction history (merchant name, amount, date, category, and location)
• A Plaid Item ID and access token used to retrieve your data

Your bank credentials are entered directly into Plaid's secure interface and are never transmitted to or stored by SwiftSplit. Plaid's use of your data is governed by Plaid's Privacy Policy, available at plaid.com/legal.

1.3 Information Collected Automatically

• Device information: Device ID, device name, and device type, used solely to manage your login sessions and push notification delivery.
• Push notification tokens: An Expo push token associated with your device, used to send you in-app notifications.
• Authentication tokens: Short-lived JWT access tokens (15-minute expiry) and refresh tokens (30-day expiry) stored securely on your device.
• Application logs: Server-side logs that may include IP addresses, request timestamps, and error details, retained for operational and security purposes.

1.4 Information We Do Not Collect

• We do not collect Social Security numbers, government-issued ID numbers, or full payment card numbers.
• We do not collect precise GPS location (transaction location data comes from your bank via Plaid and reflects where a transaction occurred, not your real-time location).
• We do not sell your personal information to third parties.

2. How We Use Your Information

We use your personal information for the following purposes:

• Providing the App: Creating and managing your account, connecting bank accounts, syncing transactions, calculating expense splits, and delivering notifications.
• Communications: Sending transactional emails (password reset, account verification) via Mailgun, and push notifications about group activity and expense updates.
• Security and fraud prevention: Detecting unauthorized access, managing authentication sessions, rotating cryptographic tokens, and monitoring for abuse.
• Legal compliance: Meeting our obligations under applicable law, including responding to lawful requests from regulatory authorities.
• Service improvement: Diagnosing technical issues and improving App performance using anonymized operational logs.

We process your data on the following legal bases under GDPR: performance of a contract (providing the App), legitimate interests (security, fraud prevention, service improvement), compliance with legal obligations, and your consent where required (e.g., push notifications).

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:

3.1 Service Providers

We share data with the following sub-processors who act on our instructions:

• Plaid Technologies, Inc. — Financial account connection and transaction data retrieval. Data is processed pursuant to Plaid's End User Privacy Policy.
• Microsoft Azure — Cloud hosting (App Service), database storage (Azure SQL), and infrastructure. Data is stored in the United States (East US region). Microsoft's Data Processing Addendum governs this processing.
• Expo (by Expo Technologies, Inc.) — Push notification delivery. Only your device push token and the notification content are shared.
• Mailgun Technologies, Inc. — Transactional email delivery. Only your email address and the email content are shared.

3.2 Other Users

When you participate in a shared expense group, certain information is visible to other group members: your display name, profile photo, expense amounts you have added or split, and your group membership status.

3.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of SwiftSplit, our users, or the public.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections described in this policy. We will notify you of any such change.

4. Data Retention

We retain your personal information for the following periods:

• Personal account data: Retained for the duration of your account. Upon account deletion, your profile, linked bank accounts, personal transactions, personal expenses, group memberships, authentication tokens, notification settings, and push tokens are permanently and irreversibly deleted immediately.
• Shared group expense history: Expenses and expense splits you contributed to a shared group are retained in anonymized form to preserve the financial records of other group members. Your name and account are removed from these records; they are attributed to "Deleted User." This limited retention is permitted under GDPR Article 17(3)(b) (legitimate interests of third parties) and equivalent CCPA exceptions for data necessary to complete a transaction with another consumer. If you do not wish your contribution history to be retained in any form, please remove all of your group expenses before deleting your account.
• Server logs: Operational and security logs are retained for up to 90 days for security monitoring and troubleshooting purposes, then deleted.
• Backups: Encrypted database backups may retain your data for up to 35 days after deletion as part of our disaster recovery process, after which they are permanently overwritten.

5. Data Security

We implement industry-standard technical and organizational security measures to protect your personal information:

• All data in transit is encrypted using TLS 1.2 or higher.
• Data at rest is protected by Azure SQL Transparent Data Encryption (TDE).
• Plaid access tokens and item identifiers are encrypted at the field level using AES-256 before storage in our database.
• Passwords are stored as one-way cryptographic hashes and are never recoverable in plaintext.
• Authentication uses short-lived JWT tokens (15-minute expiry) with device-bound refresh tokens.
• Our production infrastructure is monitored continuously by Microsoft Defender for Cloud.

Despite these measures, no system is completely secure. In the event of a data breach that affects your rights or freedoms, we will notify you and the applicable regulatory authorities as required by law (within 72 hours under GDPR where feasible).

6. Your Privacy Rights

6.1 Rights for All Users

Regardless of your location, you have the right to:

• Access the personal information we hold about you
• Correct inaccurate information in your profile
• Delete your account and all associated data (via Settings → Delete Account)
• Withdraw consent for push notifications at any time via your device settings
• Unlink any connected bank account at any time (via Settings → Linked Accounts)

6.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (financial data) only to provide the App's core functionality. You may limit this use by unlinking your bank account.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a California rights request, contact us at privacy@swiftsplit.app with the subject line "California Privacy Request." We will respond within 45 days.

6.3 Other US State Residents

Residents of Virginia, Colorado, Connecticut, Texas, Florida, and other states with comprehensive privacy laws have rights similar to those described in Section 6.2, including the right to access, correct, delete, and obtain a portable copy of your data, and to opt out of targeted advertising and profiling. We do not conduct targeted advertising or sell personal data. To exercise your rights, contact us at privacy@swiftsplit.app. We will respond within the timeframe required by your state's law (generally 45 days, extendable by an additional 45 days with notice).

6.4 EEA, UK, and Swiss Residents (GDPR / UK GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to:

• Access (Article 15): Obtain a copy of the personal data we hold about you.
• Rectification (Article 16): Correct inaccurate or incomplete data.
• Erasure (Article 17): Request deletion of your data ("right to be forgotten") where no overriding legal basis exists.
• Restriction of Processing (Article 18): Request that we restrict how we use your data in certain circumstances.
• Data Portability (Article 20): Receive your data in a structured, machine-readable format.
• Object (Article 21): Object to processing based on legitimate interests.
• Automated Decision-Making (Article 22): We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise your GDPR rights, contact us at privacy@swiftsplit.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member state's supervisory authority).

7. International Data Transfers

SwiftSplit is operated from the United States and your data is stored on servers located in the US (Azure East US region). If you are accessing the App from outside the United States, your personal information will be transferred to and processed in the United States, which may not have data protection laws equivalent to those in your country.

For transfers of personal data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, where applicable, or other lawful transfer mechanisms. Our cloud service providers (Microsoft Azure, Mailgun) maintain SCCs and participate in approved data transfer frameworks.

8. Age Requirement

You must be at least 18 years old to use SwiftSplit. The App involves linking bank accounts and managing financial transactions, which requires the legal capacity to enter into contracts. By creating an account, you confirm that you are 18 years of age or older.

The App is not directed to children under the age of 13 (or under 16 in the EEA where applicable). We do not knowingly collect personal information from anyone under 18. If we become aware that an account was created by someone under 18, we will promptly delete that account and all associated data. If you believe a minor has provided us with personal information, please contact us at privacy@swiftsplit.app.

9. Third-Party Links and Services

The App may contain links to third-party websites or services (e.g., Plaid's bank connection interface). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

10. Cookies and Tracking

The App is a native mobile application and does not use browser cookies. We do not use cross-app tracking, advertising identifiers, or behavioral analytics platforms. Authentication state is managed through encrypted tokens stored locally on your device using platform-native secure storage (iOS Keychain / Android Keystore).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page and, for material changes, notify you via email or an in-app notice at least 30 days before the change takes effect. Your continued use of the App after the effective date constitutes acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the App and may request deletion of your account.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to report a privacy concern, please contact us at:

We aim to respond to all privacy-related inquiries within 10 business days, and will complete any required action within the timeframe mandated by applicable law.