Privacy Policy

1 Information We Collect

We collect information that you provide directly and data generated through your use of SplitWise:

• Account Information — Full name, email address, and password (stored securely hashed with bcrypt; we never store plain-text passwords)
• Profile Data — Preferred currency, profile picture, and display preferences
• Financial Data — Expenses, group memberships, payment records, settlement history, and reminder schedules that you create within the app
• Authentication Data — If you sign in via Google or Facebook OAuth, we receive your name, email, and profile picture from the provider. We do not receive or store your social media passwords
• Technical Data — IP address, browser type, device information, and access timestamps for security monitoring and abuse prevention
• Support Data — Ticket submissions, messages, and contact form entries sent to our support team

2 How We Use Your Data

We use the information we collect for the following purposes:

• Service Delivery — To provide, operate, and maintain SplitWise features including expense tracking, group management, payment settlements, and PDF/CSV report generation
• Authentication & Security — To verify your identity via email OTP, manage sessions with JSON Web Tokens (JWTs), and detect unauthorised access attempts
• Transactional Communication — To send OTP verification codes, payment reminders, expense notifications, and password reset emails via Resend API
• Product Improvement — To analyse usage patterns, debug issues, and develop new features that improve your experience
• Support — To respond to your support tickets, contact form submissions, and help requests
• Legal Compliance — To comply with applicable laws, regulations, and legal processes

3 Third-Party Services

We do not sell, rent, or trade your personal information to any third party. We integrate with the following trusted services strictly to operate SplitWise:

• Google OAuth & Facebook OAuth — For social login authentication only
• MongoDB Atlas — Cloud database hosting with encryption at rest
• Cloudflare — DNS, CDN, and DDoS protection for our frontend at splitwise.space
• Render — Backend API hosting at api.splitwise.space with secure HTTPS
• Resend — Email delivery service for sending OTP codes, notifications, and support replies

Each provider is bound by their own privacy policies and industry-standard security practices.

4 Cookies & Local Storage

SplitWise does not use third-party tracking cookies or advertising trackers. We use browser localStorage to store:

• Your authentication token (JWT) for session management
• User preferences (preferred currency, sidebar state, theme settings)
• Cached user profile data for faster page loads

You can clear all stored data at any time by logging out or manually clearing your browser storage. No data is shared with third-party advertisers.

5 Data Security

We implement multiple layers of security to protect your data:

• Password Hashing — All passwords are hashed with bcrypt (12 salt rounds) before storage
• HTTPS Everywhere — All API communication is encrypted with TLS/SSL
• JWT Expiration — Authentication tokens expire after 7 days and must be refreshed
• CORS Protection — API access is restricted to authorised domains only
• Input Validation — All user inputs are validated and sanitised server-side
• Rate Limiting — API endpoints are rate-limited to prevent brute-force attacks
• OAuth2 Security — Social login uses industry-standard OAuth2 flows with PKCE where supported

While no system is 100% secure, we continuously monitor and update our security practices.

6 Data Retention & Deletion

We retain your personal data only for as long as your account is active and as needed to provide our services. When you delete your account:

• All personal data (profile, expenses, groups, payments) is permanently deleted from our database within 30 days
• Anonymised, aggregated data may be retained for analytics purposes but cannot be linked back to you
• Backup copies are purged according to our retention schedule

You can delete your account at any time via the Settings page in your dashboard.

7 Your Rights

You have the following rights regarding your personal data:

• Right to Access — Request a copy of the personal data we hold about you
• Right to Rectification — Update or correct inaccurate data via the Settings page
• Right to Deletion — Delete your account and all associated data at any time
• Right to Data Portability — Export your expense data as PDF or CSV reports from the Reports section
• Right to Object — Opt out of non-essential communications

To exercise any of these rights, contact us at support@splitwise.space. We will respond within 48 hours.

8 Children's Privacy

SplitWise is not intended for children under the age of 13. We do not knowingly collect personal data from children. If we discover that a child under 13 has created an account, we will promptly delete the account and all associated data. If you believe a child has provided us with personal data, please contact us immediately.

9 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will update the “Last updated” date at the top and, where appropriate, notify you via email or in-app notification. Your continued use of SplitWise after changes constitutes acceptance of the updated policy.