Privacy Policy for Splitrate

Splitrate was developed according to the principles of Privacy-by-Design and Privacy-by-Default:

• Fully local processing: All your data is stored and processed exclusively on your own iOS device. There is no server-side processing.
• No data collection: We do not collect, receive, store, or process any personal data from you.
• No tracking: There are no analytics tools, tracking SDKs, advertising networks, or similar technologies in the app.
• No user accounts: The app does not require a user account, registration, or login.
• No data transfer: The app does not transfer any data to our servers or third parties (except for the optional iCloud synchronization, which you can activate yourself and which is entirely controlled by Apple).
• No profiling: No user profiles are created.

This privacy policy takes into account the requirements of the following data protection laws, insofar as they are applicable to you:

• EU/EEA: General Data Protection Regulation (GDPR)
• UK: UK GDPR and Data Protection Act 2018, Data (Use and Access) Act 2025
• Switzerland: Federal Act on Data Protection (nDSG/revDSG)
• USA: State Privacy Laws (CPRA, VCDPA, CPA, CTDPA, UCPA, MCDPA, OCPA, TDPSA, and others)
• Brazil: Lei Geral de Protecao de Dados (LGPD)
• Canada: PIPEDA and provincial laws (Quebec Law 25, BC PIPA, Alberta PIPA)
• Australia: Privacy Act 1988 (Australian Privacy Principles)
• New Zealand: Privacy Act 2020
• Japan: Act on Protection of Personal Information (APPI)
• South Korea: Personal Information Protection Act (PIPA)
• Singapore: Personal Data Protection Act (PDPA)
• India: Digital Personal Data Protection Act, 2023 (DPDPA)
• China: Personal Information Protection Law (PIPL)
• South Africa: Protection of Personal Information Act (POPIA)
• Israel: Privacy Protection Law, 5741-1981
• UAE: UAE Data Protection Law, DIFC Data Protection Law
• Turkey: KVKK (Law No. 6698)
• Mexico: LFPDPPP
• Argentina: Ley de Proteccion de Datos Personales 25.326
• Chile: Ley 19.628 sobre Proteccion de Datos de Caracter Personal
• As well as all other applicable national, regional, or local data protection laws of your place of residence.

The following data is stored and processed exclusively locally on your iOS device:

• Expense data (amounts, categories, descriptions, date/time)
• Budgets and savings goals that you create
• Notes and comments on transactions
• Photos of receipts (if you use this feature)
• Settlement information between household members
• App settings and preferences

This data is processed to provide you with the app's features: managing personal expenses, budget planning and tracking, visualizing your financial data, and settling accounts with household members.

Processing is based on the performance of a contract (EU/EEA: Art. 6(1)(b) GDPR; UK: Art. 6(1)(b) UK GDPR; Switzerland: Art. 6(1) nDSG; Brazil: Art. 7 V LGPD; other jurisdictions: performance of contract or corresponding legal basis under applicable local law).

You can export your data from the app at any time in the following formats: CSV (Comma-Separated Values) and JSON (JavaScript Object Notation). This export function ensures your right to data portability pursuant to GDPR Art. 20, UK GDPR Art. 20, LGPD Art. 18 V, CPRA, and corresponding provisions of other applicable data protection laws.

Camera permission is only requested when you want to take a receipt photo for the first time. Purpose: Photographing receipts to document your expenses. The captured photo is stored exclusively locally on your device. There is no transfer to servers or third parties, no image analysis or OCR processing by us. Legal basis: Your explicit consent (GDPR Art. 6(1)(a) and corresponding provisions of other applicable laws). Revocation: iOS Settings, Splitrate, Camera, Disable.

Permission is only requested when you want to select an existing photo from your media library as a receipt. The app uses the Photo Picker API, which allows you to select individual photos without granting the app full access to your photo gallery. ONLY the photos you select are copied into the app and stored exclusively locally. There is no transfer to servers or third parties. Splitrate does not access your video or audio library.

Notifications are generated entirely locally on your device for payment reminders, budget alerts, and recurring expense reminders. No push notifications are sent via external services. All reminders are local iOS notifications. There is no data transfer to our or external servers and no analysis of notification behavior. Revocation: iOS Settings, Splitrate, Notifications, Disable.

This feature is only requested when you activate the optional app lock, to protect your financial data from unauthorized access. Biometric data is processed exclusively by iOS. Neither the app nor we ever have access to your biometric data. The app only receives from iOS the information whether authentication was successful. There is no storage, transfer, or processing of biometric data by the app. Revocation: Splitrate App, Settings, Security, Disable app lock.

Splitrate does not operate any servers, databases, or backend infrastructure for data processing. There is no data collection, no central data storage, no data transfer to us, and no server-side processing.

The app contains no tracking or analytics technologies: no web analytics, no crash reporting services, no advertising networks or ad SDKs, no behavioral analytics, no A/B testing tools, no user IDs, device IDs, or tracking identifiers, no cookies, web beacons, or similar technologies, and no fingerprinting techniques.

We do not share any data with third parties, sell or rent any data, as we simply do not receive or process any data from you. Exception: Apple Inc. as an independent controller if you activate iCloud synchronization (see Section 6).

No user profiles are created. We have no information about your usage behavior, financial habits, spending patterns, demographic data, or any other personal information.

Splitrate offers you the optional ability to synchronize your app data across multiple devices via Apple iCloud. This feature is entirely voluntary, disabled by default, must be actively enabled by you in iOS system settings, and can be disabled at any time. You can use the app entirely without iCloud.

If you activate iCloud synchronization, your data is uploaded directly from your device to your private iCloud. We (Splitrate) are not a processor of this data. Apple Inc. is the independent controller of your iCloud data. We have no access to your iCloud data whatsoever. For the processing of your iCloud data, Apple's own privacy and usage terms apply exclusively: https://www.apple.com/legal/privacy/

You can revoke your consent at any time: Go to iOS Settings, [Your Name], iCloud, Manage Storage, Splitrate and disable or delete the data. Data already stored in iCloud will remain there until you manually delete it. Local data on your device remains unaffected.

There is no joint controllership between us (Splitrate/Marcel Baklouti) and Apple Inc. We have no access to your iCloud data, make no decisions about processing in iCloud, and Apple acts entirely independently.

If you use iCloud synchronization, you have data protection rights against Apple as independent controller. You can exercise these through Apple's Data & Privacy Portal: https://privacy.apple.com/

When you send us an email to support@splitrate.app, we process the following data: your email address, your name (if you provide it), the content of your message, date and time of the inquiry, and technical metadata (email headers).

Support emails are retained during active processing and stored for a maximum of 6 months after the last communication. After expiration, all emails are completely and irreversibly deleted. You can request immediate deletion of your support correspondence at any time.

For sending and receiving emails, we use a self-hosted mail server located in Germany. There is no data processing agreement with an external email service provider.

The app is provided through the Apple App Store. Apple independently processes data related to the download and installation (Apple ID, download history, device information). Legal basis: Your contractual relationship with Apple. Apple Privacy Policy: https://www.apple.com/legal/privacy/

If you leave a rating or review in the App Store, it is published and processed by Apple. We have no access to your Apple ID or contact details and no ability to delete or edit your review.

We do not collect any usage statistics ourselves. Apple offers an optional feature where you can allow Apple to collect anonymized usage and diagnostic data. You can disable this under: iOS Settings, Privacy & Security, Analytics & Improvements. We only receive aggregated, anonymized statistics without individual user IDs or personal data.

You have the right to know what personal data we process about you. Local app data: You always have full access to all your data directly in the app. iCloud data: Contact Apple. Support emails: Send a request to support@splitrate.app.

You have the right to have inaccurate or incomplete data corrected. You can edit local app data yourself in the app at any time.

You have the right to have your personal data deleted. You can delete individual entries directly in the app. All data is automatically deleted when you uninstall the app. iCloud data: See Section 6. Support emails: Request to support@splitrate.app (deletion within 30 days).

You can stop using the app at any time, disable iCloud synchronization, or contact us regarding support emails.

You have the right to receive your data in a structured, commonly used, and machine-readable format. Use the export function in the app for this (Settings, Export Data, CSV or JSON).

You have the right to object to processing based on legitimate interests. Request to support@splitrate.app.

Where processing is based on your consent, you can withdraw it at any time with future effect: Camera/Photos via iOS Settings, Push notifications via iOS Settings, iCloud Sync see Section 6. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Contact: support@splitrate.app. We will respond to your request typically within 30 days (or according to the deadlines of your applicable local data protection law). Exercising your rights is generally free of charge.

You have the right to lodge a complaint with a data protection supervisory authority, particularly in the country of your habitual residence. See Section 10 for contact details of supervisory authorities in your region.

Applicable law: Regulation (EU) 2016/679 (GDPR). All rights described in Section 9 apply in full (Art. 15-22 GDPR). Response time: One month, with possible extension of up to two additional months for complex requests. Right to complain: You can complain to any EU data protection authority. List of all EU data protection authorities: https://edpb.europa.eu/about-edpb/board/members_en. Germany: Federal Commissioner for Data Protection (BfDI), https://www.bfdi.bund.de. Austria: Austrian Data Protection Authority, https://www.dsb.gv.at. France: CNIL, https://www.cnil.fr. Further authorities at the EDPB link above.

Applicable law: UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025. The UK GDPR grants essentially the same rights as the EU GDPR. Response time: One month. The EU-UK Adequacy Decision was renewed in December 2025 until December 2031, ensuring seamless data transfers. Supervisory authority: Information Commissioner's Office (ICO), https://ico.org.uk, Phone: 0303 123 1113.

Applicable law: Federal Act on Data Protection (nDSG), in force since September 1, 2023. Your rights under nDSG: Right of access (Art. 25), Right to rectification or destruction (Art. 32), Withdrawal of consent (Art. 6(7)). Response time: 30 days. Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch.

The USA does not have a uniform federal privacy law. As of 2026, 20 states have enacted their own comprehensive data protection laws.

Applicable law: Lei Geral de Protecao de Dados Pessoais (LGPD). Your rights under Art. 18 LGPD: Confirmation of processing, access to your data, correction, anonymization/blocking/deletion, data portability, withdrawal of consent. Legal bases: Art. 7 V LGPD (performance of contract), Art. 7 I LGPD (consent), Art. 7 IX LGPD (legitimate interest). Response time: 15 days under Art. 18 LGPD. Supervisory authority: Autoridade Nacional de Protecao de Dados (ANPD), https://www.gov.br/anpd/.

Applicable laws: PIPEDA (federal level), Loi 25 (Quebec), BC PIPA, Alberta PIPA. Your rights: Right to access, correct, withdraw consent, and file complaints. Quebec has had one of Canada's strictest data protection laws since 2023, with right to data portability and mandatory privacy impact assessments. Response time: 30 days. Supervisory authorities: Office of the Privacy Commissioner of Canada (OPC), https://www.priv.gc.ca/. Commission d'acces a l'information du Quebec (CAI), https://www.cai.gouv.qc.ca/.

Applicable law: Privacy Act 1988 (Australian Privacy Principles). Your rights: Right to access (APP 12), Right to correct (APP 13), Right to make a complaint. Australia is currently undergoing a reform process with stricter rules for children's privacy and privacy impact assessments. Response time: 30 days. Supervisory authority: Office of the Australian Information Commissioner (OAIC), https://www.oaic.gov.au/, Phone: 1300 363 992.

Applicable law: Privacy Act 2020. Your rights: Right to access (IPP 6), Right to correct (IPP 7), Right to complain. Response time: 20 working days. Supervisory authority: Office of the Privacy Commissioner, https://www.privacy.org.nz/, Phone: 0800 803 909.

Applicable law: Act on Protection of Personal Information (APPI). Your rights: Right of disclosure (Art. 33), Right to correction (Art. 34), Right to demand suspension (Art. 35), Right to erasure (Art. 37). Response time: Within 2 weeks. Supervisory authority: Personal Information Protection Commission (PPC), https://www.ppc.go.jp/.

Applicable law: Personal Information Protection Act (PIPA) with current amendments to access rights and security expectations. Your rights: Right to access (Art. 35), Right to correction and deletion (Art. 36), Right to restriction of processing (Art. 37), Right to withdraw consent (Art. 22). Response time: 10 days. Supervisory authority: Personal Information Protection Commission (PIPC), https://www.pipc.go.kr/.

Applicable law: Personal Data Protection Act 2012 (PDPA). Your rights: Right to access (Section 21), Right to correct (Section 22), Right to withdraw consent (Section 13). Response time: 30 days. Supervisory authority: Personal Data Protection Commission (PDPC), https://www.pdpc.gov.sg/.

Applicable law: Digital Personal Data Protection Act, 2023 (DPDPA). Phase 2 takes effect on November 13, 2026. Your rights: Right to access (Section 11), Right to correction and erasure (Section 12), Right to grievance redressal (Section 13), Right to nominate (Section 6). Contact: support@splitrate.app. Supervisory authority: Data Protection Board of India (under establishment). Until then: Ministry of Electronics and Information Technology (MeitY), https://www.meity.gov.in/.

Applicable law: Personal Information Protection Law (PIPL). Your rights: Right to know and decide (Art. 44), Right to access and copy (Art. 45), Right to correct and supplement (Art. 46), Right to erasure (Art. 47), Right to explanation of automated decisions (Art. 48). Response time: 15 working days. Supervisory authority: Cyberspace Administration of China (CAC), http://www.cac.gov.cn/. Note: The international transfer of personal data from China is subject to strict requirements under Art. 38 PIPL. For more information about iCloud in China, see Apple's privacy policy for China: https://www.apple.com.cn/legal/privacy/

Applicable law: Protection of Personal Information Act, 2013 (POPIA), in force since July 1, 2021. Your rights: Right to access (Section 23), Right to correct or delete (Section 24), Right to object (Section 11). Response time: 30 days. Supervisory authority: Information Regulator South Africa, https://inforegulator.org.za/, Email: complaints.IR@justice.gov.za.

Applicable law: Privacy Protection Law, 5741-1981. Your rights: Right to access, correct, request deletion. Response time: 30 days. Supervisory authority: Privacy Protection Authority (PPA), https://www.gov.il/en/departments/the_privacy_protection_authority. Israel has an EU adequacy decision.

Applicable laws: Federal Decree-Law No. 45 of 2021 and DIFC Data Protection Law No. 5 of 2020. Your rights: Right to access, rectification, erasure, restriction, data portability, objection. Response time: 30 days. Supervisory authorities: UAE Data Office and DIFC Commissioner of Data Protection, https://www.difc.ae/business/operating/data-protection/.

Applicable law: KVKK (Law No. 6698). Your rights under Article 11: Right to information, rectification, deletion, objection, and compensation for unlawful processing. Response time: 30 days. Supervisory authority: Kisisel Verileri Koruma Kurumu, https://www.kvkk.gov.tr/.

Applicable law: LFPDPPP. Your ARCO rights: Acceso (Access), Rectificacion (Rectification), Cancelacion (Deletion), Oposicion (Objection). Response time: 20 working days. Supervisory authority: Instituto Nacional de Transparencia, Acceso a la Informacion y Proteccion de Datos Personales (INAI), https://home.inai.org.mx/.

Applicable law: Ley de Proteccion de Datos Personales 25.326. Your rights: Access, rectification, deletion, objection. Response time: 10 days. Supervisory authority: Agencia de Acceso a la Informacion Publica (AAIP), https://www.argentina.gob.ar/aaip. Argentina has an EU adequacy decision.

Applicable law: Ley 19.628 sobre Proteccion de Datos de Caracter Personal. Your rights: Right to information, access, rectification and deletion, objection. Response time: 30 days. Supervisory authority: Consejo para la Transparencia, https://www.consejotransparencia.cl/.

Since your data is stored on your device, we recommend: Activate device lock (Face ID, Touch ID, or strong passcode), keep iOS up to date, enable backups (iCloud backup or Finder backup), and enable "Find My iPhone" in case of loss.

For support emails: Encrypted email transmission (TLS/SSL), access restriction to authorized persons, strong passwords and two-factor authentication, regular security updates, and secure deletion procedures. For app development: Secure coding practices, regular security reviews, use of current iOS security features, no integration of insecure third-party SDKs, and code signing via the App Store.

In the event of a data breach, we will notify the competent supervisory authority without delay (EU/EEA and UK: within 72 hours, other jurisdictions: according to local deadlines) and inform affected users if there is a high risk to your rights. Due to our local architecture, the risk of a data breach by us is minimal, as we do not operate any central databases.