Last updated: April 10, 2026
This privacy policy explains which personal data we process when you use the mobile app "SplitBuddies", for what purposes, and which rights you have as a data subject. It applies to all versions of the app available in the Apple (iOS) and Google (Android) app stores within the European Union.
1. Controller according to Art. 4 No. 7 GDPR
Name / Provider
Simon Buchholz
Füssener Str. 11
87600 Kaufbeuren
Germany
E-Mail: splitbuddies.appbench@gmail.com
2. Categories of Data, Purposes, and Legal Bases
| Processing Activity | Categories of Data | Purpose | Legal Basis |
|---|---|---|---|
| Account Registration & Login (via Auth0) | Email address; Auth0 user ID; if applicable, social login provider ID; display name; profile picture URL | Provision and management of your user account; authentication (passwords are processed exclusively
by Auth0 and are not stored by SplitBuddies) |
Art. 6(1)(b) GDPR (Contract) |
| App Usage (managing expenses) | Expenses, amounts, group and contact names entered by you | Core function of the app: recording, calculating, and displaying shared expenses | Art. 6(1)(b) GDPR |
| System Logs & Error Reports | IP addresses, device type, operating system, timestamps, request IDs, error messages | Stability, error analysis, abuse detection | Art. 6(1)(f) GDPR (legitimate interest in app security) |
| Contact via Email | Email address, content of your message | Support, response to inquiries | Art. 6(1)(f) GDPR |
| Transactional Emails (via AhaSend) | Recipient email address, sender display name | Delivering transactional emails: account verification, password reset, and invitation emails | Art. 6(1)(b) GDPR (Contract) |
We do not use tracking or analytics SDKs for advertising purposes and do not integrate any advertising networks.
3. Minors
SplitBuddies is not specifically directed at children. Users under the age of 16 may only use the app with the consent of their legal guardians (Art. 8 GDPR). We will request proof of age or consent if we become aware that an account is operated by a minor without the necessary consent.
4. Storage Location and Recipients of Data
| Service | Role | Processing Location | Safeguards |
|---|---|---|---|
| Google Cloud | Hosting of server application and access logs | Data centers in Belgium | Data Processing Agreement (DPA) incl. EU Standard Contractual Clauses, ISO 27001 |
| CockroachDB Cloud | Database for app data | Data centers in Belgium | DPA, encryption at rest/in transit |
| Auth0 (Okta) | Identity provider (login, token management) | EU region | DPA, Standard Contractual Clauses, ISO 27018 |
| AhaSend B.V. | Transactional email delivery (account verification, password reset, invitation emails) | EU (Hetzner data centers in Germany and Finland; DA International Group in Bulgaria) | DPA, email content deleted after 14 days |
No data is transferred to third countries outside the European Economic Area.
5. Storage Period and Deletion
Account data is stored as long as your user account exists. You can delete your account at any time via the app settings.
After account deletion, we remove personal data from our active systems within 30 days.
To maintain the integrity of existing group calculations, expense entries remain in anonymized form (without reference to your person).
Server logs and backup copies are automatically deleted after a maximum of 90 days.
5a. Local Storage on Your Device (§ 25 TDDDG)
The app stores a small amount of data locally on your device. This storage is strictly necessary for the service you explicitly requested (§ 25(2) No. 2 TDDDG) and does not require separate consent:
- Authentication session: A flag that records whether you have a valid login session, so you do not have to re-authenticate on every app start. Stored via SharedPreferences (Android) / UserDefaults (iOS).
- Last-used currency: The most recently selected currency per friend or group, so the app can pre-fill the correct currency when you add an expense. Stored via SharedPreferences (Android) / UserDefaults (iOS).
- Login credentials: Access tokens and user profile information are stored in platform-native secure storage (iOS Keychain / Android Keystore) by the Auth0 SDK.
- Avatar cache: Profile pictures are cached locally to reduce network traffic. The cache is limited to 200 images and automatically expires after seven days.
None of this data is shared with third parties. You can clear all locally stored data by deleting the app from your device.
6. Security of Processing (Art. 32 GDPR)
We implement appropriate technical and organizational measures, including: TLS encryption of all connections (App ↔ Backend ↔ Database), encryption of stored data ("at rest"), role-based access control for authorized personnel only, and regular security updates.
7. Rights of Data Subjects
You have the right at any time to:
- Obtain information about the data we store about you (Art. 15 GDPR),
- Request rectification of inaccurate data (Art. 16 GDPR),
- Request erasure or exercise the "right to be forgotten" (Art. 17 GDPR),
- Request restriction of processing (Art. 18 GDPR),
- Object to processing based on legitimate interest for reasons arising from your particular situation (Art. 21 GDPR); this applies in particular to the processing described in § 2 under Art. 6(1)(f) GDPR,
- Request data portability (Art. 20 GDPR),
- Withdraw consent at any time (Art. 7(3) GDPR).
To exercise these rights, please contact splitbuddies.appbench@gmail.com.
8. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. The competent authority for the provider is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27, 91522 Ansbach, Germany
https://www.lda.bayern.de
9. Obligation to Provide Data
Providing an email address is required to create a SplitBuddies account and use the service. Without this information, the app cannot be operated. All other data (e.g., profile picture) is voluntary.
10. Automated Decision-Making / Profiling
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
11. Changes to this Privacy Policy
We reserve the right to amend this privacy policy if the app or the legal situation changes. We will inform you of any material changes in the app or by email.
12. Language
The German version of this privacy policy is legally binding. Translations into other languages are provided solely for convenience. In case of discrepancies, the German version shall prevail.