splitt — Privacy Policy

01 · Overview

What this policy is.

This policy explains what data splitt collects from you, why we collect it, where we keep it, and what you can do about it. It applies to the splitt mobile app, splitt.app, and any service that links to this policy.

splitt is operated by splitt labs private limited, with its registered office in Bangalore, India. In this document, "splitt", "we", "us", and "our" mean splitt labs private limited.

✓

The plain-English summary:

We only collect data we need to split bills, settle payments, and improve splitt.
We never sell your data to anyone.
Your contacts live on your device. We only see the ones you choose to invite or split with.
You can export or delete everything from inside the app, anytime.

02 · What we collect

Data we collect, by category.

Category	Examples	Why
Account	Phone number, name, profile photo, UPI handle (optional)	Identify your account, send OTPs, attribute splits
Split data	Expenses, group memberships, who paid whom, settlement status	The core product — splitting bills
Receipts	Photos you scan, line items detected by OCR	Receipt scanning (Pro feature)
Contacts	Phone numbers you choose to sync	Match friends already on splitt; invite the ones who aren't
Device	Device model, OS version, app version, anonymous device ID	Diagnostics, crash reports, push notifications
Usage	Screens viewed, features used, errors hit	Aggregate analytics to improve the product
Payments	UPI transaction reference, amount, timestamp — not your bank or card numbers	Auto-mark transfers as settled

What we do not collect

Your bank account number, debit/credit card details, or UPI PIN. UPI payments go through your bank app, never through us.
The contents of your SMS, calls, or messages.
Your precise location. We use approximate city-level location for currency defaults only, with permission.
Anything related to your sensitive personal data — religion, caste, biometrics, political opinions, sexual orientation, etc.

03 · How we use it

What we do with your data.

Run the product. Maintain your account, compute balances, sync across your devices.
Send notifications. "Priya settled ₹600", "Aarav added an expense" — only the kind you've opted into.
Reconcile payments. When you settle over UPI, we read the transaction reference your bank app shares back to mark the split closed.
Detect fraud and abuse. Block spam invites, throttle accounts behaving suspiciously.
Improve splitt. Anonymous, aggregated analytics — never linked to your name or phone number.
Support. When you write to us, we keep the thread to answer follow-ups.

We do not use your data to train third-party large language models. Receipt OCR runs on a dedicated model we operate; line items leave your device encrypted and are deleted from our servers within 30 days.

04 · Who we share with

Sub-processors and partners.

We share the minimum data needed with the following categories of partners. We don't share data for advertising or for sale.

Partner type	What they get	Why
Cloud hosting	Encrypted database, files	AWS Mumbai (ap-south-1) — primary storage
SMS / OTP	Your phone number, OTP code	One-time login
Push notifications	Anonymous device token, notification text	Apple APNs, Google FCM
UPI payment partners	Beneficiary handle, amount	Generate UPI intents you tap-to-pay
Analytics	Anonymous event data, no PII	Aggregate product usage
Crash reporting	Stack traces, OS / device, app version	Fix bugs faster

A current list of sub-processors is maintained at splitt.app/sub-processors and updated when it changes.

05 · Retention

How long we keep things.

Account data: As long as your account is active.
Split history: For the lifetime of the account; you can delete individual splits anytime.
Receipt images: 30 days after upload, then permanently deleted from our servers.
Diagnostics & crashes: 90 days, then aggregated and anonymized.
Support tickets: 24 months after resolution.
Deleted account: Hard-deleted within 30 days. Some payment-reference records may be retained up to 8 years to satisfy Indian tax law (Section 44AA, Income Tax Act).

06 · Your rights

What you can do with your data.

Under the Digital Personal Data Protection Act, 2023, you have the right to:

Access the personal data we hold about you.
Correct anything inaccurate or out of date.
Erase your data, subject to legal retention obligations.
Withdraw consent for any optional processing (analytics, push, contact-sync).
Nominate a person to act on your behalf in the event of your death or incapacity.
Lodge a grievance with our Data Protection Officer (see Contact).

Most of these you can do yourself from Settings → Privacy & data inside the app. Export and delete are instant; we'll email a confirmation.

07 · Security

How we protect it.

The short version is on our Security page. The principles:

TLS 1.3 for everything in transit. AES-256 at rest.
Phone-number based sign-in with rotating OTPs; biometric lock on device.
Receipts and contacts encrypted end-to-end where you choose to opt in.
Least-privilege access internally — engineers see anonymized aggregates by default.
Yearly third-party audits; CERT-In incident response within 6 hours.

08 · Children

Age limits.

splitt is for users aged 18 and above. We don't knowingly collect data from anyone under 18. If you believe a minor has created an account, write to privacy@splitt.app and we'll close it within 7 days.

09 · Changes

When we update this policy.

If we make a material change, we'll notify you in-app and by email at least 30 days before it takes effect, and link to a diff of what changed. Minor edits (typos, clarifications) are logged on this page but don't get a notification.

10 · Contact

Get in touch.

Data Protection Officer: Mehak Pillai · dpo@splitt.app
Privacy queries: privacy@splitt.app
General support: hello@splitt.app
Grievance: If unresolved within 30 days, you may escalate to the Data Protection Board of India at dpdpa.gov.in