Privacy Policy

Last updated: May 27, 2026

Last reviewed: 2026-05-27

1. Data We Collect

When you use Olik Split, we may collect the following information:

2. Data Stored Only on Your Device

The following data is stored exclusively on your device and is never transmitted to our servers:

3. How We Use Your Data

4. Third-Party Services

We use the following third-party services. Each is subject to its own privacy policy, linked below.

4a. v1.1 Engagement & Premium Features (effective May 24, 2026)

The following features were introduced in Olik Split v1.1. They are processed on data you already provide under section 1 and do not introduce new third-party processors beyond those listed in section 4. This section exists for explicit auditability.

None of the v1.1 features changes our data retention policy (section 8). You can request deletion of all v1.1 feature data (achievement progress, mastery counters, advisor history, referral attribution) along with your account at any time by following the deletion process in section 8.

5. Data Storage & Security

Your data is stored on a PostgreSQL database hosted on a secure server. Passwords are hashed using bcrypt. All communication between the app and server uses HTTPS/TLS encryption. Receipt images uploaded for AI scanning are stored in a private Cloudflare R2 bucket, signed-URL access only, and deleted after the OCR job completes.

Private payment methods use AES-GCM-256 encryption (CommonCrypto AES on iOS, WebCrypto AES-GCM on the web build). The encryption key is generated on first use and stored in your device's hardware-backed keystore (Android Keystore, iOS Keychain) or — on the web — in localStorage isolated to the oliksplit.app origin. The same value is encrypted again on the server with a separate server-managed key. Public payment methods shared within groups are encrypted server-side only.

Offline data is stored locally using SQLDelight and syncs automatically when connectivity is restored.

6. Data Sharing & Our No-Sale Commitment

We do not sell, rent, or trade your personal data to anyone for any purpose. This includes receipt data, expense entries, payment-method identifiers, and any other personal information you provide. Data is only shared with the third-party processors listed in section 4, and only for the limited purposes of operating the app (authentication, push delivery, AI receipt extraction, ad serving on the free tier, crash reporting, and subscription billing). We will not sell aggregated or anonymized receipt data either, unless and until we update this policy with at least 30 days' advance notice and provide an explicit opt-out.

Within a group, the following is visible to other group members: your display name, username, email, expense/income entries, balances, and public payment methods. Private payment methods are never shared.

7. Access by Authorized Personnel

As the operator of Olik Split, our small operations team may access your account data strictly for the following limited operational purposes:

All administrative access is subject to the following safeguards:

You may request a copy of any administrative actions performed on your account by contacting support@oliksplit.app.

8. Data Retention

Your data is retained as long as your account is active. You may request deletion of your account and all associated data at any time via the in-app "Delete Account" option or by contacting us. Upon deletion, all server-side data (expenses, groups, payment methods, device tokens, notifications) is permanently removed.

9. Data Export & Portability

You can export your expense and balance data in CSV or PDF format at any time from within the app.

10. Your Regional Privacy Rights

Your privacy rights vary by jurisdiction. The subsections below describe the rights guaranteed to residents of specific regions. Anywhere else, you may exercise the rights listed in any subsection — we apply the most generous applicable standard to every account.

10a. EEA, United Kingdom & Switzerland (GDPR / UK GDPR / Swiss FADP)

10.1 Controller & Representative

The controller for your personal data is olikbobik (Olik Split). Contact: support@oliksplit.app. Pending: EU Representative under Article 27 GDPR. Until appointed, EEA users may contact support@oliksplit.app directly.

10.2 Legal Bases for Processing

ProcessingLegal basis (GDPR Art. 6)
Account creation, authentication, expense/group sync, subscription billingContract (Art. 6(1)(b))
Server-side AI receipt OCR (Anthropic)Consent (Art. 6(1)(a))
Firebase Analytics product analyticsConsent (Art. 6(1)(a))
Private payment-method storage (encrypted handles)Consent (Art. 6(1)(a))
AdMob ad serving on the free tierConsent via UMP / IAB TCF v2.2 (Art. 6(1)(a))
Crashlytics crash reporting, server logs, incident reports, abuse preventionLegitimate interest (Art. 6(1)(f))
Compliance with legal obligations (tax, court orders)Legal obligation (Art. 6(1)(c))

10.3 Recipients & International Transfers

RecipientLocationTransfer mechanism
Anthropic, PBCUnited StatesEU-US Data Privacy Framework + SCCs
Google LLC (Firebase + AdMob)United StatesEU-US Data Privacy Framework + SCCs
Cloudflare, Inc. (R2)United States / globalStandard Contractual Clauses (SCCs)
Apple Distribution International Ltd.IrelandIntra-Apple SCCs (no third-country transfer)

10.4 Retention Periods

Data categoryMaximum retention
Account, expenses, groups, payment-method handlesUntil deletion request + 30 days backup purge
Receipt images in Cloudflare R2Up to 90 days (actually deleted shortly after OCR processing)
Firebase Analytics events14 months (GA4 maximum)
Crashlytics crash logs90 days
Support tickets24 months
Incident reports (in-app "Report an issue")12 months
Server access logs (IP, User-Agent)90 days

10.5 Your Rights

Under GDPR / UK GDPR you have the right to: (1) access your personal data, (2) rectification of inaccurate data, (3) erasure ("right to be forgotten"), (4) restriction of processing, (5) data portability, (6) object to processing based on legitimate interest, (7) withdraw consent at any time without affecting the lawfulness of prior processing, and (8) the right not to be subject to solely automated decisions producing legal or significant effects. We respond to verified requests within 30 days.

10.6 Withdraw Consent

You can withdraw consent for OCR, Analytics, and Ads from the in-app Settings → Privacy screen. Some granular toggles will land in v1.2; until then you may also email support@oliksplit.app to revoke any consent immediately.

10.7 Right to Lodge a Complaint

EEA residents may lodge a complaint with their national data-protection authority — see the list at edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office at ico.org.uk.

10.8 Automated Decision-Making

We do not engage in solely automated decision-making producing legal or similarly significant effects on you (GDPR Article 22). The AI Advisor produces written insights only; it does not make eligibility, pricing, or account-status decisions.

10.9 Children

See section 11.

10.10 Switzerland (FADP)

The rights above extend to Swiss residents under the Federal Act on Data Protection (revFADP). Complaints may be filed with the Federal Data Protection and Information Commissioner (FDPIC).

10b. United States (CCPA / CPRA / Multi-State)

If you reside in California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Jersey, or any other U.S. state with a comprehensive consumer-privacy law, you have the following rights:

Minors. We do not knowingly sell or share the personal information of California consumers under 16 or Connecticut consumers under 18 without affirmative opt-in consent.

How to exercise your rights. Email support@oliksplit.app or use the in-app Settings → Privacy → Submit Privacy Request flow Pending in-app form.. We respond within 45 days (extendable by 45 days for complex requests, with notice). We may verify your identity by confirming control of the email on the account.

DNT / GPC. Our website honors Do Not Track and Global Privacy Control browser signals (see section 13). The mobile app does not contain a browser engine; the equivalent in-app control is the Limit Ad Tracking toggle in Settings → Privacy.

10c. Brazil (LGPD)

Esta política também é regida pela LGPD para usuários no Brasil. Versão em português brasileiro disponível.

The controller (controlador) under the Lei Geral de Proteção de Dados (Lei 13.709/2018) is olikbobik. Privacy contact: privacy@oliksplit.app.

Article 18 rights. Brazilian residents (titulares) have the right to: (1) confirmation of processing, (2) access, (3) correction of incomplete, inaccurate, or outdated data, (4) anonymization, blocking, or deletion of unnecessary or excessive data, (5) data portability, (6) deletion of personal data processed with consent, (7) information about public and private entities with which we shared data, (8) information about the possibility of refusing consent and its consequences, and (9) revocation of consent.

Article 7 legal bases. We process personal data under: execution of contract (Art. 7, V), consent (Art. 7, I) for OCR / Analytics / Ads, legitimate interest (Art. 7, IX) for fraud prevention and crash reporting, and compliance with legal obligations (Art. 7, II).

International transfers. Transfers to Anthropic (US), Google LLC (US), and Cloudflare (US/global) occur under Brazilian Standard Contractual Clauses adopted by ANPD Resolution CD/ANPD 19/2024.

Sensitive data. Biometric authentication (fingerprint, Face ID) is processed exclusively on-device by the operating system's secure enclave and never reaches our servers, so we do not process sensitive personal data under LGPD Article 11.

Minors. For users in Brazil specifically, Olik Split is restricted to users aged 18 or older. We do not knowingly process the personal data of children or adolescents in Brazil.

DPO / Encarregado. As a small processing agent, we rely on the exemption from formal DPO appointment provided by ANPD Resolution CD/ANPD 2/2022. Our designated communication channel for LGPD matters is privacy@oliksplit.app.

Complaints. You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

11. Children

Olik Split is intended for users aged 13 and older (16 in the European Economic Area where higher digital-consent ages apply; 18 in Brazil). By creating an account, you represent that you meet the applicable minimum age. We do not knowingly collect personal information from anyone below the applicable threshold. If you are a parent or guardian and believe a minor has created an account, contact support@oliksplit.app and we will delete the account and all associated data promptly upon verification. For California residents, we do not knowingly sell or share personal information of consumers under 16 without affirmative opt-in consent.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

13. Website Analytics

We run a small, self-hosted analytics pipeline for our marketing pages (the consumer landing, the developer landing, the pricing calculator, and the docs site). It exists so we can answer two questions: which docs work, and which links convert. No third-party processor ever sees this data — it lives in the same EU-hosted Postgres database as the rest of the product.

14. Contact

If you have questions about this policy, contact us at support@oliksplit.app.