Olik Split

Privacy Policy

Last updated: April 11, 2026

1. Data We Collect

When you use Olik Split, we may collect the following information:

  • Account data — email address, display name, optional username, and avatar URL (provided during sign-up via Google Sign-In or email/password registration).
  • Expense & income data — amounts, descriptions, categories, dates, group associations, recurring expense/income schedules, budget settings, and attached photos or notes that you create within the app.
  • Payment method data — payment service identifiers (e.g. PayPal, Revolut, Monobank, IBAN) that you add to facilitate settlements. Private payment methods are encrypted end-to-end on your device and never stored in plaintext on our servers. Public (shared with group members) payment methods are encrypted server-side.
  • Group & invite data — group names, membership, invite codes, and QR invite links you create or redeem.
  • Device tokens — Firebase Cloud Messaging (FCM) tokens used to deliver push notifications to your device.
  • Notification history — records of push notifications sent to your account (title, body, read status), including payment reminders.
  • Audit logs — we log certain account actions (e.g. creating or modifying expenses, groups, and settlements) along with your IP address for security and abuse prevention purposes.

2. Data Stored Only on Your Device

The following data is stored exclusively on your device and is never transmitted to our servers:

  • Biometric data — fingerprint or Face ID templates used to unlock the app (managed by the operating system's secure enclave).
  • PIN & recovery code — your app-lock PIN hash and one-time recovery code hash are stored in local app settings only.
  • Receipt images — photos scanned by OCR are processed on-device and are not uploaded.
  • Bank notification content — parsed amounts and descriptions from banking notifications are extracted on-device; raw notification content is not sent to our servers.
  • Encryption keys — private payment method encryption keys are stored in the platform keystore (Android Keystore / iOS Keychain) and never leave your device.

3. How We Use Your Data

  • To provide core functionality: creating groups, tracking expenses and income, calculating balances, simplifying debts, and managing budgets.
  • To send push notifications about group activity (new expenses, settlements, payment reminders).
  • To enable data export (CSV/PDF) of your expenses and balances.
  • To maintain audit logs for security, fraud prevention, and debugging purposes.
  • To synchronize your data across devices via our server when you are online.

4. Third-Party Services

We use the following third-party services:

  • Google Sign-In — for authentication via your Google account (using Android Credential Manager / Sign In with Apple on iOS).
  • Firebase Cloud Messaging — for push notifications and payment reminders.
  • Google ML Kit / Apple Vision — for on-device receipt OCR in multiple languages (Latin, Chinese, Japanese, Korean, Devanagari). Images are processed locally and never sent to our servers or to Google/Apple cloud services.

5. Data Storage & Security

Your data is stored on a PostgreSQL database hosted on a secure server. Passwords are hashed using bcrypt. All communication between the app and server uses HTTPS/TLS encryption.

Private payment methods use end-to-end encryption (AES-GCM on Android/JVM, AES-CBC on iOS) with keys stored in the platform's hardware-backed keystore. Public payment methods shared within groups are encrypted server-side using a dedicated server key.

Offline data is stored locally using SQLDelight and syncs automatically when connectivity is restored.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is only shared with the third-party services listed above, solely to provide app functionality.

Within a group, the following is visible to other group members: your display name, username, email, expense/income entries, balances, and public payment methods. Private payment methods are never shared.

7. Access by Authorized Personnel

As the operator of Olik Split, our small operations team may access your account data strictly for the following limited operational purposes:

  • Technical support — investigating issues you report to us, such as missing expenses, sync problems, or billing errors.
  • Incident response — debugging server errors, database issues, or data corruption.
  • Abuse and fraud prevention — investigating spam, harassment, or fraudulent activity reported by other users.
  • Legal requests — complying with valid requests under applicable law (including GDPR data access/deletion requests, subpoenas, or court orders).
  • Account recovery — assisting you if you lose access to your account.

All administrative access is subject to the following safeguards:

  • Logged — every administrative action (such as granting or revoking premium, force-expiring a subscription, or deleting an account) is recorded in an immutable audit log with the administrator's IP address, timestamp, and action type.
  • Authenticated — the administrative interface is protected by a strong secret, with automatic IP blocking after repeated failed attempts.
  • Minimized — administrators have routine visibility only into account metadata (email, username, group names, subscription status, member and expense counts). Individual expense amounts, categories, notes, attached receipts, and personal payment methods are not routinely viewed and are accessed only when required to resolve a specific support ticket or legal request.
  • Not used for profiling or marketing — administrative access is strictly for operational purposes. Your personal data is never analyzed, aggregated, or shared for advertising or commercial profiling.

You may request a copy of any administrative actions performed on your account by contacting support@oliksplit.app.

8. Data Retention

Your data is retained as long as your account is active. You may request deletion of your account and all associated data at any time via the in-app "Delete Account" option or by contacting us. Upon deletion, all server-side data (expenses, groups, payment methods, device tokens, notifications) is permanently removed.

9. Data Export & Portability

You can export your expense and balance data in CSV or PDF format at any time from within the app.

10. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Request a log of administrative actions performed on your account.

To exercise any of these rights, contact us at support@oliksplit.app.

11. Children

Olik Split is not intended for children under 13 years of age. We do not knowingly collect data from children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

13. Contact

If you have questions about this policy, contact us at support@oliksplit.app.

© 2026 olikbobik. All rights reserved.