splitfree

Privacy Policy

Last updated: June 3, 2026

This Privacy Policy explains what personal data splitfree (the "Service", "we", "us") collects and how we use it. We collect only what the Service needs to let you split expenses and settle up — there is no advertising, profiling, or cross-site tracking.

1. What we collect

We collect and store the following personal data:

  • Your email address — provided when you sign in. It identifies your account and is where we send sign-in codes.
  • An optional display name — if you set one, it is shown to the other people you share expenses with instead of your email. You can change or clear it at any time in Settings.
  • Passkey public keys — if you choose to register a passkey, we store its public credential (used to verify sign-in). This never includes any private key or biometric data, which stays on your device.
  • Your shared-expense data — the bills you record (title, amount, currency and date), who paid and who owes what, and the settle-up payments you record (amount, date and an optional free-text note). This is the core of the Service. Note that a bill title or payment note is free text and may contain whatever you type into it, so avoid putting sensitive details there.
  • Contacts you add — the email address (and a name, if you provide one) of each person you add to a bill or payment, so the Service can track who owes whom. See §2.
  • Security logs — to protect accounts and prevent abuse, we keep an audit log of security-relevant events (such as sign-ins, failed sign-ins, and creating or deleting bills and payments). These entries record a timestamp, the event type, the account involved, and the IP address the request came from.

We do not collect phone numbers, payment-card details, or bank-account information, and we use no advertising or tracking cookies. The only cookie we set is the essential one that keeps you signed in.

2. People you add to expenses

splitfree only works if it knows who shared an expense. When you add someone to a bill or a payment, you give us their email address (and optionally a name), and we store it as a contact. If that person does not already have an account, we send them a one-time email letting them know they were added and inviting them to sign in to see what they owe.

Please only add people who expect to share expenses with you. If you are added to an expense and would like your data removed, contact us at the address in §11 — even if you never create an account — and we will handle your request.

3. How we use your data

  • To run the Service — store your bills and payments and compute balances and the simplified settle-up plan.
  • Login — sending one-time sign-in codes and authenticating you.
  • Security and abuse prevention — the audit log (including IP addresses) lets us investigate suspicious activity and rate-limit abuse, such as someone adding many unknown people in a short time.
  • Updates — occasional emails about meaningful changes to the Service. You can opt out of update emails at any time, and doing so will not affect your ability to log in.

We never sell your data or share it for marketing by others.

4. Legal bases (where GDPR applies)

We process your account email and your shared-expense data to provide the Service you asked for (performance of a contract). We keep security logs, including IP addresses, and process the details of the people you add on the basis of our legitimate interest in keeping accounts secure, preventing abuse, and making the Service work as intended. We send update emails on the basis of legitimate interest or your consent, depending on your jurisdiction, and you can withdraw at any time.

5. Who we share it with

We use Resend as our email delivery provider to send sign-in codes, invite emails, and update emails. The relevant email addresses (and, in an invite, the inviter's name and the bill title) are shared with Resend only to deliver those messages, under a data processing agreement that limits Resend to processing them on our instructions.

Resend processes this data in the United States, so this involves a transfer of personal data outside the EU/EEA. That transfer is covered by the European Commission's Standard Contractual Clauses under Resend's data processing terms — an approved safeguard for transfers to countries without an EU adequacy decision.

We may also disclose data if required by law. We do not otherwise share your personal data with third parties.

6. How long we keep it

We keep your account email, display name, passkey credentials, and your shared-expense data for as long as your account is active. Security-log entries (including IP addresses) are kept for a limited period for security and abuse-prevention purposes and may be retained longer where we need them to comply with a legal obligation or to establish or defend legal claims.

When you delete your account or ask us to erase your data, we remove or anonymize your personal data. Some records that are part of an expense shared with other people may be retained in anonymized form so that those other people's balances stay accurate, and we may retain limited information where the law requires it.

7. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict its processing, and to unsubscribe from update emails. You can edit or clear your display name and manage your passkeys yourself in Settings. For everything else — including account deletion, a copy of your data, or any other request above — email us at code@dreschner.eu and we will action it. You also have the right to complain to your local data-protection authority.

8. Children

The Service is not directed to children under 16 (or the age of digital consent in your country), and we do not knowingly collect their personal data.

9. Self-hosting

splitfree is open source and can be self-hosted. If you use an instance run by someone else, the operator of that instance — not us — controls your data and is responsible for its own privacy practices. This Policy covers only the instance operated by us.

10. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email.

11. Contact

For any privacy question or to exercise your rights — including requesting account deletion or a copy of your data — email us at code@dreschner.eu.
