Privacy Policy

1. Data Controller

The controller of your personal data is the creator and operator of the "Let's Settle Up!" application (hereinafter: the "App"). For data protection inquiries, contact: michal.salwin@gmail.com.

2. Data We Collect

• First and last name (provided during registration or from your Google account)
• Email address
• Profile photo (if you sign in with Google)
• Expense and settlement data within the groups you belong to

3. Purpose and Legal Basis for Processing

We process your data for the following purposes:

• Service provision — enabling expense tracking within groups (Art. 6(1)(b) GDPR — performance of a contract / provision of a service under the Terms of Service)
• User identification — login and account management (Art. 6(1)(b) GDPR)
• Push notifications — informing you about events in your groups, such as new expenses, settlements or invitations (Art. 6(1)(b) GDPR). Notifications are delivered via Firebase Cloud Messaging (FCM); you can disable system notifications for the App at any time in your device settings, and you may toggle the relevant notification categories within the App (Profile → Notifications).
• Crash diagnostics — collecting technical information about application crashes to identify and fix bugs (Art. 6(1)(a) GDPR — your consent). See section 9 below.

4. Data Recipients

• Google LLC (Firebase) — as a data processor. Google processes data in accordance with its Data Processing Addendum.
• Other members of your group — they can see your name, email, and expenses and settlements within the shared group.

5. Data Storage

• Data is stored in Cloud Firestore in the europe-central2 (Warsaw, Poland) region.
• Some Google services may process data in the USA — Google participates in the EU-U.S. Data Privacy Framework (DPF), which is recognized by the European Commission as a valid basis for data transfers.

6. Data Retention and Account Deletion

We retain your data until you delete your account. You can delete your account in the app settings (Profile → Delete Account). Upon account deletion:

• Personal data (first name, last name, email, profile photo) is permanently deleted.
• Authentication account (Firebase Authentication) is permanently deleted.
• Expense and settlement records in groups are anonymized — attributed to a "Deleted User" label — to preserve the integrity of settlements for remaining group members (Art. 17(3)(b) GDPR — legitimate interest of third parties).
• Anonymized data does not constitute personal data within the meaning of the GDPR (Recital 26), as it does not allow identification of a natural person.

7. Your Rights

Under the GDPR, you have the following rights:

• Right of access to your data (Art. 15 GDPR)
• Right to rectification of your data (Art. 16 GDPR)
• Right to erasure — "right to be forgotten" (Art. 17 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland

To exercise any of these rights, contact us at: michal.salwin@gmail.com.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Data transmission encryption (TLS/HTTPS)
• Firebase Security Rules (Firestore Security Rules)
• User authentication (Firebase Authentication)

9. Crash Diagnostics (Firebase Crashlytics)

On the Android version of the App we use Firebase Crashlytics to collect technical information about application crashes (stack traces, device model, Android version, application state at the time of the crash). Crash reports do not contain the content of your expenses, group names, or other personal data you entered into the App.

• Legal basis: your consent (Art. 6(1)(a) GDPR). Crash reporting is disabled by default and may be enabled in Profile → Crash reporting inside the App, after reviewing an informed-consent dialog. You can withdraw your consent at any time using the same toggle; withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Retention period: up to 90 days (Firebase Crashlytics default).
• Processor: Google LLC. Crash reports may be processed in the USA on the basis of the EU-U.S. Data Privacy Framework (DPF).
• Web version: Crashlytics is not active in the web version of the App.

10. Cookies and Analytics

The App: uses only technical cookies necessary for the service to function (authentication session). We do not use marketing or advertising cookies.

The website (letssettleup.com): we use Google Analytics 4 (measurement ID G-33RZE0998D) to measure traffic on the landing page and clicks on the “Open app” and “Google Play” buttons. Measurement uses cookies and is enabled only after you give consent (consent banner shown on first visit) — by default we apply Google Consent Mode v2 with storage denied. IP addresses are anonymised (anonymize_ip parameter). Data is processed by Google LLC and may be transferred to the USA under the EU-U.S. Data Privacy Framework (DPF). You can withdraw your consent at any time by clearing the site's browser data (key landing_analytics_consent in localStorage) or by declining the consent banner. Legal basis: your consent (Art. 6(1)(a) GDPR).

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy. Users will be notified of significant changes via an in-app notification.

Last updated: June 1, 2026