Privacy Policy
This Privacy Policy explains how sarussilberg ("KupaPay", "we", "us"), operating from Israel, collects, uses, and discloses information when you use the KupaPay mobile application and related services (the "Service"). For questions, contact sarussilberg@gmail.com.
1. Who We Are (Data Controller)
KupaPay is the controller of your personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the Israeli Privacy Protection Law, 5741-1981, where applicable.
2. Information We Collect
2.1 Information you provide
When you create an account or use the Service, you provide:
- Profile data received from Google sign-in: your name, email address, and profile image.
- Optional profile data you may add later: phone number, default currency, language preference.
- Content you create: groups (name, description, image), expenses (description, amount, category, date, receipt image), settlements, friendships, and group memberships.
2.2 Information generated by your use of the Service
- Activity data: the groups you belong to, the expenses and settlements you create, your friendships and blocks.
- Invite tokens: short URL slugs we generate so you can share invites to friends and groups.
2.3 Information collected automatically
- Technical logs from our infrastructure provider (Supabase): IP address, timestamps of requests, error logs. These are retained for a limited operational period (see Section 7).
2.4 What we do NOT collect
We do not collect: precise location, device advertising identifiers (IDFA / Android Ad ID), push-notification tokens, third-party analytics events, microphone or contact data. If we add any of these in the future, we will update this Policy and, where required, request your consent in advance.
3. How We Use Information
We process your information for the following purposes, on the legal bases listed:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service (account, groups, balances, settlements) | Contract performance (1)(b) |
| Authenticating you via Google | Contract performance (1)(b) |
| Securing the Service and preventing fraud or abuse | Legitimate interest (1)(f) |
| Communicating about your account (e.g., security alerts) | Contract performance (1)(b) |
| Improving the Service | Legitimate interest (1)(f) |
| Complying with legal obligations | Legal obligation (1)(c) |
4. How We Share Information
4.1 With other users
By design, when you join a group, the following becomes visible to all current and future members of that group:
- Your name and profile image.
- The expenses, settlements, and group activity you create or participate in.
When you generate an invite link, anyone with the link can see limited public information (your name and profile image, or the group name) before they join. You can rotate the link at any time to invalidate it.
4.2 With service providers (processors)
We use the following service providers to operate the Service:
- Supabase (Postgres database, authentication, file storage) — our infrastructure provider.
- Google — only for authenticating you via Google Sign-In. We do not receive your Google password, contacts, or any data beyond your basic profile.
- Apple App Store / Google Play — for delivering the app and handling any future in-app purchases.
These providers act on our behalf under written data-processing agreements and are not permitted to use your data for their own purposes.
4.3 For legal reasons
We may disclose information when we are required to do so by a valid legal process (subpoena, court order), or when necessary to protect the rights, safety, or property of KupaPay, our users, or the public.
4.4 We do not sell your personal information
We do not sell your personal information and have no plans to do so.
5. Cookies and Tracking
The KupaPay mobile app does not use cookies and does not engage in cross-site or cross-app tracking. The Google Sign-In flow may involve Google's own cookies/policies; please review Google's privacy notices.
6. International Data Transfers
Your information is processed and stored by Supabase, which hosts data in regions outside Israel. If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses (SCCs) to lawfully transfer your data outside the EEA. You can request a copy of the SCCs from us.
7. Data Retention
We retain your information only as long as necessary for the purposes described in this Policy:
- Active account: as long as your account exists.
- After account deletion: when you delete your account, we mark your profile inactive and hide your name, email, and profile image from group members (you appear as "Deleted user"). The expense records, settlements, and group activity you created remain visible to other group members so that historical balance calculations remain accurate. This is based on our legitimate interest (GDPR Art. 6(1)(f)) in preserving the integrity of shared expense history for the benefit of the other group members. You can request full erasure by contacting us; we will assess each request and inform you which data we are legally able to delete.
- Technical logs: typically 30–90 days, depending on the log type.
- Database backups (Supabase Point-in-Time Recovery): up to 7 days.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete your data, subject to the retention exceptions in Section 7.
- Portability — request a machine-readable export of your data (JSON).
- Objection / restriction — object to certain processing or ask us to restrict it.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint with a supervisory authority:
- Israel: Privacy Protection Authority (Rashut Le-Haganat Ha-Pratiut).
- EU/EEA: your local Data Protection Authority.
- UK: the Information Commissioner's Office (ICO).
If you are a California resident, you also have rights under the CCPA/CPRA: the right to know what we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" (we do neither), and the right to non-discrimination for exercising these rights.
To exercise any of these rights, contact sarussilberg@gmail.com. We will respond within 30 days (or sooner where required by law).
9. Security
We protect your data with appropriate technical and organizational measures, including:
- TLS encryption for data in transit.
- Supabase Row-Level Security policies that restrict who can read which rows.
- Authentication via Google (we do not store your password).
- Limited internal access on a need-to-know basis.
No security measure is perfect. If you suspect unauthorized access to your account, contact us immediately.
10. Minors
The Service is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe that a person under 16 has provided us with personal data, contact us and we will take steps to delete it.
11. Future Features That May Affect Your Privacy
We are transparent about features that are not yet active but may be introduced in the future:
- Advertising. We may display third-party ads in the future. Before doing so, we will update this Policy to disclose ad partners, identifiers used (such as IDFA / Android Ad ID), and we will request your consent where required by law.
- Paid subscriptions. If we introduce paid features, payment is handled by Apple or Google. We do not see your full payment-card details — we only receive your subscription status.
- Analytics. We do not use any third-party analytics today. If we add an analytics provider, we will update this Policy beforehand.
12. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide notice in the Service at least 14 days before the changes take effect. The "Effective date" at the top reflects the current version.
13. Contact
To contact us about this Policy or to exercise your rights, write to:
sarussilberg@gmail.com sarussilberg, Israel