KupaPay

Privacy Policy

Version 1.0.0 · Effective June 2, 2026

Privacy Policy

This Privacy Policy explains how sarussilberg ("KupaPay", "we", "us"), operating from Israel, collects, uses, and discloses information when you use the KupaPay mobile application and related services (the "Service"). For questions, contact sarussilberg@gmail.com.

1. Who We Are (Data Controller)

KupaPay is the controller of your personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and the Israeli Privacy Protection Law, 5741-1981, where applicable.

2. Information We Collect

2.1 Information you provide

When you create an account or use the Service, you provide:

2.2 Information generated by your use of the Service

2.3 Information collected automatically

2.4 What we do NOT collect

We do not collect: precise location, device advertising identifiers (IDFA / Android Ad ID), push-notification tokens, third-party analytics events, microphone or contact data. If we add any of these in the future, we will update this Policy and, where required, request your consent in advance.

3. How We Use Information

We process your information for the following purposes, on the legal bases listed:

Purpose Legal basis (GDPR Art. 6)
Providing the Service (account, groups, balances, settlements) Contract performance (1)(b)
Authenticating you via Google Contract performance (1)(b)
Securing the Service and preventing fraud or abuse Legitimate interest (1)(f)
Communicating about your account (e.g., security alerts) Contract performance (1)(b)
Improving the Service Legitimate interest (1)(f)
Complying with legal obligations Legal obligation (1)(c)

4. How We Share Information

4.1 With other users

By design, when you join a group, the following becomes visible to all current and future members of that group:

When you generate an invite link, anyone with the link can see limited public information (your name and profile image, or the group name) before they join. You can rotate the link at any time to invalidate it.

4.2 With service providers (processors)

We use the following service providers to operate the Service:

These providers act on our behalf under written data-processing agreements and are not permitted to use your data for their own purposes.

4.3 For legal reasons

We may disclose information when we are required to do so by a valid legal process (subpoena, court order), or when necessary to protect the rights, safety, or property of KupaPay, our users, or the public.

4.4 We do not sell your personal information

We do not sell your personal information and have no plans to do so.

5. Cookies and Tracking

The KupaPay mobile app does not use cookies and does not engage in cross-site or cross-app tracking. The Google Sign-In flow may involve Google's own cookies/policies; please review Google's privacy notices.

6. International Data Transfers

Your information is processed and stored by Supabase, which hosts data in regions outside Israel. If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses (SCCs) to lawfully transfer your data outside the EEA. You can request a copy of the SCCs from us.

7. Data Retention

We retain your information only as long as necessary for the purposes described in this Policy:

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

If you are a California resident, you also have rights under the CCPA/CPRA: the right to know what we collect, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" (we do neither), and the right to non-discrimination for exercising these rights.

To exercise any of these rights, contact sarussilberg@gmail.com. We will respond within 30 days (or sooner where required by law).

9. Security

We protect your data with appropriate technical and organizational measures, including:

No security measure is perfect. If you suspect unauthorized access to your account, contact us immediately.

10. Minors

The Service is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe that a person under 16 has provided us with personal data, contact us and we will take steps to delete it.

11. Future Features That May Affect Your Privacy

We are transparent about features that are not yet active but may be introduced in the future:

12. Changes to This Policy

We may update this Policy from time to time. For material changes, we will provide notice in the Service at least 14 days before the changes take effect. The "Effective date" at the top reflects the current version.

13. Contact

To contact us about this Policy or to exercise your rights, write to:

sarussilberg@gmail.com sarussilberg, Israel