Privacy Policy

Overview

WhoOwes ("we", "us", "our") is an independent mobile application that helps individuals track and settle shared expenses with friends and groups. WhoOwes is operated by the WhoOwes Team — an independent developer working on the app as a personal project. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the rights you have over your data.

By using WhoOwes, you agree to the practices described in this Policy. If you do not agree, please do not use the app.

Data we collect

Information you provide directly

• Account information. When you sign up, we collect your name, email address, and (if you use that sign-in method) your phone number. Profile photo URLs may be received from your sign-in provider.
• Authentication identifiers. Depending on the sign-in method you choose: a Google account ID, an Apple Sign-In identifier, a Firebase user ID for email/password sign-in, or a WhatsApp-verified phone number. We do not receive or store your passwords for Google, Apple, or WhatsApp sign-in.
• Payment references (optional). If you add a UPI Virtual Payment Address (VPA) to your profile, we store the VPA string so you can be paid by other users. We never see, process, or store actual payment amounts or bank credentials — settlements happen in your UPI app, not in WhoOwes.
• Expense data you create. Expense descriptions, amounts, dates, categories, attachments (receipts), the people involved, who paid, how the cost is split, and any notes on settlements.
• Group and friendship data. Groups you create or join, the members of those groups, and the friend relationships you establish.
• Support communications. If you email support, we retain the message and our reply.

Information collected automatically

• Device push notification token. When you allow notifications, we receive and store an Expo / FCM / APNs push token tied to your device so we can send you alerts about new expenses, settlements, and group activity.
• Session tokens. A randomly generated session token is stored locally on your device and on our server to keep you signed in.
• Basic technical data. When the app calls our backend, our hosting provider receives standard request metadata (IP address, request time, user-agent). We do not use this for tracking or profiling.

Information from your device (with permission)

• Contacts (optional). If you use the "Add from Contacts" feature, the app reads contact entries on your device only at the moment you tap the picker. Phone numbers you select are sent to our backend to look up existing WhoOwes users or to invite new ones. Other contacts in your address book are not uploaded.
• Camera and photos (optional). If you attach a receipt to an expense, you can capture a photo with the camera or pick an image from your library. Only the file you select is uploaded.
• Notifications. If you grant notification permission, you will receive push notifications about activity relevant to you.

Information we do not collect

• We do not collect your precise location.
• We do not include third-party advertising SDKs or trackers.
• We do not sell your data.
• We do not use cookies on the app (only on this website, where they are limited to functional purposes — see Cookies).

How we use it

• To operate the app: sign you in, save your expenses, calculate balances, settle debts, send invitations, and sync data across your devices.
• To send notifications: alert you to new expenses, settlements, and group activity (only via push, only if enabled).
• To match contacts: when you use the contacts picker, to find friends who are already on WhoOwes.
• To support you: respond to questions and resolve account issues.
• To keep the service safe: detect abuse and prevent unauthorized access.
• To comply with the law: respond to valid legal requests where required.

We rely on the following legal bases under the EU/UK GDPR, where applicable: contract (to provide the service you signed up for), legitimate interests (to keep the service secure and improve it), consent (for optional features like notifications and contacts access), and legal obligation (where required).

Sharing

We share your information only in these specific cases:

• Other users you interact with. Friends and group members see your name, profile photo, and the shared expenses, settlements, and balances between you. Your email and phone number are visible to friends you are connected to.
• Service providers we rely on. We use third-party processors strictly to operate the app:
  • Convex — our backend database and serverless function host. Your account data, expenses, and settlements are stored on Convex's infrastructure.
  • Firebase Authentication (Google) — for email/password sign-in.
  • Google Identity Services — for Sign in with Google.
  • Apple — for Sign in with Apple (iOS).
  • WhatsApp Business Platform (Meta) — for WhatsApp sign-in via OTP. The phone number you verify is shared with Meta only for the purpose of delivering the verification message.
  • Expo / FCM / APNs — to deliver push notifications.
  • Cloudflare — to host this website.
  Each processor handles your data under its own privacy terms. We share with them only what is necessary to operate the feature involved.
• Legal requests. If we receive a valid legal order, we may disclose information to the extent required by law.
• Corporate transactions. If WhoOwes is sold or merged, your data may transfer to the successor entity. We will notify you before any such transfer.

We do not share your data with advertisers, data brokers, or for marketing purposes.

Retention

• Account data is retained for as long as your account is active.
• Expense and settlement records are retained for as long as the related group or friendship exists, since other users may rely on the same record.
• Session tokens expire on their own and are removed when you sign out.
• Push tokens are removed when you disable notifications, sign out, or uninstall the app.
• Support emails are retained for up to two years.
• Backups may persist for up to 30 days after deletion.

When you delete your account (see "Your rights"), we delete your personal profile and disconnect you from groups. Shared expense records remain accessible to the other participants who created or settled them, with your identity anonymized.

Security

We use industry-standard technical and organizational measures to protect your data, including TLS encryption in transit, encrypted storage on our backend infrastructure, and access controls limiting who can reach production systems.

No system is perfectly secure. You are responsible for keeping your sign-in credentials safe. If you believe your account has been compromised, please contact us immediately.

Your rights

Depending on where you live, you may have some or all of the following rights:

• Access — request a copy of the personal data we hold about you.
• Correction — fix inaccurate or incomplete information. You can edit your name and UPI VPA directly in the app under Account.
• Deletion — request that we delete your account and the personal data associated with it.
• Restriction or objection — ask us to limit how we use your data.
• Portability — receive your data in a portable format.
• Withdraw consent — turn off notifications, revoke contacts permission, or stop using the app at any time.
• Complaint — lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@whoowes.app from the email address on your account. We respond within 30 days.

If you are a California resident, you also have the rights described under the CCPA/CPRA, including the right to know what we collect, the right to delete, the right to correct, and the right to opt out of sale or sharing of personal information (we do not sell or share your personal information for cross-context behavioral advertising).

Children

WhoOwes is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us their information, contact us and we will delete it.

International transfers

Your data may be processed in countries other than where you live. We rely on standard contractual clauses and our processors' compliance frameworks where required by applicable law (including GDPR Article 46 safeguards).

Cookies (this website)

This website (whoowes-legal.pages.dev) uses no cookies and no analytics. Cloudflare, our hosting provider, may log standard request metadata at the network level — see Cloudflare's privacy policy for details.

Changes

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. If we make a material change, we will notify you in-app or by email before it takes effect.

Contact

If you have any questions about this Policy or your data:

Email: support@whoowes.app
Operated by: WhoOwes Team