Privacy Policy
Last updated: May 2026
1. Who We Are
ChitPact ("we", "us", "our") operates the expense-splitting service available at chitpact.com. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service. If you have questions, contact us at [email protected].
2. Data We Collect
We collect the following categories of personal data:
Account Information
- Full name
- Email address
- City and country (optional, used for currency defaults)
- Password (stored as a secure hash — we never store your plain-text password)
- Google account identifier (if you sign up via Google)
App Usage Data
- Expenses you create: descriptions, amounts, categories, dates, splits
- Groups you belong to and their members
- Receipt images you upload to the Receipt Vault
- Statement PDFs you upload for bulk expense import (extracted transactions are stored linked to your account)
- Recurring expense configurations
- Your notification and privacy preferences
Technical Data
- IP address at the time of login or registration
- Browser type, device type, and operating system
- Login method and session timestamps (for security and fraud detection)
3. How We Use Your Data
We use your personal data to:
- Provide and operate the ChitPact service
- Send account-related emails (email confirmation, password resets, group invitations)
- Send optional notification emails about group activity (which you can disable)
- Detect and prevent fraud, abuse, and unauthorised access
- Improve and develop the service through aggregated, anonymised usage analysis
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
4. Legal Basis for Processing (GDPR / UK GDPR)
If you are located in the UK or European Economic Area, our legal bases for processing your data are:
- Contract: processing necessary to provide the service you signed up for
- Legitimate interests: security monitoring, fraud prevention, service improvement
- Consent: optional notification emails (you can withdraw consent at any time)
5. Third-Party Services
We use the following third-party services that may process your data:
- Google OAuth — if you sign in with Google, your name and email are shared with us by Google
- Resend — transactional email delivery (confirmation emails, password resets, notifications)
- Azure AI Document Intelligence — OCR processing of receipt images and statement PDFs
- Microsoft Azure (Australia East — Sydney) — all data is hosted in Azure Australia East
Each of these providers processes data on our behalf under data processing agreements. We do not sell your personal data to any third party.
6. Data Sharing
Beyond the third-party services above, we share your data only in the following circumstances:
- Group members: your name and expense data are visible to other members of any group you join — this is core to how the service works
- Legal obligations: we may disclose data if required by law or to protect the rights and safety of users
7. Data Retention
- We retain your account data for as long as your account is active.
- If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance reasons.
- Anonymised, aggregated data (e.g. usage statistics) may be retained indefinitely as it cannot identify you.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate data
- Deletion: request deletion of your personal data ("right to be forgotten")
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: withdraw consent for optional processing (e.g. notification emails) at any time via account settings
These rights apply under the Australian Privacy Act 1988 and Australian Privacy Principles (APPs), the UK GDPR, and equivalent laws in other jurisdictions. To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Cookies and Tracking
ChitPact uses the following cookies and local storage:
- Authentication token: a session token stored in local storage to keep you signed in. This is strictly necessary and cannot be disabled.
- Preferences: theme (light/dark) and UI preferences stored in local storage.
We do not use advertising or third-party tracking cookies.
10. Data Security
All data is encrypted in transit (HTTPS) and at rest. Passwords are hashed using bcrypt and never stored in plaintext. We do not store bank credentials. If you believe your account has been compromised, contact us immediately at [email protected].
11. International Data Transfers
ChitPact serves users across multiple countries. Your data is hosted in Azure Australia East (Sydney). Where data is processed by third-party services outside Australia, we ensure appropriate safeguards are in place in accordance with applicable data protection law.
12. Children's Privacy
ChitPact is not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of ChitPact after changes take effect constitutes your acknowledgement of the revised policy.
14. Contact and Complaints
For privacy-related questions or requests: [email protected]
If you are in the UK or EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK). Australian users may contact the Office of the Australian Information Commissioner (OAIC).
