Privacy Policy

1. Introduction

EvenUp ("we", "our", or "us") operates the EvenUp web application available at https://even-up.com(the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using EvenUp, you agree to the collection and use of information in accordance with this policy.

We are committed to protecting your privacy. This policy complies with applicable data protection laws including the California Consumer Privacy Act (CCPA) and, to the extent applicable, the General Data Protection Regulation (GDPR).

2. Information We Collect

2.1 Information You Provide

• Account information: name, email address, and password when you register
• Profile information: display name and optional avatar image
• Expense data: expense descriptions, amounts, dates, categories, split configurations, and notes you enter
• Group information: group names, member lists, and settings you configure
• Communications: feedback or support messages you send us
• Receipt images: photos you optionally upload for expense receipts

2.2 Information Collected Automatically

• Usage data: pages visited, features used, and interaction patterns (via Vercel Analytics — cookie-free)
• Performance data: Core Web Vitals and page load times (via Vercel Speed Insights — cookie-free)
• Device information: browser type, operating system, and screen resolution
• Log data: IP addresses, access timestamps, and error logs retained by our infrastructure providers

2.3 Information from Third Parties

• Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google
• Splitwise CSV imports: Expense and payment data you voluntarily import from Splitwise exports

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account and provide the Service
• Calculate expense splits, balances, and settlements between you and your groups
• Send transactional emails (account confirmation, password resets, group invitations)
• Send push notifications about expense activity (only if you enable them)
• Respond to your support requests and feedback
• Monitor and improve Service performance, reliability, and security
• Detect and prevent fraudulent or abusive activity
• Comply with legal obligations

We do not sell your personal data. We do not use your expense data for advertising, profiling, or any purpose beyond operating the Service.

4. Data Storage and Security

Your data is stored in Supabase (PostgreSQL database hosted on AWS), protected by:

• Row-Level Security (RLS) — you can only access your own data
• TLS/SSL encryption in transit
• AES-256 encryption at rest
• CSRF protection and rate limiting on all API endpoints
• Password hashing using bcrypt

Receipt images are stored in Supabase Storage (S3-compatible). No payment card numbers or bank credentials are ever stored — EvenUp only tracks who owes whom, not financial account details.

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data. We may share your information only in the following circumstances:

• With group members: Expense details, your name, and balance information are visible to other members of groups you join. This is core to the Service.
• Service providers: We use Supabase (database/auth), Vercel (hosting/analytics), and Resend (transactional email). These providers process data only as necessary to provide the Service and are bound by data processing agreements.
• Legal requirements: We may disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of EvenUp, our users, or the public.
• Business transfers: If EvenUp is acquired or merged, your data may be transferred as part of that transaction. We will notify you via email before your data is transferred.

6. Cookies and Tracking

EvenUp uses no advertising cookies or third-party trackers. We use essential session cookies required for authentication (managed by Supabase Auth). Our analytics (Vercel Analytics and Speed Insights) are cookie-free and do not track individual users across sessions or sites. We do not use Google Analytics, Facebook Pixel, or any advertising networks.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. You may delete your account at any time from Settings → Account. Upon deletion:

• Your profile and authentication credentials are permanently deleted
• Expense records where you are the sole member are permanently deleted
• Expense records in shared groups retain anonymized data to preserve the integrity of other members' records
• Backup copies may be retained for up to 30 days in automated backups before permanent deletion

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Request your data in a machine-readable format
• Objection: Object to certain types of processing (e.g. direct marketing)
• Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@even-up.com. We will respond within 30 days. California residents may have additional rights under the CCPA.

9. Children's Privacy

EvenUp is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you believe a child under 13 has provided us with personal data, please contact us at privacy@even-up.com.

10. International Data Transfers

EvenUp is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place for any international transfers of personal data.

11. Third-Party Services

Our Service integrates with the following third-party services, each with their own privacy policies:

• Supabase — database, authentication, file storage
• Vercel — hosting and analytics
• Resend — transactional email delivery
• Google — OAuth sign-in (optional)

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will also send an email notification to registered users. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at: