Privacy Policy
Last updated: March 8, 2026
This Privacy Policy explains how Divvy collects, uses, discloses, and stores information when you use the Divvy mobile app, the godivvy.app website, the public receipt demo, and related services. It also describes your choices and how to contact us.
By using Divvy, you acknowledge that we may process your information as described in this Privacy Policy and our Terms of Service.
1. Information We Collect
The information we collect depends on how you use Divvy, which features you enable, and whether you use the mobile app, the authenticated website experience, or the public receipt demo.
Account and profile information
- Email address and/or phone number used for one-time-passcode authentication.
- Profile details such as display name, username, avatar, and optional payment handles like Venmo, Cash App, PayPal.me, and Zelle identifiers.
- Contact details you provide when you reach out for support or send feedback.
Expense, trip, and social data
- Trips, divvys, ledgers, expenses, receipt claims, settlements, wishlists, polls, activity feed entries, invite codes, and related collaboration data.
- Participant information you add to a split, including placeholder participants and phone numbers when you create invite-based or ephemeral members.
- Notification preferences, in-app notifications, and payment history shown inside the product.
Contacts data
- If you grant contacts access, Divvy reads contact names and phone numbers from your device to help you find existing users and invite other people.
- Phone numbers are normalized and compared against Divvy user records through our backend matching flow.
- The current release is built to read phone/contact properties for matching and invitations, not contact photos.
Photos, camera, and receipt data
- If you use receipt scanning or profile-photo features, Divvy can access your camera and photo library to capture or import images.
- Receipt images may be stored locally on your device, uploaded to Divvy storage, and processed to extract merchant name, line items, totals, tax, service fees, claim actions, corrections, and related telemetry.
- For the public website receipt demo, uploaded receipts, parsed output, feedback, and review artifacts may be retained for abuse prevention, quality review, debugging, analytics, and product improvement.
Device, usage, and diagnostic information
- Platform details, app session identifiers, route/screen activity, app lifecycle events, and product usage analytics.
- Analytics profile data associated with your mobile usage, such as email address, display name, username, avatar status, payment-handle status, and account creation date, when analytics is enabled in the app.
- Push-notification device tokens, notification interactions, and notification preference state.
- Website request metadata such as auth-cookie state, receipt-demo session identifiers, and IP-derived hashes used for security and rate limiting.
2. Permissions And Device Access
The current production code requests the following mobile-device permissions when you use the related features:
| Permission | Why We Ask |
|---|---|
| Contacts | Used to find people already on Divvy and help you invite others by phone number. |
| Camera | Used to capture receipt images and optionally take a profile photo. |
| Photos / media library | Used to import receipt images and select profile photos from your device. |
| Notifications | Used to send settlement reminders, expense updates, social activity, and other product notifications, including background remote notifications on supported platforms. |
The current release does not request precise location or microphone permissions in its primary production flows, and the current mobile app code does not include a third-party advertising SDK.
3. How We Use Information
- Provide authentication, account management, and product features.
- Create, maintain, and display trips, balances, expenses, settlements, notifications, and collaboration history.
- Process receipts, improve receipt parsing accuracy, investigate failures or abuse, and review parser quality through restricted internal admin tools.
- Help you find contacts, invite other people, and manage placeholder or claimed participants.
- Deliver push notifications and support external payment, sharing, and invite flows that you initiate.
- Measure product usage, improve performance, debug issues, and operate the website and mobile app safely.
- Comply with legal obligations, enforce our terms, and protect Divvy, our users, and the public.
4. Receipt Parsing, AI Processing, And Demo Uploads
Divvy offers receipt-processing features inside the mobile app and a public receipt demo on the website. These flows involve image uploads and structured extraction of receipt content.
- In the mobile app, receipt images can be captured or imported, stored locally, uploaded to private Supabase storage, and sent to a Divvy-controlled receipt parsing service that uses Google Gemini to extract line items, merchant name, totals, tax, and service fees.
- The app also logs parse events, corrections, claims, thumbnails, and thumbs-up/down feedback to improve the receipt experience and help diagnose failures.
- On the website demo, uploaded receipts may be processed with Cloudflare Turnstile, rate-limited with a session cookie and IP-derived hash, parsed through Divvy backend services, and retained with associated telemetry, feedback, and admin-review artifacts.
- Restricted Divvy administrators may review parse events, thumbnails, and related quality signals in internal dashboards to monitor parser performance and investigate operational issues.
5. Cookies, Local Storage, And Similar Technologies
- The website uses Supabase-managed authentication cookies to keep you signed in across server-rendered and client-rendered requests.
- The public receipt demo uses an HTTP-only receipt_demo_session cookie with a 30-day lifetime to enforce demo-session limits and related abuse controls.
- The mobile app stores local data on your device, including offline cache data, receipt drafts, receipt images saved in app storage, onboarding state, and contacts-sync preference state.
6. How We Share Information
We do not sell personal information or share it for cross-context behavioral advertising. We do share information in the following categories when needed to run Divvy:
Infrastructure and backend
Supabase provides authentication, database, storage, server-side functions, and some operational services.
Analytics and product telemetry
PostHog is used for in-app analytics and product-usage measurement.
Push notifications
Firebase Cloud Messaging and platform push services are used to deliver mobile notifications.
Receipt parsing and abuse controls
Google Gemini is used through Divvy-controlled backend services for receipt parsing. Cloudflare Turnstile and Upstash are used on the website demo for bot prevention and rate limiting.
User-initiated external flows
If you choose to use payment, invite, share, SMS, email, or browser-launch features, data you send through Venmo, Cash App, PayPal, Zelle, share sheets, mail clients, or SMS providers is governed by those third parties.
Legal and business transfers
We may disclose information if required by law, to protect rights and safety, or in connection with a merger, financing, acquisition, or asset sale.
7. Data Retention
- We retain account, expense, trip, settlement, and related records for as long as needed to provide the service, maintain accurate financial history, comply with legal obligations, and resolve disputes.
- Mobile draft receipts are currently limited in-app to a maximum of five saved drafts and are cleaned up when they become stale; draft cleanup targets items older than 30 days.
- Signed receipt URLs generated for in-app access currently expire after one hour.
- Push-notification device tokens are retained until removed, replaced, or deleted during logout/device-token cleanup.
- Receipt-demo session cookies currently expire after 30 days unless cleared sooner.
- We may keep telemetry, thumbnails, logs, and security records for debugging, analytics, abuse prevention, and operational review for as long as reasonably necessary.
8. Your Choices And Rights
Permission controls
You can decline or revoke contacts, camera, photo, and notification permissions through your device settings. Some features will not work without the required access.
Notification settings
You can manage notification preferences in the app and through your device notification settings.
Contacts sync
You can choose whether to enable contacts sync. Divvy stores local sync-preference state and last-sync timestamps on your device.
Website cookies
If you block or clear cookies, login state and receipt-demo session controls may stop working correctly.
Access, correction, and deletion requests
Depending on where you live, you may have rights to access, correct, delete, or export your information. Contact us to submit a request.
9. Security
We use administrative, technical, and organizational safeguards designed to protect personal information, including authenticated access controls, backend authorization rules, signed URLs for some stored files, and environment-based secret management. No system is perfectly secure, so we cannot guarantee absolute security.
10. Children's Privacy
Divvy is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Divvy, contact us so we can review and address the issue.
11. International Transfers
Divvy and the service providers we use may process information in the United States and other countries where privacy laws may differ from those in your jurisdiction.
12. Changes To This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and may provide additional notice if the changes are material.
13. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or Divvy's privacy practices, contact us at hello@godivvy.app.