Divvy — Privacy Policy
Last updated: April 2026
1. Who We Are
Divvy ("we", "us", "our") is a mobile application that facilitates bill splitting. This policy explains how we collect, use, and protect your personal information.
We are incorporated in South Africa and comply with the Protection of Personal Information Act (POPIA). For users outside South Africa, we also adhere to applicable local privacy regulations including the GDPR (EU/EEA), UK GDPR, and other relevant data protection laws.
2. Information We Collect
We collect the following personal information:
- Account information: email address, display name, password (stored as a secure hash)
- Optional: phone number and country code (for SMS verification)
- Optional: profile photo
- Receipt data: scanned receipt images and extracted item data for bill splitting. Receipt photos are sent to Google's Gemini AI service for text extraction (OCR) and are not stored by Google beyond the processing request. Extracted data (item names, prices, totals) is stored on our servers for bill management.
- Push notification tokens: device push notification identifiers for sending bill-related notifications
- Device information: device type, operating system (for biometric authentication support)
3. How We Use Your Information
- To create and manage your account
- To facilitate bill splitting features
- To send verification codes via email or SMS
- To improve our services and user experience
4. Third-Party Services
We use the following third-party services that may process your data:
- Resend — transactional email delivery
- Twilio — SMS delivery for phone verification
- Google Gemini — receipt OCR processing. Receipt images are transmitted to Google's API solely for text extraction. Images are processed in real time and are not retained by Google after processing. No personal information from your account is sent with the image.
- Google Sign-In / Apple Sign-In — authentication services that provide your name and email for account creation
- Expo Push Notifications — delivery of push notifications to your device
5. Data Security
We implement industry-standard security measures including:
- Passwords are hashed using bcrypt
- All API communication uses HTTPS/TLS
- JWT tokens with short expiry for session management
- Rate limiting on authentication endpoints
6. Data Retention
We retain your personal information for as long as your account is active. Transaction records are retained for a minimum of 5 years for regulatory compliance. You may request deletion of your account and associated data by contacting us.
7. Your Rights
Depending on your location, you have rights regarding your personal data under applicable privacy laws:
- Access your personal information
- Request correction of inaccurate information
- Request deletion of your personal information
- Object to the processing of your personal information
- Data portability (export your data)
- Lodge a complaint with your local data protection authority
South African users may contact the Information Regulator. EU/EEA users may contact their national Data Protection Authority. To exercise any of these rights, contact us at the address below.
8. Children's Privacy
Divvy is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
9. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via the app or email.
10. Contact Us
For privacy-related inquiries, contact us at: privacy@divvyapp.co.za