Last updated: June 2026
Splito helps groups track and split shared expenses. You can use it as a native app (Google Play, Apple App Store), as a web application, or both — connected to our API. This notice explains what personal data is involved, why we process it, and what rights you have. It also covers the marketing site at splito.de, invite links (e.g. /event/…), and the servers behind the API.
Controller
Splito.de
c/o Sven Antwertinger
Email:
Data processing in the app, web app, and API
When you create or join a group, or add expenses, we process data you and other participants enter or upload in Splito. Most of this lives on your device first (offline-first); when you sync or use server features, data is sent to our API and stored there.
- Device identifier: API clients send a device ID in a header (Device-ID). We use it to issue API tokens and associate requests with a device — without a classic email-based account.
- Access tokens: After requesting a token, we store a personal API token (Laravel Sanctum). You can replace it by requesting a new one.
- Groups & participants: Group name, optional description and image, participant display names, and links between people, expenses, and payments.
- Expenses & splits: Amounts, descriptions, dates, currency, who paid and who owes, recurring expense templates, and calculated balances.
- Payments: Settlement payments recorded between participants in a group.
- Currencies: Exchange rates you set for a specific group.
- Receipts: Receipt photos you upload. Images are stored on our server and linked to an expense.
- Receipt analysis (OCR/AI): If you use analysis, we forward the receipt image to a configured AI service (typically Google Gemini via Laravel AI). Amount, merchant, date, and similar fields may be extracted. A temporary copy is used for analysis and deleted afterwards; we store the result on the receipt or expense.
- Synchronisation: Clients can send batched changes through the sync endpoint (offline-first).
- Push notifications: You may optionally register a Firebase Cloud Messaging (FCM) token per group. We store the token and preferred locale on the group guest record. The web app may use web push as well. We only send pushes when you enable them in the app — not for marketing on splito.de.
- Logs: Technical error and operations logs on the server. These do not contain group chat contents (there is no chat feature whose messages could be logged).
How long we keep data
Group, expense, and receipt data remain until you or others with permission delete them or remove the group. You can revoke API tokens and FCM registration by signing out or deleting them in the app. Website and API access logs are usually rotated after about 30 days unless we need longer retention to investigate an incident. Statutory retention duties (e.g. tax or commercial law) still apply where relevant.
Marketing website (splito.de)
- When you visit our pages we process technically necessary data (IP address, time, URL, user agent, referrer) in server log files — for operation, stability, and abuse detection. The connection is encrypted (HTTPS/TLS).
- Light/dark mode: Your theme choice is stored locally in the browser (localStorage, key splito-theme), not on our server.
- Contact email: The address is obfuscated in the page source and assembled in the browser when you click — we do not run a separate contact form database.
- These informational pages do not use analytics or third-party marketing cookies. Laravel session cookies may apply for technical security (CSRF) where needed.
- Marketing fonts are served from our own server (Bauhaus Std), not via Google Fonts.
- Store badges and external links (Google Play, App Store, web app if offered) lead to providers outside our control.
Recipients and service providers
We use hosting and infrastructure providers that process data on our behalf (processors under Art. 28 GDPR where required). Push notifications go through Google Firebase (FCM). Receipt analysis uses whichever AI provider is configured (e.g. Google). Where personal data is processed in third countries (especially the USA), we rely on appropriate safeguards (e.g. EU–US Data Privacy Framework and/or Standard Contractual Clauses).
Legal bases
- Contract or steps prior to a contract and performance of app features (Art. 6(1)(b) GDPR) when you actively use the services.
- Legitimate interests (Art. 6(1)(f) GDPR), e.g. secure operation, API abuse prevention, log files, and technically necessary website functions.
- Consent (Art. 6(1)(a) GDPR) where we ask for it — e.g. for push if your device requires it.
Your rights
Under the GDPR you have rights including access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests. You may withdraw consent at any time with future effect. You may lodge a complaint with a supervisory authority.
Changes
If features or providers change, we update this notice. The date above reflects the current version.