Last Updated: August 2025

Privacy Policy

Privacy Policy for AllSquare

Effective Date: August 2025

Your privacy is important to us. This policy explains what data we collect, how we use it, and your rights.

This policy applies to all services offered by AllSquare and its affiliates, and to information we collect when you apply for a job at AllSquare.

1. Information We Collect

When you sign up or use AllSquare, we collect:

  • Name and email address via Google OAuth or email/password authentication
  • User-generated content, like group names, expense notes, descriptions, and avatars
  • Session interaction data (e.g. clicks, scrolls, page visits, session recordings) for product improvement purposes via PostHog
  • Device information (browser type, operating system, screen resolution)
  • Usage analytics (feature usage, error logs, performance metrics)

We do not collect:

  • Precise location data
  • Credit card or payment details (handled directly by Stripe)
  • Third-party advertising cookies

2. How We Use Your Data

We use your information to:

  • Authenticate and sign you into the app
  • Send transactional or account-related emails
  • Personalize your experience and remember your preferences
  • Provide customer support
  • Process expense data using AI for natural language parsing
  • Improve our services through analytics
  • Ensure security and prevent fraud

3. Data Sharing and Third-Party Services

We share your data with these and similar service providers:

  • Supabase: Authentication, database, and file storage (US-based)
  • Resend: Transactional email service for invitations and notifications
  • PostHog: Product analytics and session recording (may include interaction data)
  • OpenAI: GPT-4o-mini for AI expense parsing (processes expense descriptions and member names)
  • Google AI: Gemini AI as an alternative for expense parsing
  • Stripe: Payment processing (planned for future paid features - we will never store payment details)
  • Vercel: Hosting and infrastructure (processes requests)

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

All service providers are bound by data processing agreements and are required to protect your data in accordance with this policy.

4. AI Data Processing

When you use our AI-powered expense entry feature:

  • Your expense descriptions and group member names are sent to OpenAI or Google AI
  • The AI processes this data to create structured expense entries
  • We don't store your raw data with AI providers beyond processing
  • AI providers may temporarily process data according to their policies
  • You can opt out by manually entering expenses instead

The AI-generated suggestions are not guaranteed to be accurate. You are responsible for reviewing and confirming all entries.

5. Cookies and Tracking Technologies

AllSquare uses the following types of cookies and tracking:

  • Essential cookies: Required for authentication and core functionality
  • Analytics cookies: PostHog analytics to understand usage patterns
  • Session recording: PostHog may record user sessions for product improvement
  • Local storage: To save preferences and improve performance

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using AllSquare.

6. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while account is active
  • Expense data: Retained for 7 years for financial records
  • Avatar images: Deleted 30 days after removal from profile
  • Analytics data: Aggregated and anonymized after 90 days
  • Session recordings: Deleted after 30 days
  • Inactive accounts: Deleted after 24 months of inactivity

Upon account deletion, personal data is removed within 30 days, except where retention is required for legal compliance.

7. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Deletion: Request deletion of your account and data
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Object: Opt out of certain data processing activities

Residents of certain U.S. states (including, but not limited to, California, Virginia, Colorado, Connecticut, Utah, and Texas) may have additional privacy rights under applicable state privacy laws. Depending on where you reside, these rights may include:

  • Right to Know/Access: You may request to confirm whether we process your personal data and to access such data.
  • Right to Correction: You may request that we correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of processing.
  • Right to Deletion: You may request deletion of personal data that we hold about you, subject to certain exceptions (such as if we must keep the data to comply with legal obligations).
  • Right to Data Portability: You may request to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt-Out: You may request to opt out of: (i) targeted advertising, (ii) the sale of your personal data, and/or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your state privacy rights.

For California residents (CCPA): You have additional rights to know what personal information we collect, request deletion, opt out of sale (we don't sell data), and non-discrimination.

For EU/EEA residents (GDPR): You have the right to lodge a complaint with your supervisory authority and withdraw consent where processing is based on consent.

For more information about your state privacy rights, you may visit the following official state resources:

These resources are maintained by the respective state authorities and may provide additional guidance on your privacy rights and how to exercise them.

To exercise your rights, email support@allsquare.app

8. Data Security

We implement industry-standard security measures:

  • Encryption in transit (TLS/SSL) and at rest
  • Row-level security in Supabase for data isolation
  • Regular security audits and updates
  • Limited access controls for team members
  • Secure password hashing (bcrypt)

In case of a data breach affecting your personal information, we will notify you within 72 hours via email and provide information about the incident and steps to protect yourself.

However, no system is 100% secure. Use AllSquare at your own risk.

9. Children's Privacy

AllSquare is not intended for children under 13 (or 16 in some jurisdictions), and we do not knowingly collect data from minors. If we learn we have collected data from a child, we will delete it promptly.

10. International Data Transfers

Your data may be transferred to and processed in the United States where our service providers are located. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses with service providers
  • Compliance with Privacy Shield principles where applicable
  • Data processing agreements with all third parties

By using AllSquare, you consent to the transfer and storage of your data in the United States.

11. Changes to This Policy

We may update this policy periodically. If changes are significant, we'll notify you by email or through the app at least 30 days before the changes take effect. Continued use after notification constitutes acceptance of the updated policy.

12. Data Controller and Access

AllSquare is the data controller for personal information collected through our service.

Currently, only authorized team members have access to user data, and only when necessary—for example, to investigate a bug, respond to a support request, or maintain the service. Access is limited, logged, and handled with care.

13. Contact

For privacy questions, data requests, or to exercise your rights:

📧 support@allsquare.app

Response time: We aim to respond to all privacy-related requests within 30 days.

AllSquare