Privacy Policy

1. Controller

Paul Methfessel, Zeppelinstr 73, 14471 Potsdam DE, contact@split.paulmethfessel.com

2. Overview

Split is a tool for managing shared expenses in groups. We process only the data necessary to provide the service. There is no tracking, analytics, or advertising.

3. Categories of personal data

• Account data: email address, name (freely chosen), preferred currency, locale.
• Authentication data: session tokens managed by our processor Clerk.
• If you choose to sign in with Google: data received from Google via OAuth 2.0 / OpenID Connect under the scopes openid, email, and profile — your Google account identifier, email address and its verification status, and basic profile information (name, profile picture, locale).
• Content data: groups, expenses, amounts, settlements, notes, and timestamps that you create.
• Invitation data: email addresses you supply to invite someone to a group, plus a one-time invitation token.
• Server logs (collected by the upstream nginx): IP address, date, time, user agent, requested resource. Automatically deleted after at most 14 days.

4. Purposes and legal bases

• Providing the service (account, groups, expenses): Art. 6(1)(b) GDPR (contract / pre-contractual steps with you as the user).
• Sign-in via Google (only if you choose this option): Art. 6(1)(b) GDPR (necessary to create or sign you into your account at your request).
• Sending invitation emails: Art. 6(1)(b) GDPR towards the inviting user and Art. 6(1)(f) GDPR (legitimate interest in a working invitation flow) towards the invited person.
• IT security and stability (server logs, error handling): Art. 6(1)(f) GDPR (legitimate interest).

5. Recipients / processors

• Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — hosting (server, database). Data processing agreement under Art. 28 GDPR in place.
• Clerk, Inc., 660 King Street, San Francisco, CA 94107, USA — authentication and session management. Transfer to the USA based on the EU-US Data Privacy Framework (Commission adequacy decision of 10 July 2023); additional data processing agreement in place.
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — sign-in via Google, only if you choose this option. We request the OAuth scopes openid, email, and profile. Transfer to the USA based on the EU-US Data Privacy Framework. See policies.google.com/privacy.
• Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — sending invitation emails. Transfer to the USA based on the EU-US Data Privacy Framework and a data processing agreement.
• frankfurter.app (public European Central Bank exchange-rate API). No personal data is transmitted — only currency codes and a date.

6. Cookies and local storage

We use exclusively strictly necessary cookies required for sign-in and secure operation (specifically Clerk's session cookies). Consent under § 25(1) TTDSG is not required (§ 25(2) no. 2 TTDSG). No tracking takes place.

7. Retention

• Account and content data: until you delete your account.
• Invitations: until accepted or until the token expires, then automatically deleted.
• Server logs: at most 14 days.

8. Your rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21 GDPR). Please send requests to contact@split.paulmethfessel.com.

You may delete your account at any time (Profile → Delete account — if the self-service flow is not yet available, request deletion by email).

You have the right to lodge a complaint with a supervisory authority, usually the data protection authority of your residence or of our seat. Our competent authority is: Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg, Stahnsdorfer Damm 77, 14532 Kleinmachnow, www.lda.brandenburg.de.

9. No automated decision-making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

10. Changes to this policy

We update this policy when the service or the legal situation changes.

Last updated: 2026-06-20. This English version is provided for convenience. The German Datenschutzerklärung is legally authoritative.