
Privacy Policy (App)

Last updated: 2026-04-10

This Privacy Policy explains how HalfHalf ("we", "us", "our") collects, uses, discloses, and protects personal data when you use our mobile app and related app services (collectively, the "App Service").

1. Controller and Contact

  • Controller legal name and postal address: Konstantin Maurer, Mozartstr. 51, 72762 Reutlingen, Germany
  • Contact email: kjm.application@gmail.com
  • Website: https://halfhalf.app
  • Imprint/legal notice is available in the in-app Imprint section.

2. Scope

This policy applies to personal data processed through:

  • The HalfHalf mobile app (iOS/Android)
  • In-app legal/account-related flows
  • Support and account communications related to the app

Website-specific processing is described separately at:

  • https://halfhalf.app/website-privacy

3. Data We Process

We process the following categories of data:

3.1 Account and identity data

  • Firebase user ID (UID)
  • Account type (anonymous, Google sign-in, or Apple sign-in)
  • Name/display name
  • Email address (if available from your account)

3.2 Group and collaboration data

  • Group name, group currency, join code, join code timestamps
  • Member list, member roles, member names
  • Group image and member profile image URLs

3.3 Expense and activity data

  • Expense descriptions, amounts, categories, dates, creators
  • Split data (paid by/paid for allocations)
  • Receipt line items and related metadata
  • Activity history entries (for example: user joined, role changed, expense changed/deleted)

3.4 Receipt scan data (premium feature)

  • Receipt images uploaded to cloud storage
  • Receipt analysis output (merchant, date, items, totals, warnings)
  • Receipt file paths and download URLs linked to expenses

3.5 Subscription and billing verification data

  • Product ID, plan, status, platform, expiry, auto-renew status
  • Verification identifiers such as purchase token, transaction ID, and original transaction ID
  • Subscription webhook linking records used to map store notifications to user entitlements

3.6 Notifications data

  • Push notification permission state
  • Firebase Cloud Messaging (FCM) device token(s)

3.7 Diagnostics and analytics data (optional)

  • App analytics events
  • Crash/error reports and technical diagnostics
  • Pseudonymous technical attributes used for debugging and quality monitoring

3.8 Device/app operation data

  • App state flags stored locally (for example onboarding and preference flags)
  • Security/integrity signals used by Firebase App Check

3.9 Communications and requests

  • Messages, requests, or documents you send us (for example privacy requests or support requests)

4. Data We Do Not Intend to Process

  • We do not intentionally sell personal data.
  • We do not intentionally process precise geolocation for core app functionality.
  • We do not process payment card numbers directly; purchases are handled by Apple/Google.

5. Purposes and Legal Bases (GDPR/EEA/UK/Switzerland)

Depending on context, we rely on one or more of these legal bases:

5.1 Contract performance (Art. 6(1)(b) GDPR)

  • Creating and managing your account
  • Operating groups and expense sharing features
  • Providing subscription and premium functionality
  • Processing receipt scans when you request scanning

5.2 Legal obligations (Art. 6(1)(c) GDPR)

  • Compliance with legal, tax, accounting, and law-enforcement obligations
  • Responding to valid legal requests

5.3 Legitimate interests (Art. 6(1)(f) GDPR)

  • Service security, abuse prevention, fraud prevention, and system integrity
  • Ensuring stable operation, auditing changes, and defending legal claims
  • Preserving shared group history integrity (for example role/name snapshots in activity history)

5.4 Consent (Art. 6(1)(a) GDPR)

  • Optional analytics and crash reporting where consent is required
  • Any processing for which we explicitly ask consent and where no other legal basis applies

You may withdraw consent at any time for consent-based processing. Withdrawal does not affect processing already carried out before withdrawal.

6. Germany-Specific Notes (including TDDDG context)

For users in Germany:

  • We apply GDPR and applicable German data protection law (including BDSG).
  • Where required for storage/access to information on end-user devices, we follow Section 25 TDDDG consent-or-necessity requirements.

  • Optional analytics/crash collection is designed as opt-in and can be changed in Settings.

7. How We Share Data

We share data only as needed to operate the App Service:

7.1 With other users you collaborate with

  • Group members can see shared group/expense/activity information according to role/access controls.

7.2 Service providers/processors

  • Google Firebase and Google Cloud services (Auth, Firestore, Cloud Functions, Storage, Messaging, App Check, Analytics, Crashlytics)

  • Google Vertex AI for receipt image analysis
  • Apple App Store and Google Play for subscription handling and purchase verification

7.3 Legal and safety disclosures

  • Where required by law, court order, or to protect rights, safety, and security

7.4 Corporate transactions

  • In a merger, acquisition, financing, or asset transfer context, subject to lawful safeguards

8. International Data Transfers

Your data may be processed in multiple regions. Current technical setup includes:

  • Firestore database location configured in Europe (`eur3`)
  • Cloud Functions processing in `europe-west1`
  • Receipt analysis processing in `europe-west1` (Vertex AI), with a `global` endpoint fallback for model availability

Where personal data is transferred outside your jurisdiction (including outside the EEA/UK/Switzerland), we use legally recognized transfer mechanisms as applicable, such as:

  • Adequacy decisions, where available
  • Standard Contractual Clauses (SCCs) and supplementary measures, where required
  • Other lawful transfer mechanisms under applicable law

9. Data Retention

We keep personal data only as long as necessary for the purposes in this policy, including:

  • Account/profile data: while the account is active and as needed for compliance or disputes
  • Group/expense/activity data: until deleted by authorized users or until group deletion workflows remove data
  • Removed-member snapshots/history references: may be retained to preserve shared expense history integrity
  • Receipt images and receipt scan metadata: until deleted by users or cleanup workflows
  • Push tokens: until refreshed, removed, or no longer needed
  • Subscription verification/linking data: as long as needed for entitlement integrity, fraud prevention, and compliance
  • Request/complaint records: as needed to comply with legal obligations and document responses

10. Account Deletion and Consequences

If you delete your account:

  • Your user profile document is deleted.
  • You are removed from active group membership.
  • Ownership transfer and cleanup workflows run when required.
  • Some historical group records may remain (for example activity history and expense references) to preserve accounting integrity for other group members.

11. Security

We implement technical and organizational security measures appropriate to risk, including:

  • Authentication and access control
  • Firestore and storage security rules
  • Server-side validation for sensitive operations
  • Logging and monitoring for reliability and abuse prevention

No system can guarantee absolute security.

12. Your Rights (GDPR/EEA/UK/Switzerland)

Subject to applicable law, you may have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Delete data
  • Restrict processing
  • Data portability
  • Object to processing based on legitimate interests
  • Withdraw consent for consent-based processing
  • Lodge a complaint with a supervisory authority

We may need to verify your identity before fulfilling requests. We aim to respond within applicable legal timelines (for GDPR requests, typically within one month, subject to lawful extensions).

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have rights to:

  • Know/access categories and specific pieces of personal information
  • Delete personal information (subject to legal exceptions)
  • Correct inaccurate personal information
  • Know categories of personal information disclosed/sold/shared and to whom (if applicable)
  • Opt out of sale/sharing of personal information (we do not currently sell/share for cross-context advertising)
  • Limit use/disclosure of sensitive personal information where applicable
  • Non-discrimination for exercising privacy rights

You may submit requests by emailing kjm.application@gmail.com. We may verify your identity before responding. Authorized agent requests are handled as required by law.

14. Other Regions

Depending on your location, additional rights may apply under local privacy laws (for example in the UK, Switzerland, Canada, Brazil, Australia, and other jurisdictions). We will honor applicable rights as required by law.

15. Children

The App Service is not directed to children below the minimum age required by applicable law.

If we learn we collected personal data from a child unlawfully, we will take steps to delete it.

16. Automated Decision-Making

We do not use solely automated decisions that produce legal or similarly significant effects on users within the meaning of GDPR Art. 22. Receipt scan outputs are assistive and user-controlled.

17. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date and provide additional notice where required by law.

18. Contact and Complaints

For privacy questions or requests:

  • kjm.application@gmail.com

You also have the right to contact your local supervisory authority. For Germany, this can be the authority competent for your federal state, or (where applicable) the BfDI.
