Privacy Policy for the “BillPalls” App

Privacy Policy

Last Updated: November 20, 2025

This Privacy Policy explains how personal data is processed when using the mobile application “BillPalls” (iOS/Android) and its web version. It clarifies what information we collect, why we collect it, how it is used, and which rights users hold under the GDPR.


1. Data Controller

Slin App Agentur
Owner: Nils Jerschke
Margeritenweg 16
04179 Leipzig
Germany

Phone: +49 157 5045 7093
Email: n.jerschke@slinapp.com

A Data Protection Officer has not been appointed, as this is not legally required.


2. Purpose and Scope of the Service

BillPalls provides tools to create, split and manage shared expenses. Users can create bills, assign items to participants, record payments and optionally extract data from images using optical text recognition.

A user account is required to use the service.


3. Categories of Personal Data Processed

3.1 Account & Profile Information

  • Email address

  • Display name

  • Optional: first and last name

  • Profile image URL (if provided)

  • Firebase User ID (UID)

  • Authentication provider data (Google/Apple Sign-In)

Apple Sign-In is used without “Hide My Email”.

3.2 Billing & Expense Data

  • Bill title, amount, date

  • Line items (name, quantity, price, VAT if applicable)

  • Assignment of participants and payment status

  • Visibility only within shared bill groups

3.3 Image Processing (OCR)

  • Uploaded or captured bill images

  • Local compression to reduce data volume

  • Transmitted to OpenAI solely for text extraction

  • Images are not permanently stored by us or in Firebase

3.4 Analytics & Crash Data (only if consented)

  • Firebase Analytics events

  • Interaction patterns

  • Crash reports via Firebase Crashlytics

3.5 Technical & Device Data

  • IP address (transmitted automatically when connecting)

  • Device and OS information

  • Firebase Cloud Messaging token

  • Advertising ID (only when ads are enabled)

3.6 Purchase Information

  • Product ID and transaction reference (for premium access)

  • Payments are processed exclusively by Apple or Google

3.7 App Preferences

  • Language, currency, theme

  • Notification and privacy settings

  • Consent choices for analytics/advertising


4. Legal Basis for Processing

4.1 Provision of the Core Service

Processing of account and billing data is necessary to provide the app.
Legal Basis: Art. 6(1)(b) GDPR — performance of a contract

4.2 Shared Bills Between Users

Data is visible only to participants of the respective bill.
Legal Basis: Art. 6(1)(b) GDPR

4.3 Optical Character Recognition (OCR)

Images are processed by OpenAI solely to extract text and then discarded.
Legal Basis: Art. 6(1)(b) GDPR

4.4 Push Notifications

Functional system messages or optional alerts.
Legal Basis: Art. 6(1)(b) and/or Art. 6(1)(a) GDPR

4.5 In-App Purchases

Required to enable premium features.
Legal Basis: Art. 6(1)(b) GDPR


5. Advertising (Google AdMob & Consent Dialog)

We use Google AdMob to display advertisements.
No advertising identifiers, cookies or similar technologies are activated until users have made a choice in the Google Consent Dialog, in compliance with EU user consent requirements.

If consent is granted, the following data may be processed:

  • Advertising ID (AAID / IDFA)

  • Device information

  • Cookies or similar identifiers

  • IP address and technical ad delivery metrics

Users may choose between personalized or non-personalized advertising. If personalized ads are refused, only non-personalized ads will be shown, or ads may be disabled entirely where required.

Consent can be withdrawn at any time inside the application’s privacy settings.

The Consent Dialog includes a full list of advertising technology partners involved in ad delivery.

Legal Basis: Art. 6(1)(a) GDPR — voluntary consent


6. Data Recipients

Personal data may be shared with the following categories of recipients, only to the extent necessary:

  • Google Firebase — authentication, database, push delivery, optional analytics and crash reporting

  • Google AdMob — ad delivery subject to prior consent

  • OpenAI — OCR processing of images without storage

  • Apple App Store / Google Play — processing of payments

  • Other Bill Participants — visibility only within shared bills

Data is not sold or shared with third parties outside the scope of this policy.


7. International Data Transfers

Data may be transferred to service providers in the United States (Google, OpenAI).
Such transfers rely on:

  • The EU-US Data Privacy Framework where applicable

  • Standard Contractual Clauses (SCC)

  • Additional technical and organizational safeguards

Despite these protections, residual risk from governmental access cannot be fully eliminated.


8. Storage Location and Retention

  • Account and billing data are retained until the user deletes their account.

  • Images used for OCR are processed in real time and not stored.

  • Analytics and crash data are retained only while consent remains active.

  • Purchase-related data may be stored as required by commercial law.

Deleting the user account removes all associated personal data.


9. Permissions Used by the App

iOS

Camera · Photo library · Push notifications · Face ID / Touch ID

Android

Camera · Media access · Internet · Biometric authentication · Notifications

Some functions are unavailable if permissions are denied.


10. Data Security

We implement multiple protective measures including:

  • TLS encryption for all data transmission

  • Firebase Authentication

  • Strict Firestore security rules

  • Limited access rights & data minimization

  • No retention of images processed through OCR


11. User Rights Under GDPR

Users have the right to:

  • Access their data

  • Request correction or deletion

  • Restrict or object to processing

  • Obtain a copy of their data (portability)

  • Withdraw consent at any time

Data export and account deletion are available directly within the app.


12. Online Dispute Resolution

EU platform for online dispute resolution:
https://consumer-redress.ec.europa.eu

We are not obliged nor willing to participate in a consumer arbitration procedure.


13. Changes to This Policy

We may update this Privacy Policy as our services evolve.
The latest version is always accessible within the app and on our website.