TallyUp Privacy Policy

Split bills, not your privacy

Effective date: 2026-05-20 · Last updated: 2026-06-13

TallyUp ("the App") is a shared-expense / bill-splitting application operated by the maintainers of github.com/cyriacapps-cloud/tallyup. This policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data.

This policy is written to match the actual behavior of the production app at version 1.4.0+64. If the policy ever appears to contradict app behavior, the app's actual data practices govern and we will update this policy to match.

1. Data we collect

1.1 Account data

1.2 Expense data

You enter these directly or scan them from a receipt:

1.3 Receipt photos

When you scan a receipt:

1.4 Receipt processing data (AI providers)

Scanning a receipt runs on-device ML Kit OCR by default — free, local, and not sent anywhere. AI Enhance is optional and manual: it only runs when you explicitly tap to improve a scan and you have an available AI Enhance credit (§ 1.11). When you use it, TallyUp may send data to Google Cloud AI services:

These providers process the data on Google's infrastructure under Google's data-processing terms. TallyUp does not train models on your receipts and we do not retain copies of receipt content beyond what § 1.3 describes. You can disable AI repair entirely via a server-side Remote Config flag.

1.5 Scan usage metering

We count your monthly scan submissions to support a future per-user soft cap. Counts are stored per-month: photo-receipt scans (future quota basis) and pasted-receipt-text imports (analytics only, never quota-counted). There is currently no quota enforcement — counts only.

1.6 Diagnostics

When a scan fails or you explicitly tap "Send Diagnostics" in Settings, we collect the raw OCR text, the local parser's output, receipt metadata (currency, totals, item count), and your device model + OS version + app version. These bundles are stored only on your device until you choose to upload them. Diagnostic bundles never include share tokens, invite codes, or payment links.

1.7 Feedback

When you submit feedback from Settings → Send Feedback, we collect the feedback body text, the category (bug / feature / general), your Firebase UID, and the app version + device model. Only you and the app maintainers can read your feedback.

1.8 Crash reports

Firebase Crashlytics collects crash stack traces, device model, OS version, app version, and your Firebase UID. Crash reporting is on by default and can be disabled in Settings.

1.9 Analytics

Firebase Analytics collects anonymous usage events (for example: scan_started, scan_completed, finalize_success, feedback_submitted) tagged with your Firebase UID. Analytics is on by default for closed-test users. Firebase Analytics itself does not use the Advertising ID; for advertising use of the Advertising ID, see § 1.12.

1.10 Scan diagnostics + device context

To help us notice when receipt scanning misbehaves on a specific phone model or Android version, every scan and repair analytics event is tagged with a small set of non-personal device + app fields:

We use these fields strictly for diagnostics, reliability monitoring, and capacity planning. They are never used to gate or route features differently for different devices — a 2018 phone and a 2026 flagship are handled identically by the scanner.

These fields are explicitly NOT included in any analytics event:

The diagnostic fields are attached as event parameters tagged to your Firebase UID, alongside the same analytics events listed in § 1.9, and follow the same retention rules.

1.11 AI Enhance credits (paid + rewarded)

AI Enhance is optional and runs only when you ask for it (§ 1.4). Using it consumes an AI Enhance credit. Credits come from three sources, all tracked under your account on our server:

Rewarded-credit terms: 1 credit per completed rewarded ad; rewarded credits expire after 30 days; a daily cap of 3 and a total earned cap of 100 unexpired rewarded credits apply; rewarded credits have no cash value, are non-transferable, and are not refundable. A reward is granted only after Google's server-side ad verification confirms a genuine completed view — the app cannot grant a rewarded credit on its own. Local scanning and manual editing always work without any credits.

1.12 Rewarded ads, AdMob, and Advertising ID

TallyUp may show an optional, user-initiated rewarded video ad ("Watch ad for 1 AI Enhance") using Google AdMob / the Google Mobile Ads SDK. You are never required to watch an ad. The app declares the com.google.android.gms.permission.AD_ID permission.

When you choose to watch a rewarded ad, Google Mobile Ads (AdMob) may collect and process your device's Advertising ID and ad impression/interaction data to serve the ad and to support advertising, fraud prevention (including the server-side reward verification in § 1.11), frequency capping, and reporting. Google processes this data under Google's policies. TallyUp does not join the Advertising ID to your account identity. Rewarded ads are off by default, are not shown on money-decision screens, and we do not show banner or interstitial ads.

2. How we use your data

We do not sell your data to third parties. The only advertising in TallyUp is an optional, user-initiated rewarded video ad via Google AdMob (§ 1.12) that lets you earn AI Enhance credits; we show no banner or interstitial ads, and no ads on money-decision screens.

3. Who we share data with

Recipient | Why | Data
Google Firebase (Authentication, Firestore, Storage, Crashlytics, Analytics, Remote Config, Cloud Functions) | Operate the App | All account + expense + scan data
Google Cloud Vertex AI (Gemini) | Item extraction + correction (only when you use AI Enhance) | OCR text + parsed items + optionally image bytes
Google Cloud Vision | OCR on receipt photos (currently disabled) | Receipt image bytes
Google Play Billing | Process in-app purchases of AI Enhance credits | Purchase token + product id (Google handles payment; we never receive card data)
Google AdMob (Google Mobile Ads) | Serve the optional rewarded ad + verify the reward | Advertising ID + ad impression/interaction signals (only when you watch a rewarded ad)
Other invited bill participants | Public bill-share link | Expense title, items, totals, participant names, payment statuses
Group members in your shared groups | Group balance + history | Group expenses you participate in

Bill data is shared only with participants you explicitly invite via share links or who are members of the same group. A share link grants access to that one bill — never to the broader group.

4. Data retention

Data | Retention
Active expenses + groups | Indefinite while your account exists
Soft-deleted expenses + groups | 30 days, then hard-deleted by a scheduled function
Cloud receipt images | 90 days after finalize, then deleted by a scheduled function
Local receipt images on your device | Retained at the OS's discretion (TallyUp does not delete them automatically today)
Scan-report bundles you upload | Retained for engineering review; deletable on request
Crashlytics records | 90 days (Firebase default)
Analytics events | 2 months by default (Firebase Analytics)

5. Deleting your account

5.1 In-app self-service

Settings → Account → Delete Account. Your account enters a 30-day grace window — if you sign back in within 30 days, your account and data are automatically restored. After 30 days a scheduled function hard-deletes your Firebase Auth record, all bills + groups you own (and their subcollections), all scan-usage data + feedback + scan reports tied to your UID, and all Storage objects under your UID's paths.

5.2 By email

Email us at the address in § 8. We will execute the same deletion within 30 days of receiving the request.

6. Children's privacy (COPPA)

TallyUp is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us (§ 8).

7. Security

8. Contact

Earlier versions of this policy listed privacy@tallyup.app; that domain is not operated by us and that mailbox does not deliver. Please use the channels above.

9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. When material changes happen, we will publish a release note and update the policy URL referenced from the app.