TallyUp ("the App") is a shared-expense / bill-splitting application operated by the maintainers of github.com/cyriacapps-cloud/tallyup. This policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data.
This policy is written to match the actual behavior of the production app at version 1.4.0+64. If the policy ever appears to contradict app behavior, the app's actual data practices govern and we will update this policy to match.
1. Data we collect
1.1 Account data
- Google Sign-In account: email address, display name, and profile photo URL provided by Google. We do not see your Google password.
- Firebase UID: an opaque identifier generated for your account by Firebase Authentication.
- Anonymous-guest UID: when you launch the app without signing in, Firebase issues an anonymous UID. No personal information is attached. If you later sign in with Google, your anonymous data (bills, groups, scan history) is migrated to the Google-signed account.
1.2 Expense data
You enter these directly or scan them from a receipt:
- Expense (bill) title, total, currency, status, timestamps.
- Merchant / restaurant name and receipt type.
- Itemized line items: name, price, quantity, category.
- Participant names and their amounts owed.
- Payment records: who paid whom, when, and the payment method (cash / Venmo / PayPal / other).
- Optional payment handle (PayPal username) saved to your user profile so other group members can reach you for settlement.
- Adjustments (tax, tip, fees, discounts).
1.3 Receipt photos
When you scan a receipt:
- The photo is captured via your device camera or gallery (your choice).
- The image is stored locally on your device in TallyUp's app-private storage. No other app on your device can read it.
- When cloud upload is enabled (default: on), the image is uploaded to Firebase Storage so you can view the original receipt from any device signed into the same account.
- Cloud copies are automatically deleted 90 days after the bill is finalized. The retention window is currently hard-coded.
- You can disable cloud upload entirely via a server-side Remote Config flag.
1.4 Receipt processing data (AI providers)
Scanning a receipt runs on-device ML Kit OCR by default — free, local, and not sent anywhere. AI Enhance is optional and manual: it only runs when you explicitly tap to improve a scan and you have an available AI Enhance credit (§ 1.11). When you use it, TallyUp may send data to Google Cloud AI services:
- Vertex AI (Gemini family): we send the raw OCR text, the provisional parsed items, the receipt type, and — only when a specific Remote Config flag is on (default: off) — the receipt image bytes. We receive a corrected item list + merchant name.
- Cloud Vision OCR: an additional image-OCR path that is currently disabled (server flag off). If it is enabled in a future release it would receive receipt image bytes for OCR; this policy will be updated before that happens.
These providers process the data on Google's infrastructure under Google's data-processing terms. TallyUp does not train models on your receipts and we do not retain copies of receipt content beyond what § 1.3 describes. You can disable AI repair entirely via a server-side Remote Config flag.
1.5 Scan usage metering
We count your monthly scan submissions to support a future per-user soft cap. Counts are stored per-month: photo-receipt scans (future quota basis) and pasted-receipt-text imports (analytics only, never quota-counted). There is currently no quota enforcement — counts only.
1.6 Diagnostics
When a scan fails or you explicitly tap "Send Diagnostics" in Settings, we collect the raw OCR text, the local parser's output, receipt metadata (currency, totals, item count), and your device model + OS version + app version. These bundles are stored only on your device until you choose to upload them. Diagnostic bundles never include share tokens, invite codes, or payment links.
1.7 Feedback
When you submit feedback from Settings → Send Feedback, we collect the feedback body text, the category (bug / feature / general), your Firebase UID, and the app version + device model. Only you and the app maintainers can read your feedback.
1.8 Crash reports
Firebase Crashlytics collects crash stack traces, device model, OS version, app version, and your Firebase UID. Crash reporting is on by default and can be disabled in Settings.
1.9 Analytics
Firebase Analytics collects anonymous usage events (for example: scan_started, scan_completed, finalize_success, feedback_submitted) tagged with your Firebase UID. Analytics is on by default for closed-test users. Firebase Analytics itself does not use the Advertising ID; for advertising use of the Advertising ID, see § 1.12.
1.10 Scan diagnostics + device context
To help us notice when receipt scanning misbehaves on a specific phone model or Android version, every scan and repair analytics event is tagged with a small set of non-personal device + app fields:
- The phone's platform (Android / iOS), Android API level / SDK version, manufacturer, and model (e.g. "Google Pixel 3 XL", "motorola moto g power 2021").
- The TallyUp app version and build number you have installed.
- Whether the build is a release, profile, or debug build.
- For each receipt-repair call: how long it took (in milliseconds), whether the result was accepted, and whether the call was text-only, image-only, or text-and-image (so we can tell text repairs apart from Gemini Vision rescues without inspecting your receipt).
We use these fields strictly for diagnostics, reliability monitoring, and capacity planning. They are never used to gate or route features differently for different devices — a 2018 phone and a 2026 flagship are handled identically by the scanner.
These fields are explicitly NOT included in any analytics event:
- The raw OCR text from your receipt.
- The receipt image itself or any image bytes.
- Any item name, total, subtotal, tax, or tip amount.
- The merchant or restaurant name.
- The exact pixel size of your receipt image (we use bucketed size labels like "≤ 512 KB" instead).
The diagnostic fields are attached as event parameters tagged to your Firebase UID, alongside the same analytics events listed in § 1.9, and follow the same retention rules.
1.11 AI Enhance credits (paid + rewarded)
AI Enhance is optional and runs only when you ask for it (§ 1.4). Using it consumes an AI Enhance credit. Credits come from three sources, all tracked under your account on our server:
- Free starter credits granted on first use.
- Paid credits you may buy through Google Play Billing. Google Play handles the payment — TallyUp never sees or stores your card or bank details; we receive only a purchase token (stored as a hash) and product id, which our server verifies with Google Play to grant the credits. Paid credits expire per the product terms (currently ~30 days).
- Rewarded credits you may optionally earn by watching a rewarded ad (§ 1.12).
Rewarded-credit terms: 1 credit per completed rewarded ad; rewarded credits expire after 30 days; a daily cap of 3 and a total earned cap of 100 unexpired rewarded credits apply; rewarded credits have no cash value, are non-transferable, and are not refundable. A reward is granted only after Google's server-side ad verification confirms a genuine completed view — the app cannot grant a rewarded credit on its own. Local scanning and manual editing always work without any credits.
1.12 Rewarded ads, AdMob, and Advertising ID
TallyUp may show an optional, user-initiated rewarded video ad ("Watch ad for 1 AI Enhance") using Google AdMob / the Google Mobile Ads SDK. You are never required to watch an ad. The app declares the com.google.android.gms.permission.AD_ID permission.
When you choose to watch a rewarded ad, Google Mobile Ads (AdMob) may collect and process your device's Advertising ID and ad impression/interaction data to serve the ad and to support advertising, fraud prevention (including the server-side reward verification in § 1.11), frequency capping, and reporting. Google processes this data under Google's policies. TallyUp does not join the Advertising ID to your account identity. Rewarded ads are off by default, are not shown on money-decision screens, and we do not show banner or interstitial ads.
2. How we use your data
- Expense splitting: to calculate, display, and share expense splits among participants.
- Account management: to authenticate you and associate expenses with your account.
- Receipt parsing: to extract items from scanned receipts.
- Crash reporting: to identify and fix bugs.
- Analytics: to understand which features are used and improve the app.
- Abuse / cost protection: Cloud Functions log per-user usage to detect runaway costs on third-party services.
We do not sell your data to third parties. The only advertising in TallyUp is an optional, user-initiated rewarded video ad via Google AdMob (§ 1.12) that lets you earn AI Enhance credits; we show no banner or interstitial ads, and no ads on money-decision screens.
3. Who we share data with
| Recipient | Why | Data |
|---|---|---|
| Google Firebase (Authentication, Firestore, Storage, Crashlytics, Analytics, Remote Config, Cloud Functions) | Operate the App | All account + expense + scan data |
| Google Cloud Vertex AI (Gemini) | Item extraction + correction (only when you use AI Enhance) | OCR text + parsed items + optionally image bytes |
| Google Cloud Vision | OCR on receipt photos (currently disabled) | Receipt image bytes |
| Google Play Billing | Process in-app purchases of AI Enhance credits | Purchase token + product id (Google handles payment; we never receive card data) |
| Google AdMob (Google Mobile Ads) | Serve the optional rewarded ad + verify the reward | Advertising ID + ad impression/interaction signals (only when you watch a rewarded ad) |
| Other invited bill participants | Public bill-share link | Expense title, items, totals, participant names, payment statuses |
| Group members in your shared groups | Group balance + history | Group expenses you participate in |

Bill data is shared only with participants you explicitly invite via share links or who are members of the same group. A share link grants access to that one bill — never to the broader group.
4. Data retention
| Data | Retention |
|---|---|
| Active expenses + groups | Indefinite while your account exists |
| Soft-deleted expenses + groups | 30 days, then hard-deleted by a scheduled function |
| Cloud receipt images | 90 days after finalize, then deleted by a scheduled function |
| Local receipt images on your device | Retained at the OS's discretion (TallyUp does not delete them automatically today) |
| Scan-report bundles you upload | Retained for engineering review; deletable on request |
| Crashlytics records | 90 days (Firebase default) |
| Analytics events | 2 months by default (Firebase Analytics) |
5. Deleting your account
5.1 In-app self-service
Settings → Account → Delete Account. Your account enters a 30-day grace window — if you sign back in within 30 days, your account and data are automatically restored. After 30 days a scheduled function hard-deletes your Firebase Auth record, all bills + groups you own (and their subcollections), all scan-usage data + feedback + scan reports tied to your UID, and all Storage objects under your UID's paths.
5.2 By email
Email us at the address in § 8. We will execute the same deletion within 30 days of receiving the request.
6. Children's privacy (COPPA)
TallyUp is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us (§ 8).
7. Security
- All network traffic uses HTTPS/TLS.
- Authentication is handled by Firebase Authentication; TallyUp never sees your Google password.
- Firestore Security Rules restrict reads and writes to authorized users only.
- Firebase Storage rules restrict receipt-image writes to authenticated users with size + content-type caps.
- App Check (Google Play Integrity on Android) is being rolled out for Cloud Functions hardening.
8. Contact
- GitHub: github.com/cyriacapps-cloud/tallyup/issues
- In-app feedback: Settings → Send Feedback.
- Email: support@tallyupapp.com
Earlier versions of this policy listed privacy@tallyup.app; that domain is not operated by us and that mailbox does not deliver. Please use the channels above.
9. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. When material changes happen, we will publish a release note and update the policy URL referenced from the app.