Privacy policy

Last updated: April 12, 2026

1. Introduction

We respect your privacy and process personal data in line with applicable laws, in particular Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll., on personal data processing. This document describes what data we process, for what purposes, with whom we share it, how long we keep it, and what rights you have.

The data controller is Lidmila Maršálková, Czech company ID: 05684447, registered office at Jindice 115, 285 04 Rašovice-Uhlířské Janovice, Czech Republic (hereinafter also the "controller" or "we").

This policy applies to the Kvitta mobile app (Android) and the web app at kvitta.app.

2. Categories of data we process

  • User account (if you sign in): email, display name — for authentication and sync.
  • Expense and group data: amounts, currencies, categories, splits, group roles, comments, group names, member lists, settlement history — for the app to function.
  • Push notification tokens (FCM, Android only): to send notifications within groups.
  • Activity logs: overview of group changes (who added/edited what) — for the Activity Feed feature.
  • Technical and operational data from the web: IP address, cookie identifiers, device and browser information — for running the website, security, and analytics (Google Analytics only with consent).
  • OCR data (Google ML Kit): receipt scanning — processing happens locally on your device; no data is sent to our servers.

3. Legal basis for processing

  • Contract performance (Art. 6(1)(b) GDPR): providing the app features and data sync.
  • Legitimate interest (Art. 6(1)(f) GDPR): diagnostics, security, abuse prevention, and support.
  • Consent (Art. 6(1)(a) GDPR): analytics cookies on the web (Google Analytics).

4. How we use the data

  • Providing web and app features (expense tracking, calculations, notifications).
  • Syncing your data across devices (if enabled).
  • Sending push notifications about group activity (expenses, settlements).
  • Improving reliability, performance, and security (error detection, abuse prevention).
  • Fulfilling legal obligations and handling customer-support requests.

5. Sharing data with third parties

We do not sell your data and do not share it for marketing purposes. We show ads through Google AdMob in the free version of the Kvitta Android app.

For running the app we use Google Firebase as a processor:

  • Firebase Authentication (sign-in)
  • Cloud Firestore (data storage)
  • Firebase Storage (file storage)
  • Remote Config (remote configuration)
  • App Check (abuse protection)

We also use the following processors:

  • Firebase Cloud Messaging – FCM (Kvitta Android): sending push notifications about group activity.
  • Google ML Kit (Kvitta Android): OCR receipt scanning — processing happens locally on the device; no data is sent to our servers.
  • Google Analytics (web): traffic measurement — enabled only after consent in the cookie banner.
  • Google AdMob (Kvitta Android free): ad serving; governed by Google's privacy policy.

Group members see shared expense and balance data within their own groups.

6. Retention and security

  • App data (Firestore): for the duration of an active account; we will export/delete on request.
  • Google Analytics (web): 14 months; enabled only with consent.
  • Data is transmitted over TLS. We regularly update software and apply access controls on a need-to-know basis.

7. International transfers

Firebase runs in the nam5 region. For transfers outside the EEA we apply the appropriate safeguards, in particular the Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR. Google Analytics follows Google's own terms.

8. Cookies and consent

The web app uses essential cookies for sign-in and session management (Firebase Authentication). These cookies are necessary for the site to work and do not require consent.

Analytics cookies (Google Analytics) are loaded only after your consent via the cookie banner. You can withdraw consent anytime in your browser cookie settings or by clicking ; analytics scripts will then stop loading.

We do not use tracking cookies or third-party advertising cookies on the website.

9. Your rights

Within the limits of applicable law you have the right to:

  • access your personal data and obtain a copy of it,
  • have inaccurate or incomplete data corrected,
  • erasure ("right to be forgotten") and restriction of processing,
  • object to processing,
  • data portability (where technically feasible),
  • withdraw consent (e.g. by uninstalling the app or deleting your account),
  • lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ).

To delete your account and the related data, use the Account & data deletion page.

10. Changes to this policy

Updates will be published on this page with a new revision date. We will notify you about significant changes through the app.

11. Contact

Got a question or want to exercise your rights? Write to us:

12. Closing note

This document is the privacy policy for the Kvitta Android app and the Kvitta web app at kvitta.app. Technical details and contact information reflect the current implementation.