Legal

Privacy Policy

Effective 2026-04-27

Last updated Apr 27, 2026 by The EvenRound team.

Pre-launch template

This document is template content drafted by the EvenRound team and will be reviewed by counsel before public launch. Treat it as best-effort, not legal advice.

EvenRound ("we", "our") respects your privacy. This policy describes what data we collect, why, and what control you have over it.

1. What we collect

Group data

When you create or join a group, we store the group name, currency, members (display names, optional emails), expenses (description, amount, date, category, payer, splits), comments, and receipt attachments you upload.

Magic-link tokens

Each member is identified per-group by a magic-link token stored as a cookie. We do not require an account or password.

Optional email

You may attach an email to your member record to receive monthly settle-up reminders. Email is never required.

Server logs

We keep request logs (IP, user-agent, path, timestamp) for up to 30 days for security and abuse prevention.

2. What we do not collect

No third-party tracking cookies, no analytics fingerprinting.
No advertising IDs.
No location data beyond IP-derived country (for FX defaults).

3. Where data is stored

All group data is stored in our managed Supabase Postgres instance located in the European Union (Frankfurt). Receipt attachments are stored in Vercel Blob, also in EU regions.

4. Retention

Group data is retained until you delete the group or your account. When you delete a group, we cascade-delete all expenses, members, shares, and receipt attachments within 24 hours from primary storage and within 30 days from backups.

Server logs are retained for 30 days.

5. Third parties

Vercel - hosting and edge infrastructure (data processor).
Supabase - database and authentication infrastructure (data processor, EU region).
Resend - transactional email delivery for invite and reminder emails (data processor).
OpenAI / Anthropic - receipt OCR and line-item extraction. We send only the receipt image; we do not send any other group data, and providers do not retain inputs for training.

6. Your rights (GDPR)

If you're in the EU, the UK, or a similar jurisdiction, you have:

The right to access - request a copy of all data tied to you.
The right to rectification - correct inaccurate information.
The right to erasure - delete your data.
The right to data portability - request structured export.
The right to restrict or object to processing - limit how we use your data.

Email legal@evenround.com to exercise any of these rights. We respond within 30 days.

7. Cookies

We use only strictly necessary cookies: a locale preference cookie and per-group magic-link tokens. We do not set tracking or advertising cookies. Because we use no consent-required cookies, there is no cookie banner.

8. Children

EvenRound is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have, contact us and we will delete it.

9. Changes

We will publish material changes here and update the effective date at the top.

10. Contact

Privacy questions: legal@evenround.com.