Legal

Privacy Policy

Last updated: January 27, 2026

1. Introduction

PayMates ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using PayMates, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

This policy applies to all users worldwide, including those in the European Economic Area (EEA), United Kingdom, California, and other jurisdictions with specific privacy regulations.

2. Information We Collect

2.1 Information You Provide

Account Information: Email address, phone number, name, and profile picture
Payment Information: For Android users, subscription payments are processed through Stripe. For iOS users, payments are processed through Apple In-App Purchases. We do not store full payment card details.
Expense Data: Bills, transactions, group expenses, settlement information, and notes you create
Receipt Images: Photos of receipts you upload or capture for expense tracking

2.2 Information We Collect Automatically

Device Information: Device type, operating system, unique device identifiers
Usage Information: App features used, interactions, and usage patterns
Log Data: IP address, browser type, access times, and pages viewed
Advertising Identifier: Used for delivering personalized advertisements through Google AdMob

2.3 Information from Third Parties

Contacts: With your permission, we access your device contacts to help you find friends and split expenses more easily
Authentication Providers: Information from Clerk authentication service when you create an account

3. Lawful Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, we process your personal data based on the following legal bases:

Contract Performance: Processing necessary to provide the Service you requested (account creation, expense tracking, payment processing)
Legitimate Interests: Processing for service improvement, fraud prevention, and security purposes, where such interests are not overridden by your rights
Consent: For personalized advertising, contact access, and push notifications - you may withdraw consent at any time
Legal Obligation: Processing required to comply with applicable laws and regulations

4. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve our Service
Process transactions and send transaction notifications
Help you find and connect with friends for expense sharing
Scan and process receipt images for automatic expense entry
Send push notifications about expense updates, settlements, and important account information
Personalize your experience and deliver relevant content
Deliver personalized advertisements through Google AdMob
Detect, prevent, and address technical issues or fraudulent activity
Comply with legal obligations and enforce our terms

Important: We do NOT use your personal data, expense records, receipt images, or any user content to train artificial intelligence or machine learning models.

5. Data Tracking and Advertising

PayMates uses your data for tracking purposes to deliver personalized advertisements.

We use Google AdMob to display advertisements in our app. AdMob may collect and use your advertising identifier and other device information to show you personalized ads. This constitutes data tracking under Apple's App Tracking Transparency framework.

What This Means:

We collect your device's advertising identifier (IDFA on iOS, GAID on Android)
This identifier is used to deliver targeted, personalized advertisements to you
The data is shared with Google AdMob for advertising purposes
You can opt out of personalized ads in your device settings or when prompted by the app

For more information about Google's advertising practices, visit: https://policies.google.com/technologies/ads

6. How We Share Your Information

We may share your information with:

6.1 Service Providers

Google AdMob: For advertising and analytics (includes tracking data)
Clerk: For authentication and user management
Stripe: For subscription payment processing (Android users only; we never store full payment card details)
Google Cloud: For cloud storage and receipt image processing
Apple In-App Purchases: For subscription processing (iOS users only)

These service providers are contractually obligated to protect your data and may only process it according to our instructions.

6.2 Other Users

When you participate in groups or share expenses, certain information (name, profile picture, expense details) is visible to other group members.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or other legal process, or in response to a valid request from law enforcement or government authorities.

6.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, user information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the app before your data becomes subject to a different privacy policy.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide you services.

Specific Retention Periods:

Account Data: Retained until you request account deletion
Expense Records & Receipts: Retained for the duration of your account unless individually deleted
Transaction Logs: Retained for 7 years for legal and accounting compliance
Server Logs: Automatically deleted after 90 days
Backups: Removed within 60 days of data deletion from active systems

After Account Deletion: Upon account deletion request, we will delete your personal data within 30 days, except for data we are legally required to retain (such as transaction records for tax/accounting purposes for up to 7 years) or data necessary for fraud prevention and security.

8. Your Rights and Choices

All Users:

Access and Update: You can access and update your information through your account settings
Delete Account: You can delete your account at any time from Settings > Account > Delete Account
Opt-Out of Tracking: You can opt out of personalized ads by declining tracking when prompted or through your device settings
Push Notifications: You can disable push notifications in your device settings
Contacts Access: You can revoke contacts access in your device settings (this will limit friend-finding features)
Camera/Photos Access: You can revoke these permissions in device settings (this will limit receipt scanning features)

8.1 Additional Rights for EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have additional rights under GDPR:

Right of Access: Request a copy of your personal data
Right to Rectification: Request correction of inaccurate data
Right to Erasure: Request deletion of your personal data
Right to Restrict Processing: Request limitation of data processing
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
Right to Lodge a Complaint: File a complaint with your local supervisory authority

To exercise these rights, contact us at privacy@paymates.app. We will respond within 30 days.

8.2 California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request information about the categories and specific pieces of personal information collected
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of the sale or sharing of personal information
Right to Non-Discrimination: Receive equal service regardless of exercising your privacy rights
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out: Opt out of the sale or sharing of personal information
Right to Non-Discrimination: Receive equal service regardless of exercising your privacy rights

Do Not Sell or Share My Personal Information: We do not sell your personal information. We share data with advertising partners (Google AdMob) as described in Section 5, which may constitute "sharing" under CCPA. You can opt out of this sharing through your device's privacy settings or by declining tracking when prompted.

To submit a request, email us at privacy@paymates.app or use the in-app settings. We will verify your identity before fulfilling requests.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Secure payment processing through PCI-DSS compliant providers
Regular security assessments and vulnerability testing
Access controls and employee training
24/7 security monitoring and logging

However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify affected users via email within 72 hours of becoming aware of the breach
Provide information about the nature of the breach and data affected
Describe the measures taken to address the breach
Offer recommendations to mitigate potential adverse effects
Report to relevant supervisory authorities as required by law

11. Children's Privacy

PayMates is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we discover that we have collected information from a child under the applicable age, we will promptly delete it. If you believe we have collected information from a child, please contact us at privacy@paymates.app.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located. These countries may have data protection laws different from your country.

For EEA/UK Users: When we transfer your personal data outside the EEA/UK, we ensure adequate protection through:

Standard Contractual Clauses approved by the European Commission
Data Processing Agreements with service providers
Compliance with applicable data protection frameworks

By using PayMates, you consent to the transfer of your information to these countries.

13. Third-Party SDKs and Tracking Technologies

Our app uses the following third-party SDKs that may collect data:

Google AdMob: Advertising identifier, device info, ad interaction data
Clerk: Authentication tokens, session data
Stripe SDK (Android): Payment processing data
Expo/React Native: Crash reports and app performance data

Each SDK is governed by its own privacy policy. We encourage you to review the privacy policies of these third parties.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy on this page
Updating the "Last updated" date at the top
Sending an email notification for significant changes
Displaying an in-app notice for material changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

PayMates Labs
Email: privacy@paymates.app
General Support: support@paymates.app

For EEA/UK Privacy Inquiries: If you are located in the EEA or UK and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority.