← Back

Privacy Policy

Last updated: 11 May 2026

Note on translation: The authoritative version of this policy is the Swedish original at kvitt.org/privacy.html. This English translation is provided for convenience. In case of discrepancy, the Swedish version prevails.

Kvitt is an app for splitting expenses between friends. We collect as little data as possible — only what the app needs to function. We never sell your data, we show no ads. The only data use that doesn't directly deliver app functionality is anonymous operational logs for debugging.

The short version: we store your name, mobile number (for Swish), the groups you're in, and the expenses you add. Everything is stored in Microsoft Azure in Sweden. You can delete your account at any time directly in the app (Profile → Delete my account). We share technically necessary data with Microsoft (hosting), RevenueCat (Plus subscriptions), Apple/Google (push notifications via their networks) and Firebase (push routing) — never for marketing purposes.

Data controller

Softi AB (org. no. 559067-1235), Nybyvägen 1, 746 37 Bålsta, Sweden, is the data controller for your information in the Kvitt app. Kvitt is a trademark owned and operated by Softi AB. Questions are answered at hej@kvitt.org.

What data we collect

You enter yourself:

Name — shown to other members of your groups.
Mobile number (Swedish format) — used as your Swish number so others can settle up with you.
Group information — group name, currency, who you invite.
Expenses — description, amount, category, date, how they're split, and optionally a photo of the receipt.
Payments — amount and recipient when you mark a debt as paid (but not the actual Swish transaction itself, see below).

Generated automatically:

Push token (Apple APNs / Google FCM) — so we can send a notification when someone in your group adds an expense or settles up. The token is linked to your user ID and deleted when you delete your account.
User ID — random ID identifying you in the cloud. Contains no personal information. Visible in the app's profile view.
Operational logs — anonymous server logs (which API call was made, response code, response time) are stored for 30 days in Microsoft Application Insights for debugging. Contain no personal information that can be linked to you.

We do not collect:

National ID number or other identifying information beyond name/mobile
Contact lists from your phone
Location / GPS data
Bank or card details
Browsing history
Cross-app tracking data (we do not use Apple's App Tracking Transparency API)

Why (legal basis)

We process your data to deliver the service you signed up for (Article 6(1)(b) GDPR — performance of a contract). You can stop using Kvitt at any time and ask us to delete your account.

Where your data is stored

All data is stored in Microsoft Azure in EU regions (Sweden Central for database and functions; West Europe for the Static Web App). Microsoft acts as our data processor under GDPR.

We do not transfer data outside the EU/EEA.

How long we keep your data

We keep your data for as long as your account is active. When you delete your account in the app (Profile → Delete my account) the following happens:

Profile (name, mobile number) — replaced with "Removed user" and an empty mobile number.
User token — invalidated immediately so none of your devices can read or write to your old groups anymore.
Push registrations — all tokens and installations are removed immediately.
RevenueCat customer — unlinked from your device (any active Plus subscription is still managed by Apple/Google).
Groups you were a member of — you are removed as an active member. Historical expenses you participated in or paid for remain in the group so other members can see their own history, but appear as an anonymous removed user.
Receipt images you uploaded — the images remain in Azure Blob Storage linked to the historical expenses. They are not accessible to anyone outside the group and contain no personal information beyond what you photographed yourself.

Backup snapshots in Azure rotate with 30-day retention, so data may remain in backup for up to 30 days before it is finally overwritten.

Third-party services

Kvitt uses the following sub-processors (all in the EU or under EU Standard Contractual Clauses):

Microsoft Azure (Irish legal entity, data centres in Sweden / West Europe) — hosting, database (Cosmos DB), file storage (receipt images), operational logs (Application Insights), real-time sync (Azure SignalR), push delivery (Notification Hubs).
RevenueCat (US provider, EU Standard Contractual Clauses) — manages subscription status for Kvitt Plus. Receives only your user ID, your IAP transactions from Apple/Google, and device platform. Never name, phone, or expense data.
Apple Push Notification service (APNs) / Google Firebase Cloud Messaging (FCM) — delivers push notifications. Receives only the push token and the notification content itself (e.g. "Stella added an expense").
Azure AI Document Intelligence (Plus feature) — when a Plus user scans a receipt the image is sent for OCR analysis. The image is not stored at Microsoft — it is analysed and discarded immediately. The result (total amount, date, merchant) is returned to your device.
Apple App Store / Google Play — distribution of the app and handling of In-App purchases for Plus. Apple and Google have their own policies for installation data and payment information.

We use no classic analytics services (no Google Analytics, no Mixpanel, no Amplitude). We use no ad networks. We do not share your data with third parties for marketing purposes.

About Swish

When you settle a debt, Kvitt opens the Swish app with the right recipient, amount and message pre-filled. The payment itself happens between you and Swish/your bank — Kvitt never sees your card details or transaction contents. We only store that you marked a debt as paid (date + amount + recipient in your group).

Security

We protect your data through:

TLS encryption (HTTPS) for all communication between app and server
Encryption at rest in Cosmos DB and Blob Storage
Token-based access — each group member has a unique token; no one outside the group can read its contents
No passwords stored (we use device-bound tokens instead)

Your rights under GDPR

You have the right to:

Access a copy of your data
Rectify incorrect data (done directly in the app's profile)
Erase your account and associated data
Restrict the processing of your data
Receive your data in a portable format (CSV export is available in the app for your expense groups)
Object to processing

Send a request to hej@kvitt.org and we'll respond within 30 days.

You also have the right to lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection (IMY), if you believe we are handling your data improperly.

Cookies and tracking

The kvitt.org website uses no cookies and no tracking. The app does not use cross-app tracking (we don't even call Apple's App Tracking Transparency API because we don't track you).

Limitation of liability

Kvitt is a utility app for keeping track of shared expenses. We are not responsible for the accuracy of the information you enter into the app, nor for the outcome of Swish payments you initiate via the app — Swish is a separate service from Getswish AB and Kvitt only forwards your pre-filled values to their app. Always verify the payment amount and recipient in the Swish app before approving.

Children

Kvitt is intended for people aged 13 and older. We do not knowingly collect data from children under 13. If you discover that a child has submitted data, contact us and we will delete it.

Changes to the policy

We may update this policy from time to time. Material changes are announced in the app before they take effect. The "Last updated" date at the top shows the current version.

Contact

Questions about personal data, or requests for deletion/export:
hej@kvitt.org