Privacy Policy
Last updated: June 4, 2026
1. Introduction
Biller ("we," "our," or "us") is an iOS app for splitting bills with groups. It tracks who paid what and who owes whom across trips, roommates, dinners, and recurring shared costs. This Privacy Policy explains what data we collect, what we don't, and how the data you create inside the app flows between your device, our backend (Firebase), and the small set of third-party services Biller relies on.
Biller is built by one developer. We don't sell ads, we don't track you across other apps, and we don't share your expense data with anyone beyond the providers described below that are needed to run the app.
2. Biller Does Not Move Money
This is the most important thing to understand about Biller's privacy posture. Biller is a record-keeping tool, not a payment service. We never see, hold, send, receive, or move money on anyone's behalf. We are not a bank, a money transmitter, or a payment processor.
When you "settle up" in Biller, you are only making a ledger entry that records a debt as paid. The actual money moves wherever you already settle up with each other: cash, Venmo, a bank transfer, whatever you choose, all outside of Biller. Because no payments happen in the app, we do not collect or store bank account numbers, card numbers, or any payment credentials. There is no payment account to link.
3. How Your Data Flows
Understanding the data flow is the clearest way to understand our privacy model:
- Device ↔ Firebase (your groups and expenses): Your account, your groups, the expenses inside them, settlements, your contacts, and your notification feed are stored in Google Firebase (Firestore). A group and its expenses are readable only by the members of that group; everything else is scoped to your user ID. Security rules enforce this on the server, not just in the app.
- Device ↔ Firebase Storage (receipt photos): If you attach a receipt photo to an expense, the image is uploaded to Firebase Storage. It is owned by you (the uploader) and visible to the members of that group.
- Device ↔ Cloud Function ↔ OpenAI (the AI explainer): When you tap "Explain this for me" on an expense (or ask "why?" on a balance), the request goes to a Firebase Cloud Function we run, which forwards the relevant details to OpenAI (currently the gpt-4o-mini model) to produce the explanation text. The OpenAI API key never ships to your phone; all AI calls go through our server. What we send to OpenAI for a single explanation is: the expense (description, amount, currency, who paid, the participants, and the split breakdown), the group name, your first name (so the explanation can say "you"), and your question. Per OpenAI's API data policy, API submissions are not used to train OpenAI's models. The explanation text is returned to your device and cached so the same question doesn't need to be regenerated.
- Device ↔ Apple (sign-in): If you sign in with Apple, Apple handles authentication and returns a token to Firebase Auth. We never see your Apple password. Apple may relay a private, anonymized email address instead of your real one.
- Device ↔ RevenueCat ↔ Apple (subscriptions): If you subscribe to Biller Pro, the purchase is processed by Apple. RevenueCat sits between the app and Apple to tell us whether your subscription is active. RevenueCat receives your Firebase user ID and the purchase and subscription events Apple returns. We never see your Apple ID or payment method.
- Device ↔ PostHog (product analytics): Biller sends anonymous behavioral events to PostHog (for example "expense created," "AI explanation requested," "paywall shown," "subscription started") keyed to your Firebase user ID, so we can understand which parts of the app work. These events carry coarse metadata only (such as the split method used or the paywall source). The content of your expenses, your receipt photos, member names, and the AI explanation text are not sent to PostHog. You can opt out of analytics from Settings → Data & Analytics.
4. Information We Collect
Account information
- Email address (from email/password sign-up, or the address Apple relays)
- A Firebase Authentication user ID (UID), generated when you sign up
- The sign-in provider you used (email/password or Apple)
- Your display name, shown to other members of your groups
- A profile photo URL, if you set one
- A phone number, only if you choose to add one for contact linking
Biller does not send a verification email at sign-up. The app is a ledger and calculator, not a financial account, so you can start using it immediately.
Group and expense content (created by you)
- Groups: name, optional emoji, optional cover photo, currency, and who the members are
- Expenses: description, category, amount, currency, who paid, the participants, the split method and the resulting split
- Settlements: a ledger entry recording that a debt was paid, with an optional note like "paid in cash" or "Venmo"
- Receipt photos you attach to an expense (stored in Firebase Storage)
- Your personal contacts list inside the app (name, optional email, optional phone, whether they're a favorite)
Balances are derived from your expenses and settlements by a Cloud Function; the app reads them but never writes them directly.
AI explanation records
- The explanation text returned to you, plus which expense and group it was about
- A hash of the expense state used to cache and reuse identical requests for up to 30 days
- The model used and token counts, kept for cost monitoring
- A monthly counter of how many fresh explanations you've used (to enforce the free-tier limit of three per month)
These records are written only by our Cloud Functions.
Subscription state
- Whether your Biller Pro entitlement is active, which product, and its expiry date, as reported by RevenueCat / Apple
- A cached count of how many groups you have, used to enforce the free-tier limit of three active groups
Preferences
- Your theme choice (system / light / dark), language, and per-trigger notification toggles
- Whether you've opted out of PostHog analytics
Product analytics (PostHog, anonymous behavioral events)
- Event names like "expense_created," "ai_explain_requested," "paywall_shown," "subscription_started," "group_created," tied to your Firebase user ID
- Coarse metadata such as the split method used, whether an AI explanation was served from cache, and which paywall source was shown
The content of your expenses, receipt photos, member names, and AI explanation text is never sent to PostHog. You can turn analytics off in Settings → Data & Analytics.
What we do NOT collect
- No bank account numbers, card numbers, or payment credentials (Biller moves no money)
- No advertising identifier (no IDFA, no IDFV-based tracking)
- No location data, calendar, microphone, or sensor data
- No third-party ad networks, ad SDKs, or retargeting trackers
- No cross-app or cross-site tracking of any kind
- No session recording or screen replay
5. Camera, Photos & Contacts
Biller requests three device permissions, each only when you use the feature that needs it:
- Camera: to scan another person's profile QR code so you can add them as a contact, and to take a photo of a receipt. (Biller has no "scan to pay" feature, because no money moves through the app.)
- Photo library: to pick an existing photo of a receipt to attach to an expense.
- Contacts: optional. If you allow it, Biller can read your phone contacts so you can quickly pick people when building a group. Your contacts stay on your device and are not uploaded, unless you explicitly save one into your in-app contacts list.
6. Third-Party Services
The App relies on the following services, each with their own privacy policies:
- Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Functions): hosts your account, groups, expenses, settlements, contacts, and receipt photos, and runs the AI explainer and account-deletion logic on the server.
- OpenAI: receives the expense details, group name, your first name, and your question from our Cloud Function in order to write an explanation, only at the moment you ask for one. Per OpenAI's API data policy, API submissions are not used to train their models.
- Apple: handles Sign in with Apple, App Store distribution, and Biller Pro in-app subscription billing.
- RevenueCat: reports your Biller Pro subscription status to the app and to our backend. RevenueCat receives your Firebase user ID and the purchase events Apple returns. RevenueCat processes data in the United States.
- PostHog: product analytics. Receives anonymous behavioral events keyed to your Firebase user ID, with no expense content. Hosted at us.i.posthog.com (United States). Session recording is disabled, and you can opt out in Settings.
7. Data Retention & Deletion
Your groups, expenses, settlements, contacts, and receipt photos live in your account so the group ledger stays intact over time.
You can delete your entire account from Settings → Security → "Delete account." This calls a Cloud Function that:
- Marks the account for deletion with a 24-hour grace period, in case you change your mind, and immediately invalidates all of your sign-in sessions
- After the grace period, deletes your Firebase Auth account, your user document, your contacts, your notifications, your AI usage counters, and the AI explanation records tied to you
Expenses and settlements inside a shared group are not deleted, because they are shared facts that belong to the other members too (deleting your half would corrupt everyone else's balances). Instead, your name is replaced with "Former member" in those groups. If you sign back in with the same credentials within the 24-hour window, the deletion is cancelled.
8. Legal Basis for Processing (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Contractual necessity (Art. 6(1)(b) GDPR): account creation, storing your groups and expenses, and generating explanations, all necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR): basic platform operation, analytics for product improvement (which you can opt out of), and abuse prevention.
9. International Data Transfers
Firebase, OpenAI, RevenueCat, and PostHog all process data in the United States. If you access Biller from outside the U.S., your data is transferred to and processed in the U.S. These providers offer Standard Contractual Clauses for cross-border transfers.
10. Your Rights
You have the right to:
- Access the personal information stored in your account (visible in the app)
- Delete your entire account at any time from Settings
- Opt out of product analytics from Settings → Data & Analytics
- Request a copy of your data by emailing us
EEA/UK residents (GDPR): you also have the right to data portability, the right to restrict or object to processing, and the right to lodge a complaint with your local data protection authority.
California residents (CCPA/CPRA): you have the right to know what personal information we collect, the right to delete it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information.
11. Children's Privacy
Biller is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will delete the account.
12. Security
Authentication tokens are kept in the iOS Keychain via Expo Secure Store. All traffic between the app, Firebase, and the Cloud Functions uses HTTPS. Firestore security rules restrict each group to its members and everything else to your own UID, and the sensitive collections (balances, subscriptions, AI records) can only be written by our Cloud Functions, not by the app. No system is perfectly secure, but Biller doesn't store anything beyond what's needed to keep your group ledgers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on this page and (if significant) in the app. Continued use of Biller after changes constitutes acceptance.
14. Contact
For questions, requests, or anything else, write to support@moetalaat.com.
15. Summary
In short: Biller keeps your groups and expenses in Firebase, scoped so only the right people can read them. No money moves through Biller; settling up is just a ledger entry, and we never touch your payment details. When you ask the AI to explain a split, the expense details and your first name go to OpenAI only at that moment, only to write the explanation, and are not used to train any model. We run anonymous product analytics (PostHog) you can switch off, never on the content of your expenses. We don't run ads, we don't track you across other apps, and we don't sell your data. Delete your account and your personal data is removed; shared group facts stay, attributed to "Former member."
