Privacy Policy
Effective Date: March 2026
1. Introduction
At SetAll ("Company", "we", "our", "us"), we respect your privacy and are strongly committed to keeping your personal data secure. This Privacy Policy describes how we collect, use, process, and disclose your information across our website, mobile applications, and desktop applications (collectively, the "Service").
SetAll operates a non-custodial ledger system. We do not ask for, process, or store your bank account details, credit card numbers, or social security numbers.
2. Information We Collect
We only collect the information absolutely necessary to provide the Service to you and your groups. This includes:
- Account Information: When you register, we collect your email address, a chosen display name, and an optional profile picture. If you use Single Sign-On (e.g., Google or Apple), we collect your email and public profile data authorized by those providers.
- Ledger & Transaction Data: To calculate debts, we store the metadata of expenses you input, including descriptions, amounts, currencies, dates, and the internal user IDs of the group members involved.
- Device & Usage Information: We collect non-personally identifiable technical information, such as device type, OS version, app version, IP addresses, and crash logs to improve the stability of our multi-platform syncing engine.
- Push Notification Tokens: When you enable notifications, we collect a device push token (via Firebase Cloud Messaging) used solely to deliver expense reminders and group activity alerts to your device. This token is deleted when you sign out or delete your account.
- Local Device Storage: The app stores a local encrypted copy of your data on your device using SQLite and system secure storage (SharedPreferences / Keychain). This local data is used to enable offline access and is not shared with any third party.
3. How We Use Your Information
We use your data strictly to operate, maintain, and improve the SetAll Service. Specifically, we use your information to:
- Sync your ledger across your personal devices via our cloud infrastructure.
- Calculate optimized debt settlements using the "Greedy Flow" algorithm and securely display these balances to authenticated members of your groups.
- Send you critical transactional emails, such as password resets, login links, and group invitations.
- Diagnose app crashes, monitor server load, and perform security audits.
3a. Lawful Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following lawful bases as defined in Article 6 of the GDPR:
- Performance of a Contract (Art. 6(1)(b)): Processing your account information, ledger data, and group membership is necessary to provide the Service you signed up for.
- Legitimate Interests (Art. 6(1)(f)): We process crash logs, usage diagnostics, and security data to maintain the stability and security of the Service. These interests do not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where we request your consent (e.g., push notifications), you may withdraw it at any time through your device settings or by contacting us.
4. How We Share Your Information
We do not sell, rent, or trade your personal data to data brokers, marketing agencies, or any other third party. We only share information in the following limited circumstances:
- With Other Users: When you join a shared group, your display name, avatar, and the expense records you participate in are visible to other members of that specific group.
- With Service Providers: We share data with the following trusted infrastructure providers, each bound by data processing agreements, solely to operate the Service:
  - Supabase (United States) — database hosting, authentication, and real-time sync
  - Google / Firebase (United States) — crash reporting (Crashlytics), push notifications (FCM), and app distribution
  - Groq, Inc. (United States) — AI language model inference for the Insights Hub feature. When you use the AI chat or Deep Analysis features, the text of your query and anonymised financial context (expense categories and totals, not individual transaction details) are transmitted to Groq's servers to generate a response. Groq does not use this data to train its models. You can opt out of AI features by not using the Insights Hub.
  - Resend (United States) — transactional email delivery (account verification, group invitations)
  - Netlify (United States) — web application hosting and serverless function execution
- For Legal Reasons: We may disclose your information if required by law or in response to valid requests by public authorities.
4a. International Data Transfers
SetAll is operated from Georgia and our service providers are primarily located in the United States. If you are located in the EEA, UK, or Switzerland, your personal data is transferred outside your jurisdiction to countries that may not provide the same level of data protection.
We rely on the following safeguards for these transfers:
- Standard Contractual Clauses (SCCs): Our agreements with Supabase, Google/Firebase, and Resend incorporate EU Standard Contractual Clauses as approved by the European Commission.
- Data Processing Agreements: All third-party processors are bound by contractual obligations to protect your data and process it only on our documented instructions.
You may request a copy of the relevant safeguards by contacting us at [email protected].
5. Data Security
SetAll employs industry-standard measures to protect your data, including:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest on our database servers.
- Row Level Security (RLS): Database policies are strictly enforced so that a user can only query and retrieve expenses and group data they are explicitly authorized to view.
However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
6. Data Retention and Deletion
We retain your personal data only for as long as your account is active or as needed to provide the Service. Specific retention periods are:
- Account and ledger data: Retained for the lifetime of your account. Upon deletion, all personal data is permanently removed from our active servers within 30 days.
- Crash logs and diagnostics: Retained for up to 90 days, then automatically purged.
- AI chat history: Stored locally on your device only. Not retained on our servers beyond the duration of the request. Cleared automatically when you sign out.
- Push notification tokens: Deleted immediately upon sign-out or account deletion.
- Shared group data: If you delete your account while a member of a shared group, your display name is replaced with "Deleted User" and expense records you participated in remain visible to other group members for settlement continuity. You may request full anonymisation of your contributions by contacting us before deleting your account.
- Legal hold: We may retain certain data longer if required by applicable law or to resolve disputes.
Account Deletion: You can initiate permanent deletion of your account and all associated personal data directly within the SetAll app under Settings → Delete Account. You will receive a confirmation email once deletion is complete.
7. Your Privacy Rights (GDPR, UK GDPR & CCPA)
Depending on your location, you may have the following rights regarding your personal information:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. You can do this directly in-app via Settings → Delete Account, or by contacting us.
- Right to Data Portability: Request a machine-readable export of your personal data. To exercise this right, email [email protected] with the subject "Data Export Request". We will provide a JSON or CSV file of your data within 30 days.
- Right to Object or Restrict Processing: Object to or request restriction of certain processing activities, including processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent (e.g., push notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- CCPA Rights (California residents): You have the right to know what personal data we collect, the right to delete it, and the right to opt out of the sale of personal data. We do not sell personal data.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law). We may need to verify your identity before processing your request. If you are in the EEA or UK and believe your rights have been violated, you have the right to lodge a complaint with your local supervisory authority.
8. Children's Privacy
Our Service is not directed to anyone under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If we discover that a child has provided us with personal data, we will immediately delete that information from our servers.
9. Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top.
9a. Automated Decision-Making
SetAll does not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you. The AI Insights Hub feature generates suggestions based on your data, but all financial decisions remain entirely yours.
10. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the exercise of your data protection rights, please contact us. For EEA and UK users, this contact serves as the point of contact for our Data Protection responsibilities:
[email protected]
SetAll Fintech Systems · 56 Tbilisi-Kojori st, Tbilisi, Georgia · Response time: within 30 days