Privacy Policy
Last updated: March 12, 2026
1. Introduction
Spliz, SASU ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your personal information. For our full legal information, see our Legal Notice page.
2. Data we collect
We collect minimal data necessary to provide the service: your wallet address (public, on-chain), display name and avatar (if provided), email address (if you sign in with Google or Apple via Privy), device identifiers for push notifications, and expense data you enter in the app (descriptions, amounts, members). We do not collect or store your private keys.
3. How we use your data
Your data is used solely to operate Spliz. We process your data on the following legal bases: (a) contract performance (GDPR Art. 6(1)(b)) for expense tracking, balance calculation, and settlement coordination; (b) legitimate interest (Art. 6(1)(f)) for service improvement, security monitoring, and fraud prevention; (c) legal obligation (Art. 6(1)(c)) for settlement record retention. We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Sub-processors and third-party services
Spliz relies on the following sub-processors. Each operates under its own privacy policy and only receives the minimum data needed for its purpose.
Privy (authentication and embedded wallets, US — SCCs): wallet address, email if you sign in with Google or Apple.
Coinbase (USDC on-ramp, US — SCCs): wallet address, IP for KYC and geo-fencing.
Bridge (SEPA on-ramp, US — SCCs, planned V2): wallet address, IBAN, KYC documents.
WalletConnect (external-wallet protocol, distributed infrastructure): wallet address, RPC payloads.
Expo (push notifications, US — SCCs): push token, notification metadata.
Sentry (error monitoring, US — SCCs): hashed user identifier, error stack traces, breadcrumbs (no message bodies, no expense amounts beyond truncated metadata).
Chainalysis Oracle (AML sanctions screening, on-chain read-only): wallet address checked against the OFAC list — see section 9.
Cloudflare R2 (avatar storage and immutable compliance log, US — SCCs): avatar image bytes and hashed wallet addresses for audit.
Railway (API hosting, US — SCCs): all backend data.
Vercel (website hosting, US — SCCs): no user data, only the public landing page.
Base network (settlement, public blockchain): on-chain transaction data.
We do not sell, rent, or share your data with third parties for advertising.
5. International transfers
Some of our service providers are based outside the European Economic Area, primarily in the United States (Privy, Coinbase, Expo, Vercel, Railway). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or the EU-US Data Privacy Framework where applicable. On-chain transaction data is stored on a decentralized network accessible globally.
6. On-chain data
Settlement transactions are recorded on the Base blockchain and are publicly visible. This includes wallet addresses, USDC amounts, and transaction timestamps. On-chain data cannot be deleted as it is part of the public blockchain ledger.
7. Data storage & security
Off-chain data (account info, expense details) is stored on secure servers. We use encryption in transit (TLS) and at rest. Access to production data is restricted to authorized personnel only.
8. Data retention & deletion
You can delete your account at any time from the app settings or via our public deletion page (https://spliz.app/account-deletion). We retain each data category only as long as necessary, with the following maximum durations:
authentication tokens — 24 hours;
active sessions — 90 days after revocation;
account in soft-delete state — 30 days grace period before irreversible erasure;
in-app notifications — 90 days after they are read;
settlement notification dedup records — 30 days;
avatars and push tokens — deleted at the moment you delete your account;
settlement records on our database — 5 years (French commercial code retention obligation);
compliance audit logs covering sanctions or AML events — 7 years (mandated by DAC8 / AMLD6 EU regulations);
on-chain settlement transactions — permanent and outside our control.
Expense data in an active Spliz remains until the group is archived or every member deletes their account.
9. Your rights (GDPR) and automated decisions
If you are in the European Economic Area, you have the right to: access your personal data, rectify inaccurate data, request deletion of your data, restrict or object to processing, data portability, and withdraw your consent at any time. To exercise these rights, contact us at privacy@spliz.app. You also have the right to lodge a complaint with your local supervisory authority (in France: CNIL — www.cnil.fr).
Automated decision-making (Art. 22 GDPR): Spliz applies automated controls required by EU anti-money-laundering regulations (DAC8 / AMLD6). Wallet addresses are screened against the Chainalysis on-chain sanctions oracle and against per-user transfer limits; a settlement or transfer involving a sanctioned address or exceeding the configured limit is automatically blocked. The legal basis is the legal obligation we are under (GDPR Art. 6(1)(c)). You have the right under Art. 22 GDPR to obtain human review, express your point of view, and contest such a decision — email privacy@spliz.app and we will conduct a manual review within 30 days. Providing your wallet address is necessary to use the settlement features; display name and avatar are optional.
10. Cookies & tracking
The Spliz mobile app does not use cookies. Our website (spliz.app) uses only essential cookies required for functionality. We do not use advertising trackers or analytics that identify individual users.
11. Changes to this policy
We may update this privacy policy from time to time. We will notify you of significant changes via the app or email. Continued use of Spliz after changes constitutes acceptance of the updated policy.
12. Children’s privacy
Spliz is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information, please contact us at privacy@spliz.app so we can delete it.
13. Contact
For privacy-related questions or requests, contact us at privacy@spliz.app.