Privacy Policy
Effective date: April 21, 2026 · Last updated: April 21, 2026
Nolstar Studio ("dvup", "we", "us", or "our") operates the dvup mobile application and related websites, including dvup.ca. This Privacy Policy explains what personal information we collect, how we use it, when we share it, how long we keep it, and what choices and rights you have.
1. Who We Are
Nolstar Studio is the controller for the personal information described in this policy unless this policy says otherwise. You can contact us at:
Nolstar Studio
103-3427 Roxton Ave
Coquitlam, British Columbia V3B0G7
Canada
Email: privacy@dvup.ca
General support: support@dvup.ca
2. Information We Collect
2.1 Information you provide or create
| Category | Examples | Why we use it |
|---|---|---|
| Account and profile data | Email address, display name, sign-in provider details | Create your account, authenticate you, sync your data, and provide support |
| Group and collaboration data | Group names, member names, avatars, colors, invite information, family-plan invite emails | Run shared groups and manage collaboration features |
| Expense and settlement data | Expense labels, amounts, currencies, notes, splits, recurring rules, settlement history, optional payment links you add | Provide the core expense-splitting service |
| Receipt data | Receipt images you choose to scan, on-device OCR text, parsed receipt fields, locally saved receipt photos | Read receipts, let you review them, and attach optional photos to expenses |
| Subscription and plan data | Product IDs, entitlement status, subscriber identifiers, purchase or restore events | Manage paid plans and unlock features when applicable |
| Support and communications | Emails you send us, bug reports, responses, and related attachments | Answer support requests and resolve issues |
2.2 Information collected automatically or generated by using the service
| Category | Examples | Why we use it |
|---|---|---|
| Device and app diagnostics | App version, device type, OS version, locale, crash data, error breadcrumbs, performance traces, crash screenshots | Keep dvup stable, secure, and compatible |
| Notification identifiers | FCM tokens, APNs tokens, platform, locale | Send push notifications you allow and keep them localized |
| Receipt scan operational metadata | Temporary image hashes, structured scan results, scan counters, scan-credit claims | Operate receipt scanning, enforce limits, prevent abuse, and support ad-earned scan credits |
| Advertising and consent data | Consent status, ad requests, ad interactions, device or app identifiers, IP address, and similar signals processed by Google's ad stack | Serve and measure free-tier ads and honor consent choices where required |
| Travel-mode location-derived data | If you enable auto-detect, the app requests device location and converts it into a country/currency result | Set a travel currency automatically; we do not send raw latitude/longitude to our backend for this feature |
| Local cache and preferences | Offline group data, expenses, preferences, onboarding state, receipt photos stored on your device | Make the app work offline and remember your settings |
| Website request data | IP address, browser, user agent, referrer, and basic request logs handled by hosting, CDN, or font providers | Deliver and secure our website |
2.3 Things we do not do
- We do not sell your personal information for money.
- We do not access your contact list or address book.
- We do not move or hold money between users; dvup is a tracking tool, not a payment processor.
- We do not store raw receipt images in our backend database or storage when you use the scan feature. Locally attached receipt photos stay on your device unless you choose to remove them.
3. How We Use Information
We use personal information to:
- Create accounts and sign users in with email, Apple, or Google.
- Sync groups, expenses, balances, recurring items, payment links, and family-plan coverage across devices.
- Process receipt scans, including an on-device OCR step and a server-side AI extraction step when you request it.
- Deliver push notifications, local notifications, and account or service messages.
- Operate free-tier ads, ad-earned scan credits, and paid feature access.
- Support travel-mode currency detection and exchange-rate features.
- Prevent abuse, rate-limit scans, debug failures, monitor performance, and improve reliability.
- Comply with legal obligations and enforce our Terms of Use.
4. How Information Is Shared
4.1 With other dvup users you choose to interact with
dvup is a collaborative product. People in the same group may be able to see information needed to use the service together, including your display name, the email address linked to your claimed member slot, optional payment links you choose to add, group membership, expense details, receipt details, and settlement activity. If you delete your account, shared ledger history may remain for other members while your slot is anonymized to "Former member" where applicable.
If another user invites you to a family plan, we receive the email address they enter for you from that user. We use that email to hold the invitation, show it to the intended account, and administer the shared plan.
4.2 With service providers and platforms
- Supabase — authentication, database, and edge-function infrastructure.
- Google Gemini API — receipt extraction for scans you initiate. Raw scan images are sent for processing but are not written to our persistent backend storage.
- Google ML Kit / platform OCR frameworks — on-device OCR runs locally on your device before or alongside server-side scanning.
- Google Firebase Cloud Messaging and Apple Push Notification service — push-delivery infrastructure.
- Google Mobile Ads / AdMob and Google User Messaging Platform — ads, ad measurement, and consent handling for the free tier.
- Sentry — crash reporting and performance monitoring, which can include technical diagnostics and crash screenshots depending on the event.
- Apple Sign in with Apple and Google Sign-In — authentication providers.
- RevenueCat and the Apple App Store / Google Play — subscription management and store billing if you purchase or restore a paid plan.
- Hosting, CDN, email, and website asset providers — website delivery, security, and support communications.
4.3 For legal, security, or business reasons
We may disclose information when required by law, legal process, or regulatory request; when we believe disclosure is necessary to protect rights, property, or safety; to investigate abuse or fraud; or in connection with a merger, acquisition, financing, or asset sale.
5. Legal Bases for Processing
Depending on where you are located, we rely on one or more of the following legal bases:
- Performance of a contract — to create your account, operate groups, sync expenses, deliver paid features, and provide the service you asked us to provide.
- Consent — for device permissions such as push notifications, camera/photo access, and optional travel-mode location detection, and for advertising choices where consent is required by law.
- Legitimate interests — for security, anti-abuse controls, diagnostics, service improvement, support, and enforcement of our terms, where those interests are not overridden by your rights.
- Legal obligation — where we must process or preserve information to comply with applicable law.
6. International Transfers
dvup is operated from Canada. Our service providers may process data in Canada, the United States, the European Union, or other countries where they operate. When required, we rely on applicable transfer mechanisms such as contractual protections, statutory adequacy decisions, or your consent where allowed by law.
7. Retention
- Account and profile data — kept while your account is active and for a reasonable period afterward as needed for support, security, and legal compliance, unless you request deletion sooner where available.
- Group, expense, and settlement records — kept until they are deleted or no longer needed for the service. If you delete your account, shared ledger records may remain for other group members while your personal identity is removed or anonymized where feasible.
- Family-plan invite emails and membership records — pending invite emails are kept while the invitation is pending. Family-plan records may remain afterward as part of plan history, billing support, fraud prevention, and account administration.
- Raw receipt scan images — processed transiently and not stored in our persistent backend storage after the scan request completes.
- Receipt scan logs — image hashes and parsed scan results are kept temporarily for up to 1 hour for rate limiting and deduplication.
- Scan counters and related plan records — kept as long as needed to enforce scan limits, synchronize feature access, and administer your account or plan.
- Device tokens — kept until sign-out, replacement, deletion, or stale-token cleanup.
- Local cache, preferences, and receipt photos on your device — kept on your device until you delete them, sign out, clear app data, or uninstall the app.
- Crash and performance data — kept according to our monitoring-provider retention settings and workspace configuration.
8. Your Choices and Rights
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information, and to withdraw consent where processing relies on consent.
- In-app controls — dvup currently includes in-app data export and account-deletion flows in the profile/settings area.
- Permissions — you can turn push, camera, photos, or location permissions on or off through the relevant feature prompt and through your device settings.
- Ad choices — ad consent choices may be managed in the app under Settings > Privacy choices, through your device settings, and through other controls offered by Google or your platform.
- Corrections — you can edit much of your group and expense content directly in the app. For other corrections, contact us.
- Complaints — if you are in the EEA, UK, or another jurisdiction with a supervisory authority, you may lodge a complaint with that authority.
To exercise rights we cannot fulfill directly in the app, email privacy@dvup.ca. We may need to verify your identity before fulfilling a request.
9. California and Other U.S. State Privacy Disclosures
In the last 12 months, we have collected categories of information that may include identifiers, account/contact information, user-generated content, subscription information, device and internet activity data, limited geolocation-related data, and diagnostics. We do not sell personal information for money.
Because the free tier includes advertising technology, some ad-related disclosures may be treated as "sharing" or targeted advertising under California or other U.S. state privacy laws. Where that applies, you can use Settings > Privacy choices in the app, your device settings, or contact us to request an opt-out. We do not knowingly use or disclose sensitive personal information for purposes requiring a special right to limit beyond the service uses described here.
10. Children's Privacy
dvup is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child provided personal information to us, contact privacy@dvup.ca and we will review and take appropriate action.
11. Security
We use safeguards designed to protect personal information, including encryption in transit, authentication controls, row-level access controls in our backend, and provider settings intended to reduce unnecessary data collection. No system is perfectly secure, and we cannot guarantee absolute security.
12. Cookies, Website Technologies, and Third-Party Links
The mobile app does not use browser cookies. Our website may rely on standard hosting, CDN, security, and font-delivery technologies, which can involve ordinary web requests to third parties. If we add non-essential cookies or analytics later, we will update this policy and provide any notices required by law.
Our app and website may link to third-party services. Their privacy practices are governed by their own policies, not this one.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we may notify you in the app, by email, or by updating the date at the top of this page.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise a privacy right, or need help with a data request:
Nolstar Studio
103-3427 Roxton Ave
Coquitlam, British Columbia V3B0G7
Canada
Email: privacy@dvup.ca
General support: support@dvup.ca