Privacy Policy
Effective date: May 17, 2026
1. Data controller
The data controller for your personal information is taffel. For privacy-related inquiries, contact us at hi@taffel.app.
2. Data we collect
We collect the following data when you use taffel:
- Email address: when you register or join an event with your email
- Display name: the name you choose to identify yourself in events
- Country and city: automatically detected from your connection or language settings
- Device type: mobile, desktop, or tablet (to optimize the experience)
- Receipt photos: images of restaurant bills you upload for OCR processing
- Usage data: events created, events joined, last login
- Ad impression data: city, device type, and approximate view duration when you view or interact with a sponsor ad (aggregated analytics only; we do not link ad events to your account)
3. Purpose of processing
We use your data to:
- Provide the bill-splitting service
- Send you verification codes by email to access your account
- Process receipt photos using AI services to extract items and amounts
- Display contextual advertising through Google AdSense
- Generate aggregated, anonymous statistics about restaurant prices and consumption
- Send you partner communications (only if you gave explicit consent)
- Improve the service and detect abuse
4. Third-party services
We use external providers to operate the service, which may receive data:
- Resend: verification code email delivery. Receives your email address
- AI services: receipt photos are sent to AI services to extract text. Images are processed temporarily
- Cloudflare: image storage and anti-bot protection
- Google AdSense: contextual advertising. Google may use its own cookies to serve relevant ads. See Google's privacy policy
5. Cookies
taffel uses strictly necessary cookies for the service to work: session (taffel_session) and language (NEXT_LOCALE). These are set without extra consent because they are required for the product.
If you access taffel from the European Union, the European Economic Area, or the United Kingdom, the cookie banner appears the first time you are about to see an ad placement (e.g. while processing a receipt), not on the home page. Third-party advertising cookies (Google AdSense) load only if you choose “Accept all” or enable them in “My account” / the footer “Cookies” link; once you have chosen, we do not ask again. If you choose “Essential only”, you can still use taffel normally without AdSense. Outside those regions (e.g. Latin America) we do not ask for that consent and AdSense may load according to site configuration. taffel's own sponsor placements may appear in any case.
We do not use proprietary analytics cookies or third-party behavioral tracking tools.
6. Data retention
- Receipt photos: images not linked to any event are automatically deleted after 48 hours. Images linked to events may be retained in anonymized form to train recognition models
- Event data: items, amounts, and split data are retained in anonymized form to improve the service and train recognition models. Personal data linked to the event (account email and name) is removed when you delete your account
- Account data: retained while you have an active account. You can delete your account at any time from “My account”
- Anonymized statistical data: may be retained indefinitely as it cannot be attributed to any individual
7. Your rights
You have the right to:
- Access: request a copy of the data we hold about you by writing to hi@taffel.app
- Erasure: delete your account and personal data directly from the “My account” section in the app
- Withdraw marketing consent: you can disable partner communications at any time from “My account”
8. International transfers
Your data may be processed on servers located outside your country of residence, including Supabase, Cloudflare, and AI provider infrastructure. We only work with providers that offer adequate data protection guarantees.
9. Security
We implement reasonable technical measures to protect your data, including HMAC tokens for authentication, secure HttpOnly cookies, and encrypted communications (HTTPS). However, no system is 100% secure.
10. Minors
taffel is not directed at persons under the age of 18. If you become aware that a minor has provided personal data, please contact us at hi@taffel.app.
11. Changes to this policy
We may update this policy periodically. In the event of material changes, we will notify you by email if you have a registered account.
12. Contact
To exercise your rights or for privacy inquiries, contact us at hi@taffel.app.