Privacy Policy for Billka AI
1. Introduction
This Privacy Policy explains how Sytoss, s. r. o. ("we," "us," or "our") collects, uses, and protects your personal data when you use the Billka AI mobile application ("App"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Data Controller:
- Sytoss, s. r. o.
- Hany Meličkovej 6, 841 05 Bratislava - mestská časť Karlova Ves, Slovakia
- Email: info@sytoss.com
- Website: https://sytoss.com
2. Data We Collect
2.1 Information You Provide Directly
- Email Address: Required for account registration and login
- Name: Optional, for self-identification within the app (can be any text)
- Receipt/Bill Photos: Images you upload for scanning and expense tracking
2.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers
- IP Address: For error logging and security purposes
- App Usage Data: How you interact with our app (if analytics consent is given)
- Marketing Attribution Data: Information about which advertisement led to app installation (if marketing consent is given)
3. How We Use Your Data
We process your personal data for the following purposes:
3.1 Essential Services (Legal Basis: Contract Performance)
- Creating and managing your account
- Processing receipt/bill images to extract expense information
- Enabling expense splitting and saving features
- Providing search functionality for your saved receipts
3.2 App Improvement (Legal Basis: Legitimate Interest)
- Debugging and fixing technical issues through error logs
- Improving app performance and user experience
3.3 Analytics and Marketing (Legal Basis: Consent)
- Understanding app usage patterns (with your consent)
- Measuring effectiveness of marketing campaigns (with your consent)
3.4 Automated Decision-Making
We do not use your data for automated decision-making or profiling within the meaning of Article 22 of the GDPR.
4. Data Sharing and Third-Party Services
We use the following third-party services to provide and improve our app:
4.1 Essential Services
- Supabase: Authentication and user management (EU-Central-1)
- Google Vertex AI/Gemini API: Receipt image processing and text recognition (EU)
- Hetzner: Backend hosting (Germany)
- DigitalOcean Spaces: Image storage (EU)
- ElasticSearch: Search functionality (hosted on our servers in Germany)
- Google Cloud Run: PDF to JPG conversion service (EU)
4.2 Optional Services (Based on Your Consent)
- Sentry: Error tracking and app stability monitoring (Frankfurt, Germany)
- AppsFlyer: Marketing attribution and campaign effectiveness (connected to Google Ads, Meta Ads Manager, TikTok Ads Manager)
We do not sell your personal data to third parties. Data sharing is limited to the services mentioned above for the specified purposes only.
4.3 Sub-processors
Some of our service providers may use sub-processors. We ensure that all sub-processors are bound by data protection agreements that provide at least the same level of protection as this policy.
5. Data Storage and Security
5.1 Storage Locations
All your data is stored within the European Union:
- Backend servers: Germany (Hetzner)
- Authentication data: EU-Central-1 (Supabase)
- Error logs: Frankfurt, Germany (Sentry)
- Images: EU (DigitalOcean)
We do not transfer your personal data outside the EU/EEA.
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Secure authentication through Supabase
- Encrypted data transmission
- Access controls and authentication for our systems
- Regular security updates and monitoring
6. Data Retention
We retain your data for as long as your account is active. Specific data retention periods include:
- Authentication data: Deleted immediately when your account is deleted.
- Uploaded receipts and images: Anonymized within 7 days after account deletion.
- Anonymized data (not linked to any user): Retained indefinitely for statistical and analytical purposes.
We are implementing automated data retention policies to ensure timely deletion or anonymization.
6.1 Anonymization Process
Anonymization is performed using one-way cryptographic hashing of user IDs and removal of any identifiable metadata from receipt images. After this process, the data can no longer be linked back to you and is no longer considered personal data under the GDPR.
7. Your Rights Under GDPR
As a data subject, you have the following rights:
7.1 Right to Access
You can request a copy of all personal data we hold about you by emailing info@sytoss.com.
7.2 Right to Rectification
You can update your name and email in the app settings.
7.3 Right to Erasure (Right to be Forgotten)
You can delete your account through the "Delete Profile" button in the app settings. We will send you an email with further instructions to complete the deletion process.
7.4 Right to Restrict Processing
You can limit how we process your data through the consent settings in the app.
7.5 Right to Data Portability
To request your data in a portable format, please contact us at info@sytoss.com.
7.6 Right to Object
You can object to certain types of processing through the app's privacy settings.
7.7 Right to Withdraw Consent
You can withdraw your consent for analytics and marketing at any time through the app settings.
Note: Withdrawing your consent does not affect the lawfulness of any processing carried out before the withdrawal (Article 7.3 GDPR).
8. Consent Management
When you first launch the app, you will be presented with consent options for:
- Necessary: Essential app functionality (always enabled); this consent cannot be withdrawn because it is required for the app to function
- Analytics: Error tracking with full data (Sentry)
- Marketing: Attribution tracking (AppsFlyer)
You can change these preferences at any time in the app settings. If you decline analytics consent, Sentry will still function but will automatically filter out personal identifiers.
9. Children's Privacy
Our app is rated 3+ in app stores, but we do not knowingly collect personal data from children under 16. The app requires email registration, which typically indicates users are above this age. If we become aware that we have collected data from a child under 16, we will take steps to delete that information.
10. Future Changes
10.1 Planned Features
We plan to introduce subscription features using RevenueCat. When implemented, this policy will be updated to reflect the additional data processing.
10.2 Policy Updates
We may update this Privacy Policy from time to time. We will notify you of any material changes through the app or via email. The "Effective Date" at the top will always reflect the latest version.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: info@sytoss.com
Address: Sytoss, s. r. o., Hany Meličkovej 6, 841 05 Bratislava - mestská časť Karlova Ves, Slovakia
Website: https://sytoss.com
12. Data Protection Authority
You have the right to lodge a complaint with a supervisory authority. The relevant authority for Slovakia is:
Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky)
Námestie 1.mája 18
811 06 Bratislava
Slovak Republic