Privacy Policy
Monkey Split is built privacy-first. No ads. No third-party analytics. No cross-site tracking. No selling or sharing of data. The sections below spell out what we do process, why, and under which legal basis.
1. Controller
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is listed in our Imprint.
2. What data is processed
Monkey Split is a shared-expense app. We only process the data strictly necessary to operate your account and share expenses with the people you invite into a group.
2.1 Account data
When you create an account, we store your email address (for authentication and password recovery) and, optionally, a display name and profile picture.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract (providing the service you signed up for).
2.2 Expense and group data
Expenses, groups, participants, splits, and settlements you create are stored so that everyone in the group sees the same shared tab. This data is only visible to members of the group.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract.
2.3 Authentication cookies
We set a first-party session cookie so you stay signed in between visits. This is the only cookie we set. It contains an opaque session token — no personal information.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in keeping you signed in (essential cookie, no consent required).
2.4 Hosting (Cloudflare)
The app and its database are hosted on Cloudflare (Workers, D1, KV, Pages). When your browser connects to our servers, Cloudflare necessarily processes your IP address, request URL, and user-agent. Cloudflare may retain security logs for up to 72 hours.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in serving and protecting the service.
3. Data we do NOT collect
- No analytics (no Google Analytics, no Matomo, no Plausible)
- No advertising, retargeting, or marketing pixels
- No cross-site tracking or browser fingerprinting
- No sale or sharing of data with third parties
- No behavioural profiling
4. Third-party services
| Service | Provider | Purpose |
|---|---|---|
| Cloudflare Workers, D1, KV, Pages | Cloudflare, Inc. (US, EU processing) | App hosting & database |
| Cloudflare Turnstile | Cloudflare, Inc. | Bot protection on signup |
| Google OAuth | Google LLC (US) | Sign-in (only if you click "Continue with Google") |
Cloudflare, Inc. and Google LLC are based in the United States and participate in the EU-US Data Privacy Framework.
5. Your rights (Art. 15–21 GDPR)
- Access (Art. 15) — request information about your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — delete your account and data
- Data portability (Art. 20) — export your data
- Objection (Art. 21) — object to processing
To exercise any of these rights, contact us via the information in the Imprint. We respond within 30 days.
6. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
7. Data retention
Account and expense data are retained as long as your account exists. Deleting your account removes your personal data; expenses in groups you shared with others may be anonymised to preserve the shared balance history for the remaining members.
8. Changes to this policy
We may update this policy to reflect changes in practice or legal requirements. The "Last updated" date above marks the most recent revision.