What the iOS app collects, why, and how you stay in control.
Last updated: 10 May 2026 · Effective: 10 May 2026
This policy covers the Easy Bill Split iOS app. For privacy practices on the main ffgcvs.com website, see the main privacy policy.
Short version: Easy Bill Split stores your bills on your device, not on a server. The only thing that ever leaves your phone is a receipt photo when you choose to scan one — and even then, the photo is processed for OCR and discarded shortly after. There is no account to create. We never see your name, your friends' names, the amounts on your bills, or who owes what. Anonymous app usage analytics and crash reports are collected to keep the app working; you can switch them off at any time in Settings.
Easy Bill Split and ffgcvs.com are operated by Felipe Goncalves, a sole trader based in London, United Kingdom. For the purposes of UK GDPR and the EU GDPR, Felipe Goncalves is the data controller.
Contact: [email protected]
The bills you create — names of the people you're splitting with, items, prices, taxes, tips — are stored locally on your iPhone or iPad using Apple's SwiftData framework. This data does not leave your device, is not synced to any server we control, and is not visible to us. If you delete the app, this data is removed with it.
If you choose to scan a receipt, the photo is sent over an encrypted (HTTPS) connection to our backend, which is hosted on Google Cloud (Firebase Cloud Functions, region us-central1, in Iowa, USA). The backend forwards the photo to Google's Gemini 2.5 Flash API for optical character recognition (OCR), receives the extracted line items back as structured text, and returns them to your app.
To prevent abuse and to avoid charging you (or us) for redundant scans, the backend keeps a SHA-256 hash of the photo and the OCR result in a temporary cache for up to 7 days. After that window the cache entry is automatically deleted by Firestore's TTL policy. The original photo itself is not retained.
The photo is processed for the sole purpose of returning structured line items to your app. It is not used to train AI models. Per Google's terms for the paid Gemini API, prompts and responses submitted via API key are not used to improve Google's products.
When the app first launches, Firebase Authentication creates an anonymous user ID for your install. This is a random string. It is not linked to your name, email, Apple ID, or any other personal identifier. We use it to enforce a per-install monthly cap on receipt scans (so a single device can't accidentally or maliciously rack up unbounded API costs) and to power App Check, an abuse-prevention layer that confirms requests are coming from a genuine copy of our app. If you reinstall the app, a new anonymous ID is generated.
We use Firebase Analytics to understand how the app is used in aggregate — for example, which features are tapped, which screens are reached, and where users drop off in the bill-splitting flow. Events do not contain bill contents, item descriptions, names of participants, or amounts.
You can switch this off entirely under Settings → Privacy → Analytics in the app. If you opt out, no further analytics events are sent from your device.
If the app crashes, Crashlytics sends a stack trace, the iOS version, the device model, and a non-personal install identifier so we can diagnose and fix the bug. Crash reports do not contain bill data. Crash reporting is treated as a legitimate interest because it is necessary to keep the app working; if you would like crash reports disabled for your device specifically, contact us.
Once onboarding finishes you may see two separate prompts, presented one after the other:
The two prompts are independent decisions. You can tap Allow All in our banner and still tap Ask App Not to Track on Apple's prompt — your stricter answer wins. Advertising-related telemetry only operates when both gates resolve to granted; if either is denied, those signals are set to denied and the device's advertising identifier (IDFA) is not used.
In practice this gates the Firebase Analytics consent signals ad_storage, ad_user_data, and ad_personalization, which determine whether ad-relevant measurement runs. As of the date of this policy, no third-party advertising SDKs are bundled with the app; if any are added later, the same in-app banner + iOS ATT decision will gate whether those SDKs load and operate.
You can change your mind at any time. Analytics and advertising can be toggled under Settings → Privacy inside the app. Apple's system tracking choice can be reset under iOS Settings → Privacy & Security → Tracking.
Easy Bill Split Premium is sold as an auto-renewing subscription through Apple's App Store. Apple processes the purchase. We never see your payment card, your billing address, or your Apple ID. The app receives only an entitlement signal indicating whether your subscription is active. Subscriptions can be managed or cancelled at any time in Settings → Apple ID → Subscriptions on your device.
The app requests camera access only when you tap the receipt-scan button. The camera is used solely to capture the receipt photo you send for OCR. We do not access your photo library.
Under UK GDPR / EU GDPR, every processing activity needs a legal basis. Ours are:
We do not sell your data. We share limited data with the following service providers (data processors), only as needed to operate the app:
We may also disclose data if required by law (e.g. a valid court order) or to protect the rights and safety of users and third parties.
Some of the providers above are located in the United States. Where data is transferred outside the UK or European Economic Area, the transfer is protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) the EU–US Data Privacy Framework. We rely on Google's and Apple's published certifications and contractual commitments for this purpose.
If you are in the UK or the European Economic Area, the GDPR gives you the right to:
Because the iOS app does not require an account and does not collect your name or email, we have no realistic way to identify your specific records from a request alone — the data is genuinely anonymous to us. The most direct way to exercise your rights is:
Easy Bill Split is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has used the app and you would like that data removed, please contact us.
All traffic between the app and our backend is encrypted in transit using TLS. The Cloud Function is protected by Firebase App Check, which verifies that requests come from a genuine, untampered copy of the app running on real Apple hardware. Receipt photos are not stored at rest — only their SHA-256 hash and the OCR text result are cached, and only for up to 7 days.
If we make material changes to this policy — for example, adding a new third-party service or a new category of data — we will update the "Last updated" date at the top of this page and, where the change is significant, surface a notice inside the app on next launch.
If anything here is unclear, or you'd like to exercise a data right, just send a quick email.