This policy covers both the Shalemli iOS app and the shalemli.com website. Where a section applies to only one of them — for example, Cloudflare Web Analytics, which runs only on the website — that scope is called out inline.
The Israel Privacy Protection Law (חוק הגנת הפרטיות, התשמ"א–1981) and its 2024 amendment apply. The sections below cover GDPR and CCPA baselines and add Israel-specific disclosures.
Summary at a glance
| Topic | Summary |
|---|---|
| Ads / cross-app tracking | None |
| Data sold | No |
| Main data we hold | Phone number, display name, expenses, settlements, photos |
| Hosting | Google Firebase — Firestore in eur3 (Europe); Cloud Storage in EU multi-region; Cloud Functions in us-central1 (United States) |
| Shared with | Your channel partner; Google Firebase (app hosting); Cloudflare (website analytics only) |
| What account deletion does | Allowed only when every balance is settled. Profile data is cleared immediately; some shared history (the name shown on past entries on a partner's side) and relinking metadata (a phone-number mapping retained for up to 12 months) remain as described in sections 11 and 12. Your Firebase Authentication record is fully erased after a 30-day grace window. |
| Contact | limbaev@013.net.il |
1. What Shalemli is
Shalemli is a mobile app that helps two people track shared expenses and settle balances between them. Every pair of users forms a channel. Inside a channel each person can log expenses, upload receipt photos, and record settlements; the other person must approve each entry before it affects the running balance.
This policy explains exactly what data Shalemli collects, why, where it goes, and how you can get rid of it.
2. Data you give us
We only collect the data Shalemli needs to do its job. None of it is used for advertising, tracking across other apps or websites, or sold to anyone.
| Data | When we collect it | Why |
|---|---|---|
| Display name | When you set it on the registration screen after phone verification. | To label you inside channels so your partner sees a friendly name next to expenses. |
| Phone number | When you verify your phone number via SMS during sign-up. | It is how a partner invites you to a channel. Shalemli checks whether a phone number belongs to a registered user; nothing else. |
| User ID | When you sign in. This is an opaque Firebase identifier — not your phone number or email — but we treat it as personal data because it is linked to your account. | To link your session to your data. |
| Expense details | When you log an expense or settlement. Includes amount, description, category, date, and who paid. | To compute and show the balance between you and your partner. |
| Receipt photos | When you attach a photo to an expense. | So you and your partner can see what was bought. |
| Avatar photo | When you choose a profile picture from your photo library or take one with the camera. | To show next to your name inside channels. |
Shalemli does not ask for: your location, your device's advertising identifier, your browsing history, audio, health data, or financial account information such as card or bank numbers. Contact-list access is described separately in section 5 — Shalemli reads contacts only when you tap "Find from contacts," and it only ever transmits one-way SHA-256 fingerprints, never plaintext numbers or names.
3. Data generated automatically
The Firebase platform records operational data that we don't actively mine but which exists for the service to function:
- IP address of API requests — used by Firebase for abuse prevention and rate limiting.
- Device type and OS version — sent by the Firebase SDK with each request for routing and debugging.
- Authentication events — sign-in timestamps, token refreshes, failed verification attempts. Used by Google to detect compromised accounts.
- Server logs — request paths, response codes, error traces. Retained per Google's standard retention windows.
Crash reporting and analytics are not enabled. We do not run Firebase Analytics, Firebase Crashlytics, or any third-party SDKs that profile your behaviour.
Separately, the marketing website at shalemli.com uses Cloudflare Web Analytics — a cookie-free service that records aggregate visit counts (page views, country, referrer). Cloudflare Web Analytics does not give us individual-level profiles or cross-site tracking identifiers; Cloudflare may receive request metadata such as IP addresses transiently for delivering the site and serving the analytics. This applies only to the website; the iOS app does not use Cloudflare Web Analytics.
4. Permissions Shalemli requests
We ask the iOS system for these permissions only when they're needed:
- Camera — only when you tap "Take photo" to attach a receipt or set your avatar.
- Photo Library — only when you tap "Choose from library". iOS shows the picker; Shalemli only sees the single image you select, not your full library.
- Contacts — only when you tap "Find from contacts" to look up which of your contacts already use Shalemli. Phone numbers are hashed on your device before they leave it; see section 5 for the full mechanics.
- Notifications — used for approval and expense alerts from your channel partner. You can decline and the app still works.
Shalemli does not request: location, microphone, health data, motion data, or any tracking permission.
5. Contacts
When you tap "Find from contacts," Shalemli reads the phone numbers from your device's contacts solely to suggest friends who already use the app. Phone numbers are converted to one-way fingerprints (SHA-256 hashes) on your device. Only the fingerprints are sent to our server, where they are compared against existing Shalemli users. Plaintext phone numbers, names, and any contacts that don't match are never transmitted, stored, or logged. You can revoke this access at any time in Settings → Shalemli → Contacts.
6. Name and label transliteration
When content in a channel appears in a different script than the one your app is set to (Hebrew vs. English), Shalemli may send the affected text to a third-party language-model service (Anthropic, listed in our service-provider list below) to render it in the script you can read. Two kinds of text are sent under this feature:
- A channel partner's display name — when a partner has not provided a name in your language.
- A group or tab label (for example, "Barbecue" or "Office lunch") — when the label was typed in a different script than you read.
Only the text being transliterated is sent — no phone number, email, photo, or other personal information. Each transliterated value is cached on our server, so under normal use the same text is sent at most once per language pair; in rare cases where several users open the same conversation at the same time before the first call completes, the request may be repeated a small number of times before the cache settles. You can prevent auto-transliteration of your own name entirely by providing both Hebrew and English names yourself in Settings → Edit name.
7. Where your data lives
All data is stored in Google Firebase (Firestore Database, Firebase Authentication, Firebase Cloud Storage, Firebase Cloud Functions). Firebase is operated by Google LLC and is subject to Google's Privacy Policy and Cloud Privacy Notice. We use Google Firebase under Google's standard Data Processing and Security Terms, which limit Google's use of Shalemli data to providing and securing the service.
- Firestore Database is hosted in the eur3 multi-region (Belgium and the Netherlands).
- Cloud Functions currently run in us-central1 (Iowa, United States). Cloud Functions process Firestore data transiently in that region. We do not intentionally store app records in us-central1 — application data lives in Firestore (eur3) and Cloud Storage — though operational logs and platform-level traces may be generated by Google Cloud as part of running the service.
- Firebase Authentication runs on Google's global identity infrastructure.
- Cloud Storage for receipts and avatars uses the Firebase Cloud Storage bucket shalemli-4cb75.firebasestorage.app, hosted in the EU multi-region (Google's multi-regional storage class spanning data centers in the European Union).
Google may process operational metadata internationally under its cloud terms. Such transfers are made on Google's contractual safeguards, including the EU Standard Contractual Clauses where applicable.
8. Who your data is shared with
We do not sell your data, and we do not share it for advertising. Shalemli relies on a small number of service providers, each used under contracts that limit their use of Shalemli data to providing and securing the service:
- Google LLC (via Firebase) — hosting, authentication, storage, and Cloud Functions for the iOS app. Firebase is the product Google operates; Google LLC is the contracting legal entity. Used under Google's standard Data Processing and Security Terms.
- Cloudflare, Inc. — Web Analytics on the website only (shalemli.com). Cookie-free aggregate visit counts; Cloudflare Web Analytics does not give us individual-level profiles or cross-site tracking identifiers. Cloudflare may receive request metadata such as IP addresses transiently for delivering the site and serving the analytics. The iOS app does not contact Cloudflare. Used under Cloudflare's Data Processing Addendum.
- Anthropic PBC — name and label transliteration only, server-to-server from our Cloud Functions. When channel content appears in a different script than the one your app is set to, the affected text is sent to Anthropic's Claude Haiku model so it can be rendered in the script you read. The text sent is limited to (a) a channel partner's display name (when they haven't provided one in your language), and (b) a group or tab label. No phone number, email, photo, or other personal information is sent. Anthropic does not train on data sent through their API by default. See Anthropic's Privacy Policy and Commercial Terms.
- Mobile carriers — for delivering the SMS verification code message to your phone, via Google Identity Toolkit. Standard SMS rates from your carrier may apply. We do not send marketing SMS.
Inside the app:
- The only person who can see entries in a channel is the other member of that channel — the person you manually invited by phone number. There is no broader "friends list" or feed.
- Inside a channel, your partner sees: your display name, the side of the balance that involves them, the expenses and settlements you log (including any receipt photos), and the date each entry was logged or resolved.
- Your phone number becomes visible to another user only after they enter it to invite you and you accept that invitation.
9. Legal bases for processing (GDPR)
For users in the EU, EEA, and UK, we rely on the following legal bases under Article 6 GDPR:
| Processing purpose | Legal basis |
|---|---|
| Account creation, SMS login, expense and settlement tracking | Contract (Art. 6(1)(b)) — necessary to provide the service. |
| Receipt photos and avatar uploads | Contract (Art. 6(1)(b)) — optional features you choose to use. |
| Abuse prevention, rate limits, security logs | Legitimate interests (Art. 6(1)(f)) — keeping the service safe for all users. |
| Responding to legal requests or court orders | Legal obligation (Art. 6(1)(c)). |
If you object to processing based on legitimate interests, contact us at limbaev@013.net.il.
10. Authentication and verification
- SMS verification is the only authentication method. We send a one-time code to confirm that you own the phone number you entered, and use that number to match you when a partner invites you and to prove account ownership. We never text you marketing messages.
- The verification code is delivered through Firebase Authentication (Google Identity Toolkit) and your mobile carrier.
11. Law enforcement and legal disclosures
We may disclose information if we are required to by law, court order, subpoena, or other valid legal process. Where lawful, we will notify you of any request that affects your data so you can respond or object. Google may also receive and respond to legal requests independently under its Government Requests for User Information policy.
12. How long we keep data
- Your account data, channel data, expenses, settlements, and receipt photos remain in the app until you delete them or delete your account.
- Pending expenses or settlements that are rejected remain visible to the submitter so they know the request was declined; dismissing a rejected item deletes it permanently.
- Audit-log-style data (for example, timestamps of rate-limited actions) is kept for up to 30 days and then deleted automatically.
- Phone-number mapping for relinking. After an account is hard-deleted (end of the 30-day grace window in section 13), we keep a server-only mapping of phone number → previous account identifier(s) for up to 12 months of inactivity, then purge it automatically. This is the longest-lived personal-data item Shalemli retains after deletion. Section 12 explains why we keep it, who can act on it, how to request earlier deletion, and how it's stored.
- Backup snapshots within Google's infrastructure are subject to Google's retention windows (typically up to 30 days) and are not user-accessible.
13. What happens when you delete your account
Deleting your account is designed to respect the app's core promise — that no one can unilaterally erase a shared financial record. It also gives you a way back if you change your mind.
Precondition: every balance must be settled.
You can only delete your account when every channel you're in has a zero balance. If you owe money to a partner, or a partner owes you, the app will block the deletion and prompt you to settle first.
Step 1 — Soft delete (immediately on tap)
When you tap "Delete account", the following happens right away:
- Your display name, phone number, and avatar photo are cleared from your user record.
- Your push notification tokens and block list are wiped.
- Rate-limit counters tied to your account are removed.
- A deletedAt timestamp is recorded on your user record, and you are signed out.
Your Firebase Authentication record stays alive during a 30-day grace window so a return is possible.
Step 2 — 30-day grace window
For the next 30 days, signing back in with the same phone number takes you to a "Restore your account" screen. Restoring clears the deletedAt timestamp and lets you set a new display name; your previous channels and balance history come back.
If you do nothing during the 30 days, the account is permanently deleted (see step 3). There is no way to expedite the final deletion inside the app — the policy commits to the 30-day window in writing.
Step 3 — Permanent deletion (≈ day 30)
A scheduled job runs daily and hard-deletes any account whose deletedAt is older than 30 days:
- The Firebase Authentication record is deleted, immediately freeing the phone number for use by a new account.
- The anonymized user document is removed from Firestore.
- All remaining server-side metadata tied to your uid is wiped.
Backup snapshots within Google's infrastructure are subject to Google's retention windows (see section 12) and roll off automatically.
Preserved for the other member at every stage:
- Channels you shared with another user — including their expenses, settlements, balance history, and receipt photos — stay intact in the partner's view. Your channel partner does not lose the financial record of your time together.
- Your original display name stays visible to the partner inside their channel. We do not rewrite history on their side: the names on past expenses, settlements, and the channel itself remain as they were when each entry was logged.
About re-signing up after permanent deletion:
Once the 30-day window has expired and the account is hard-deleted, the phone number is free for re-registration. Firebase issues a new account identifier on re-signup, so the new account is genuinely new — it cannot reconnect to your old channels.
Optional re-linking by the other member. To make returning to a former contact smoother, we keep one server-side record after the hard delete: a mapping of your phone number → your previous account identifier(s).
- Why we keep it. Without it, a returning user signing back up with the same phone number gets a brand-new account that has no way to surface their pre-existing relationship to a former channel partner — the partner would only see a stranger inviting them, with no signal that the historical channel between them could be reconnected. The mapping enables the partner-driven "Continue previous channel" affordance described above.
- Who can act on it. Only the other member of a previously shared channel can choose to stitch your new account into that historical channel. Your new account does not gain any access to the old channel unless that partner explicitly opts in on their side. You cannot, on your own, force a re-link.
- Retention and purge. The mapping is automatically deleted after 12 months of inactivity.
- Earlier deletion. You can ask us to delete the mapping earlier by emailing limbaev@013.net.il. We may ask you to verify control of the phone number or account before removing it (e.g. by responding from the email tied to the account, or by completing an SMS verification on the same number). Confirmed deletions are processed within 30 days.
- Storage form. The mapping lives in a server-only Firestore collection (phoneHistory) that no client can read or write — access is restricted to Firebase Cloud Functions running with admin credentials. If we change the storage form of this mapping, we will update this policy.
14. Your rights
You have the right to:
- Access a copy of the data Shalemli holds about you.
- Correct inaccurate data.
- Delete your account profile and personal account data, subject to shared-channel records and relinking metadata described in section 13. Channels you shared with someone else — including their entries, settlements, and the name that appeared on past entries on their side — stay in that partner's view because no one can unilaterally erase a shared financial record. The 12-month phone-number mapping covered in sections 12 and 13 is also retained unless you ask us to delete it earlier.
- Object to any processing that you consider unlawful.
- Port your data to another service in a machine-readable format. Exports are provided as JSON; a CSV export of expenses and settlements is available on request.
No automated decisions. Shalemli does not use profiling or automated decision-making that produces legal or similarly significant effects on you.
If you are in the European Union, EEA, or UK, these rights come from the General Data Protection Regulation (GDPR). In California, they are provided by the California Consumer Privacy Act (CCPA). Other jurisdictions may offer similar rights.
To exercise any of these rights, email us at limbaev@013.net.il. We respond within 30 days.
California users — CCPA threshold and non-discrimination: Some California privacy rights apply only to businesses covered by the CCPA. Shalemli is a small individual-developer service that may not meet the CCPA's revenue and data-volume thresholds. Even where the CCPA does not legally apply to us, we extend access, correction, and deletion rights to all users on request. We will not deny service, charge different prices, or provide different quality to users who exercise privacy rights.
Israeli users: Under the Privacy Protection Law and its 2024 amendment (Amendment 13), you also have the right to query the database, receive a copy of your data in a clear and understandable form, request correction of inaccurate data, and lodge a complaint with the Privacy Protection Authority (הרשות להגנת הפרטיות).
We assess on an ongoing basis whether Shalemli is subject to database registration or notification duties under the Privacy Protection Law as amended by Amendment 13. If those duties apply, we will register the database with the Privacy Protection Authority and update this policy accordingly. If you have a question about the current registration status, contact us at the email above.
Where to complain:
- Israel — Privacy Protection Authority
- EU/EEA — your national data protection authority (directory at the European Data Protection Board)
- California — California Privacy Protection Agency or the California Attorney General
15. Security
- All traffic between the app and Firebase uses TLS.
- Firestore security rules restrict each document to the two members of the channel that owns it; a user cannot access anyone else's data.
- Receipt photos in Cloud Storage are gated by the same membership check.
- Channel balance changes are performed through server-side Firebase Cloud Functions with access controls and reviewable logs.
No system is perfectly secure. If we discover a breach that affects your data, we will notify you and the relevant authorities without undue delay and in line with applicable law.
16. Children
Shalemli is not directed to children under 13. By using Shalemli, you represent that you are at least 13 years old, or the minimum age required to consent to data processing in your country (16 in much of the EU, 13 in the United States, 13 in Israel). If you are below that age, please use the app only with verifiable parental consent, or stop using it. We do not knowingly collect personal data from children under those ages.
If you believe a child has used the app and provided personal data, contact us at limbaev@013.net.il and we will delete the account and associated personal data, subject to shared-channel records described in section 13 where legally appropriate.
17. Do Not Track
Shalemli does not use tracking technologies, so Do Not Track browser signals do not apply. We do not allow third parties to track you through Shalemli.
18. Changes to this policy
We may update this policy from time to time. If we make material changes, we will bump the effective date above and notify users inside the app before the changes take effect. The latest version is always available at https://shalemli.com/privacy.html.
19. Contact
Questions, concerns, or requests related to your privacy:
Disclosure summary
Matches our App Store Privacy nutrition label:
- Data used to track you: none.
- Data linked to you: display name, phone number, user ID, photos (receipts and avatar), other user content (expense descriptions, amounts, settlements).
- Data not linked to you: none collected.
This disclosure matches ios/Shalemli/Resources/PrivacyInfo.xcprivacy and the answers we give on the App Store Connect privacy questionnaire.