The Israel Privacy Protection Law (חוק הגנת הפרטיות, התשמ"א–1981) and its 2024 amendment apply. The sections below cover GDPR and CCPA baselines and add Israel-specific disclosures.
Summary at a glance
| | |
|---|---|
| Ads / cross-app tracking | None |
| Data sold | No |
| Main data we hold | Phone number, display name, expenses, settlements, photos |
| Hosting | Google Firebase (Firestore in eur3 — Europe) |
| Shared with | Your channel partner; Google Firebase as our service provider |
| What account deletion does | Allowed only when every balance is settled. Personal data is anonymized immediately; account is fully erased after a 30-day grace window, during which you can sign back in to restore it. Shared channel history stays intact for the other member with your original name visible. |
| Contact | limbaev@013.net.il |
1. What Shalemli is
Shalemli is a mobile app that helps two people track shared expenses and settle balances between them. Every pair of users forms a channel. Inside a channel each person can log expenses, upload receipt photos, and record settlements; the other person must approve each entry before it affects the running balance.
This policy explains exactly what data Shalemli collects, why, where it goes, and how you can get rid of it.
2. Data you give us
We only collect the data Shalemli needs to do its job. None of it is used for advertising, tracking across other apps or websites, or sold to anyone.
| Data | When we collect it | Why |
|---|---|---|
| Display name | When you set it on the registration screen after phone verification. | To label you inside channels so your partner sees a friendly name next to expenses. |
| Phone number | When you verify your phone number via SMS during sign-up. | It is how a partner invites you to a channel. Shalemli checks whether a phone number belongs to a registered user; nothing else. |
| User ID | When you sign in. This is an opaque Firebase identifier — not your phone number or email — but we treat it as personal data because it is linked to your account. | To link your session to your data. |
| Expense details | When you log an expense or settlement. Includes amount, description, category, date, and who paid. | To compute and show the balance between you and your partner. |
| Receipt photos | When you attach a photo to an expense. | So you and your partner can see what was bought. |
| Avatar photo | When you choose a profile picture from your photo library or take one with the camera. | To show next to your name inside channels. |
Shalemli does not ask for: your location, your contact list, your device's advertising identifier, your browsing history, audio, health data, or financial account information such as card or bank numbers.
3. Data generated automatically
The Firebase platform records operational data that we don't actively mine but which exists for the service to function:
- IP address of API requests — used by Firebase for abuse prevention and rate limiting.
- Device type and OS version — sent by the Firebase SDK with each request for routing and debugging.
- Authentication events — sign-in timestamps, token refreshes, failed verification attempts. Used by Google to detect compromised accounts.
- Server logs — request paths, response codes, error traces. Retained per Google's standard retention windows.
Crash reporting and analytics are not enabled. We do not run Firebase Analytics, Firebase Crashlytics, or any third-party SDKs that profile your behaviour.
Separately, the marketing website at shalemli.com uses Cloudflare Web Analytics — a cookie-free service that records aggregate visit counts (page views, country, referrer) without any personal identifiers or behavioural profiling. This applies only to the website; the iOS app does not use Cloudflare Web Analytics.
4. Permissions Shalemli requests
We ask the iOS system for these permissions only when they're needed:
- Camera — only when you tap "Take photo" to attach a receipt or set your avatar.
- Photo Library — only when you tap "Choose from library". iOS shows the picker; Shalemli only sees the single image you select, not your full library.
- Notifications — used for approval and expense alerts from your channel partner. You can decline and the app still works.
Shalemli does not request: location, contacts, microphone, health data, motion data, or any tracking permission.
5. Where your data lives
All data is stored in Google Firebase (Firestore Database, Firebase Authentication, Firebase Cloud Storage, Firebase Cloud Functions). Firebase is operated by Google LLC and is subject to Google's Privacy Policy and Cloud Privacy Notice.
- Firestore Database is hosted in the eur3 multi-region (Belgium and the Netherlands).
- Cloud Functions run in the same eur3 region.
- Firebase Authentication runs on Google's global identity infrastructure.
- Cloud Storage for receipts and avatars uses Firebase's default bucket location for the project.
Google may process operational metadata internationally under its cloud terms. Such transfers are made on Google's contractual safeguards, including the EU Standard Contractual Clauses where applicable.
6. Who your data is shared with
We do not sell your data, and we do not share it for advertising. We use Google Firebase as our service provider to host, authenticate, store, and secure app data. Specifically:
- Inside the app, the only person who can see entries in a channel is the other member of that channel — the person you manually invited by phone number. There is no broader "friends list" or feed.
- Inside a channel, your partner sees: your display name, the side of the balance that involves them, the expenses and settlements you log (including any receipt photos), and the date each entry was logged or resolved.
- Your phone number becomes visible to another user only after they enter it to invite you and you accept that invitation.
- SMS verification messages are routed through Google Identity Toolkit and your mobile carrier. Standard SMS rates from your carrier may apply.
7. Legal bases for processing (GDPR)
For users in the EU, EEA, and UK, we rely on the following legal bases under Article 6 GDPR:
| Processing purpose | Legal basis |
|---|---|
| Account creation, SMS login, expense and settlement tracking | Contract (Art. 6(1)(b)) — necessary to provide the service. |
| Receipt photos and avatar uploads | Contract (Art. 6(1)(b)) — optional features you choose to use. |
| Abuse prevention, rate limits, security logs | Legitimate interests (Art. 6(1)(f)) — keeping the service safe for all users. |
| Responding to legal requests or court orders | Legal obligation (Art. 6(1)(c)). |
If you object to processing based on legitimate interests, contact us at limbaev@013.net.il.
8. Authentication and verification
- SMS verification is the only authentication method. We send a one-time code to confirm that you own the phone number you entered, and use that number to match you when a partner invites you and to prove account ownership. We never text you marketing messages.
- The verification code is delivered through Firebase Authentication (Google Identity Toolkit) and your mobile carrier.
9. Law enforcement and legal disclosures
We may disclose information if we are required to by law, court order, subpoena, or other valid legal process. Where lawful, we will notify you of any request that affects your data so you can respond or object. Google may also receive and respond to legal requests independently under its Government Requests for User Information policy.
10. How long we keep data
- Your account data, channel data, expenses, settlements, and receipt photos remain in the app until you delete them or delete your account.
- Pending expenses or settlements that are rejected remain visible to the submitter so they know the request was declined; dismissing a rejected item deletes it permanently.
- Audit-log-style data (for example, timestamps of rate-limited actions) is kept for up to 30 days and then deleted automatically.
- Backup snapshots within Google's infrastructure are subject to Google's retention windows (typically up to 30 days) and are not user-accessible.
11. What happens when you delete your account
Deleting your account is designed to respect the app's core promise — that no one can unilaterally erase a shared financial record. It also gives you a way back if you change your mind.
Precondition: every balance must be settled.
You can only delete your account when every channel you're in has a zero balance. If you owe money to a partner, or a partner owes you, the app will block the deletion and prompt you to settle first.
Step 1 — Soft delete (immediately on tap)
When you tap "Delete account", the following happens right away:
- Your display name, phone number, and avatar photo are cleared from your user record.
- Your push notification tokens and block list are wiped.
- Rate-limit counters tied to your account are removed.
- A deletedAt timestamp is recorded on your user record, and you are signed out.
Your Firebase Authentication record stays alive during a 30-day grace window so a return is possible.
Step 2 — 30-day grace window
For the next 30 days, signing back in with the same phone number takes you to a "Restore your account" screen. Restoring clears the deletedAt timestamp and lets you set a new display name; your previous channels and balance history come back.
If you do nothing during the 30 days, the account is permanently deleted (see step 3). There is no way to expedite the final deletion inside the app — the policy commits to the 30-day window in writing.
Step 3 — Permanent deletion (≈ day 30)
A scheduled job runs daily and hard-deletes any account whose deletedAt is older than 30 days:
- The Firebase Authentication record is deleted, immediately freeing the phone number for use by a new account.
- The anonymized user document is removed from Firestore.
- All remaining server-side metadata tied to your uid is wiped.
Backup snapshots within Google's infrastructure are subject to Google's retention windows (see section 10) and roll off automatically.
Preserved for the other member at every stage:
- Channels you shared with another user — including their expenses, settlements, balance history, and receipt photos — stay intact in the partner's view. Your channel partner does not lose the financial record of your time together.
- Your original display name stays visible to the partner inside their channel. We do not rewrite history on their side: the names on past expenses, settlements, and the channel itself remain as they were when each entry was logged.
About re-signing up after permanent deletion:
Once the 30-day window has expired and the account is hard-deleted, the phone number is free for re-registration. Firebase issues a new account identifier on re-signup, so the new account is genuinely new — it cannot reconnect to your old channels.
Optional re-linking by the other member. To make returning to a former contact smoother, we keep one server-side record after the hard delete: a mapping of your phone number → your previous account identifier. When you re-register and invite that same contact, the invite carries a hint that surfaces a "Continue previous channel" button on their side. They can choose to stitch your new account into the historical channel they kept, or start a fresh one — the decision is theirs alone, and your new account inherits no data unless they opt in. This mapping is stored in a server-only collection that no client can read, and is automatically purged after 12 months of inactivity.
12. Your rights
You have the right to:
- Access a copy of the data Shalemli holds about you.
- Correct inaccurate data.
- Delete your account and all data associated with it.
- Object to any processing that you consider unlawful.
- Port your data to another service in a machine-readable format. Exports are provided as JSON; a CSV export of expenses and settlements is available on request.
If you are in the European Union, EEA, or UK, these rights come from the General Data Protection Regulation (GDPR). In California, they are provided by the California Consumer Privacy Act (CCPA). Other jurisdictions may offer similar rights.
To exercise any of these rights, email us at limbaev@013.net.il. We respond within 30 days.
California users — CCPA threshold and non-discrimination: Some California privacy rights apply only to businesses covered by the CCPA. Shalemli is a small individual-developer service that may not meet the CCPA's revenue and data-volume thresholds. Even where the CCPA does not legally apply to us, we extend access, correction, and deletion rights to all users on request. We will not deny service, charge different prices, or provide different quality to users who exercise privacy rights.
Israeli users: Under the Privacy Protection Law and its 2024 amendment, you also have the right to query the database, receive a copy of your data in a clear and understandable form, request correction of inaccurate data, and lodge a complaint with the Privacy Protection Authority (הרשות להגנת הפרטיות).
Where to complain:
- Israel — Privacy Protection Authority
- EU/EEA — your national data protection authority (directory at the European Data Protection Board)
- California — California Privacy Protection Agency or the California Attorney General
13. Security
- All traffic between the app and Firebase uses TLS.
- Firestore security rules restrict each document to the two members of the channel that owns it; a user cannot access anyone else's data.
- Receipt photos in Cloud Storage are gated by the same membership check.
- Channel balance changes are performed through server-side Firebase Cloud Functions with access controls and reviewable logs.
No system is perfectly secure. If we discover a breach that affects your data, we will notify you and the relevant authorities without undue delay and in line with applicable law.
14. Children
Shalemli is not directed at children under 13 (or the equivalent age in your country). If you believe a child has used the app and provided personal data, contact us and we will delete it.
15. Do Not Track
Shalemli does not use tracking technologies, so Do Not Track browser signals do not apply. We do not allow third parties to track you through Shalemli.
16. Changes to this policy
We may update this policy from time to time. If we make material changes, we will bump the effective date above and notify users inside the app before the changes take effect. The latest version is always available at https://shalemli.com/privacy.html.
17. Contact
Questions, concerns, or requests related to your privacy:
Disclosure summary
Matches our App Store Privacy nutrition label:
- Data used to track you: none.
- Data linked to you: display name, phone number, user ID, photos (receipts and avatar), other user content (expense descriptions, amounts, settlements).
- Data not linked to you: none collected.
This disclosure matches ios/Shalemli/Resources/PrivacyInfo.xcprivacy and the answers we give on the App Store Connect privacy questionnaire.