1. Who We Are
VAKKA is an independent project developed and operated by Victor García, an individual developer established in France.
Data controller (responsible for processing your personal data):
Victor García (VAKKA)
27 rue Serpis
92140 Clamart, France
Email: vakka.contact@gmail.com
VAKKA ("we", "us", "our") provides a digital service that helps users organize and understand shared expenses. This Privacy Policy explains what personal data we process, why we process it, the legal bases we rely on where applicable, how long we keep it, the third parties that may help us provide the Service, and the rights available to you.
2. Scope
This Policy applies to the VAKKA mobile app, related websites and landing pages, invite flows, support communications, and backend systems used to operate the Service.
3. Privacy Approach in Plain Language
- We process the information needed to create accounts, operate shared expense groups, and provide app functionality.
- Some data is provided directly by you; some may be provided by other users when they invite or refer to you in a shared expense context.
- Certain features, such as receipt scanning or AI-assisted extraction, are optional.
- We do not sell your personal data.
- We may use specialized service providers for hosting, authentication, storage, app infrastructure, billing, analytics, customer support, and optional AI processing.
4. Categories of Data We Process
- Account Data: such as email address, account identifier, display name, avatar or profile details you choose to provide, and timestamps related to account creation or updates.
- Authentication Data: identifiers used to sign you in or verify your account through an authentication provider.
- Shared Expense Data: such as group names, participant labels, expenses, balances, reimbursements, settlement records, notes, categories, currencies, dates, and related audit events.
- User-Generated Content: any free text, descriptions, labels, notes, invite-related information, images, or attachments you submit.
- Purchase and Entitlement Data: information needed to validate premium access, restore purchases, detect active plans, and manage billing status as provided by app stores or purchase platforms.
- Technical and Security Data: such as IP address, device information, crash or error logs, timestamps, request metadata, abuse-prevention signals, and service diagnostics.
- Support and Contact Data: information you provide when contacting us for help, feedback, legal requests, or account issues.
- Usage and Analytics Data: information about how you interact with the app, such as features used, screens viewed, actions taken, event sequences, session patterns, and engagement metrics. Events may include contextual properties of the action, such as expense category, currency, amount, or group type, to help us understand how the Service is used. This data is collected to understand usage, identify issues, and improve the Service. It is associated with a pseudonymous internal identifier (not your name or email) and device metadata such as platform and app version.
- Optional AI Feature Data: data submitted when you choose to use AI-assisted functionality, for example an image of a receipt for extraction of line items or totals.
5. Data About Other People
The Service may allow you to add other participants, invite people, or create placeholder names for shared expense coordination. If you provide personal data relating to another person (for example, their name, email address, or phone number), you are responsible for ensuring you have a valid reason to do so and that the information is appropriate and not excessive.
Where you add another person's contact information or personal data to the Service, we encourage you to inform that person that you are sharing their data with VAKKA. They may contact us at vakka.contact@gmail.com to exercise any rights they may have under applicable data protection law, including access, correction, or deletion of their data (Article 14 GDPR).
Please do not upload special-category or highly sensitive personal data about yourself or others unless the Service clearly requires it and explicitly supports that use.
6. Why We Process Personal Data
| Purpose | Examples of Data Used | Legal Basis (where applicable) |
|---|---|---|
| Create and manage accounts | Account data, authentication identifiers | Contract |
| Operate expense-sharing features | Group data, expenses, settlements, audit records | Contract; legitimate interests |
| Provide premium purchases and restore entitlements | Purchase status, entitlement identifiers, billing metadata | Contract |
| Operate optional AI-assisted features | Receipt or bill images, extracted structured data | Consent or user-initiated request; contract where applicable |
| Secure the Service and prevent abuse | Technical logs, request metadata, anti-fraud signals | Legitimate interests |
| Respond to support, legal, and privacy requests | Contact details, account details, correspondence | Legitimate interests; legal obligation |
| Analyze usage patterns and improve the Service | Usage and analytics data, pseudonymous user identifier, device metadata, app version | Legitimate interests |
| Comply with legal obligations | Any data reasonably required for compliance | Legal obligation |
Where we rely on legitimate interests (Art. 6(1)(f) GDPR), those interests are: ensuring the technical integrity, security, and continuity of the Service; preventing fraud and abuse; diagnosing and resolving errors; improving the product based on aggregated usage patterns; and responding effectively to user support and legal requests. We have assessed that these interests are not overridden by the rights and interests of data subjects, given the nature of the data processed, the controls in place, and the reasonable expectations of users of a shared expense tool.
7. Optional AI-Assisted Features
If you choose to use an optional AI-assisted feature, the relevant input may be processed by us and/or by a specialized third-party AI service provider for the sole purpose of delivering that feature. For example, if you scan a receipt, the image and extracted data may be processed to identify items, prices, totals, or similar structured information.
- These features are optional.
- Outputs may be incomplete or inaccurate and should be reviewed by you.
- We may use external providers to perform the processing.
- Provider locations and technical implementations may change over time.
8. Service Providers and Data Sharing
We may share personal data with trusted service providers that help us operate the Service, including providers for:
- Cloud hosting, storage, networking, and infrastructure
- Authentication and account management
- App store billing, subscriptions, and entitlement validation
- Customer support and operational communications
- Security monitoring, logging, and abuse prevention
- Analytics and product improvement (currently Mixpanel)
- Optional AI or automation features
We may also disclose data if required to comply with law, regulation, legal process, or enforceable government request, or if necessary to protect rights, safety, security, or the integrity of the Service.
9. International Transfers
VAKKA is established in France (European Union). Personal data stored or processed within the EU/EEA benefits from GDPR protection without requiring additional transfer safeguards.
Some service providers we use (such as authentication, analytics, cloud infrastructure, or AI processing services) may process your data outside the EU/EEA, in particular in the United States. Where such transfers occur, we rely on one or more of the following safeguards pursuant to Chapter V GDPR:
- Adequacy decisions (Art. 45 GDPR) — for countries that the European Commission has recognized as providing an adequate level of data protection;
- Standard Contractual Clauses — SCCs (Art. 46(2)(c) GDPR) — the EU standard contractual clauses adopted by the European Commission, which contractually bind service providers to appropriate data protection obligations;
- Other mechanisms under Art. 46 GDPR where applicable and appropriate.
The countries and providers involved may change over time as the Service evolves. You may request further information about the specific safeguards in place for a given transfer by contacting us at the address in Section 18.
10. Data Retention
We retain personal data for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain records, resolve disputes, prevent abuse, enforce agreements, and meet legal obligations.
- Account and expense-related data is generally kept while your account remains active and for a reasonable period thereafter.
- Some records may be retained longer where needed for integrity, fraud prevention, dispute handling, backups, or legal compliance.
- Optional AI inputs or uploaded files may be retained for shorter periods depending on the feature and operational needs.
- Technical logs are usually retained only for limited periods unless needed longer for investigation or compliance.
- Analytics data is retained for as long as needed for product analysis and improvement, and may be subject to the retention policies of the analytics provider.
11. Security
We take reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, and disclosure. However, no system is perfectly secure, and we cannot guarantee absolute security.
12. Your Rights
If you are in the EU/EEA or another jurisdiction with applicable data protection law, you have the following rights:
- Access (Art. 15 GDPR): obtain a copy of your personal data and information about how it is processed.
- Rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
- Erasure (Art. 17 GDPR): request deletion of your personal data in certain circumstances.
- Restriction (Art. 18 GDPR): request that we limit how we use your data while a dispute is resolved.
- Data portability (Art. 20 GDPR): receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21 GDPR): object to processing based on legitimate interests, including for direct marketing.
- Withdrawal of consent (Art. 7(3) GDPR): where processing is based on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
These rights are not absolute and may be subject to legal exceptions. To exercise any of them, contact us at vakka.contact@gmail.com. We will respond within 30 days. We may need to verify your identity before acting on a request.
If you are in France or the EU, you also have the right to lodge a complaint with the supervisory authority in your country. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr. You may also contact the supervisory authority in your EU member state of habitual residence.
13. Account Deletion and User Requests
If the app provides an account deletion option, you may use it there. You may also contact us to request deletion or other privacy actions. We may need to verify your identity before acting on a request.
Deleting your account may not instantly remove all information from backups, system logs, abuse-prevention systems, or records that must be retained for legal or legitimate operational reasons.
14. Children
The Service is not intended for children below the minimum age stated in our Terms or required by applicable law. If you believe a child has provided personal data in violation of this Policy, contact us so we can review the issue.
15. Third-Party Platforms
If you download the app through an app store or interact with third-party platforms, those parties may process data under their own privacy policies and terms. This Privacy Policy does not control how independent third parties process data outside our role.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we do, we will update the “Last updated” date and, where appropriate, provide additional notice through the app, website, or other reasonable means.
17. Automated Decision-Making
We do not make solely automated decisions that produce legal effects concerning you or that similarly significantly affect you within the meaning of Article 22 GDPR. The Service uses automated calculations to process expense data and generate balance summaries or settlement suggestions, but all such outputs are informational only and require your review and action. No automated profiling is used to evaluate personal aspects such as creditworthiness, behavior, or reliability.
18. Contact
If you have privacy questions, requests, or complaints, contact us at:
Victor García (VAKKA)
27 rue Serpis
92140 Clamart, France
Email: vakka.contact@gmail.com