1. Introduction
1.1. This Privacy Policy ("Policy") explains how SmythTec (Pty) Ltd, trading as Splibble ("Splibble", "SmythTec", "Company", "we", "us", "our"), a company incorporated and registered in the Republic of South Africa, collects, uses, processes, stores, shares, and protects your personal information when you use the Splibble mobile application, web application, and related services (collectively, the "Service").
1.2. This Policy is drafted in compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA"), and also addresses requirements under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), the UK Data Protection Act 2018, the Brazilian Lei Geral de Proteção de Dados (Law No. 13,709/2018) ("LGPD"), and other applicable international data protection legislation.
1.3. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and processing of your personal information as described in this Policy.
1.4. This Policy forms an integral part of our Terms and Conditions. Defined terms used herein shall have the same meaning as in the Terms and Conditions unless otherwise stated.
2. Information Controller
2.1. For the purposes of POPIA, GDPR, and other applicable data protection laws:
Responsible Party / Data Controller:
SmythTec (Pty) Ltd (trading as Splibble)
Email: privacy@splibble.com
Website: https://www.splibble.com
Data Protection Officer (DPO / Encarregado):
Email: dpo@splibble.com
2.2. If you have any questions about this Policy or our data practices, please contact us at the details provided above.
3. Information We Collect
3.1. Information You Provide Directly
| Data Category | Specific Data | Purpose | Legal Basis (POPIA/GDPR) |
|---|---|---|---|
| Account Registration | First name, last name, email address | Account creation and identification | Consent / Contractual necessity |
| Profile Photograph | Photograph | User identification within sessions | Consent |
| Authentication Credentials | Email, password | Account security and access | Contractual necessity |
| Verification Data | Verification codes | Identity verification | Contractual necessity |
3.2. Information Generated Through Use
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Bill Images | Photographs of bills and receipts | AI processing and bill splitting | Consent / Contractual necessity |
| Session Data | Establishment name, line items (item names, quantities, prices), item assignments, tip selections | Bill splitting functionality | Contractual necessity |
| Activity History | Session participation records, counterpart names, amounts, currencies, timestamps | Transaction history and reference | Contractual necessity / Legitimate interest |
| Financial Transaction Data | Payment amounts, payment status, transaction references (where Financial Features are available) | Payment processing and record-keeping | Consent / Contractual necessity |
3.3. Information Collected Automatically
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Device Information | Device country code, locale, platform (iOS/Android/Web) | Regional service configuration and currency detection | Legitimate interest |
| Location Data | GPS coordinates, Wi-Fi-derived location, or other location signals (where permission is granted) | Establishment identification, service personalisation, and feature enhancement | Consent |
| Connection Data | Connection identifiers, connection timestamps | Real-time session functionality | Contractual necessity |
| Performance Metrics | Processing durations, response times | Service performance monitoring and improvement | Legitimate interest |
3.4. Information We Do NOT Collect
- Full payment card numbers, CVV codes, or banking credentials (where Financial Features are available, these are collected directly by the PCI DSS Level 1 compliant Payment Processor, not by Splibble)
- Contacts or address book data
- Call logs, SMS data, or browsing history
- Biometric data (fingerprints, face recognition data)
- Health or medical information
- Government-issued identification numbers
- Social media account credentials
- Microphone recordings or audio data
4. How We Use Your Information
4.1. We process your personal information for the following purposes:
(a) Service Delivery
- Creating and managing your user account
- Processing bill images to extract line items
- Enabling real-time collaborative bill splitting sessions
- Enabling session sharing between Users
- Calculating split amounts and tip allocations
- Maintaining your activity history
- Identifying establishments and venues (where location data is available)
- Processing financial transactions (where Financial Features are available)
(b) Service Improvement and Personalisation
- Analysing aggregated, anonymised performance metrics to improve service reliability
- Monitoring processing accuracy for service enhancement
- Internal analytics using anonymised and aggregated data
- Personalising your experience, including relevant content and recommendations
- Training and improving AI and machine learning models using irreversibly anonymised, de-identified Content that no longer constitutes personal information (subject to opt-out — see Section 11)
(c) Communication
- Sending verification codes for account registration and password resets
- Sending service-related notices (e.g., Terms or Policy updates)
- Communicating information about features, offers, or promotions that may be relevant to you (you may opt out of non-essential communications at any time)
(d) Security and Integrity
- Detecting and preventing fraud, abuse, and security incidents
- Authenticating users and maintaining session integrity
- Managing real-time connections
4.2. We do not use your personal information for:
- Sale to third parties for their independent marketing purposes
- Automated decision-making that produces legal effects (beyond bill item extraction which you manually verify)
- Credit scoring, insurance underwriting, or financial profiling
5. Legal Basis for Processing
5.1. Under POPIA and GDPR, we process your personal information based on the following legal grounds:
| Legal Basis | Application |
|---|---|
| Consent (POPIA s11(1)(a) / GDPR Art. 6(1)(a)) | Account creation, profile photograph upload, bill image processing, location data collection, promotional communications |
| Contractual Necessity (POPIA s11(1)(b) / GDPR Art. 6(1)(b)) | Providing the bill splitting service, session management, authentication, payment processing |
| Legitimate Interest (POPIA s11(1)(f) / GDPR Art. 6(1)(f)) | Service improvement, security monitoring, performance analytics, personalisation |
| Not applicable (anonymised data) | AI model training uses irreversibly anonymised data that does not constitute personal information — see Section 11. Opt-out provided as a matter of good practice |
| Legal Obligation (POPIA s11(1)(c) / GDPR Art. 6(1)(c)) | Compliance with applicable laws, responding to lawful requests from authorities, financial record-keeping |
5.2. Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
6. Data Sharing and Third-Party Processors
6.1. Categories of Third-Party Service Providers
We share your personal information with the following categories of third-party service providers, solely for the purpose of delivering and improving the Service:
| Category | Data Shared | Purpose |
|---|---|---|
| Cloud Infrastructure Providers | Account, session, and file data | Data hosting, storage, authentication, and compute services |
| AI and Machine Learning Providers | Bill/receipt images, contextual data (e.g., country code) | Automated extraction of text, line items, and related information from bills |
| App Distribution Platforms | App metadata, crash reports (if enabled by your device settings) | Application distribution and updates |
| Payment Service Providers (where Financial Features are available) | Transaction identifiers and payment amounts as required to initiate transactions. Splibble does not share or have access to your full payment card numbers, CVV codes, or banking credentials — these are collected directly by the PCI DSS Level 1 compliant Payment Processor | Payment processing and settlement |
| Partner Establishments (where applicable) | Anonymised or aggregated usage data; transaction data where required for offer redemption | Promotional offers and discount fulfilment |
A list of the current categories of data processors we engage, and the jurisdictions in which they operate, is available upon request by contacting privacy@splibble.com.
6.2. Data Residency
We implement a regional data residency model designed to keep your personal information as close to you as possible:
- (a) Personal data (your name, email address, profile photograph, and other personally identifiable information) is stored in cloud infrastructure located in the jurisdiction associated with your app store account (e.g., South African users' personal data is stored in South Africa);
- (b) Non-personally identifiable session data (such as anonymised split amounts, item assignments, and session metadata from which personal identifiers have been removed) may be stored in the region where the splitting session was initiated;
- (c) This separation ensures that your personal information benefits from the data protection laws of your home jurisdiction, while session performance is optimised for all participants regardless of location;
- (d) If you believe that the data residency jurisdiction associated with your app store account does not reflect your actual country of residence, and your country of residence imposes data localisation requirements, please contact us at privacy@splibble.com to request a residency adjustment.
6.3. Session Participants
When you create or join a Session, the following information is visible to all Session Participants:
- Your first name and last name
- Your profile photograph
- Your item assignments within the session
- Your calculated split amount
6.4. We Do NOT:
- Sell your personal information to third parties
- Share your personal information with data brokers or data resellers
- Share your personal information with credit bureaus or financial institutions (except as required for Financial Features)
6.5. Legal and Compliance Disclosures
We may disclose your personal information if required to do so by law, or in the good-faith belief that such disclosure is necessary to:
- Comply with a legal obligation, court order, or lawful government request;
- Protect and defend the rights, property, or safety of Splibble, our Users, or the public;
- Investigate potential violations of our Terms and Conditions;
- Detect, prevent, or address fraud, security, or technical issues.
6.6. Law Enforcement and Legal Process
Where we receive a subpoena, court order, or other lawful request for User data, we will:
- (a) Comply with the request to the extent legally required;
- (b) Where not prohibited by law or court order, make reasonable efforts to notify the affected User prior to disclosure so that they may seek a protective order or other appropriate remedy;
- (c) Limit the scope of disclosure to the data specifically required by the legal process;
- (d) Where the data of other Users (such as Session Participants) would be incidentally disclosed, take reasonable steps to minimise the disclosure of non-relevant personal information.
6.7. Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Policy.
7. International Data Transfers
7.1. Your personal information is stored in cloud infrastructure located in the jurisdiction associated with your app store account, as described in Section 6.2 above.
7.2. In the course of providing the Service, certain data is transferred to infrastructure located outside your home jurisdiction. These transfers include:
- (a) AI processing: Bill images and contextual data (e.g., country code) are transmitted to AI service providers whose processing infrastructure may be located in jurisdictions outside South Africa;
- (b) App distribution: App metadata and crash reports (where enabled) are processed by international app distribution platforms;
- (c) Session data: Non-personally identifiable session data may be stored in a different region from your personal data, as described in Section 6.2;
- (d) Payment processing: Where Financial Features are used, transaction data is processed by Payment Processors whose infrastructure may be located in jurisdictions outside South Africa.
7.3. POPIA Compliance (Section 72): Where personal information is transferred outside South Africa, we ensure that the recipient country provides an adequate level of protection, or that appropriate safeguards are in place, including binding corporate rules, standard contractual clauses, or your explicit consent.
7.4. GDPR Compliance (Chapter V): Where personal information of EU/EEA data subjects is transferred outside the EU/EEA, we rely on adequacy decisions, standard contractual clauses (SCCs), or other approved transfer mechanisms under GDPR.
7.5. Details of the specific jurisdictions to which your data is transferred are available upon request by contacting privacy@splibble.com.
8. Data Retention
8.1. We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:
| Data Type | Retention Period | Rationale |
|---|---|---|
| User profile data | Duration of account existence + 30 days after deletion request | Service delivery and account recovery |
| Bill images | Duration of session + automatic expiry after period of inactivity | Temporary processing; not retained long-term |
| Session data | Duration of session + retained in activity history | Transaction reference for Users |
| Activity history | Duration of account existence | User-accessible transaction history |
| Financial transaction records | As required by applicable financial regulations and tax law (note: full payment card details are never stored by Splibble — these are held exclusively by the Payment Processor) | Legal and regulatory compliance |
| Authentication tokens | Until expiry or logout | Session security |
| Location data | Duration of the relevant session or interaction; not retained long-term | Feature delivery |
| Performance metrics | Aggregated and anonymised; retained indefinitely | Service improvement |
| Verification codes | Until used or expired | Account security |
8.2. Upon account deletion, we will delete or anonymise your personal information within thirty (30) days, except where retention is required by law or for legitimate business purposes (e.g., to comply with legal obligations, resolve disputes, or enforce our agreements).
8.3. Aggregated, anonymised data that cannot be used to identify you may be retained indefinitely for analytical and statistical purposes.
9. Data Security
9.1. We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, including:
- Data encrypted in transit and at rest using industry-standard encryption;
- Managed authentication services with cryptographically secure credential handling;
- Token-based authentication with automatic expiry and refresh mechanisms;
- API-level authentication and authorisation on all endpoints;
- Role-based access controls governed by the principle of least privilege;
- Input validation on all data inputs;
- Domain-restricted API access policies;
- Real-time connection management with automatic stale session cleanup;
- No storage of raw passwords;
- Where Financial Features are available, all payment processing is handled by PCI DSS Level 1 compliant Payment Processors. Splibble does not store, process, or have access to full payment card numbers, CVV codes, or banking credentials.
9.2. DESPITE THESE MEASURES, NO METHOD OF ELECTRONIC TRANSMISSION OR STORAGE IS 100% SECURE. We cannot guarantee absolute security. You acknowledge and accept the inherent risks of transmitting information over the internet and using cloud-based services.
9.3. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Regulator (South Africa) as required under POPIA Section 22;
- Notify affected data subjects as soon as reasonably possible;
- For EU/EEA data subjects, notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
10. Your Rights
10.1. Rights Under POPIA (South African Data Subjects)
Under POPIA, you have the right to:
| Right | Description |
|---|---|
| Access (s23) | Request confirmation of whether we hold your personal information and request a copy thereof |
| Correction (s24) | Request correction or deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained personal information |
| Deletion (s24) | Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected |
| Object (s11(3)) | Object to the processing of your personal information on reasonable grounds |
| Withdraw Consent (s11(2)) | Withdraw previously given consent to processing |
| Complain (s74) | Lodge a complaint with the Information Regulator |
| Not be Subject to Automated Decision-Making (s71) | Not be subject to a decision based solely on automated processing that significantly affects you |
10.2. Rights Under GDPR (EU/EEA Data Subjects)
If you are located in the EU or EEA, you additionally have the right to:
| Right | Description |
|---|---|
| Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format |
| Restriction (Art. 18) | Request restriction of processing in certain circumstances |
| Erasure ("Right to be Forgotten") (Art. 17) | Request erasure of your personal data in certain circumstances |
| Lodge a Complaint (Art. 77) | Lodge a complaint with your local supervisory authority |
10.3. Rights Under CCPA (California Residents)
If you are a California resident, you have the right to:
| Right | Description |
|---|---|
| Know | Know what personal information is collected, used, shared, or sold |
| Delete | Request deletion of personal information |
| Opt-Out | Opt out of the sale of personal information (note: we do not sell personal information) |
| Non-Discrimination | Not be discriminated against for exercising your privacy rights |
10.4. Rights Under LGPD (Brazilian Data Subjects)
If you are located in Brazil, the Lei Geral de Proteção de Dados (Law No. 13,709/2018) ("LGPD") applies. You have the right to:
| Right | Description |
|---|---|
| Confirmation and Access (Art. 18(I-II)) | Confirm whether your data is being processed and access it |
| Correction (Art. 18(III)) | Request correction of incomplete, inaccurate, or outdated data |
| Anonymisation, Blocking, or Deletion (Art. 18(IV)) | Request anonymisation, blocking, or deletion of unnecessary or excessive data |
| Data Portability (Art. 18(V)) | Request portability of your data to another service provider |
| Deletion (Art. 18(VI)) | Request deletion of personal data processed with your consent |
| Information on Sharing (Art. 18(VII)) | Request information about public and private entities with which your data has been shared |
| Revocation of Consent (Art. 18(IX)) | Revoke consent at any time |
| Review of Automated Decisions (Art. 20) | Request a review of decisions made solely on the basis of automated processing that affect your interests |
To exercise any rights under the LGPD, please contact our Data Protection Officer at dpo@splibble.com.
10.5. Exercising Your Rights
To exercise any of the above rights, please contact us at:
Email: privacy@splibble.com
We will respond to your request within:
- POPIA: A reasonable time, not exceeding thirty (30) days
- GDPR: One (1) month, extendable by two (2) further months for complex requests
- CCPA: Forty-five (45) days, extendable by an additional forty-five (45) days
We may request verification of your identity before processing your request to protect against unauthorised access.
11. AI Processing and Automated Decision-Making
11.1. The Service uses artificial intelligence and machine learning technologies, which may include third-party providers, to process bill images and other Content. This involves transmitting Content to AI services for automated extraction of text, line items, and related information.
11.2. Data minimisation: Only the data strictly necessary for AI processing is transmitted (e.g., the bill image and contextual information such as country code for currency detection). Your personal account information, profile data, and activity history are not transmitted to AI providers for bill processing purposes.
11.3. Human review: AI-processed data is always presented to you for manual review and editing before being used in a Session or for any financial purpose. No automated decision with legal or significant effect is made without your explicit review and confirmation.
11.4. AI Training. By using the Service, you acknowledge that Splibble may use anonymised and de-identified versions of your Content (from which all personally identifiable information, including facial images, has been irreversibly removed) for the purpose of training, improving, and developing AI and machine learning models used in connection with the Service. For the purposes of this section, "anonymised and de-identified" means that the data has been processed such that it cannot reasonably be used, whether alone or in combination with other available data, to identify any individual. We employ industry-standard anonymisation techniques and conduct periodic assessments of re-identification risk. In the event that data previously considered anonymised is found to be re-identifiable, such data shall be treated as personal information and processed in accordance with the full terms of this Policy. As irreversibly anonymised data does not constitute personal information under POPIA or personal data under GDPR, this processing falls outside the scope of data protection regulation. Nevertheless, we provide the opt-out mechanism described in Section 11.5 as a matter of transparency and good practice.
11.5. Opt-out of AI Training. You may opt out of the use of your anonymised Content for AI training at any time by:
- (a) Contacting us at privacy@splibble.com; or
- (b) Using the relevant opt-out setting within the Service (where available).
Upon receiving your opt-out request, we will cease using your Content for AI training purposes within thirty (30) days. Models already trained prior to your opt-out may retain generalised, non-reversible learnings that cannot practicably be extracted, isolated, or deleted. Opting out will not affect the functionality of the Service or your ability to use any features.
12. Camera, Location, and Device Permissions
12.1. The Service may request the following device permissions:
| Permission | Purpose | Required? |
|---|---|---|
| Camera | Photographing bills and receipts for processing | Required for core scanning functionality |
| Photo Library | Uploading profile photographs | Required for profile setup |
| Location | Identifying establishments, personalising experience, and enhancing service features | Optional; may limit certain features if denied |
12.2. You may deny or revoke any of these permissions at any time through your device settings. Denying camera access will prevent you from scanning bills. Denying location access may limit certain features but will not prevent core functionality.
12.3. We do not access your camera, photo library, or location without your explicit permission. The camera is activated only when you initiate a bill scan. Location data is collected only when relevant features are in use and permission has been granted. We do not continuously track your location in the background.
13. Children's Privacy
13.1. The Service is not directed at and is not intended for use by children under the age of eighteen (18) years, or the age of legal majority in the applicable jurisdiction.
13.2. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take immediate steps to delete such information.
13.3. If you believe that a child has provided us with personal information, please contact us immediately at privacy@splibble.com.
14. Cookies and Tracking Technologies
14.1. The Splibble mobile application does not use cookies.
14.2. The Splibble web application may use essential cookies or local storage solely for authentication session management. These are strictly necessary for the functioning of the Service and cannot be disabled without losing access to authenticated features.
14.3. We may use anonymised, aggregated analytics to understand how the Service is used and to improve it. Such analytics do not identify individual Users.
15. Do Not Track
15.1. Some web browsers transmit "Do Not Track" (DNT) signals. As we do not engage in cross-site tracking, the Service's behaviour does not differ based on DNT signals.
16. Data Breach Notification
16.1. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal information, we will:
- (a) Assess the breach to determine the risk to data subjects;
- (b) Notify the Information Regulator (South Africa) as required under POPIA Section 22;
- (c) Notify affected data subjects as soon as reasonably possible after the discovery of the breach, providing:
  - A description of the nature of the breach;
  - The categories and approximate number of data subjects affected;
  - The likely consequences of the breach;
  - The measures taken or proposed to address the breach;
  - Recommendations for affected data subjects to mitigate potential adverse effects.
16.2. For EU/EEA data subjects, notification will be made in accordance with GDPR Articles 33 and 34.
17. Information Regulator (South Africa)
17.1. If you are unsatisfied with our handling of your personal information, you have the right to lodge a complaint with the Information Regulator:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: enquiries@inforegulator.org.za
Website: https://inforegulator.org.za
18. Changes to This Policy
18.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
18.2. We will notify you of material changes by:
- Posting the updated Policy on our website and within the Service;
- Updating the "Last Updated" date at the top of this Policy;
- Where practicable, sending a notification to the email address associated with your account.
18.3. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.
19. Third-Party Links
19.1. The Service may contain links to third-party websites, applications, or services. This Policy does not apply to such third-party services.
19.2. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services you access.
20. Data Processing Agreements
20.1. We have entered into data processing agreements with our key third-party service providers that include appropriate technical and organisational measures to protect your personal information.
20.2. These agreements include obligations regarding:
- Confidentiality of processing;
- Security measures;
- Sub-processor management;
- Data breach notification;
- Data subject rights assistance;
- Data deletion or return upon termination.
21. Anonymised and Aggregated Data
21.1. We may create anonymised or aggregated data from your personal information by removing or obscuring identifiers such that the data cannot reasonably be used to identify any individual. Such anonymised or aggregated data is not personal information and is not subject to this Policy.
21.2. Anonymised and aggregated data helps us and our partners improve products and services. We may use, license, or share such data for any lawful purpose, including but not limited to:
- Improving the accuracy and reliability of the Service;
- Industry research, benchmarking, and trend analysis (e.g., aggregated spending patterns and behaviours);
- Training, developing, and improving artificial intelligence and machine learning models;
- Sharing insights with business partners to help them better understand trends and improve their offerings;
- Other analytical, statistical, and commercial purposes.
21.3. Any data shared with third parties under this section will be in anonymised or aggregated form only. We do not sell, license, or share data in any form that could reasonably be used to identify an individual User.
22. Retention After Account Deletion
22.1. Upon your request to delete your account:
- Your profile data (name, email, profile photograph) will be deleted within thirty (30) days;
- Your authentication credentials will be immediately revoked;
- Your activity history records will be anonymised (personal identifiers removed);
- Bill images associated with expired sessions will have already been removed through automatic session expiry;
- Financial transaction records may be retained as required by applicable law;
- Aggregated, anonymised analytics data that cannot be used to identify you may be retained indefinitely;
- AI models trained on anonymised versions of your Content prior to deletion may retain generalised, non-reversible learnings that cannot practicably be extracted, isolated, or deleted. No personally identifiable data persists in such models.
22.2. Certain data may be retained beyond the deletion period where required to:
- Comply with legal obligations (including financial record-keeping requirements);
- Resolve disputes;
- Enforce our Terms and Conditions;
- Prevent fraud or abuse.
23. Contact Us
For any privacy-related questions, concerns, requests, or complaints, please contact:
SmythTec (Pty) Ltd (trading as Splibble) — Privacy
Email: privacy@splibble.com
Website: https://www.splibble.com
We will endeavour to respond to all enquiries within a reasonable timeframe and in accordance with applicable legal requirements.
By using the Splibble Service, you acknowledge that you have read, understood, and agree to the collection and processing of your personal information as described in this Privacy Policy.