Privacy Policy
Last updated: 29 January 2026
1. Introduction
Welcome to WhosPaid. This service is provided by Herdl Ltd ("we", "us", "our"), a company registered in England and Wales (Company Number: 08394619). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our group expense tracking service ("the Service").
Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy.
WhosPaid is a trading name of Herdl Ltd.
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly to us:
- Account Information: Email address, password (stored only as a bcrypt hash, never in recoverable form; see Section 6)
- Group Information: Group names, descriptions, total amounts, currency, payment instructions
- Member Information: Names, email addresses (optional), custom amounts, notes
- Payment Information: Payment status, dates, amounts (tracking only - we do not process payments)
- Receipt Images: Optional file uploads for payment verification
2.2 Automatically Collected Information
When you use the Service, we automatically collect:
- Usage Data: Pages viewed, features used, time spent on the Service
- Device Information: Browser type, operating system, device type
- Log Data: IP address, access times, referring URLs
- Cookies: Session cookies for authentication (see Section 8)
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage groups, track payments, display payment status
- Authentication: Verify your identity and secure your account
- Communication: Send payment reminder emails (when configured by administrators)
- Improvement: Analyze usage patterns to improve features and user experience
- Security: Detect and prevent fraud, abuse, and security incidents
- Compliance: Comply with legal obligations and enforce our Terms
- Customer Support: Respond to your inquiries and provide technical support
4. Public Display of Information
⚠️ Important Notice
Payment status information is publicly accessible via shareable group links. This is a core feature of the Service designed to encourage timely payments through social accountability.
Publicly Displayed Information:
- Group names
- Member names
- Payment amounts
- Payment status (Paid, Pending, Overdue)
- Installment information
NOT Publicly Displayed:
- Email addresses
- Passwords
- Admin account information
- Payment instructions (unless made public by administrator)
5. Information Sharing and Disclosure
5.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5.2 Service Providers
We share information with trusted third-party service providers who assist us in operating the Service:
- Hosting: Vercel (application hosting)
- Database: Vercel Postgres (data storage)
- File Storage: Vercel Blob Storage (receipt images)
- Email Delivery: Resend (payment reminder emails)
- Rate Limiting: Upstash Redis (abuse prevention)
These providers are contractually obligated to protect your data and use it only for the purposes we specify.
5.3 Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).
5.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in Transit: All traffic between your browser and the Service is sent over HTTPS (TLS)
- Password Protection: Passwords are never stored in plaintext; they are hashed with bcrypt at a cost factor of 12
- JWT Authentication: Session tokens are signed with HMAC-SHA256 (HS256) and verified on every request
- Rate Limiting: Protection against brute-force attacks and abuse
- Input Validation: All user inputs are validated and sanitized
- XSS Prevention: HTML entity encoding for email templates
- Security Headers: CSP, X-Frame-Options, and other protective headers
- Regular Backups: Automated database backups for data recovery
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:
- Account Data: Retained while your account is active, plus 90 days after deletion
- Group Data: Retained until manually deleted by administrators
- Audit Logs: Retained for 12 months for security and debugging purposes
- Backups: Retained for 30 days for disaster recovery
You may request deletion of your data at any time (see Section 10).
8. Cookies and Tracking Technologies
8.1 Cookies We Use
We use the following types of cookies:
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Session Cookies: JWT tokens stored in cookies to maintain your login session
8.2 Managing Cookies
Most browsers allow you to control cookies through their settings. However, disabling cookies may prevent you from using certain features of the Service.
8.3 Third-Party Cookies
We do not use third-party advertising or analytics cookies. All cookies are first-party cookies set by our Service.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those of your country.
Our hosting provider (Vercel) operates globally. When your data is transferred internationally, we ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.
10. Your Privacy Rights
Depending on your location, you may have the following rights:
10.1 Access and Portability
You have the right to request a copy of the personal information we hold about you.
10.2 Correction
You can update your account information and group data directly through the Service.
10.3 Deletion
You have the right to request deletion of your personal information, subject to certain legal exceptions.
10.4 Restriction and Objection
You may object to certain processing of your data or request restriction of processing.
10.5 Withdrawal of Consent
Where processing is based on consent, you may withdraw your consent at any time.
To exercise these rights, please contact us at privacy@whospaid.com. We will respond to your request within 30 days.
11. UK GDPR Compliance
For users in the United Kingdom, we comply with the UK General Data Protection Regulation (UK GDPR). Our legal basis for processing your information includes:
- Contract: Processing necessary to provide the Service to you
- Legitimate Interests: Improving the Service and preventing fraud
- Consent: Where you have explicitly consented (e.g., email reminders)
- Legal Obligation: Complying with legal requirements
12. Children's Privacy
The Service is not intended for children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an email notification (for significant changes)
- Displaying a prominent notice on the Service
Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Company: Herdl Ltd
Company Number: 08394619 (England and Wales)
Email: privacy@whospaid.com
Legal Email: legal@whospaid.com
Website: https://whospaid.com
Data Protection Officer: For UK GDPR-related inquiries, you may contact our Data Protection Officer at dpo@whospaid.com
Supervisory Authority: If you are located in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk
By using WhosPaid, you acknowledge that you have read, understood, and agree to this Privacy Policy.
