Privacy policy

Last updated: 8 May 2026

Short version: we collect only what's needed for the app to work. We don't sell your data to anyone.

Who looks after your data

The data controller is Marcin Perłak Mroomy (sole proprietorship), NIP 2220668250, ul. Zamknięta 10 lok. 1.5, 30-554 Kraków, Poland.

Questions, requests, complaints — email agata.perlak@icloud.com.

What we know about you

  • Email — to log you in and send important messages.
  • Name or nickname — so friends recognise you instead of an anonymous ID.
  • Password — stored as a hash. We don't know your actual password.
  • Profile picture — if you upload one.
  • Your settlements — amounts, descriptions, dates, friends, tags. This is the whole point of the app.
  • Some technical data — IP address, browser type, in-app clicks.

Sharing data is voluntary, but without email and password you can't create an account.

Why we collect this

  • To make the app work — show who owes whom, invite friends (legal basis: contract performance, GDPR Art. 6(1)(b)).
  • To improve the app and detect break-in attempts (legitimate interest, Art. 6(1)(f)).
  • To meet legal obligations, e.g. respond to authority requests (Art. 6(1)(c)).

Who else gets your data

We use third-party services. Each has a data processing agreement with us (under GDPR Art. 28):

  • Vercel — app hosting (US-based, EU processing region)
  • Neon — Postgres database (US-based, EU region)
  • Resend — email delivery (US-based)
  • PostHog — analytics (EU, host: eu.i.posthog.com)

Some providers are based in the US. Transfers to them take place under the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.

We don't sell your data to brokers, ad networks, or anyone else.

Cookies

  • Session cookie (logged-in state) — required for the app to work.
  • Analytics (PostHog, when enabled) — anonymous usage stats. You can block them in your browser settings.

How long we keep data

  • Account and settlements — as long as your account exists. After deletion, removed within 30 days.
  • Database backups — up to 30 days.
  • Technical logs — up to 90 days.

Your rights

You can at any time:

  • see what we know about you
  • correct your data (yourself in settings or via email)
  • delete your account
  • export your data
  • object to processing

If you think we mishandle your data, you can complain to the Polish Personal Data Protection Office (uodo.gov.pl).

Security

Passwords are hashed, connections go over HTTPS, the database sits in a private network. We back things up. If despite all this a breach happens, we'll email you within 72 hours.

Children

Anyone can use the app:

  • 16 and older — without parental consent.
  • Under 16 — only with parent/guardian consent. Polish law requires this.

If we notice an under-16 account without parental consent, we'll ask for it. Without consent, the account will be deleted.

Parents — if your child is using the app without your consent, email us and we'll handle it.

Changes

If anything important changes, we'll update this page and email accounts that are still active.