Privacy Policy
Last updated 2026-05-16
Kvitta ("we", "us", "the service") is a bill-splitting application operated for personal
use. This policy explains what data we collect, why we collect it, and how we protect it.
1. Who we are
Kvitta is self-hosted by the operator at kvitta.myhrmans.com. Servers are
located in Sweden. For privacy questions, contact privacy@myhrmans.com.
2. What we collect
- Account: your email address (used for sign-in via magic-link or via Google / Apple sign-in if you choose that), your display name, and optionally your Swedish mobile number (used only to pre-fill the recipient when a friend pays you back via Swish).
- Groups and friends: the groups you create or join, who is a member, who is a friend.
- Expenses and settlements: the amounts, titles, dates, categories, and per-person split that you record yourself.
- Receipts (Premium scanning): if you scan a receipt, the photo is sent to our own OCR service (self-hosted, not a third party) to extract the merchant, date, line items, and total. The image is processed transiently and not stored; the extracted line items and the original merchant name are saved with the expense you create.
- Bank connection (optional): if you connect a bank, we store the encrypted EnableBanking session identifier, the account UID, the bank name, the last four digits of the account, and the session expiry date.
- Bank transactions: we do not store raw bank transactions. They are fetched live from EnableBanking each time you open the Bank inbox and held only in memory for the duration of the request (with a short server-side cache for performance). When you choose to split a transaction or mark it as personal, we store only the opaque transaction reference (no merchant, amount, or date is persisted with it).
- Session cookies: a long-lived HTTP-only cookie containing a hashed session token so you stay signed in.
We do not collect: device identifiers beyond what your browser sends, location data, analytics or tracking events.
3. Why we collect it
All of the data above is collected solely to provide the service you signed up for:
splitting bills with friends, calculating balances, suggesting settlements, and (if you
opted in) importing bank transactions.
4. Third parties
- EnableBanking AB (Helsinki, Finland) is our licensed AISP for
PSD2-regulated bank access. They handle authentication with your bank and return
transaction data to us on request. We only ever read transactions — Kvitta cannot move
money. See EnableBanking's privacy notice.
- One.com (Copenhagen, Denmark) handles outgoing email for our
magic-link sign-in. Your email address is forwarded to them for the duration of
delivering the sign-in message.
- Google Ireland Limited (Dublin, Ireland) and Apple
Distribution International Limited (Cork, Ireland) are used only if you
choose Sign in with Google / Apple. They verify your identity and return your
email + display name to us. If you sign in with the email magic link instead, no
data is shared with Google or Apple.
5. How we protect data
- All traffic to and from
kvitta.myhrmans.com is encrypted with TLS. - Bank session identifiers are encrypted at rest using AES-256-GCM with a key stored only on the application server.
- Session cookies are HTTP-only, secure, and SameSite=Lax.
- Database is reachable only on the private network, never exposed to the internet.
6. Retention & account deletion
Your data is kept for as long as your account exists. You can delete your account any time from Settings → Delete account, or on the web at kvitta.myhrmans.com/account/delete.
Deleting your account permanently removes your personal data — name, email, phone, sign-in methods, friendships, and any connected bank session. Expenses and settlements you shared with other people remain in their groups, anonymised as “Deleted user”, because removing them would corrupt everyone else's balances.
You can also disconnect your bank at any time from the Bank inbox; doing so deletes the
stored session.
7. Your rights (GDPR)
Under the EU General Data Protection Regulation and Swedish data protection law, you
have the right to access, correct, export, and delete your data. To exercise any of
these rights, email privacy@myhrmans.com.
You also have the right to lodge a complaint with the Swedish Authority for Privacy
Protection (IMY) at imy.se.
8. Changes
If we change this policy, the "last updated" date above will change. Material changes
will be communicated in-app on your next sign-in.