ParentSplit Privacy Policy
Version 2.4.0 · Last updated: 2026-06-09 · Effective June 9, 2026
Plain-language summary. ParentSplit helps co-parents track and split shared child expenses. We collect what we need to do that — your account, the receipts and expenses you log, the messages you send your co-parent, and the diagnostics needed to keep the app reliable. Receipt scanning runs in the cloud by default, but on supported iOS and Android devices you can use Quick Scan, which runs the AI entirely on your phone and never uploads the image. When enabled, we keep anonymized, redacted learning signals from cloud scans, search, and assistant usage to improve ParentSplit-controlled AI. Message tone training is separate and starts only if you enable Improve tone review. These controls live in Settings → Privacy → Help improve AI, and we’ll delete what we already collected within 30 days after opt-out. We never sell your data or use it for advertising.
Changes in v2.4 (June 9, 2026)
This version (2.4.0) corrects and expands disclosures following an internal legal-docs audit. The substantive changes:
- Message permanence disclosure (Sections 4.3 and 7.1). Co-parent messages cannot be edited or deleted after sending; they are a tamper-evident shared record that both parents rely on. Messages hidden by moderation are also retained. Expense comments remain editable and deletable.
- Subprocessor table additions (Section 6.1). Added Anthropic (AI classification and reply drafting for emails to support@parentsplit.app), Expo (push notification relay between our servers and Apple/Google push services), and FreeTSA (RFC 3161 timestamping of evidence-export manifest hashes). Added a dedicated Cloudflare Workers AI row describing its AI processing role: message tone scoring and rewrite suggestions, message embeddings for in-app semantic search, and PDF rendering of message-thread exports (inference only, never model training). See also new Section 4.6b.
- Corrected children’s-data description (Sections 2, 3, and 12). We collect child first names and optional nicknames, child tags on expenses, and child names used as context in cloud receipt scanning. We do not collect child ages; the prior text saying otherwise was inaccurate.
- Explicit defaults for analytics and crash reporting (Sections 4.11, 4.12, and 7). Crash reporting and usage analytics are enabled by default and can be turned off at any time in Settings → Privacy (opt-out).
- Country-aware AI-training defaults (Section 7.4). Receipt/search/assistant training defaults to on for United States workspaces and off for workspaces in Canada or where the workspace country cannot be determined. Message tone training remains opt-in everywhere. Collection of new receipt training pairs is currently paused during an internal review.
- Updated account-deletion vendor propagation (Section 7.2). The deletion cascade now accurately describes which vendor records we delete via API (PostHog, RevenueCat) and which expire on retention schedules (Sentry).
- Accuracy fixes: removed the password-hashing claim (ParentSplit does not store account passwords, Section 11), corrected the audit-log actor description (internal account ID and display name, Section 4.9), and corrected the server-log IP description (Section 4.13).
- Archive pages now published. Prior policy versions are available at parentsplit.app/privacy/archive.
Continued use of ParentSplit after the effective date above constitutes acceptance.
Changes from v2.3.0 → v2.3.1 (May 27, 2026)
Patch revision covering factual clarifications only. No new data collection, no expanded use of existing data, and no consent re-acknowledgment required. Specifically:
- §4.4 Cloud AI Receipt Scanning: model versions updated to Gemini 3.1 Flash Lite on both Vertex AI and Google AI Studio (we upgraded both paths to the latest stable Flash-Lite tier; the prior Vertex path used 2.5 Flash Lite and the prior AI Studio path used 3.1 Flash Lite Preview). Replaced the inaccurate “noLogging flag” claim with the actual mechanisms — Google Cloud Customer Agreement defaults for Vertex AI, and the Gemini API Additional Terms (which require a billing-enabled paid project for the no-training guarantee to apply) for the Gemini API. Replaced the absolute “do not retain” language with the more accurate phrasing: providers do not use prompts or responses for model training or product improvement, but may transiently log or cache request data for operational, security, abuse-prevention, or legally required purposes under their terms.
- §4.4 and §4.7b — Direct Gemini API fallback disabled in production by default: the Gemini API fallback path (for both receipt scanning and assistant) is disabled in production unless both an explicit fallback-enable flag and an internal paid-project confirmation flag are set on the deployment. This prevents a misconfigured free-tier API key from being used for processing your data.
- New §4.7b Cloud Assistant (“Ask ParentSplit”) Data Flow: dedicated section explaining what the assistant sends to a cloud AI provider, when. Discloses the new Pro-tier gate: callers on the Free tier are blocked at the server boundary before any prompt reaches a cloud AI provider — only Pro callers can invoke the cloud assistant model, and only when deterministic retrievers cannot answer.
The Pro-tier gate is privacy-improving for Free users (less data leaves ParentSplit) and unchanged for Pro users (same data flow as prior policy). Continued use of ParentSplit after the effective date above constitutes acceptance.
Changes from v2.2 (May 2026)
This version (2.3) aligns the public policy, in-app disclosures, analytics controls, and native permissions with the redesigned app. By continuing to use ParentSplit after the effective date above, you accept the changes. The substantive disclosures are:
- Assistant and search training signals (new Section 4.7). The Improve receipts, search, and assistant control now clearly covers redacted search and assistant prompts, redacted assistant responses, result counts, selected result type/rank, and outcome signals. We do not store selected record IDs or unredacted prompts in this dataset.
- Analytics consent and minimization (updated Sections 4.12 and 5). In-app PostHog analytics now honors the Usage Analytics toggle and strips exact amounts, expense IDs, names, notes, reasons, receipt content, and message content before capture. Website PostHog analytics now loads only after browser consent.
- Crash-reporting control (updated Section 4.11). Crash reports are disabled unless the in-app Crash Reports toggle is on. Breadcrumbs are scrubbed to avoid merchant names, exact amounts, message text, receipt file paths, and similar content.
- Native permission cleanup. ParentSplit no longer requests microphone or motion permissions because the current redesigned app does not use voice recording or motion sensors.
- AI provider disclosure (updated Sections 4.4 and 6.1). Cloud Scan and assistant features disclose the AI service providers that may process receipt images, prompts, and necessary app context as service providers.
If you would prefer the previous version, you can view v2.2 here (archived), but please note that continued use of ParentSplit means the current version governs.
1. Who We Are
ParentSplit is a mobile and web service operated by Leap21 LLC (“Leap21,” “ParentSplit,” “we,” “us,” or “our”), a Florida limited liability company.
- Privacy contact: privacy@parentsplit.app
- General contact: info@parentsplit.app
- Mailing address: Leap21 LLC (mailing address available upon written request to legal@parentsplit.app), United States
- Data Protection Officer (GDPR): privacy@parentsplit.app
This Privacy Policy applies to:
- The ParentSplit mobile app (iOS via the App Store, Android via Google Play)
- The ParentSplit website at parentsplit.app and any subdomain (e.g., api.parentsplit.app)
- The Convex backend that powers the app (database, file storage, scheduled jobs)
- Any related communications we send you (transactional email, push notifications)
It does not cover:
- Apple’s, Google’s, or your device manufacturer’s separate privacy practices
- Third-party services you choose to integrate with (e.g., your email provider, your bank, a court system)
- Other Leap21 LLC products that have their own privacy policies
2. Who This Policy Is For (and Who It Is Not)
ParentSplit is built for adult co-parents managing shared expenses for their children. The service is not directed at children under 13 (United States) or under 16 (European Economic Area).
We do collect data about children. Specifically: a child’s first name and an optional nickname, child tags on expenses (for example, “School supplies for Jack”), and child names included as context in cloud receipt scanning so that receipts can be matched to the right child. We do not collect child ages or birthdates. This data is provided by the adult parent on behalf of the child, is treated with the same protections as the parent’s own data, and is governed by the parent’s account.
We do not knowingly create accounts for users under 18. If we learn that an account belongs to a minor, we will close it and delete the data. If you believe a minor has registered, please email privacy@parentsplit.app.
Because the service is not “directed to children” within the meaning of the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), the heightened verifiable-parental-consent rules under COPPA do not apply. We treat data about children as sensitive and apply the strongest protections we offer to that data anyway.
3. The Data We Collect — At a Glance
| Category | Examples | Source | Why |
|---|---|---|---|
| Account data | Email, name, profile photo | You provide it | To create and secure your account |
| Auth identifiers | Apple Sign In ID, Google OAuth ID, magic-code email session | You + Apple/Google | To log you in |
| Workspace data | Workspace name, child first names and optional nicknames, child tags on expenses, custom categories, expense agreement | You provide it | To run the co-parent expense workflow |
| Expense data | Amount, merchant, date, category, notes, payer, splits | You provide it | The core service |
| Receipt images | Photos of receipts you scan | You provide it via camera or upload | To extract expense data + recordkeeping |
| Comments / chat | Messages between co-parents on expenses | You provide it | The discussion thread |
| AI scan results | Merchant, amount, line items, category extracted by our AI | Derived from your receipts | To pre-fill the expense form |
| Receipt AI training pairs (NEW v2) | Anonymized, PII-redacted versions of AI scan results | Derived from your scans | To improve receipt AI (opt-out available) |
| Message tone training pairs (NEW v2.2) | Redacted message text, tone labels, and coarse text metadata | Derived from messages only if separately enabled | To improve tone review (explicit opt-in only) |
| Assistant/search training events (NEW v2.3) | Redacted prompts/responses, result counts, selected result type/rank, outcome signals | Derived from search and assistant usage if training is enabled | To improve ParentSplit search and assistant behavior (opt-out available) |
| Subscription state | Pro / Free, trial status, renewal date | RevenueCat (Apple/Google handle billing) | To know which features to enable |
| Audit log | Cryptographic hash chain of expense events | Generated by the app | Dispute resolution, documented recordkeeping |
| Crash reports | Stack traces, device model, OS version, scrubbed breadcrumbs | Sentry SDK, on by default, opt-out in Settings | To find and fix bugs |
| Analytics | Screen views, feature events, coarse buckets/counters, anonymized user ID | PostHog SDK, on by default, opt-out in Settings | To understand which features people actually use |
| Server logs | IP address, request URL, response code, timing | Convex / Cloudflare | Security, debugging, abuse prevention |
We do not collect:
- Your full credit card number, CVV, or bank account credentials (those go directly to Apple/Google/RevenueCat)
- Your contacts, full calendar, photos library content beyond what you select, microphone audio, motion-sensor data, or location
- Browsing history outside the app
- Health or biometric data (Face ID and Touch ID stay on your device — we never see them)
- Government identifiers (SSN, driver’s license, passport)
4. How We Collect and Use Each Category
4.1 Account, Authentication, and Receipt Storage
When you create an account, we collect your email and a profile name. If you sign in via Apple, we receive an opaque user identifier and (if you allow it) your name and email. If you sign in via Google OAuth, we receive your Google account email and a stable user identifier. We use Convex Auth as the authentication layer.
- Magic-code email login: we email you a six-digit code; the code is short-lived (10 minutes) and hashed in our database. We do not store the code in plaintext.
- Apple Sign In: complies with Apple’s “Hide My Email” — if you choose that, we never see your real email, only the relay address.
- Google OAuth: uses standard OAuth 2.0 + OpenID Connect. We request the openid, email, and profile scopes and nothing else.
- Sessions: stored as short-lived JWTs (~24h) plus a longer-lived refresh token. You can revoke all sessions in Settings → Account → Active Sessions.
Receipt images you upload are stored in Convex File Storage (_storage), tied to your workspace. They are encrypted at rest by Convex and accessible only to:
- Members of your workspace (typically you and your co-parent)
- Our automated AI scanning pipeline (cloud cascade, see Section 4.4)
- Leap21 employees with operational need (subject to internal access controls and audit logging)
When you delete an expense, the associated receipt image is deleted from storage immediately. When you delete your account, all receipts in your workspace are deleted as part of the cascade described in Section 7.2.
4.2 Workspace and Expense Data
A “workspace” is the shared container for a pair of co-parents. Both members can read and write all workspace data; that’s the point of the product. You should only invite your co-parent (or comparable trusted party) into a workspace.
We compute balances, settlements, and splits server-side. The math is logged into the audit log (see Section 4.9) so that disputes can be resolved by reference to a tamper-evident history.
4.3 Comments and Chat
Comments on expenses (and any free-text fields like expense notes) are stored as the user wrote them. We do not use chat content for advertising. We use chat content for tone-review training only if you separately enable Improve tone review in Settings, and then only after redaction as described in Section 4.6. If you ask the ParentSplit assistant a question, the prompt and the app context needed to answer it may be sent to an AI service provider as described in Sections 4.7 and 6.1. Chat content is visible to both co-parents in a workspace.
Message permanence. Workspace messages between co-parents are retained as a shared co-parenting ledger. After you send a message, you cannot edit it, delete it, clear it, or hide it from the other workspace member. This is by design: the message history is a tamper-evident shared record that both parents rely on, and allowing one parent to alter or erase it would defeat that purpose. Messages hidden by moderation are also retained in the underlying record. Expense comments are different: you can edit or delete your own expense comments at any time. If you or your co-parent export or share workspace records, attorneys, mediators, legal representatives, or courts may review those messages; ParentSplit does not provide legal advice and does not decide how a message will be used in a legal proceeding.
We reserve the right to scan content in response to a credible Trust & Safety report (e.g., abusive messaging that appears to violate our Terms of Service). ParentSplit staff do not proactively read your messages; the automated tone, search, and export processing that does touch message content is described in Section 4.6b.
4.4 Cloud AI Receipt Scanning
When you take a photo of a receipt and choose Scan Receipt (the default, cloud-powered path), we:
- Upload the receipt image to Convex File Storage as described in 4.1.
- Send the image to one of three AI providers in a cascade for extraction:
- Google Cloud Vertex AI (Gemini 3.1 Flash Lite) — primary
- Google AI Studio (Gemini 3.1 Flash Lite) — fallback
- xAI (Grok 4.1 Fast) — last resort
- Receive back structured fields: merchant, amount, line items, date, category, matched children, etc.
- Pre-fill the expense form with those fields. You review and save.
Each provider receives only the single image and a structured prompt. None of the providers uses your data to train or improve their foundation models. Providers may transiently log or cache request data for operational, security, abuse-prevention, or legally required purposes under their terms; the prohibition is on model training and product improvement, not on all server-side processing. The protections in place:
- Vertex AI: governed by the Google Cloud Customer Agreement and Vertex AI’s data-protection terms. Under these terms, Google does not use customer prompts, inputs, or outputs to train or improve its foundation models. Vertex AI requests originate from a Google Cloud project covered by these terms.
- Gemini API (Google AI Studio): governed by the Gemini API Additional Terms. The Gemini API Additional Terms provide that, when the API key is associated with a billing-enabled (paid) Google Cloud project, Google does not use prompts or responses for model training or product improvement. The Gemini API integration is disabled in ParentSplit production by default; it is only enabled when both an explicit fallback-enable flag and an internal paid-project confirmation flag are set on the deployment.
- xAI: governed by xAI’s enterprise terms, which prohibit use of customer content for model training.
4.5 AI Training Data — psxMonoTrainingPairs (NEW v2)
We use cloud-AI scan results to improve ParentSplit’s own AI accuracy over time. After a successful cloud scan and before showing you the result, we write an anonymized, PII-redacted copy of the parsed result into a separate database table called psxMonoTrainingPairs. This is governed entirely by the policy in this section and the opt-out in Section 7.4.
What we store, after redaction:
- A SHA-256 hash of your workspace ID (with a server-side pepper). The hash is one-way and unrecoverable — we cannot map it back to your workspace, your account, or your name.
- A bucketed amount (rounded to the nearest $5 if ≤ $100, or $25 if > $100). We never store the exact amount.
- The merchant name only if it appears on a small whitelist of public chains (Target, Walmart, Costco, Whole Foods, etc.). Otherwise the merchant is stored as null — local businesses, professional services, sole proprietors, therapy practices, pharmacies, attorneys, etc. are never identified.
- Line items, with names redacted to category labels for any item that matches our sensitive-category heuristic (medical, pharmacy, contraception, mental-health, legal, addiction-recovery, mature-content keywords). Other line items keep their name and a bucketed price.
- A redacted version of the OCR text with all detected names, addresses, phone numbers, emails, partial credit-card numbers, and account numbers stripped.
- Day-of-week and hour-of-day (no exact date).
- The model version we used for the scan, so we can compare versions over time.
- A SHA-256 fingerprint of the redacted payload for deduplication.
What we do NOT store:
- The receipt image. (The image stays in your workspace storage as in Section 4.1, and is deleted on expense or account deletion. It is not copied into the training dataset.)
- Your workspace ID, user ID, email, or any direct identifier.
- The exact amount.
- Names of the co-parents or children.
- Free-text notes you wrote on the expense.
- Anything from the comment thread on the expense.
How we use it:
- We review the dataset internally to find systematic accuracy failures (e.g., “we always miss the tax line on Whole Foods receipts”).
- When the dataset reaches a meaningful size — currently planned at ~10,000 pairs across at least 500 unique merchant whitelist entries — we may use it to fine-tune a small on-device receipt-extraction model (called PSx-Mono / MR-C in our internal roadmap). That model would ship to your phone in a future app update; the training itself is performed by Leap21 on internal infrastructure.
- We do not use this dataset for advertising. We do not share it with third parties. We do not sell it.
Why we believe this is privacy-respecting:
- The receipt image stays in your workspace and is never copied into the training set.
- The workspace identifier is replaced by a one-way hash and cannot be reversed without the server-side pepper, which is rotated and access-controlled.
- The amount is bucketed to the point where re-identification by amount is infeasible.
- Sensitive merchant and line-item categories (medical, legal, mental-health, etc.) are stripped before write — you cannot infer “user X bought item Y at merchant Z” from the dataset.
- The dataset itself stays on Leap21-controlled infrastructure and is exported only to Leap21-controlled training nodes when a training run is authorized.
You can opt out at any time — see Section 7.4.
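As an added illustration of the redaction steps listed in this section (this is not ParentSplit’s own code; the pepper, the chain whitelist, the sensitive-keyword table, and the Walgreens receipt are all constructed for the example), the following TypeScript builds one training pair from a cloud scan result:

```typescript
import { createHash } from "crypto";

// Constructed, illustrative values only: not ParentSplit's real pepper, whitelist or heuristic.
const SERVER_PEPPER = "example-pepper-rotate-me";
const PUBLIC_CHAIN_WHITELIST = new Set(["target", "walmart", "costco", "whole foods"]);
// Sensitive-category heuristic: a keyword found in a line-item name maps to a category label.
const SENSITIVE_KEYWORDS: Record<string, string> = {
  pharmacy: "pharmacy", prescription: "pharmacy",
  clinic: "medical", copay: "medical",
  therapy: "mental-health", counseling: "mental-health",
  attorney: "legal", mediation: "legal",
  contracepti: "contraception", rehab: "addiction-recovery",
};

export interface LineItem { name: string; price: number }
export interface ScanResult {
  workspaceId: string;
  merchant: string;
  amount: number;
  scannedAt: Date;
  ocrText: string;
  lineItems: LineItem[];
  modelVersion: string;
  notes?: string;        // never copied into the training table
}
export interface TrainingPair {
  workspaceHash: string;
  merchant: string | null;
  amountBucket: number;
  lineItems: { name: string; priceBucket: number }[];
  ocrRedacted: string;
  dayOfWeek: number;
  hourOfDay: number;
  modelVersion: string;
  fingerprint: string;
}

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// One-way workspace identifier: without the server-side pepper the hash cannot be linked back.
export function hashWorkspaceId(workspaceId: string, pepper: string = SERVER_PEPPER): string {
  return sha256(`${pepper}:${workspaceId}`);
}

// Nearest $5 at or below $100, nearest $25 above it; the exact amount is never kept.
export function bucketAmount(amount: number): number {
  const step = amount <= 100 ? 5 : 25;
  return Math.round(amount / step) * step;
}

// Only well-known public chains survive; every other merchant becomes null.
export function whitelistMerchant(merchant: string): string | null {
  const key = merchant.trim().toLowerCase();
  return PUBLIC_CHAIN_WHITELIST.has(key) ? key : null;
}

// A sensitive line item loses its name and keeps only a category label and a bucketed price.
export function redactLineItem(item: LineItem): { name: string; priceBucket: number } {
  const lower = item.name.toLowerCase();
  for (const [keyword, label] of Object.entries(SENSITIVE_KEYWORDS)) {
    if (lower.includes(keyword)) return { name: `[${label}]`, priceBucket: bucketAmount(item.price) };
  }
  return { name: item.name, priceBucket: bucketAmount(item.price) };
}

// Strip contact details and card/account fragments from OCR text. General name detection is
// a larger heuristic than this illustration covers; only a "Cardholder:" line is handled here.
export function redactOcrText(text: string): string {
  return text
    .replace(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, "[EMAIL]")
    .replace(/\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, "[PHONE]")
    .replace(/\b(?:card|acct|account)\b[^\n]*?[*x]*\d{4}\b/gi, "[CARD]")
    .replace(/\b\d{1,5} [A-Za-z0-9 ]+ (?:St|Ave|Rd|Blvd|Dr)\b\.?/g, "[ADDRESS]")
    .replace(/cardholder:\s*[^\n]+/gi, "Cardholder: [NAME]");
}

// Build the row that would be written after a successful cloud scan.
export function buildTrainingPair(scan: ScanResult, pepper: string = SERVER_PEPPER): TrainingPair {
  const body = {
    workspaceHash: hashWorkspaceId(scan.workspaceId, pepper),
    merchant: whitelistMerchant(scan.merchant),
    amountBucket: bucketAmount(scan.amount),
    lineItems: scan.lineItems.map(redactLineItem),
    ocrRedacted: redactOcrText(scan.ocrText),
    dayOfWeek: scan.scannedAt.getUTCDay(),   // no exact date is kept
    hourOfDay: scan.scannedAt.getUTCHours(),
    modelVersion: scan.modelVersion,
  };
  // The image, raw IDs, exact amount, notes and comments are deliberately absent from `body`.
  return { ...body, fingerprint: sha256(JSON.stringify(body)) };
}

// Constructed sample scan of a pharmacy receipt (not a real workspace or customer).
export const SAMPLE_SCAN: ScanResult = {
  workspaceId: "ws_example_123",
  merchant: "Walgreens",
  amount: 47.99,
  scannedAt: new Date("2026-06-09T14:32:00Z"),
  ocrText: "WALGREENS\n123 Main St\nTel (555) 867-5309\nCardholder: Jane Doe\nVISA CARD ****4242\n"
    + "PRESCRIPTION AMOXICILLIN 12.50\nCRAYONS 24CT 3.49\nTOTAL 47.99\nsupport@example.com",
  lineItems: [{ name: "Prescription Amoxicillin", price: 12.5 }, { name: "Crayons 24ct", price: 3.49 }],
  modelVersion: "gemini-3.1-flash-lite",
  notes: "Reimburse me for Jack's meds",
};
```

Because the fingerprint is computed over the redacted payload only, two scans of the same receipt deduplicate without the image or any identifier being present in the row.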
4.6 Message Tone Training — messageToneTrainingPairs (NEW v2.2)
Message tone training is separate from receipt AI training. The receipt-training toggle does not authorize message training. If you enable Improve tone review, we may store a redacted tone-training row when you send a message.
What we store, after redaction:
- A SHA-256 hash of your workspace ID with a server-side pepper.
- The message text after replacing names, child names, phone numbers, emails, addresses, links, dates/times, payment/account details, case/order numbers, and exact amounts with placeholders.
- Coarse metadata such as sender role (A or B), message hour/day buckets, character-count bucket, token-count bucket, and redaction counts.
- The coarse tone label and sentiment score bucket used by the tone-review system.
- A SHA-256 fingerprint of the redacted payload for deduplication.
What we do NOT store in the tone-training dataset:
- Raw, unredacted message text.
- Workspace ID, user ID, message ID, topic ID, email, or direct identifiers.
- Co-parent names, child names, phone numbers, email addresses, links, exact dates/times, exact amounts, payment/account details, case/order numbers, or addresses.
- Receipt images or receipt OCR.
How we use it:
- Internal evaluation and improvement of tone review, heated-language warnings, and rewrite suggestions.
- Fine-tuning or evaluating a ParentSplit-controlled tone-review model only after the dataset reaches sufficient size and diversity.
- No advertising, sale, or third-party model training.
You can disable Improve tone review at any time. Disabling stops new writes immediately and triggers deletion of previously collected tone-training rows tied to your workspace within 30 days.
4.6b Message Tone Analysis and Search (Processing, Not Training)
Separately from the opt-in tone training dataset above, ParentSplit performs automatic AI inference on message content using Cloudflare Workers AI as a service provider:
- Tone scoring and rewrite suggestions: when you compose a message, your draft is processed to score its tone and, if you tap the suggestion button, to generate rewrite suggestions.
- Semantic search: messages are converted into embeddings (numeric vectors) so that in-app search can find messages by meaning, not just exact words.
- Message-thread export: when you export a message thread, the thread is rendered to PDF using Cloudflare’s rendering service.
This is inference-only processing: Cloudflare does not use this content to train models, and we do not add this content to any training dataset through this path. Worker logs for these features are content-free (identifiers and latency only). This processing happens as part of providing the messaging, search, and export features themselves; the Improve tone review toggle in Section 4.6 controls only the separate training dataset, not this operational processing.
4.7b Cloud Assistant (“Ask ParentSplit”) Data Flow
When you use Ask ParentSplit — the in-app AI assistant — most prompts are answered without calling any cloud AI provider. ParentSplit runs five deterministic retrievers locally and on our backend (expense lookup, balance, review queue, settlement, message-draft grounding) that cover the everyday questions; we built it this way so that as much of your data as possible stays inside ParentSplit’s own backend.
A prompt is sent to a Google cloud AI provider only when (i) the prompt requires open-ended reasoning or message drafting that the deterministic retrievers cannot answer, and (ii) you are on Pro. Free callers are blocked at the server boundary with a MODEL_REQUIRES_PRO response before any data is sent to a cloud AI provider for assistant processing — your prompt never leaves ParentSplit’s backend in that case.
When a Pro caller does reach the model path, the assistant uses:
- Google Cloud Vertex AI (Gemini 3.1 Flash Lite) — the only model provider enabled in production.
A direct Gemini API fallback (Google AI Studio) is implemented for resilience but is disabled in production by default. It is only enabled when both an explicit fallback-enable flag and an internal paid-project confirmation flag are set on the deployment, so a free-tier API key cannot accidentally be used for assistant processing.
The request payload sent to the provider includes:
- Your prompt text
- A compact workspace context: your first name, your co-parent’s first name, the number and total amount of pending expenses, and short summaries of the most relevant pending expense rows (merchant, amount, category, date, payer, child first name tags) needed to answer your question
- Up to the last few turns of the current conversation (so the assistant remembers what you just asked)
- A short system prompt that tells the model what ParentSplit is and how to behave
The request payload does not include:
- Your full expense history, settlement history, or message history
- Receipt images (those go to a separate cloud-scan flow described in §4.4)
- Your email address, password, OAuth tokens, payment information, IP address, exact home address, or device identifiers
- Other workspaces’ data
Provider-side data handling for assistant requests matches the receipt-scan section above: Google does not use prompts or responses for model training or product improvement under the Vertex AI terms (and under the Gemini API Additional Terms when the fallback is enabled on a billing-confirmed paid project). Providers may transiently log or cache request data for operational, security, abuse-prevention, or legally required purposes under their terms — the prohibition is on training and product improvement, not on all server-side processing. We additionally maintain server-side rate limits (30 requests/minute and 500/day per user) and prompt-injection / abuse audit logging so that even an attacker who hijacked a session could not exfiltrate workspace data through the assistant at scale.
If you do not want any cloud model processing of your assistant prompts, stay on the Free tier. The Free tier intentionally answers your prompts entirely with on-backend deterministic retrievers and never invokes a cloud assistant model.
4.7 Assistant and Search Training Events — assistantInteractionTrainingEvents (NEW v2.3)
The Improve receipts, search, and assistant control also governs privacy-safe learning signals from ParentSplit search and assistant features. If this control is on, we may store a row when you submit a search, ask the assistant a question, use a suggestion, give feedback, or take an assistant-recommended action.
What we store, after redaction:
- A SHA-256 hash of your workspace ID with a server-side pepper.
- Search or assistant prompt text after replacing detected names, child names, emails, phone numbers, addresses, links, dates/times, exact amounts, payment/account details, case/order numbers, and selected record identifiers with placeholders.
- Assistant response text after the same redaction pass.
- Coarse metadata such as source (home_search, expense_search, assistant_prompt, etc.), event type, result count, selected result type, selected result rank, action type, provider/model name, latency bucket, and pending-expense count or amount bucket.
- A SHA-256 fingerprint of the redacted payload for deduplication.
What we do NOT store in this dataset:
- Raw, unredacted search or assistant prompts.
- Raw, unredacted assistant responses.
- Workspace ID, user ID, expense ID, message ID, setting ID, or selected result ID.
- Receipt images, receipt OCR, comments, notes, names, emails, phone numbers, exact dates/times, exact amounts, payment/account details, case/order numbers, or addresses.
How we use it:
- Internal evaluation and improvement of ParentSplit search relevance, assistant routing, assistant answer quality, guardrails, and suggested actions.
- No advertising, sale, or third-party model training.
You can disable Improve receipts, search, and assistant at any time. Disabling stops new writes immediately and triggers deletion of previously collected assistant/search training rows tied to your workspace within 30 days.
4.8 On-Device AI — Quick Scan (NEW v2)
If you have a supported iOS device with Apple’s on-device Foundation Models framework available, or a supported Android device with AICore support (Pixel 8 / 8 Pro / 8a / 9 series, Galaxy S24 / S24+ / S24 Ultra / S24 FE / Z Fold 6 / Z Flip 6, and certain other recent devices), the app shows a Quick Scan button in the add-expense menu. When you use Quick Scan:
- The receipt image is captured by the camera and stored only in your phone’s app sandbox.
- Apple Vision OCR or Android ML Kit OCR extracts text on the device.
- Apple’s on-device Foundation Models framework or Google’s Gemini Nano processes the OCR text on the device to extract merchant / amount / category.
- The extracted fields pre-fill the expense form. You review and save.
The image is never uploaded to ParentSplit’s servers when you use Quick Scan. No training-pair record is created. No PII leaves your device.
When you save the expense, only the structured fields (merchant, amount, etc.) are sent to our servers, the same as if you had typed them in manually.
Quick Scan availability depends on your device hardware, operating-system version, and Apple or Google’s continued support for the on-device model APIs.
4.9 Audit Log (Hash Continuity)
For dispute resolution and documented recordkeeping, ParentSplit maintains a hash-continuity audit log of every expense-altering event in your workspace. The log is implemented in convex/lib/auditLog.ts as a SHA-256 hash chain: each record’s hash incorporates the previous record’s hash, the timestamp, the actor, and the before/after state. Changes or omissions are cryptographically detectable.
The audit log:
- Is generated server-side automatically; you cannot disable it
- Is retained for seven (7) years to satisfy the longest reasonable evidentiary retention period in U.S. family law
- Is included in evidence exports for your records; those exports are server-signed and independently verifiable at parentsplit.app/verify when generated
We retain the audit log for the seven-year period even if you delete your account, because doing otherwise would make a malicious user’s history disappear from the co-parent’s records and would defeat the purpose of maintaining a documented communication record. Audit log entries record the acting parent’s internal account ID and display name at the time of the action for the seven-year window. After the seven-year window, audit log entries are anonymized (actor field set to deleted-user) and rolled into long-term cold storage. ParentSplit does not provide legal advice or guarantee that any court will admit an export.
4.10 Subscriptions and Payments
We do not process payments ourselves. Subscriptions to the Pro tier are sold through:
- Apple In-App Purchase on iOS (governed by Apple’s Privacy Policy)
- Google Play Billing on Android (governed by Google’s Privacy Policy)
Apple and Google handle the credit-card / payment-method information directly. We never see your card number, CVV, or bank details. We use RevenueCat as a thin server-side broker: RevenueCat tells us “user X is on Pro until date Y,” nothing more. RevenueCat’s privacy policy is at revenuecat.com/privacy.
4.11 Crash Reports — Sentry
Crash reporting is enabled by default and can be turned off at any time in Settings → Privacy → Crash Reports (opt-out). While it is on, the app sends crash and runtime-error reports to Sentry (sentry.io). The crash report may include:
- Stack trace (file names, function names, line numbers from our code)
- Device model, OS version, app version, locale
- A scrubbed breadcrumb log of the most recent app actions (e.g., “tapped Add Expense”)
- Anonymized user identifier (a hashed account ID, not your email or name)
- Internal record identifiers needed to debug the failing path
We scrub breadcrumbs and error context before capture to avoid sending merchant names, exact amounts, message text, receipt file paths, receipt OCR, or co-parent names. We also scrub PII server-side in our Sentry configuration: any string that matches an email, phone number, address, or full name pattern is replaced with [REDACTED] before storage. We retain crash reports for 90 days.
You can disable crash reporting in Settings → Privacy → Crash Reports at any time. When the toggle is off, the app stops crash-event uploads.
4.12 Product Analytics — PostHog
Usage analytics is enabled by default and can be turned off at any time in Settings → Privacy → Usage Analytics (opt-out). While it is on, we use PostHog (us.posthog.com) to understand which features people use. PostHog records:
- Screen views (Home, Add Expense, Settings, etc.) — not the contents of those screens
- Button taps and feature engagement (e.g., “tapped Quick Scan”)
- An anonymized stable identifier (a hashed account ID)
- Device class (iPhone / Android / web) and app version
- Coarse counters and buckets, such as number of line items detected, scan timing, or an amount bucket instead of an exact amount
Before capture, the app strips exact amounts, expense IDs, merchant names, categories, notes, rejection reasons, receipt content, chat/message content, co-parent names, child names, deep-link paths, and error-message text. We do not send personal data, receipt content, chat content, or workspace member identities to PostHog.
You can disable in-app analytics in Settings → Privacy → Usage Analytics at any time. Website analytics uses the same PostHog provider but loads only after you choose Allow analytics in the website cookie banner.
4.13 Server Logs
Our backend (Convex production deployment, Cloudflare Workers, Cloudflare Tunnel) records standard server logs containing:
- Request IP address
- Request URL path and HTTP method
- Response status code and timing
- User-agent string
- Authenticated user’s internal account ID, when present
Platform request logs are retained for approximately 30 days by our infrastructure providers for security, debugging, and abuse-prevention purposes. IP addresses also appear in security audit records (such as failed two-factor attempts and abuse blocks) and are retained as long as needed for security.
5. Cookies and Similar Technologies
The ParentSplit mobile app does not use HTTP cookies (it is a native app). The marketing website at parentsplit.app uses cookies and similar technologies as follows:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| __cf_bm | Essential | Cloudflare bot management — security, abuse prevention | 30 minutes |
| cf_clearance | Essential | Cloudflare proof-of-work after challenge | 1 year |
| ph_* | Analytics | PostHog session and feature-flag identifiers | 1 year |
| ps_analytics_consent | Preference | Stores your website analytics choice (granted or denied) | Until cleared |
| (no advertising cookies) | — | We do not run ads or retargeting on the website | — |
The marketing website does not load PostHog analytics cookies unless you choose Allow analytics in the cookie banner. Cloudflare may set essential security cookies before or during a challenge. There are no advertising cookies, no cross-site tracking pixels, no Facebook Pixel, no Google Ads, no Meta CAPI, no LinkedIn Insight Tag.
6. How We Share Your Information
We share your information only as described below.
6.1 Service Providers (Sub-processors)
We use the following sub-processors to operate ParentSplit. Each is bound by a Data Processing Agreement (DPA) consistent with GDPR Article 28.
| Provider | Purpose | Data flow | Region |
|---|---|---|---|
| Convex (convex.dev) | Database, file storage, real-time sync, scheduled jobs | All app data | United States |
| Cloudflare (cloudflare.com) | DNS, CDN, Workers, Tunnel, Email Routing, R2 (receipt attachments, evidence-export bundles, assets) | Network traffic, forwarded receipt emails, receipt attachments, evidence-export bundles, public assets | United States / global edge |
| Cloudflare Workers AI (cloudflare.com) | AI processing of message content: message drafts are processed for tone scoring and rewrite suggestions, messages are embedded for in-app semantic search, and message-thread exports are rendered to PDF (see Section 4.6b) | Co-parent message text, message embeddings, message threads (export rendering). Inference only: not used to train models; worker logs are content-free (identifiers and latency only) | United States / global edge |
| Apple (apple.com) | App Store distribution, IAP, Sign In with Apple, Push Notifications (APNs) | Account, subscription state, push tokens, push notification payloads | Global |
| Google (google.com) | Google Play distribution, Play Billing, Google OAuth, Vertex AI Gemini 3.1 Flash Lite for receipt scanning + assistant processing, AI Studio Gemini (disabled in production by default; only enabled when an explicit fallback-allow flag and a paid-project confirmation flag are both set), Android Push (FCM) | Account, subscription state, receipt images and email-receipt text (cloud scan only), registered child names as receipt-matching context, assistant prompts + server-constructed workspace context when a Pro caller uses assistant features, push tokens | Global |
| xAI (x.ai) | Grok-4.1 receipt scanning fallback | Receipt images and email-receipt text (cloud scan only, fallback path), registered child names as receipt-matching context | United States |
| Anthropic (anthropic.com) | Support email classification and reply drafting for emails sent to support@parentsplit.app | Sender identity, subject, and body of emails you send to support@parentsplit.app | United States |
| RevenueCat (revenuecat.com) | Subscription state broker | Subscription identifiers | United States |
| Sentry (sentry.io) | Crash reporting (on by default; opt-out in Settings) | Stack traces, device info, anonymized user ID, scrubbed breadcrumbs, internal debug identifiers | United States |
| PostHog (us.posthog.com) | Product analytics (on by default; opt-out in Settings) | Screen views, feature events, coarse buckets/counters, anonymized user ID | United States |
| Resend (resend.com) | Transactional email (magic-code login, account notifications, receipt confirmations and failure notices, opt-in weekly digest) | Email address, message content (may include merchant and amount details) | United States |
| Expo (expo.dev) | Push notification relay between ParentSplit servers and Apple (APNs) / Google (FCM) push services; app update delivery | Push tokens, notification payloads (payloads can include merchant names, amounts, and comment previews) | United States |
| FreeTSA (freetsa.org) | RFC 3161 trusted timestamping of evidence-export manifests | A SHA-256 manifest hash only; no user content is sent, and no user data can be derived from the hash | Germany |
This list is current as of the effective date. We will update this Privacy Policy if we add or remove material sub-processors.
6.2 Co-Parent in Your Workspace
The whole point of the product is that two co-parents share a workspace and can see each other’s expense entries, receipts, and comments. Anything you log in a workspace is visible to the other workspace member. This is product behavior, not a sharing decision in the privacy-policy sense — but we mention it for clarity.
If your relationship with your co-parent ends or becomes adversarial, you can:
- Leave the workspace (Settings → Workspace → Leave Workspace)
- Delete your account (Settings → Account → Delete Account) — note that the audit log retention rule in Section 4.9 applies
- Revoke all active sessions (Settings → Account → Active Sessions)
You cannot retroactively remove your existing entries from the other co-parent’s view, by design. The audit log is tamper-evident.
6.3 Legal Requirements
We will disclose your information when we have a good-faith belief that disclosure is required to:
- Comply with a valid subpoena, court order, or government request
- Enforce our Terms of Service
- Detect, prevent, or address fraud, abuse, security, or technical issues
- Protect the rights, property, or safety of Leap21, our users, or the public
When we receive a legal request, we evaluate it for legal sufficiency and notify the affected user where we are legally permitted to do so.
6.4 Business Transfers
If Leap21 is acquired, merged, or sells substantially all of its assets, your information may transfer to the successor entity as part of the transaction. The successor will be bound by the privacy commitments in this policy until they publish their own (and notify you of any material change).
6.5 We Do Not Sell or Share for Cross-Context Behavioral Advertising
For purposes of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we do not sell your personal information and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months. We have no plans to do so. There is no “Do Not Sell or Share My Personal Information” toggle because there is nothing to opt out of — but if you want one anyway, contact privacy@parentsplit.app and we will record your preference for the avoidance of doubt.
7. Your Rights and Choices
7.1 In-App Controls
You can change or delete the following directly in the app:
- Profile — name, profile photo (Settings → Account → Profile)
- Email — change via Settings → Account → Email
- Active sessions — Settings → Account → Active Sessions → Sign Out
- Workspace data — edit/delete individual expenses, expense comments, child entries, receipts
- Crash reports — Settings → Privacy → Crash Reports (on by default; turn off at any time)
- Usage analytics — Settings → Privacy → Usage Analytics (on by default; turn off at any time)
- Receipt/search/assistant AI training contribution — Settings → Privacy → Help improve AI → Improve receipts, search, and assistant (NEW v2.3, see 7.4)
- Message tone training contribution — Settings → Privacy → Help improve AI → Improve tone review (NEW v2.2, explicit opt-in only, see 7.4)
What you cannot change or delete in-app: co-parent messages cannot be edited or deleted after sending. The message history is a tamper-evident shared record that both parents rely on (see Section 4.3); messages hidden by moderation are also retained. This applies to messages only: expense comments remain editable and deletable as listed above.
7.2 Right to Erasure (Account Deletion)
You can delete your account in Settings → Account → Delete Account. This triggers the following cascade in the Convex backend, executed within 30 days of your request:
- Your user document is removed from users and authAccounts
- All your sessions are revoked
- Your workspace memberships are removed; if you were the sole member, the workspace + all expenses + all comments + all receipts are deleted
- If your co-parent remains in the workspace, your contributions remain but are reattributed to a deleted-user placeholder so the co-parent’s history stays intact
- Anonymized AI training pairs tied to your workspace are deleted (NEW v2.3) — this is implemented via SHA-256 workspace-hash lookup against psxMonoTrainingPairs, assistantInteractionTrainingEvents, and messageToneTrainingPairs
- Apple and Google retain their own billing and transaction records under their policies; those records are outside our deletion cascade
- As part of the deletion cascade, we request deletion of your PostHog analytics profile and your RevenueCat subscriber record via their APIs; Sentry crash events are not individually deletable, but they expire under the 90-day retention described in Section 4.11
- Audit log entries are retained per Section 4.9 (seven years, then anonymized)
7.3 Right to Access and Portability
You can request an export of your personal data by emailing privacy@parentsplit.app from your registered email address. We will provide a JSON export within 30 days, covering:
- Account profile
- All workspaces you belong to
- All expenses, comments, settlements, and receipts in those workspaces
- Subscription state
- Audit log entries you generated
7.4 AI Training Controls (NEW v2.3)
You can control receipt/search/assistant training and message tone training independently:
- Open the app
- Go to Settings → Privacy → Help improve AI
- Use Improve receipts, search, and assistant for receipt, search, and assistant training
- Use Improve tone review for message tone training
When you turn Improve receipts, search, and assistant off:
- We immediately stop writing new receipt, search, and assistant training rows from your workspace
- Your aiTrainingOptOutAt timestamp is recorded
- A daily automated cleanup job (cleanupOptedOutTrainingPairs, runs 03:00 UTC) deletes all previously collected anonymized training pairs tied to your workspace, with a 30-day grace period from your opt-out timestamp before the deletion fires (this grace period exists so a fast opt-out / opt-in flip does not destroy data needlessly)
- After 30 days, you can verify deletion by re-querying via the data export in Section 7.3 — the result will show zero receipt/search/assistant training rows
The default for the Improve receipts, search, and assistant toggle depends on your workspace’s country: it defaults to on for workspaces in the United States, and to off for workspaces in Canada or where the workspace’s country cannot be determined. Continued use of ParentSplit after the effective date constitutes acceptance of these defaults. You can switch the toggle on or off at any time without affecting any other ParentSplit feature.
One honest note: collection of new receipt training pairs is currently paused while we complete an internal review of the training pipeline. The controls described in this section still govern any future collection, and the deletion mechanics above continue to apply to previously collected rows.
Improve tone review defaults to off everywhere. Message tone training starts only if you explicitly enable that control. Turning it off stops new message-tone training writes immediately and deletes previously collected tone-training rows tied to your workspace within 30 days. Receipt training consent does not authorize message tone training.
7.5 Right to Correction
If any of your account data is inaccurate, you can correct it in-app. For data you cannot correct yourself (e.g., audit-log entries), email privacy@parentsplit.app and we will correct it within 30 days where the correction is consistent with our recordkeeping integrity requirements.
7.6 Right to Object / Restrict Processing (GDPR)
EEA, UK, and Swiss residents may object to our processing of personal data based on legitimate interests, or request that we restrict processing while we evaluate the request. Email privacy@parentsplit.app.
7.7 Right to Lodge a Complaint
If you are unsatisfied with our response to a privacy request, you have the right to complain to your local data-protection authority. For California, this is the California Privacy Protection Agency (cppa.ca.gov). For the EEA, your national DPA. For the UK, the Information Commissioner’s Office (ico.org.uk).
7.8 Authorized Agents (CCPA/CPRA)
California residents may use an authorized agent to submit a privacy request. The agent must provide signed permission and proof of identity. We may verify the request directly with you before processing.
7.9 Non-Discrimination
We will not deny, charge differently for, or reduce the quality of ParentSplit because you exercise any privacy right described in this section.
8. Legal Basis for Processing (GDPR)
For users in the EEA, UK, or Switzerland, our legal bases under Article 6 of the GDPR are:
| Processing | Legal basis |
|---|---|
| Account creation, authentication | Performance of a contract (Art. 6(1)(b)) |
| Expense, receipt, settlement processing | Performance of a contract (Art. 6(1)(b)) |
| Audit log retention (7 years) | Compliance with legal obligations (Art. 6(1)(c)) and legitimate interest in maintaining a documented record (Art. 6(1)(f)) |
| Cloud AI receipt scanning | Performance of a contract (Art. 6(1)(b)) |
| Receipt/search/assistant training data collection (NEW v2.3) | Legitimate interest in improving service quality (Art. 6(1)(f)) — we have completed a Legitimate Interests Assessment; opt-out is available in-app. The default for this control is country-aware (on for United States workspaces, off for Canadian or undetermined-country workspaces; see Section 7.4) |
| Message tone training data collection (NEW v2.2) | Consent (Art. 6(1)(a)) — explicit opt-in only, revocable in-app |
| Subscriptions and billing | Performance of a contract (Art. 6(1)(b)) |
| Crash reports, analytics | Legitimate interest in operating a reliable service (Art. 6(1)(f)) — opt-out available |
| Marketing email | Consent (Art. 6(1)(a)) — opt-in only, unsubscribe in every message |
Where we rely on legitimate interests, you have the right to object (Section 7.6).
9. International Data Transfers
ParentSplit is operated in the United States. If you are accessing the service from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our service providers operate (see Section 6.1).
For transfers from the EEA, UK, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (the European Commission’s 2021 SCCs) with each U.S. sub-processor
- Data Privacy Framework certification, where available (Apple, Google, Cloudflare are DPF-certified at the date of this policy)
- Supplementary measures including encryption in transit (TLS 1.3), encryption at rest (AES-256 on Convex storage), and restricted access controls
10. Data Retention Summary
| Data | Retention period | Reason |
|---|---|---|
| Account profile | Lifetime of account | Service provision |
| Workspace data, expenses, comments, receipts | Lifetime of account; deleted on cascade per Section 7.2 | Service provision |
| Receipt AI training pairs (anonymized) | Until opt-out + 30 days OR account deletion + 30 days | Receipt AI improvement, opt-out support |
| Assistant/search training events (redacted) | Until opt-out + 30 days OR account deletion + 30 days | Search and assistant improvement, opt-out support |
| Message tone training pairs (redacted) | Until opt-out + 30 days OR account deletion + 30 days | Tone review improvement, opt-in support |
| Audit log | 7 years; anonymized thereafter | Documented recordkeeping (Section 4.9) |
| Subscription state (RevenueCat) | Per Apple/Google requirements (typically 7 years tax-record retention) | Tax compliance |
| Crash reports (Sentry) | 90 days | Bug investigation |
| Analytics events (PostHog) | 12 months | Product decisions |
| Server logs (platform request logs) | Approximately 30 days, held by our infrastructure providers | Security, debugging, abuse prevention |
| IP addresses in security audit records (failed two-factor attempts, abuse blocks) | As long as needed for security | Security, abuse prevention |
| Email magic codes | 10 minutes (unhashed never persisted), 7 days (hashed) | Auth flow |
| Backups (Convex automatic) | 14 days rolling | Disaster recovery |
Deletion from active storage triggers the cascade described in Section 7.2; there is no separate purge job needed.
11. Data Security
We implement reasonable and industry-standard technical and organizational measures to protect your data:
- TLS for network traffic
- AES-256 encryption at rest for all Convex-stored data (including receipts)
- No stored passwords: ParentSplit does not store account passwords; sign-in uses Apple/Google OAuth or short-lived email codes that are stored only in hashed form
- SHA-256 hash chains for the audit log
- OWASP-aligned application security: rate limiting, input validation, parameterized queries, CSRF protection on the marketing site, session-token rotation, OAuth-flow CSRF tokens
- Internal access controls — Leap21 employees access production data only with documented business need; access is logged
- Sub-processor due diligence — we review available security documentation, privacy terms, and DPAs before adding material providers
- Security review — we perform internal security review before material releases and may engage third-party review for higher-risk changes
- Disclosure — if we suffer a breach affecting your personal data, we will notify you within 72 hours of becoming aware, consistent with GDPR Article 33 timelines, even where your jurisdiction does not require it
No system is perfectly secure. If you believe your account has been compromised, revoke your active sessions in Settings → Account → Active Sessions and email privacy@parentsplit.app immediately.
12. Children’s Data Reiteration
ParentSplit is for adult co-parents. Children do not interact with the service directly; their data appears only as fields parents enter (a first name and optional nickname, child tags on expenses, school names where a parent types one) and as child names passed as context to cloud receipt scanning to match a receipt to a child. We treat children’s data as sensitive and apply our strongest protections to it. We do not advertise to children, do not profile them, and do not share their data with third parties except as a sub-processor would receive data about anyone in a workspace.
If you are a parent who believes your child’s data is in ParentSplit without your authorization (e.g., the other co-parent created the workspace without consent), email privacy@parentsplit.app and we will work with you to resolve the situation.
13. California-Specific Disclosures (CCPA / CPRA)
For California residents, the following table maps the data we collect to the categories defined in the CCPA / CPRA:
| CCPA category | What we collect | Purpose | Disclosed to (if not service providers) |
|---|---|---|---|
| A. Identifiers | Name, email, account ID, IP address, OAuth IDs | Account, auth, security | None |
| B. California customer records | Name, email | Account | None |
| C. Protected classifications | None collected | — | — |
| D. Commercial info | Subscription status | Service tier | None |
| E. Biometric | None collected (Face ID/Touch ID stays on device) | — | — |
| F. Internet activity | Screen views, button taps, coarse analytics, redacted search/assistant interaction signals if training is enabled | Product improvement | None |
| G. Geolocation | None collected (no GPS access requested) | — | — |
| H. Sensory data | Receipt photos you choose to upload | Expense extraction | Google/xAI as service providers (cloud scan only) |
| I. Professional info | None collected | — | — |
| J. Education info | School names if you enter them | Expense categorization | None |
| K. Inferences | AI-extracted expense category, child match | Expense pre-fill | None |
| L. Sensitive personal info | None routinely collected. Sensitive categories (medical, legal, etc.) are detected and redacted before receipt training-pair writes per Section 4.5. Message-tone and assistant/search training replace direct identifiers, dates/times, exact amounts, links, child names, parent names, and legal/order identifiers before write per Sections 4.6 and 4.7. | — | — |
We have not sold or shared for cross-context behavioral advertising any personal information in the preceding 12 months. We have no plans to.
To exercise California rights, email privacy@parentsplit.app or use the in-app controls in Section 7.
14. Changes to This Policy
We will notify you of material changes by:
- Updating the “version” and “effectiveDate” at the top of this document
- Posting a notice in the app and at parentsplit.app/privacy
- Sending an email to your registered email address for material changes that expand our use of your data
- Showing a one-time consent-acknowledgment screen in the app on next launch for material changes
Continued use of the service after the new effective date constitutes acceptance.
We will keep all prior versions accessible at parentsplit.app/privacy/archive.
15. Contact Us
If you have questions about this Privacy Policy or want to exercise any of your privacy rights:
- Email: privacy@parentsplit.app (preferred)
- General contact: info@parentsplit.app
- Mailing address: Leap21 LLC (mailing address available upon written request to legal@parentsplit.app), United States
- Response time: within 30 days of receipt; we may extend by an additional 60 days for unusually complex requests, with notice
Please note: emails sent to support@parentsplit.app may be processed by an AI provider (Anthropic) to classify the request and draft a reply, as described in Section 6.1.
Effective June 9, 2026. © 2026 Leap21 LLC. All rights reserved.