Privacy Policy
Last updated: July 16, 2026
This privacy policy explains which personal data is processed when you use the "Quitso" iOS app and the associated website. The revised Swiss Federal Act on Data Protection (FADP) is the governing framework; for users in the EEA, the additional information in section 13 (GDPR) applies.
1. Controller
The controller responsible for data processing in connection with the "Quitso" app (iOS) and the associated website (quitso.com, later quitso.com) is:
Maximilian Rechenauer, Am Stadtrand 43, 8600 Dübendorf, Switzerland
Email: support@quitso.com
2. Key points at a glance
- Quitso works without an account and without registration. You do not have to provide your name or an email address.
- The app is free of charge and contains no advertising and no in-app purchases; anonymous, non-identifiable usage statistics (section 7).
- Your group data is stored in the Google Cloud region Zurich (Switzerland).
- Only if you enable push notifications is a device token processed by a service in the USA (Expo).
- The website is static and uses no cookies.
3. What data the app processes
3.1 Anonymous authentication ID
When the app is first launched, it creates a random, anonymous identifier via Firebase Authentication. This identifier contains no name, no email address and no other contact details, and does not allow us to directly identify you. It is used solely to technically secure access to your groups.
3.2 Group data
When you create or join a group, the following content is stored in the cloud database (Cloud Firestore) and synchronised between the devices of the group members:
- the group name and the currency selected for the group,
- person names as freely entered by users,
- expenses and payments with title, amount and date.
The app calculates the balances (who owes whom how much) from this information. Quitso also works offline: entries are then initially stored locally on your device and synchronised as soon as an internet connection is available again.
All group data is visible to all members of the respective group. Joining takes place via a 9-digit code or an invitation link. Important: these codes are bearer codes — anyone who knows the code or link can join the group and view its data. Therefore only share the code or link with people who are actually meant to be members of the group.
3.3 Push token (only if notifications are enabled)
If you enable push notifications (opt-in), a technical device token is stored in the database of your groups so that notifications — for example about new entries in your groups — can be delivered to you. As long as you do not enable notifications, no token is created or stored.
3.4 Freely entered names — note on third-party data
Person names in Quitso are free text entries. If you enter names or other details of third parties, they become visible to all group members. Therefore do not enter data about other people without their consent; if in doubt, use nicknames or initials.
The app does not process any further personal data.
4. Purposes of processing
We process the data described above solely to:
- provide the app's core functions (managing groups, recording expenses and payments, calculating balances, suggesting settlements, synchronising data between group members),
- deliver push notifications, if you have enabled them,
- ensure the secure and stable operation of the app and the website.
No processing takes place for advertising or profiling purposes; anonymous usage statistics are described in section 7.
5. Storage location and processor (Google Firebase)
Quitso uses Google Firebase (Firebase Authentication, Cloud Firestore, Firebase Hosting) as its technical platform. Google acts as a processor, meaning Google processes the data only on our instructions and on the basis of a data processing agreement.
Our Firebase project is configured in the region europe-west6 (Zurich, Switzerland), where the group data is stored. To the extent that Google processes data outside Switzerland or the EEA in the course of operating its services, this is based on the EU Standard Contractual Clauses concluded by Google, with the amendments required for Switzerland.
6. Push notifications via Expo (USA)
Quitso uses the Expo Push Service provided by Expo, Inc., based in the USA, to deliver push notifications. Your device push token and the content of the respective notification are transmitted to Expo; actual delivery to your device then takes place via Apple's notification service.
Note on data export to the USA: From the perspective of Swiss data protection law, the USA does not generally guarantee an adequate level of data protection; in particular, US authorities may be able to access data, and enforcing your rights may be more difficult. This transfer only takes place if you actively enable push notifications; it is based on your consent (Art. 17 para. 1 let. a FADP; for users in the EEA: Art. 49(1)(a) GDPR). You can disable notifications at any time in the settings of the app or your device; after that, no further data is transmitted to Expo.
7. Anonymous usage statistics (Firebase Analytics)
To understand which features are actually used and to keep the app stable and improve it in a targeted way, Quitso uses Google Analytics for Firebase ("Firebase Analytics"), a service provided by Google. It records pseudonymous usage events, in particular:
- which features are used (for example: group created, expense recorded, settlement opened),
- general app and device information (device model, operating system version, language setting, approximate country),
- a randomly generated app instance ID that does not allow us to directly identify you.
Not collected: no names, no amounts, no group content and no advertising identifiers — your device's advertising ID (IDFA) is not used. There is no tracking of your activity across other apps or websites, and we do not create cross-service profiles.
Objection: The recorded events contain no direct link to your person; we are unable to attribute them to individual users (cf. Art. 11 GDPR). If you nevertheless wish to object to this collection, contact support@quitso.com.
Processor and note on data export to the USA: Google acts as a processor and handles this data only on our instructions. The data may also be processed on servers in the USA. From the perspective of Swiss data protection law, the USA does not generally guarantee an adequate level of data protection; in particular, US authorities may be able to access data, and enforcing your rights may be more difficult. The transfer is based on the EU Standard Contractual Clauses concluded by Google, with the amendments required for Switzerland.
Legal basis: We base this processing on our legitimate interest in developing the app in line with actual usage and in its stable operation (FADP); given the pseudonymous, minimal data collection, your interests remain safeguarded. For users in the EEA, the legal basis is Art. 6(1)(f) GDPR (legitimate interests); you can object to the processing at any time with effect for the future (contact: support@quitso.com).
Unchanged: Quitso contains no advertising, no advertising SDKs and no social media plugins. We do not sell any data.
8. Website
Our website is a static page with no login area. It uses no cookies and no trackers. When you visit the website, the hosting provider (Google Firebase Hosting) temporarily logs access data, in particular the IP address, for technical and security reasons. We do not evaluate these server logs.
Cookie banner and consent log
On your first visit, a banner asks for your preference regarding optional anonymous statistics and marketing. No such features are currently in use; your choice will be honored if they are introduced in the future. Your selection is stored locally in your browser (localStorage; strictly necessary, no tracking) and additionally recorded as a log entry in our database. Stored are: the choice per category (statistics/marketing), a randomly generated client ID (not linked to any name, account or app data), the browser identifier (user agent), the page language and the time — no IP address. The client ID serves solely to prove consent and to delete your entries in a targeted way on request (legal basis: accountability and record-keeping duties; for users in the EEA Art. 7(1) GDPR).
You can change your choice at any time via the "Cookie settings" link in the footer, where you can also see your consent ID; quoting it, you can request deletion of all associated log entries by emailing support@quitso.com.
9. Data security
Data transmitted between the app or website and the servers is encrypted in transit. Access to group data is restricted to the members of the respective group by means of security rules.
10. Retention and deletion
- Group data remains stored for as long as the group exists. If a member deletes the group, the associated data is removed from the database.
- If you leave a group, you no longer have access to its data; entries already recorded remain available to the other members until the group is deleted.
- Push token: if you disable notifications, no further notifications are sent to your device.
For deletion requests that you cannot carry out yourself in the app, please contact support@quitso.com.
11. Disclosure of data
We disclose personal data only to the following recipients:
- Google (Firebase) as a processor for authentication, data storage and website hosting (see section 5),
- Expo, Inc. for the delivery of push notifications — only if you have enabled them (see section 6),
- the other members of your group, who can view the shared group data.
Any disclosure beyond this only takes place if we are legally obliged to do so.
12. Your rights under the Swiss Federal Act on Data Protection
Under the revised Swiss Federal Act on Data Protection (FADP), you have in particular the following rights:
- access to information on whether and which data we process about you (Art. 25 FADP),
- rectification of inaccurate data (Art. 32 FADP),
- deletion of your data,
- delivery or transfer of your data in a commonly used electronic format (Art. 28 FADP),
- objection to data processing.
Please note: since Quitso works without accounts, we are generally unable to attribute stored data to a specific person on our own. We may therefore need additional information from you to handle your request (for example the name or code of the group concerned). You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).
13. Information for users in the EEA (GDPR)
To the extent that the EU General Data Protection Regulation (GDPR) applies to the data processing, we rely on the following legal bases under Art. 6(1) GDPR:
- point (b) (performance of a contract): provision of the app's functions, in particular the storage and synchronisation of group data and the anonymous authentication;
- point (a) (consent): push notifications, including the associated transfer to Expo in the USA (Art. 49(1)(a) GDPR); you can withdraw your consent at any time with effect for the future by disabling notifications;
- point (f) (legitimate interests): technical server logs of the website to ensure secure and stable operation.
Users in the EEA additionally have the rights under Art. 15 to 21 GDPR (access, rectification, erasure, restriction of processing, data portability, objection) as well as the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
14. Changes to this privacy policy
We may amend this privacy policy, for example if the app, the services used or the legal situation change. The current version published on the website applies.
15. Contact
If you have any questions about data protection, you can reach us at: Maximilian Rechenauer, Am Stadtrand 43, 8600 Dübendorf, Switzerland, email: support@quitso.com.