Quitso

Privacy Policy

Last updated: July 16, 2026

This privacy policy explains which personal data is processed when you use the "Quitso" iOS app and the associated website. The revised Swiss Federal Act on Data Protection (FADP) is the governing framework; for users in the EEA, the additional information in section 13 (GDPR) applies.

1. Controller

The controller responsible for data processing in connection with the "Quitso" app (iOS) and the associated website (quitso.com, later quitso.com) is:

Maximilian Rechenauer, Am Stadtrand 43, 8600 Dübendorf, Switzerland

Email: support@quitso.com

2. Key points at a glance

3. What data the app processes

3.1 Anonymous authentication ID

When the app is first launched, it creates a random, anonymous identifier via Firebase Authentication. This identifier contains no name, no email address and no other contact details, and does not allow us to directly identify you. It is used solely to technically secure access to your groups.

3.2 Group data

When you create or join a group, the following content is stored in the cloud database (Cloud Firestore) and synchronised between the devices of the group members:

The app calculates the balances (who owes whom how much) from this information. Quitso also works offline: entries are then initially stored locally on your device and synchronised as soon as an internet connection is available again.

All group data is visible to all members of the respective group. Joining takes place via a 9-digit code or an invitation link. Important: these codes are bearer codes — anyone who knows the code or link can join the group and view its data. Therefore only share the code or link with people who are actually meant to be members of the group.

3.3 Push token (only if notifications are enabled)

If you enable push notifications (opt-in), a technical device token is stored in the database of your groups so that notifications — for example about new entries in your groups — can be delivered to you. As long as you do not enable notifications, no token is created or stored.

3.4 Freely entered names — note on third-party data

Person names in Quitso are free text entries. If you enter names or other details of third parties, they become visible to all group members. Therefore do not enter data about other people without their consent; if in doubt, use nicknames or initials.

The app does not process any further personal data.

4. Purposes of processing

We process the data described above solely to:

No processing takes place for advertising or profiling purposes; anonymous usage statistics are described in section 7.

5. Storage location and processor (Google Firebase)

Quitso uses Google Firebase (Firebase Authentication, Cloud Firestore, Firebase Hosting) as its technical platform. Google acts as a processor, meaning Google processes the data only on our instructions and on the basis of a data processing agreement.

Our Firebase project is configured in the region europe-west6 (Zurich, Switzerland), where the group data is stored. To the extent that Google processes data outside Switzerland or the EEA in the course of operating its services, this is based on the EU Standard Contractual Clauses concluded by Google, with the amendments required for Switzerland.

6. Push notifications via Expo (USA)

Quitso uses the Expo Push Service provided by Expo, Inc., based in the USA, to deliver push notifications. Your device push token and the content of the respective notification are transmitted to Expo; actual delivery to your device then takes place via Apple's notification service.

Note on data export to the USA: From the perspective of Swiss data protection law, the USA does not generally guarantee an adequate level of data protection; in particular, US authorities may be able to access data, and enforcing your rights may be more difficult. This transfer only takes place if you actively enable push notifications; it is based on your consent (Art. 17 para. 1 let. a FADP; for users in the EEA: Art. 49(1)(a) GDPR). You can disable notifications at any time in the settings of the app or your device; after that, no further data is transmitted to Expo.

7. Anonymous usage statistics (Firebase Analytics)

To understand which features are actually used and to keep the app stable and improve it in a targeted way, Quitso uses Google Analytics for Firebase ("Firebase Analytics"), a service provided by Google. It records pseudonymous usage events, in particular:

Not collected: no names, no amounts, no group content and no advertising identifiers — your device's advertising ID (IDFA) is not used. There is no tracking of your activity across other apps or websites, and we do not create cross-service profiles.

Objection: The recorded events contain no direct link to your person; we are unable to attribute them to individual users (cf. Art. 11 GDPR). If you nevertheless wish to object to this collection, contact support@quitso.com.

Processor and note on data export to the USA: Google acts as a processor and handles this data only on our instructions. The data may also be processed on servers in the USA. From the perspective of Swiss data protection law, the USA does not generally guarantee an adequate level of data protection; in particular, US authorities may be able to access data, and enforcing your rights may be more difficult. The transfer is based on the EU Standard Contractual Clauses concluded by Google, with the amendments required for Switzerland.

Legal basis: We base this processing on our legitimate interest in developing the app in line with actual usage and in its stable operation (FADP); given the pseudonymous, minimal data collection, your interests remain safeguarded. For users in the EEA, the legal basis is Art. 6(1)(f) GDPR (legitimate interests); you can object to the processing at any time with effect for the future (contact: support@quitso.com).

Unchanged: Quitso contains no advertising, no advertising SDKs and no social media plugins. We do not sell any data.

8. Website

Our website is a static page with no login area. It uses no cookies and no trackers. When you visit the website, the hosting provider (Google Firebase Hosting) temporarily logs access data, in particular the IP address, for technical and security reasons. We do not evaluate these server logs.

Cookie banner and consent log

On your first visit, a banner asks for your preference regarding optional anonymous statistics and marketing. No such features are currently in use; your choice will be honored if they are introduced in the future. Your selection is stored locally in your browser (localStorage; strictly necessary, no tracking) and additionally recorded as a log entry in our database. Stored are: the choice per category (statistics/marketing), a randomly generated client ID (not linked to any name, account or app data), the browser identifier (user agent), the page language and the time — no IP address. The client ID serves solely to prove consent and to delete your entries in a targeted way on request (legal basis: accountability and record-keeping duties; for users in the EEA Art. 7(1) GDPR).

You can change your choice at any time via the "Cookie settings" link in the footer, where you can also see your consent ID; quoting it, you can request deletion of all associated log entries by emailing support@quitso.com.

9. Data security

Data transmitted between the app or website and the servers is encrypted in transit. Access to group data is restricted to the members of the respective group by means of security rules.

10. Retention and deletion

For deletion requests that you cannot carry out yourself in the app, please contact support@quitso.com.

11. Disclosure of data

We disclose personal data only to the following recipients:

Any disclosure beyond this only takes place if we are legally obliged to do so.

12. Your rights under the Swiss Federal Act on Data Protection

Under the revised Swiss Federal Act on Data Protection (FADP), you have in particular the following rights:

Please note: since Quitso works without accounts, we are generally unable to attribute stored data to a specific person on our own. We may therefore need additional information from you to handle your request (for example the name or code of the group concerned). You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).

13. Information for users in the EEA (GDPR)

To the extent that the EU General Data Protection Regulation (GDPR) applies to the data processing, we rely on the following legal bases under Art. 6(1) GDPR:

Users in the EEA additionally have the rights under Art. 15 to 21 GDPR (access, rectification, erasure, restriction of processing, data portability, objection) as well as the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

14. Changes to this privacy policy

We may amend this privacy policy, for example if the app, the services used or the legal situation change. The current version published on the website applies.

15. Contact

If you have any questions about data protection, you can reach us at: Maximilian Rechenauer, Am Stadtrand 43, 8600 Dübendorf, Switzerland, email: support@quitso.com.