Privacy Policy

Last Updated: November 2025

TrakApp LLC ("Trak") provides the Trak mobile application ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our iOS and Android apps.

Personal Data means any information that identifies or can identify you.

By creating an account or using Trak, you agree to the practices described in this Privacy Policy. If you do not agree with any part of this Privacy Policy, please stop using the Service.

1. Scope

This Privacy Policy applies to:

Trak mobile applications for iOS and Android
All in-app features: groups, tasks, events, expenses, groceries, vibes
Push notifications and reminders
Communications and support interactions

This policy does NOT apply to:

Third-party platforms you use independently
External websites not operated by Trak
Apple's and Google's own privacy practices (they handle app store payments)

2. Information We Collect

2.1 Account Information - Required at Signup

First name and last name
Username (3-20 characters, lowercase letters, numbers, underscores, periods only)
Email address
Password (encrypted, minimum 6 characters)
Birthdate
Country (selected from dropdown)
City (selected from dropdown based on country)
Currency code (auto-selected from country, can be changed)

2.2 Account Information - Optional

Phone number with country code
Profile picture/avatar (JPG, JPEG, PNG, WEBP formats only)
Monthly income (can be added later in profile settings)

Important: We do not scan or analyze your uploaded photos. Photos are stored as-is and only displayed to you and users you choose to share them with (friends or group members).

2.3 User-Generated Content

All content you create in Trak:

Tasks:

Task name and description
Assigned users
Due dates and times
Notification times
Recurrence settings (daily, weekly, monthly, yearly, custom)
Completion status

Events:

Event title and description
Location (text field only - we do not access GPS or collect precise location)
Start and end dates/times
Attendees from your groups
Recurrence settings
Notification reminders

Expenses:

Description and notes
Amounts and currency
Participants and split methods (equal, unequal, percentage, shares)
Categories (user-defined or default)
Payment methods (user-defined labels only, no actual card details)
Dates and timestamps
Payment status (who paid, who owes)

Grocery Lists:

Item names
Quantities and units
Categories
Priority levels
Purchase status (bought/not bought)
Notes

Groups:

Group names
Group pictures (optional)
Member list and roles (admin/member)
Currency settings per group

Vibes:

Reaction emoji
Text messages
Sender and receiver information

Payment Tracking (Bill Reminders):

Bill names
Amounts and currency
Recurrence schedules
Assigned users
Status tracking

Note: This is for personal bill reminders only, not actual payment processing.

Payment Methods:

User-defined method names (e.g., "Credit Card", "Cash", "Venmo")
User-selected colors

We do NOT collect actual card numbers, bank accounts, or financial credentials.

Notes and Descriptions:

Free-form text across all features

2.4 System-Generated Metadata

User ID (UUID from Supabase Auth)
Timestamps: created_at, updated_at, completed_at, joined_at, bought_at, left_at
Device timezone (auto-detected from device settings for notification scheduling)
Session tokens (managed by Supabase, stored locally in device AsyncStorage)

2.5 Device & Technical Information

Device type and model
Operating system and version
App version
Platform (iOS or Android)
Device identifiers (session ID, installation ID from Expo Constants)
Language preference
IP address (used for authentication security only, not tracked)

2.6 Push Notification Data

Expo push tokens (generated when you enable notifications)
Device ID (to manage multiple devices)
Platform (iOS/Android)
Token registration timestamps
Notification delivery status

2.7 Friend System Data

Friend connections between users
Friend request status (pending, accepted, rejected)
Request timestamps
Username search queries (not logged)

2.8 Currency Exchange Data

When you use the currency conversion feature:

Currency codes (e.g., USD, EUR, GBP)
Conversion amounts (processed server-side only)
Exchange rates fetched from ExchangeRate-API
Cached rates stored in our database (expires after 24 hours)
No personal information sent to ExchangeRate-API
All requests proxied through our Supabase Edge Function

3. How We Use Your Information

Trak uses your information to:

Create and authenticate your account
Sync your data across all your devices
Display correct currency formats and regional settings
Provide currency conversion features with real-time exchange rates
Enable group collaboration (tasks, events, expenses, groceries)
Send scheduled notifications and reminders adjusted to your timezone
Match your local time for notification delivery
Enable friend connections and user search by username
Provide customer support when you contact us
Maintain service security and detect abuse
Prevent fraud and unauthorized access
Comply with legal obligations

What We Do NOT Do:

We do not sell your personal data
We do not use third-party analytics
We do not use advertising or cross-app tracking
We do not access GPS or collect precise location data
We do not share your data with marketers

4. How We Share Your Information

4.1 With Service Providers

We share information only with these trusted service providers:

Supabase (Backend Infrastructure)

PostgreSQL database (stores all structured data)
Authentication service (email/password login)
File storage ("avatars" bucket for profile and group pictures)
Realtime subscriptions (live updates when data changes)
Edge Functions (5 server-side functions for notification processing)
Region: United States
Data protected by row-level security policies
Supabase cloud infrastructure in the United States data center

Expo Push Notification Service

Delivers push notifications to your device
Push tokens sent to Expo servers for message delivery
Notification content delivered through exp.host API
More info: https://expo.dev/privacy

ExchangeRate-API

Provides currency exchange rates for currency conversion features
Data fetched through our Supabase Edge Function (server-side only)
Exchange rates cached for 24 hours in our database
No personal user data is sent to ExchangeRate-API
Only currency codes are sent to retrieve conversion rates
Service: https://www.exchangerate-api.com

These providers process data on our behalf under strict contractual confidentiality and security obligations.

4.2 With Other Users (Group Context)

When you join groups or connect with friends:

Group Members Can See:

Shared tasks (name, description, assignee, due dates)
Shared events (title, description, location text, attendees, dates)
Shared expenses (amounts, participants, splits, payment status)
Shared grocery lists (items, quantities, categories, purchase status)
Vibes you send to the group
Group pictures
Your name, username, and profile picture

Friends Can See:

Your name
Your username
Your profile picture

Always Private (Never Visible to Other Users):

Email address
Phone number
Password
Birthdate
Country and city
Monthly income
Personal group content (only you can see personal groups)
Payment methods you create
Device information
Push tokens
IP address

Important Notes:

Shared group content remains visible to other members even after you delete items
If you delete your account, your identifying information is removed but group content may remain visible to other members
Expense participation and amounts are visible to all group members

4.3 For Legal, Safety, or Security Reasons

We may disclose information if required to:

Comply with legal obligations (court orders, subpoenas)
Respond to valid legal requests from law enforcement
Protect Trak's rights, property, or users
Detect or prevent fraud, abuse, or security threats
Investigate Terms of Service violations

We seek to limit such disclosures to what is strictly necessary.

4.4 What We NEVER Share

Personal data with advertisers
Data with analytics companies
Data with third parties for marketing purposes
Your information for cross-app tracking
Payment card information (we don't collect this)

5. Data Storage & Transfers

5.1 Primary Storage - Supabase Cloud

Data stored on Supabase cloud infrastructure in the United States data center
Subject to U.S. data protection laws
Row-level security policies protect your data
Only you and users you explicitly share with can access your data
Encrypted in transit (HTTPS) and at rest

5.2 Local Device Storage

Trak stores some information locally on your device:

AsyncStorage:

Session tokens for authentication persistence
Allows you to stay logged in
Cleared when you sign out or delete the app

File System Cache:

Downloaded copies of profile pictures and group pictures
Stored in device cache directory
Reduces data usage and improves performance
Cleared when you delete the app or clear app cache

In-Memory Cache:

Temporary data with 30-60 second expiration
Group lists, user lists, current session data
Never persisted to disk
Cleared when you close the app

All local storage is automatically cleared when you delete the app.

5.3 Edge Processing (Server-Side Functions)

Six server-side functions run on Supabase infrastructure:

Send scheduled push notifications
Deliver queued notifications
Generate monthly expense reports
Queue expense notifications
Send manual notifications
Fetch currency exchange rates from ExchangeRate-API

These functions:

Run on Supabase Edge Network (United States)
Process notification scheduling and delivery
Fetch and cache currency exchange rates
Access only necessary data to complete their task
Do not store additional data beyond what's in the database
Proxy external API calls (no direct client-to-ExchangeRate-API communication)

5.4 International Data Transfers

Trak stores and processes data using U.S.-based service providers
If you use Trak from outside the United States, your data is transferred to the U.S.
These regions may have different data protection laws than your home country
By using Trak, you consent to this international data transfer
We apply technical and contractual safeguards regardless of location

6. Data Security

Trak uses industry-standard security measures:

Technical Security:

HTTPS encryption for all network communication
Password hashing and encryption (via Supabase Auth)
Row-level security on database tables
Access controls (only authorized users can access specific data)
Session token management with automatic expiration
Secure file storage with access policies

Organizational Security:

Regular security reviews
Monitoring for abuse and unusual activity
Modern cloud infrastructure with security best practices

Important:

No system is completely secure
You are responsible for protecting your account credentials
Do not share your password
Protect access to your device
Notify us immediately if you suspect unauthorized access

7. Data Visibility & Privacy

What Other Users Can See:

Your name, username, and avatar (to friends and group members only)
Shared group content (tasks, events, expenses, groceries you participate in)
Vibes you send
Group membership (who's in your shared groups)

What Remains Completely Private:

Email address (never shown to other users)
Password (encrypted and never shown)
Birthdate
Phone number
Country and city
Monthly income
Personal group content (groups you create for yourself only)
Payment methods you create (just labels for your own tracking)
Device information
Push tokens
IP address
Session data

8. What We Do NOT Collect

Trak explicitly does NOT collect:

Location Data:

GPS coordinates or precise location
Background location tracking
Location history
Note: Event "location" field is text-only, you manually type addresses

Contact & Personal Information:

Device contacts or address book
Device calendar events
Social media profiles
Government IDs or social security numbers

Health & Biometric Data:

Health or fitness data
Biometric data (Face ID/Touch ID authentication happens on-device only)

Device Access:

Microphone or audio recordings (we don't request microphone permission)
Camera access (except when you explicitly choose to take a photo)
Bluetooth data
SMS or call logs

Tracking & Advertising:

Advertising identifiers (IDFA on iOS, AAID on Android)
Cross-app usage data
Web browsing history
Third-party tracking pixels

Financial Data:

Payment card numbers
Bank account information
CVV codes or security codes
Banking credentials

Web Technologies:

Cookies (we have no web app)
Web tracking technologies
Browser fingerprinting

9. Permissions We Request

Notifications Permission

When: After you sign in (first-time launch)
Why: To send reminders for tasks, events, and payment schedules
Platform: Uses Expo Notifications API
Control: You can enable/disable in device Settings → Trak → Notifications
What we send: Task reminders, event reminders, bill reminders, expense notifications

Camera Permission

When: Only when you tap "Take Photo" for profile/group pictures
Why: To capture a photo for upload
Platform: Uses expo-camera package
Control: iOS/Android will prompt when you first use the feature

Photo Library Permission

When: Only when you tap "Choose from Library"
Why: To select an existing photo from your gallery
Platform: Uses expo-image-picker package
Control: iOS/Android will prompt when you first use the feature

Android-Specific Permissions

Automatically requested:

POST_NOTIFICATIONS (Android 13+) - for push notifications
RECEIVE_BOOT_COMPLETED - to restart notification service after device reboot
VIBRATE - to vibrate device for notifications
WAKE_LOCK - to wake device for notification delivery

iOS-Specific

Background remote notifications - for receiving push notifications when app is closed

Permissions We Do NOT Request

Location (GPS)
Contacts/Address Book
Calendar
Microphone
Bluetooth
Phone calls or SMS

10. Your Rights

Depending on your location (GDPR, CCPA, etc.), you may have rights to:

Access Your Data:

View your personal information in-app (Profile Settings)
Request a copy of all data we have about you

Update Information:

Edit your profile, name, username, city, country, currency
Update or remove profile picture
Modify or delete tasks, events, expenses, groceries

Delete Your Account:

Request account deletion by contacting support@trakapp.io
Personal information removed within 30 days
Group content may remain visible to other members (your identity removed)

Export Your Data:

Contact support@trakapp.io to request data export
Receive a copy of your information in portable format

Withdraw Consent:

Disable push notifications in device settings
Remove camera/photo permissions in device settings
Stop using the Service at any time

Object to Processing:

Contact us to object to specific data uses
Right to restrict processing (where applicable)

Note: Some rights may vary by jurisdiction. We comply with applicable data protection laws in your region.

11. Data Retention

While Your Account Is Active

Data retained indefinitely to provide the Service
You can delete content at any time

After Account Deletion

Personal information removed from active systems within 30 days
Group content may remain visible to other members (your identifying details removed)
Your name replaced with "Deleted User" in group records

Backups

Retained for 30-90 days for recovery purposes
Automatically purged after retention period

Legal Compliance

May retain longer if required by law
May retain for fraud prevention or security purposes

Push Tokens

Automatically removed when you sign out
Removed immediately upon account deletion

12. Children's Privacy

Trak is not intended for anyone under 13 years old
We do not knowingly collect data from children under 13
We require birthdate at signup to verify age eligibility
If we discover a child under 13 has created an account, we will delete it immediately
Parents: If you believe your child has used Trak, contact us at support@trakapp.io so we can remove their information

13. Cookies and Tracking

Mobile App (No Web Technologies)

Trak does not use cookies (we have no web app)
Trak does not use any web tracking technologies
Trak does not use browser-based tracking

What We Do Use

Local device storage (AsyncStorage) for session persistence
In-memory caching for performance
Device identifiers from Expo (session ID, installation ID)

Analytics

Trak does not use third-party analytics
No Google Analytics, Firebase Analytics, Mixpanel, Amplitude, or similar services
No advertising SDKs or tracking pixels
Basic app performance data collected through console logs (not sent anywhere)

Purpose

Local storage used solely to improve app performance
Not used for advertising
Not used for cross-app tracking
Not shared with third parties for marketing

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

Changes to our practices
New features or services
Legal or regulatory requirements

When We Update:

"Last Updated" date changes
Significant changes: in-app notification or email
Changes take effect when posted

Your Continued Use:

Using Trak after changes = acceptance of updated Privacy Policy
If you disagree with changes, stop using the Service and contact us to delete your account

15. Contact Information

For questions, concerns, or requests regarding your privacy:

TrakApp LLC

Email: support@trakapp.io

Privacy inquiries
Data access requests
Account deletion requests
Data export requests
Security concerns
Questions about this Privacy Policy