This policy explains what data SplitMyTicket collects, why, how it is protected, and your rights. It applies in accordance with the General Data Protection Regulation (GDPR — EU 2016/679).
1. Data Controller
Company name: SullyAndCie
Country: Belgium
Application: SplitMyTicket — https://splitmyticket.com
Data protection contact: [to be completed upon launch]
2. Data Collected and Purposes
We collect only the data strictly necessary for the operation of the service. SplitMyTicket does not collect sensitive data within the meaning of Article 9 of the GDPR.
| Data collected | Required? | Retention period | Legal basis |
|---|---|---|---|
| Email (organiser) | Yes | Duration of account | Contract performance |
| Participant first name | No (optional) | 48 hours | Consent |
| Participant token (technical) | Yes | 48 hours | Legitimate interest |
| Receipt photo | Yes (OCR scan) | 48h then automatic deletion | Legitimate interest |
| Items and prices extracted | Yes | 48 hours | Legitimate interest |
| Organiser IBAN | No (optional) | Duration of session | Consent |
| Analytical data (see §3) | No | 24 months (aggregated) | Consent |
| Technical logs (IP, errors) | Automatic | 30 days | Legitimate interest |
2.1 Receipt Photo Processing
Photos submitted for OCR analysis are sent to Anthropic Inc.'s Claude Vision API (sub-processor). They are used solely to extract items and prices. They are not retained by Anthropic beyond processing and are automatically deleted from our servers within 48 hours of the session closing.
2.2 What We Do NOT Do
- We do not sell your personal data to third parties
- We do not use your data for targeted advertising purposes
- We do not profile individual users
- We do not retain data beyond the periods indicated
3. Analytical Data and Consumption Insights (opt-in)
This feature is subject to your explicit consent. No analytical data is collected without your prior agreement.
SplitMyTicket may, with your consent, collect aggregated and anonymised data on consumption habits. This data allows the production of anonymous statistics on restaurant consumption trends (popular dish types, average basket, number of guests, etc.).
3.1 Nature of Data Collected (with consent)
- Categories of items consumed (dishes, drinks, desserts) — never exact names
- Average basket per person and per session
- Number of participants per session
- Approximate geographical region (city or region) — never a precise address
- Type of establishment if provided
- Approximate meal time (lunch / evening)
3.2 What This Data NEVER Contains
- No data allowing an individual to be identified
- No first name, email, IBAN or token
- No photo or raw receipt content
- No precise GPS location
3.3 Use of This Data
This aggregated data may be used to:
- Improve application features
- Produce anonymous statistical reports on consumption trends
- In a future version, offer these aggregated insights to restaurant professionals (anonymised only, no individual data)
You may withdraw your consent at any time from your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4. Cookies and Trackers
4.1 Strictly Necessary Cookies (no consent required)
- Authentication session cookie (connected organiser)
- UI preferences cookie (theme, language)
4.2 Analytical Cookies (consent required)
SplitMyTicket may use traffic analysis tools (e.g. Google Analytics, PostHog or equivalent) to understand how users navigate the application. These tools place tracking cookies.
If analytical tools are enabled, a GDPR-compliant consent banner will be presented on your first visit. You may refuse without any impact on your use of the service.
Data collected via these tools includes: pages visited, session duration, device type, country (never a full IP if Google Analytics 4 is configured with anonymisation). They are never cross-referenced with your personal account data.
5. Sub-processors
| Sub-processor | Role | Location & guarantees |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | USA — EU Standard Contractual Clauses |
| Vercel Inc. | Frontend hosting, CDN, deployment | USA — EU Standard Contractual Clauses |
| Anthropic Inc. | OCR / AI analysis of receipt photos | USA — EU Standard Contractual Clauses |
| Upstash Inc. | Redis rate limiting | USA — EU Standard Contractual Clauses |
| Google LLC | Analytics (if enabled, with consent) | USA — EU Standard Contractual Clauses + Google DPA |
6. Transfers Outside the EU
All our sub-processors are established in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46 of the GDPR. Data processing agreements (DPAs) are in place with each sub-processor.
7. Your Rights (GDPR)
In accordance with the GDPR (Articles 15 to 22), you have the following rights:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right of rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to data portability (Art. 20) — receive your data in a structured format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to restriction (Art. 18) — request temporary suspension of processing
- Right to withdraw consent — at any time for processing based on consent (analytics, consumption data)
To exercise these rights: [email address to be completed] or via your account settings.
You also have the right to lodge a complaint with the Belgian Data Protection Authority: www.dataprotectionauthority.be
8. Security
We implement appropriate technical and organisational measures:
- TLS encryption for all communications
- Data encryption at rest (Supabase)
- Row Level Security (RLS) on all tables
- Limited-use participant tokens (48h, 32-character nanoid)
- Rate limiting on the scan API (10 requests/hour/IP)
- Secure environment variables — no secrets in source code
9. Minors
SplitMyTicket is intended for persons aged at least 16. We do not knowingly collect personal data relating to minors under 16.
10. Changes to This Policy
This policy may be updated. In the event of a substantial change, we will notify you by email (if you have an account) or via a notice visible in the application. The update date is always shown at the top of the document. Continued use of the service after notification constitutes acceptance.
11. Contact
Data Controller: SullyAndCie — https://splitmyticket.com
For any request relating to your personal data: [email address to be completed]
Belgian supervisory authority: Data Protection Authority — www.dataprotectionauthority.be