Privacy Policy
Version 1.0.0 · Effective 28 May 2026
This Privacy Policy explains how evvnly collects, uses, and protects your personal data when you use our app and website, and the rights you have under the EU General Data Protection Regulation (“GDPR”). We are committed to keeping your data yours.
1. Data controller
The controller of your personal data is Rather Active - Unipessoal, Lda, a company incorporated in Portugal, with its registered office at Rua Dom António de Sousa Barroso, 9, 2730-254 Valejas, Portugal, and tax/registration number (NIPC) 517304198. For any privacy question or to exercise your rights, contact us at hello@ratheractive.tech.
2. What data we collect
We collect only what we need to run evvnly:
- Account data — your email address and authentication identifiers. If you sign in with a third-party provider (such as Google or Apple), we receive a basic identifier and the email associated with that account.
- Profile data — your display name, and optionally a profile photo and short bio that you choose to add.
- Expense and group data — the groups you create or join, the people in them, expenses, amounts, currencies, descriptions, balances, settlements, and any receipt images you upload.
- Device and notification data — a push-notification token for the devices where you enable notifications.
- Diagnostic data — technical data such as app version and crash/error reports, used to keep the Service working and to fix problems. We do not currently run third-party usage analytics (no tracking of which screens or features you use).
We do not ask for or intentionally collect special-category data (such as health or political data). Please do not put such information into expense descriptions or notes.
3. Why we use it, and our lawful basis
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Create and manage your account; provide the core expense-splitting features | Performance of a contract |
| Process evvnly Plus purchases and keep tax/accounting records | Performance of a contract; legal obligation |
| Send service messages (e.g. group invites, verification, account notices) | Performance of a contract |
| Send push notifications you have enabled | Consent |
| Diagnose crashes and errors to keep the Service stable | Legitimate interests |
| Keep the Service secure and prevent abuse or fraud | Legitimate interests |
Where we rely on consent, you can withdraw it at any time (for example, by turning off notifications in your settings). Where we rely on legitimate interests, we have weighed those interests against your rights.
4. Sub-processors we use
We share data with a small set of trusted service providers who process it on our behalf, under contract and only as needed to run evvnly:
- Google Firebase Authentication — sign-in and account security.
- Google Cloud Firestore — storage of your profile, group, and expense data.
- Google Cloud Storage — storage of receipt images and profile photos.
- Google Cloud Platform (GCP) — hosting of our backend services.
- Firebase Cloud Messaging (FCM) — delivery of push notifications.
- Firebase Crashlytics — crash and error reporting.
- Resend — delivery of transactional emails.
We do not sell your personal data, and we do not share it with third parties for their own advertising.
5. International transfers
Some of our providers (including Google and Resend) are based in, or may process data in, countries outside the European Economic Area, such as the United States. Where data is transferred outside the EEA, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses or an applicable adequacy decision — so that your data keeps an equivalent level of protection.
6. How long we keep it
We keep your personal data for as long as your account is active. When you delete your account, we delete your personal data from our live systems, except where we must keep limited records to meet a legal obligation (for example, billing and tax records for paid purchases). Backups are cycled out on a rolling basis.
Some shared content (such as an expense you added to a group) may remain visible to other members of that group after you leave or delete your account, because it forms part of their shared record — but it will no longer be linked to your profile.
7. Your rights
Under the GDPR, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a structured, machine-readable format (data portability);
- withdraw consent at any time, where processing is based on consent.
You can export your data and delete your account directly in the app (Settings → Privacy). For any other request, email hello@ratheractive.tech and we will respond within the time limits set by the GDPR.
If you believe we have mishandled your data, you can lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD) — https://www.cnpd.pt — or with the authority in your EU country of residence.
8. Security
We use technical and organisational measures to protect your data, including encryption in transit, access controls, and reputable infrastructure providers. No system is perfectly secure, but we take reasonable steps to protect your data and to respond promptly if something goes wrong.
9. Children
evvnly is not directed at children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will update the version and effective date above and, where appropriate, notify you in the app or by email.
11. Contact
For any privacy question or request, email us at hello@ratheractive.tech.