Privacy Policy

Who we are

Round is operated by the maker of the Round iOS app (the “app”, “Round”, “we”, “us”). You can reach us at support@tryround.dev. The website you are on is tryround.dev.

What we collect

Account

When you sign in with Apple, Apple sends us either your real email or an Apple relayed email at your choice, plus a stable user identifier. We store the identifier and the email so we can sign you back in and contact you about your account. We do not get your password and we do not see your Apple ID.

Waitlist email

Before Round opens on the App Store, this site collects email addresses through a single form. The address is stored in our Supabase database next to a timestamp, your browser user agent, and the source page (always landing). We do not store your IP address. We use the address to send you exactly one email the day Round goes live, and then we delete the row. If you want off the list before launch, write to support@tryround.dev and we will remove you the same day.

Expense data

The expenses you log in Round include the amount, currency, a short description, the people involved, and any group it belongs to. We store this so the app can show your balances on every device you sign in on. The descriptions are written by you, in your own words, on your own time. We do not mine them.

Device push token

To deliver push notifications about activity in your groups, we store a Firebase Cloud Messaging token tied to your account. This token is used only to send you notifications. It is rotated when iOS rotates it, and removed when you sign out or delete the app.

What we do not collect

• Your location. Round never asks for location permission. There is no analytics SDK reading it in the background.
• Your contacts. If you grant Contacts access in iOS, Round reads them on device only, to suggest names you can add to a group. The contact list itself is never uploaded.
• Your camera or photo library. Until receipt scan ships, we never ask. When it ships, the image is processed on device or in a single API call you initiate, and is not retained on our servers.
• Third party analytics or session replay. The first version ships without a telemetry SDK. If we add anonymous, aggregate analytics later, we will say so in this document and ask you in the app.
• Advertising identifiers. We do not run ads.

Where your data goes

Supabase

Round stores your account and expense data in Supabase, a Postgres based service in the United States (us-east-1). Data at rest is encrypted. Connections to Supabase use TLS. Access from our side is logged. Supabase is the only host that holds your account and ledger.

Firebase Cloud Messaging

Push delivery uses Firebase Cloud Messaging. We send the FCM service a message payload and your device token, and the service hands it to Apple Push Notification service which delivers it to your phone. We do not use Firebase Analytics, Firebase Crashlytics, or any other Firebase product.

OpenAI (parser fallback)

Round parses your typed phrase on device first. When the on device parser is not confident, the phrase (and only the phrase) is sent through a Supabase Edge Function to OpenAI’s gpt-4o-mini, which returns the parsed fields. We do not send your account identifier, your contact list, or anything else along with the phrase. You can switch this fallback off in Settings, in which case low confidence parses simply ask you to clarify in the UI.

Apple

Subscriptions are handled by Apple via StoreKit 2. Apple processes the payment and sends us a receipt that confirms whether you have an active entitlement. We never see your card.

Cross border transfers

Round’s primary data store is in the United States. If you use Round from outside the United States, your data will be transferred there and stored there. We rely on Standard Contractual Clauses where required and on the data processing terms of our sub processors.

How long we keep it

We keep your account and expense data for as long as your account exists. If you delete your account, we delete your account row and the expenses associated with it within 30 days. Backups are rotated out within 60 days. If you only delete the app from your phone, your data stays on Supabase under your account so you can sign back in from any other device.

Your rights

Wherever you live, you can ask us to do the following with your data. Most of these are buttons in the app under Settings. Some require an email if you want a copy outside the app.

• Access. See everything we hold about you.
• Export. Download your expenses and groups as a machine readable file (CSV or JSON).
• Correction. Fix anything that is wrong. Most of this you can do yourself in the app.
• Deletion. Delete your account and the data tied to it. Settings, Account, Delete account.
• Objection or restriction. Tell us to stop a specific use of your data, where the law allows.
• Withdraw consent. Where we rely on consent (for example, the AI fallback), you can switch it off.

For the EU and the UK, our legal bases are the contract you have with us (to provide the app), our legitimate interest (to keep the service running and secure), and your consent (for optional features). For California residents, we do not sell or share your personal information as those terms are defined by the CCPA. For Indian residents, we comply with the Digital Personal Data Protection Act 2023 and you can exercise your rights by emailing us.

To exercise any of these rights, write to support@tryround.dev. We respond within 30 days.

Children

Round is not directed to children under 13, and we do not knowingly collect data from anyone under 13. If you are a parent or guardian and believe your child has signed up, write to us and we will delete the account.

Security

We use TLS for all traffic between the app, Supabase, and our Edge Functions. Data is encrypted at rest in Supabase. Access to production data is limited to the people who run the service, and is logged. We are a small team, so we do not pretend to have a SOC 2 certificate. We follow the practices that a careful indie shop should follow.

Changes to this policy

If we materially change this policy, we will update the effective date at the top of this page and, where required, notify you in the app or by email. Continued use of Round after a change constitutes acceptance of the new policy.

Contact

Questions, requests, or anything else, reach us at support@tryround.dev.