uUniBudz

Privacy Policy

Effective: 17 May 2026 · Last updated: 17 May 2026

Plain English first: UniBudz is a South African student app for bill-splitting, friend-locating, and finding events. We keep the data we need to make those features work — and nothing more. We don't sell your data. We don't run ads. We protect it with industry-standard security. If you ever want to see what we hold on you or delete it, email unibudzapp@gmail.com and we'll act within 30 days.

1. Who we are

UniBudz is operated as a sole proprietorship by Ryan Daniel van Eeden ("we", "us", "our") based in South Africa. We are the Responsible Party under the Protection of Personal Information Act, 2013 (POPIA) for the personal information described in this policy.

Contact for any privacy question, data request, or complaint: unibudzapp@gmail.com.

2. What we collect

We collect the minimum personal information needed to run the features you choose to use:

Category	What it is	Why we collect it
Account	Email address, first name, last name, password (hashed), profile photo (optional)	To create your account, sign you in, and show you to your friends and groupmates
Expense data	Group names, expense titles, amounts, categories, notes, who paid, who owes	The core bill-splitting feature
Receipt images (Pro only)	Photos of till slips you choose to scan	To extract line items via OCR (see §5). Stored privately in your account folder; auto-purged after 24 hours if not attached to an expense
Friend graph	Friend connections, friend codes, blocked users, nicknames you assign	To run the Friends tab + privacy controls
Location (when you choose to share)	GPS coordinates while the app is foregrounded	Group/friend live location features. Off by default. Only updates while the Map tab is open. Friend-wide location auto-expires when stale
SOS events	Coordinates + timestamp when you trigger SOS	To notify your friends of an emergency
Push device tokens	Firebase Cloud Messaging (FCM) token	To send you push notifications. Stale tokens auto-delete
Notification preferences	Quiet hours, channel choices, event toggles	To respect when and what you want to be notified about
Pro subscription status	Tier (free / pro), expiry date	To unlock Pro features for paying users
Reviews and submissions	Review text, ratings, suggested venues, event submissions	To improve the venue and event data for all users. Reviews are screened by automated moderation (see §5)
Usage events	Anonymous venue impressions, popup opens, action taps	To improve which venues we surface and to share aggregated stats with venues. Not tied to your account in shared reports
Device + diagnostic data	App version, error logs, basic platform info (Android version etc)	To debug crashes and improve stability

We do not collect: contact lists, photos other than what you upload, microphone, calendar, browsing history outside the app, advertising IDs, or any biometric data.

3. How we use it

To run the app. Authentication, syncing your expenses, showing your friends on the map, delivering push notifications, gating Pro features.
To keep it safe. Filtering blocked users out of recipient lists, moderating reviews, detecting abuse.
To improve it. Aggregated usage stats help us decide which features to build next and which venue listings are stale.
To support you. If you email us, we'll keep that email so we can reply.

We do not use your personal information for advertising or profiling. We do not sell or rent your data to any third party.

4. Legal basis for processing

Under POPIA, we process your personal information on the following bases:

Your consent — you sign up for the account and choose which optional features to enable (location sharing, push notifications).
Performance of a contract — to deliver the services you signed up for, including Pro features if you subscribe.
Legitimate interests — to keep the platform secure, prevent abuse, and improve product quality. We weigh these against your privacy rights and only act where the interest is not overridden.
Legal obligation — to respond to lawful requests from regulators or law enforcement.

5. Third-party processors (Operators under POPIA)

We use a small number of trusted service providers to run the app. Each is bound by their own privacy obligations and only processes data on our instructions:

Operator	What they do	Where
Supabase	Database, authentication, file storage, server-side logic	Hosted in EU (Ireland)
Firebase Cloud Messaging (Google)	Delivers push notifications	Google global infrastructure
Resend	Sends transactional emails (sign-up codes, password resets)	USA / global
OpenAI	Receipt OCR (Pro feature), review moderation, deal text extraction. Data submitted to OpenAI is not used to train OpenAI models	USA
Mapbox	Map tiles + geocoding for the map screen	USA
Google Maps / Places	Venue location and detail enrichment	Google global infrastructure
Quicket	Public event listing data (read-only, no personal information sent)	South Africa
Cloudflare	Hosting for the website and admin dashboard, DNS, edge caching	Global edge network

We have selected these providers because they offer industry-standard security controls (encryption in transit and at rest, SOC 2 or equivalent compliance) and provide contractual protections appropriate to cross-border transfers.

6. Cross-border transfers

Because the providers above operate outside South Africa, some of your personal information is transferred internationally. Under POPIA s72, we only transfer personal information to a country that has comparable data protection laws, the recipient is bound by binding rules / contracts providing comparable protection, you have consented, or the transfer is necessary for the performance of our contract with you. We rely on the operators' standard contractual clauses and equivalent safeguards.

7. Sharing with other users

Some information is visible to other UniBudz users by design:

Inside a group: your display name, profile photo, friend code, expenses you create, and your share of group expenses are visible to all group members.
Friends: your friend code, name, profile photo, and online/active status are visible to people who add you as a friend.
Live location: only members of groups you've opted into sharing with, or friends with whom you've reciprocally enabled location sharing, can see your position. Off by default.
Reviews: any review you post is publicly visible to all UniBudz users, attributed to your display name.

8. Data retention

Account data — kept while your account is active. Deleted within 30 days of account deletion.
Expense and group data — kept while you remain in the group. When the group is deleted, expenses are cascade-deleted.
Friend locations — auto-purged after a short period of inactivity (typically < 1 hour).
Receipt images — kept while attached to an expense; orphan uploads purged after 24 hours.
Notification preferences — kept while account is active.
Push device tokens — auto-removed when invalid or when you sign out.
Backups — held by Supabase for up to 7 days after deletion, then purged.

9. Your rights under POPIA

You have the following rights regarding your personal information:

Access — request a copy of what we hold on you.
Correction — ask us to fix anything inaccurate.
Deletion — close your account and have your personal data deleted (subject to legitimate retention obligations).
Object — object to specific processing activities at any time.
Withdraw consent — withdraw consent for any optional processing (location, push, etc.) at any time, from within the app.
Lodge a complaint — with us first at unibudzapp@gmail.com, or with the South African Information Regulator at complaints.IR@justice.gov.za or inforegulator.org.za.

We will respond to all requests within 30 calendar days.

10. Security

We protect your information with:

TLS encryption for all data in transit between the app and our servers.
Encryption at rest for the database and file storage (provided by Supabase).
Row-Level Security policies that prevent users from accessing data that isn't theirs.
Hashed passwords (we never see your password in plain text).
Restricted internal access — only the UniBudz operator can view administrative data, and only for support and operational purposes.

No system is 100% secure. If we ever discover a personal data breach that creates a risk to you, we will notify you and the Information Regulator without unreasonable delay, in line with POPIA s22.

11. Children

UniBudz is intended for users aged 18 or older (university students). We do not knowingly collect personal information from anyone under 18. If we learn we have, we will delete it. If you believe a minor has signed up, please email unibudzapp@gmail.com.

12. Cookies and tracking

The mobile app does not use cookies or third-party analytics SDKs. The companion website at unibudz.co.za uses Cloudflare's standard infrastructure logs (IP address, browser type) for security and performance. We do not embed advertising or analytics trackers.

13. Changes to this policy

We may update this policy as the app evolves. If we make material changes, we will notify you in-app and bump the "Last updated" date at the top. Continued use after a change means you accept the updated policy.

14. Contact

Privacy questions, access requests, deletion requests, or complaints:
unibudzapp@gmail.com