Privacy Policy
Last Updated: February 11, 2026
1. Introduction
Welcome to Splitro's Privacy Policy. This Privacy Policy explains how Splitro ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use our crowdfunding platform available at https://splitro.com (the "Service" or "Platform").
We are committed to protecting your privacy and ensuring transparency about our data practices. This Privacy Policy should be read in conjunction with our Terms and Conditions.
Your Rights
We respect your privacy rights and are committed to compliance with:
- UK GDPR (United Kingdom General Data Protection Regulation)
- EU GDPR (European Union General Data Protection Regulation)
- UK Data Protection Act 2018
- Other applicable privacy laws
This Privacy Policy applies to all Users of the Service, including visitors, registered Users (Creators and Supporters), and anyone who interacts with our Platform.
2. Data Controller Information
Identity of Data Controller
Splitro is the data controller responsible for your personal information collected through the Service.
Operating Entities
SPLITRO LTD
Company registered in England and Wales (United Kingdom)
PEGASUS SOLUTIONS, INC.
US Parent Company (registered in United States)
support@splitro.com
Support Portal
splitro.com/settings/support
Data Protection Officer
For questions related to data protection and privacy:
support@splitro.com
EU Representative
For EU users with data protection questions:
support@splitro.com
3. Information We Collect
We collect several types of information to provide and improve our Service.
Authentication Data
- Email address (stored in Firebase Authentication)
- Password (hashed, never stored in plain text)
- Email verification status
Profile Information
- Username (unique, 4-15 characters)
- Display name (1-50 characters)
- Bio (0-160 characters)
- Profile picture and banner image
- Social media links (optional)
- Website URL (optional)
Creator-Specific Information
- Country (required for Stripe zone determination)
- Payout currency preference (GBP, USD, EUR, or others)
Financial Data
- Stripe Customer ID (for payment processing)
- Stripe Connect Account ID (for Creators)
- Payment card information (stored by Stripe, NOT Splitro)
- Transaction history and payout records
- Monthly spending totals
🔒 Payment cards are stored by Stripe (PCI-DSS certified), never by Splitro
Group and Activity Data
- Groups created or joined
- Splits created or contributed to
- Auto-Split schedules (for recurring contributions)
- Group membership status
Information Collected Automatically
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Date and time of access
4. Legal Basis for Processing (GDPR)
For Users in the UK and EU, we process your personal data based on the following legal grounds:
4.1 Contractual Necessity
We process your data to provide the Service as outlined in our Terms and Conditions, including:
- Creating and managing your Account
- Processing payments and contributions
- Facilitating Group creation and membership
- Sending transactional emails (payment confirmations, receipts, security alerts)
4.2 Legitimate Interests
We process your data based on our legitimate interests, including:
- Fraud prevention and security
- Service improvement and analytics
- Customer support
- Business operations and compliance
4.3 Consent
We process your data based on your explicit consent for:
- Optional features (X/Twitter integration for milestone posts)
- Marketing communications (you can opt out at any time)
4.4 Legal Obligation
We process your data to comply with legal obligations, including:
- Tax reporting requirements
- Anti-money laundering (AML) and Know Your Customer (KYC) regulations
- Financial record-keeping requirements
- Court orders and legal processes
5. How We Use Your Information
5.1 Core Service Provision
- Create and manage your Account
- Authenticate your identity and maintain session security
- Process payments and contributions via Stripe
- Calculate and distribute funds to Creators
- Manage Groups, Splits, and Auto-Splits
- Track contribution history and milestones
- Generate payout reports for Creators
5.2 Communication
We use your information to send:
- Transactional emails (payment confirmations, receipts, payout notifications, failed payment alerts)
- Milestone notifications (25%, 50%, 75%, and 100% funding progress)
- Security alerts (password resets, login from new devices, suspicious activity)
- Service updates (important changes to Terms, Privacy Policy, or Platform functionality)
5.4 Fraud Prevention and Security
- Detect and prevent fraudulent transactions
- Monitor for suspicious activity
- Enforce our Terms and Conditions
- Comply with legal obligations
- Protect the rights and safety of Users
6. How We Share Your Information
We do NOT sell your personal information to third parties.
We share your information only in the following limited circumstances:
Third-Party Service Providers
We share your information with trusted service providers who help us operate the Platform:
Stripe, Inc.
Purpose: Payment processing, Stripe Connect accounts, payout management
Data Shared: Payment cards, bank accounts, transaction data, identity verification
Privacy Policy: https://stripe.com/privacy
Firebase (Google Cloud)
Purpose: User authentication, database storage (Firestore)
Data Shared: Email, password (hashed), user profiles, Groups, Splits, transactions
Privacy Policy: https://firebase.google.com/support/privacy
SendGrid (Twilio)
Purpose: Transactional email delivery
Data Shared: Email addresses, recipient names, email content
Privacy Policy: https://www.twilio.com/legal/privacy
Cloudflare R2
Purpose: Storing user avatars, banners, Group images, Split images
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Legal Requirements
We may disclose your information if required by law, including:
- Court orders or subpoenas
- Legal processes and investigations
- Regulatory inquiries (tax authorities, financial regulators)
- Law enforcement requests (with valid legal authority)
- Protection of rights: To protect the rights, property, or safety of Splitro, our Users, or the public
7. International Data Transfers
Where Your Data is Processed
Splitro operates globally, and your data may be transferred to and processed in countries outside your country of residence, including:
- United Kingdom (Firebase, Cloudflare)
- European Economic Area (Firebase, Cloudflare, AWS)
- United States (Stripe, SendGrid, AWS, Vercel, Open Exchange Rates, X/Twitter)
Safeguards for International Transfers
For data transfers from the UK and EU to countries without adequate data protection laws, we rely on:
- Standard Contractual Clauses (SCCs) with service providers in the United States
- Adequacy decisions by the European Commission where applicable
- Service provider commitments to data protection frameworks and compliance
8. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy and comply with legal obligations.
| Data Type | Retention Period |
|---|---|
| User profile data (active accounts) | Until account deletion |
| Transaction records | 7 years (legal requirement) |
| Images (avatars, banners, Split images) | Until deleted by User or account closure |
| Rate limiting data (IP addresses, User IDs) | 60 seconds (automatic expiration) |
| Audit logs | 7 years (security and compliance) |
| Support tickets | 3 years after closure |
| Email delivery logs | 30 days (SendGrid retention) |
| Payout records | 7 years (financial compliance) |
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
Right to Access (GDPR Article 15)
Request a copy of the personal information we hold about you.
📧 Email: support@splitro.com with "Data Access Request"
Right to Rectification (GDPR Article 16)
Correct inaccurate or incomplete personal information.
⚙️ Update directly in Account settings or contact support
Right to Erasure / "Right to be Forgotten" (GDPR Article 17)
Request deletion of your personal information (exceptions: transaction records retained for 7 years).
🗑️ Request account deletion at /settings/support
Right to Data Portability (GDPR Article 20)
Receive your data in JSON or CSV format.
📦 Email: support@splitro.com with "Data Portability Request"
Response Times
We will respond to all data subject requests within:
- 30 days (standard)
- 60 days (for complex requests, with notification)
10. Security Measures
We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.
🔐 Authentication Security
- Firebase Authentication with email verification
- HttpOnly cookies (XSS protection)
- Token refresh mechanism (3600s expiry)
- Password hashing (never stored in plain text)
🛡️ Data Transmission
- HTTPS/TLS encryption (end-to-end)
- Stripe PCI-DSS Level 1 certification
- Signed URLs for images (7-day expiration)
⚡ API & Network Security
- Rate limiting via Upstash Redis
- CSRF protection (SvelteKit built-in)
- Webhook signature verification
- DDoS protection via Vercel & Cloudflare
💳 Payment Security
- PCI-DSS compliance via Stripe
- 3D Secure authentication
- Fraud detection via Stripe Radar
- Atomic database transactions
11. Cookies and Tracking Technologies
Essential Cookies Only
We use only essential cookies necessary for the Service to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
| fb_id_token | Firebase authentication ID token | 3600s (1 hour) |
| fb_rf_token | Firebase refresh token for session renewal | 3600s (1 hour) |
Cookie Properties:
- HttpOnly: Yes (prevents XSS attacks)
- Secure: Yes (HTTPS only)
- SameSite: Lax (CSRF protection)
❌ What We Do NOT Use
- Third-party tracking cookies (Google Analytics, Facebook Pixel, etc.)
- Advertising cookies
- Social media cookies (except when you explicitly connect X/Twitter)
- Marketing or analytics cookies
12. Children's Privacy
Age Restriction
The Service is NOT intended for children under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.
Parental Notice
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@splitro.com, and we will delete the information promptly.
Verification
By using the Service, you represent and warrant that you are at least 18 years old.
13. Third-Party Links and Services
External Links
The Platform may contain links to third-party websites, services, or resources (e.g., Creator websites, social media profiles).
We are NOT responsible for:
- The privacy practices of third-party websites
- The content or accuracy of third-party websites
- Your interactions with third-party services
Third-Party Service Provider Privacy Policies
- Stripe: https://stripe.com/privacy
- Firebase (Google): https://firebase.google.com/support/privacy
- SendGrid (Twilio): https://www.twilio.com/legal/privacy
- Cloudflare: https://www.cloudflare.com/privacypolicy/
- AWS: https://aws.amazon.com/privacy/
- Vercel: https://vercel.com/legal/privacy-policy
14. Changes to This Privacy Policy
Right to Modify
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal requirements, or Platform functionality.
Material Changes
- We will notify you via email at least 30 days before material changes take effect
- A prominent notice will be displayed on the Platform
- The "Last Updated" date at the top of this Policy will be updated
Non-Material Changes
- Minor updates (e.g., clarifications, formatting) may be made without advance notice
- The "Last Updated" date will be updated
Your Acceptance
- Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy
- Material changes may require explicit re-acceptance
- If you do not agree to the changes, you must stop using the Service and may request Account deletion
15. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to Know
You have the right to request:
- Categories of personal information collected
- Categories of sources of personal information
- Business or commercial purpose for collecting personal information
- Categories of third parties with whom we share personal information
Right to Delete
You have the right to request deletion of your personal information (subject to legal retention requirements).
Right to Opt-Out of Sale
We do NOT sell your personal information. Therefore, there is no need to opt out of sale.
Exercising CCPA Rights
To exercise your CCPA rights, contact us at support@splitro.com with "CCPA Request" in the subject line.
16. Data Breach Notification
Our Commitment
In the event of a data breach that affects your personal information, we are committed to transparency and timely notification.
Notification Timeline
For UK/EU Users (GDPR):
We will notify affected Users within 72 hours of becoming aware of the breach
For All Users:
We will provide timely notification via email and/or Platform notice
Information Provided
- Nature of the breach and data affected
- Likely consequences of the breach
- Measures we have taken to mitigate harm
- Recommended steps for Users to protect themselves
- Contact information for questions
Prevention Measures
We continuously monitor our systems for security threats and implement measures to prevent unauthorized access, including:
- Regular security audits
- Penetration testing
- Employee training on data security
- Incident response plans
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Inquiries
support@splitro.com
Support Portal
splitro.com/settings/support
Data Protection
For GDPR inquiries
support@splitro.com
Subject: "Data Protection Inquiry"
Response Time
Privacy inquiries
Within 30 days
UK Operating Entity
SPLITRO LTD
Registered in England and Wales
US Parent Company
PEGASUS SOLUTIONS, INC.
Registered in United States
UK Supervisory Authority
18. Summary of Key Points
📊 What information do we collect?
- Account information (email, username, password)
- Profile information (display name, bio, images, social links)
- Financial data (via Stripe - payment cards, transactions, payouts)
- Usage data (IP address, device information, pages visited)
🎯 How do we use your information?
- To provide the Service (authentication, payments, Groups, Splits)
- To communicate with you (transactional emails, notifications)
- To improve the Platform (analytics, bug fixes)
- To prevent fraud and ensure security
🤝 Do we share your information?
- We do NOT sell your information
- We share with trusted service providers (Stripe, Firebase, SendGrid, etc.)
- We may disclose if required by law
⏱️ How long do we keep your information?
- Active accounts: Until you delete your Account
- Transaction records: 7 years (legal requirement)
- Images: Until deletion or account closure
- Rate limiting data: 60 seconds (automatic expiration)
19. Acknowledgment
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT:
- You have read and understood this Privacy Policy
- You consent to the collection, use, and sharing of your information as described
- You understand your privacy rights and how to exercise them
- You understand that we use third-party service providers to operate the Platform
- You have reviewed the privacy policies of our third-party service providers
- You understand that transaction records are retained for 7 years for legal compliance
Thank you for trusting Splitro with your personal information. We are committed to protecting your privacy and providing a secure, transparent Platform.
For the most current version of this Privacy Policy, please visit: https://splitro.com/privacy
© 2026 Splitro. All rights reserved.
