LoanItLoanIt

Privacy Policy

LoanIt – Privacy Policy

Last updated: 20 November 2025 Owner / Controller: Saud Alhafith (individual) Contact email: saudalhafith@gmail.com Location: Riyadh, Saudi Arabia

Thank you for using LoanIt. This Privacy Policy explains how we collect, use, and share information when you use:

  • The LoanIt iOS app, and
  • The LoanIt websites and backend APIs (including loanit.app and api.loan-it.app).

By using LoanIt, you agree to this Privacy Policy.

This document is intended to be clear and honest, but it is not legal advice. Laws may require additional terms in your country.

1. What LoanIt does (and doesn’t) do

LoanIt helps you track interpersonal loans and shared expenses with friends and small groups. It records who paid, who owes, and how much.

  • We do not move money, connect bank accounts, or process payments.
  • LoanIt is a record-keeping and reminder tool only.

2. Information we collect

2.1 Information you provide directly

Account & profile

When you create an account or update your profile, we collect:

  • Name (first, last, and full name)
  • Username
  • Email address
  • Local currency preference (e.g., SAR)

This profile data is stored in our main users table and also in your local app cache.

Authentication

For sign-in and sign-up we collect:

  • Email and password

  • For third-party login:

    • Google ID token and access token
    • Apple ID token

These tokens are forwarded to Supabase Auth to create or verify your account. We do not store your raw password; Supabase Auth stores password hashes.

Loans, participants, and transactions

LoanIt is all about your financial relationships with others. When you use the app, we store:

  • Loan details: title, date, notes, base and local currencies

  • Participants:

    • Which users/contacts are in each loan
    • Participant role (OWNER, ADMIN, MEMBER)
    • Names and (optionally) phone numbers for virtual participants

  • Transactions:

    • Who paid (creditor) and who owes (debtors)
    • Amounts in base and local currency
    • Dates and optional notes
    • Per-participant splits (“who owes what”)

Notes and titles are free text; they can contain any information you choose to write about yourself or others.

Reminders and notifications content

If you schedule reminders or customize notification text, we store:

  • Reminder title
  • Reminder body template (which may include tokens like {debtorName}, {amount}, {loanTitle}, {creditorName})
  • Scheduled time, status and meta (sent, failed, attempts, etc.)

We also store a local notification history on your device (title, body, category, deep link) so you can see past notifications in the app.

Support and communication

If you email us or otherwise contact support, we will receive the information you provide (email address, message content, and any attachments).

2.2 Information collected automatically

Device & technical information

When the app talks to our backend, it sends limited device metadata in HTTP headers:

  • Device model (e.g., “iPhone”)
  • Operating system name and version
  • App version

This helps us debug issues and understand which devices and app versions are in use.

Push notification tokens

To send push notifications, we collect:

  • APNs token (Apple)
  • Firebase Cloud Messaging (FCM) registration token
  • Your preferred language (EN/AR)
  • Platform (iOS)

We store your FCM token in a user_device_tokens table tied to your user account and use it only for LoanIt notifications.

Server logs

Our backend logs basic HTTP access data and errors, including:

  • Timestamp
  • HTTP method and URL (which may include IDs or invite tokens)
  • Response status
  • User agent (browser / app version)

We do not deliberately log your passwords or your full JWT token. Some error logs may include Supabase error payloads and FCM error messages, which can occasionally contain identifiers (e.g. email, device token).

We typically retain server logs for about 30 days, subject to hosting configuration.

2.3 Information from third-party providers

Authentication providers

  • Supabase Auth – handles email/password and token-based authentication, and stores the core auth record (auth.users). It receives your email, password (hashed), and login metadata.
  • Sign in with Apple / Google – when you use these options, Apple/Google receive the usual sign-in information, and we receive tokens used to create or sign you in via Supabase.

Subscriptions & analytics identifiers

  • RevenueCat (subscriptions) receives your LoanIt user ID, name, email, push token, and a PostHog distinct ID, to manage Pro entitlements and subscription analytics.
  • PostHog (product analytics) receives an anonymous distinct ID and may collect product usage events and device information. Screen auto-capture is disabled.
  • Firebase Analytics collects limited analytics events (e.g., login / sign-up with method) and standard device statistics.

Email delivery

We use email delivery providers (currently Resend and/or the email provider integrated with Supabase) to send:

  • Verification emails
  • Password reset links
  • Other strictly transactional emails

These providers receive your email address and the content of the messages we send.

Website hosting & analytics

Our marketing site is hosted on Vercel, which may log IP addresses, user agents, and basic analytics about visits to loanit.app.

3. How we use your information

We use your information for the following purposes:

  1. Provide and maintain the service

    • Create and manage your account and profile
    • Let you create, edit, and delete loans, participants, and transactions
    • Calculate balances, splits, and analytics (net position, payables/receivables, trends)

  2. Notifications and reminders

    • Send push notifications when new transactions are added, when you’re added to a loan, and when reminders you scheduled are due
    • Store and show notification history inside the app

  3. Authentication and security

    • Authenticate you via Supabase Auth and third-party providers
    • Protect your account with password reset and session checks
    • Detect suspicious activity or abuse

  4. Subscriptions & Pro features

    • Manage your Pro subscription through RevenueCat
    • Determine if you have an active Pro entitlement (premium and premium_until claims)
    • Unlock Pro features such as advanced analytics and scheduled reminders

  5. Analytics and product improvement

    • Understand high-level usage (e.g., how many users use reminders, how often loans are created)
    • Improve UX, performance, and reliability
    • Analyze conversion from free to Pro (only in aggregate)

  6. Legal, safety, and compliance

    • Enforce our Terms of Use
    • Respond to lawful requests from authorities (if required by applicable law)
    • Protect our rights, property, and users (e.g., investigating abuse or fraud)

We do not sell your personal data and we do not use ad networks or IDFA-based advertising.

4. Legal bases (for users in the EEA/UK and similar regions)

Where data protection law (like GDPR) applies, we process your personal data under these legal bases:

  • Contract – to provide the app and features you request (account, loans, transactions, reminders, Pro subscription).

  • Legitimate interests – for:

    • Basic analytics and product improvement
    • Preventing abuse and ensuring security
    • Storing limited logs to debug and protect the service

  • Consent – where required for push notifications and for any optional analytics or marketing you explicitly opt into.

You can withdraw consent at any time via system settings (e.g., disabling notifications) or by contacting us.

5. How we share information

We share your information only with:

  1. Service providers (processors) who help us run LoanIt, such as:

    • Supabase (auth & database)
    • Hosting provider(s) (servers / infrastructure)
    • Firebase (push notifications & analytics)
    • RevenueCat (subscriptions)
    • PostHog (product analytics)
    • Email delivery providers (currently Resend and/or Supabase’s email provider)
    • Currency rate provider(s) (FX data only; no user-identifiable data)

    These providers process data on our behalf and under our instructions.

  2. Other users in your loans

    • Other participants in a loan can see:

      • The loan title, notes, and amounts
      • Participant names and roles
      • Transactions affecting that loan

    • This is core to how LoanIt works: the whole point is a shared record among participants.

  3. If required by law

    • We may disclose information if we reasonably believe it is necessary to:

      • Comply with a legal obligation or lawful request
      • Protect the rights, privacy, or safety of our users or the public
      • Enforce our agreements or defend against legal claims

We do not share your information with advertisers or data brokers.

6. International data transfers

  • Our servers and databases are currently hosted in the European Union (Hetzner and Supabase Postgres).
  • Some of our service providers (for example, Firebase, RevenueCat, PostHog, Vercel, email providers) may process data in other countries, including the United States or other regions.

Where required by law, we rely on appropriate safeguards offered by those providers (such as standard contractual clauses or equivalent mechanisms) or ensure that transfers are permitted by applicable data protection laws.

Because the internet is global, your data may be processed in countries that have different data protection laws than your own. We aim to work only with reputable providers that have strong security and privacy practices.

7. Data retention

We keep data only for as long as necessary for the purposes described above or as required by law.

Account & profile data

  • While your account is active, we retain your profile and related data.
  • If you delete your account, we delete your user profile and Supabase auth record promptly, and cascade or anonymize related data as described below.

Loans, participants, and transactions

Our goal is to preserve financial history for remaining participants while protecting your identity:

  • If you delete your account and you have no transactions in a given loan, your participant record in that loan can be removed.

  • If you delete your account and you do have transactions, we:

    • Remove the link to your user account (user_id is set to NULL),
    • Keep an anonymous participant record so other people’s history remains consistent.

  • If you are the only real participant left in a loan and you delete your account (or leave that loan), the loan and related data may be deleted entirely.

Loan owners or admins can also delete specific loans and transactions; in that case, related records are removed by the backend (with cascading deletes).

Reminders and notification history

  • Server-side reminder records (loan reminders) are kept so we can show history and avoid replaying old notifications. Currently there is no automatic purge, but we may implement one in future.
  • Local notification history on your device is kept until you clear it from within the app or delete the app.

Device tokens

  • Device tokens are deleted when:

    • They are reported invalid by Firebase (FCM), or
    • Your user account is deleted (cascade deletes from user_device_tokens).

Logs

  • Server logs are retained for approximately 30 days and then rotated or removed, depending on server configuration.

Local caches on your device

  • The app maintains a local SQLite database and some JSON caches in your device’s storage to support offline usage.
  • Signing out or deleting your account clears session data and access but does not necessarily delete the database file itself; it becomes unused but may remain on disk until the app is removed or local storage is cleared.

8. Your rights and choices

Depending on where you live, you may have some or all of the following rights:

  1. Access – request a copy of the personal data we hold about you.
  2. Correction – ask us to correct inaccurate or incomplete data.
  3. Deletion – delete your account and, where possible, other information.
  4. Restriction – request that we limit processing in certain cases.
  5. Portability – request your data in a structured, commonly used format where technically feasible.
  6. Objection – object to certain processing (e.g., analytics) where we rely on legitimate interests.
  7. Withdraw consent – where processing is based on consent (e.g., notifications), you can withdraw it.

8.1 Using in-app controls

Within the LoanIt app you can:

  • Update your profile information
  • Delete individual loans and transactions (subject to your role in that loan)
  • Create, edit, and cancel reminders
  • Delete your account via Settings → Account → Delete Account
  • Sign out and stop using the app
  • Control notification permissions via your device settings

8.2 Contacting us

You can also exercise your rights or ask questions by emailing:

saudalhafith@gmail.com

We may ask you to verify your identity before fulfilling certain requests. Some rights may be limited, for example when fulfilling your request would impact other users’ rights (e.g., deleting history that others rely on).

If you are in a region with a data protection authority (for example, the EEA, UK, or Saudi PDPL regulator), you may also have the right to lodge a complaint with that authority.

9. Security

We take reasonable technical and organizational measures to protect your data, including:

  • Using reputable hosting, auth, and database providers
  • Protecting network communications with HTTPS
  • Using access controls on backend services
  • Avoiding logging of sensitive secrets (e.g., passwords, full tokens)

However, no system is perfectly secure. We cannot guarantee absolute security of your data. If we become aware of a serious incident affecting your data, we will take reasonable steps to notify you and comply with applicable laws.

10. Children

LoanIt’s content rating on the App Store is 4+, which reflects content suitability, not an intended audience.

  • We do not knowingly target or market LoanIt to children under 13.
  • We do not knowingly collect personal data from children without parental consent where required by law.

If you believe a child has created an account or provided personal data without appropriate consent, please contact us so we can investigate and take appropriate action (including account deletion where applicable).

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example when we add new features, integrate new providers, or when laws change.

When we make material changes, we will:

  • Update the “Last updated” date at the top, and
  • Where appropriate, notify you in the app or by email.

Your continued use of LoanIt after changes take effect means you accept the updated policy.

12. How to contact us

If you have any questions, concerns, or requests about this Privacy Policy or your personal data, you can contact:

Controller:

Saud Alhafith Riyadh, Saudi Arabia Email: saudalhafith@gmail.com