Privacy Policy.

Effective 23 April 2026 · Last updated 23 April 2026

This policy explains what data Zel collects, how it's used, and the choices you have. Zel is a chat-first expense-splitting app operated by the Zel team ("we", "us"). Questions? Email alexdevpanda@gmail.com.

1. Data we collect

We collect only what's needed to run the app.

1.1 Account data (required)

• Email address — to create your account, sign you in, and send password-reset or magic-link emails.
• Display name — shown to other members of trips you're part of.
• Username — a unique handle used to add you to trips by name.
• Profile photo (optional) — if you choose to upload one.

1.2 Trip and expense data

When you create or participate in a trip, we store:

• Trip name, description, and optional cover image.
• The list of members you add (their display names, and — if they're Zel users — their user IDs).
• Expenses you record: amount, currency, description, category, who paid, and how it's split between members.
• Settlement records (who paid whom, when, and how much).
• Chat messages and reactions within a trip.

1.3 Receipt and chat images

When you attach a photo to a chat message or use the receipt feature, the image is uploaded to our storage backend (Supabase Storage). Images stay until you or a trip member deletes the message, or the trip is deleted.

1.4 Feedback submissions

When you send feedback through the in-app help flow, we store the message text, your user ID, and any screenshots you attach. This is used solely to triage and respond to your feedback.

1.5 Device data

• Push notification token — when you enable notifications, we register a token with Apple Push Notification service (APNs) so we can send you alerts about trips you're in.
• Locale / default currency — we read your device locale to suggest a default currency. You can change it at any time.
• Session token — stored locally in the OS secure store (iOS Keychain / Android Keystore) to keep you signed in. Never sent to third parties.

1.6 Permissions we request

We only ask for permissions when you actively use the feature:

• Camera — only when you tap the camera button to take a photo for a chat.
• Photo library — only when you pick an image to share in chat or set as profile/trip picture.

You can revoke these at any time in your device settings. The app stops using them immediately.

1.7 What we do not collect

• We do not track you across other apps or websites.
• We do not run advertising or advertising SDKs.
• We do not run third-party analytics SDKs.
• We do not collect your contacts, location, calendar, microphone, or Bluetooth data.
• We do not sell your data. Ever.

2. How we use your data

We do not use your data to build advertising profiles, train external AI models, or share with data brokers.

3. Who we share data with

We share data only with service providers that help us run Zel:

We don't share your data with anyone else. We don't sell it.

4. Server logs

Our backend (Supabase) keeps short-lived logs of API requests (timestamps, IP, endpoint) so we can debug problems and detect abuse. These logs do not contain your message bodies, expense amounts, or passwords. Logs are retained for a limited period and then discarded.

5. Data retention

• Account data — retained while your account exists.
• Trip, expense, chat data — retained while the trip exists. Deleting a trip deletes its messages, expenses, splits, and images.
• Images — deleted when the associated message or trip is deleted.
• Feedback — retained so we can follow up; deleted on request.
• Backups — encrypted backups may persist for up to 30 days after deletion.

When you delete your account, we delete your profile, authored trips, and associated content. Trips you participated in but didn't create may retain your historical display name in expense records so balances remain accurate for other members.

6. Your rights and choices

You can at any time:

• Access your data — everything we have about you is visible inside the app.
• Export your trips — use the "Export to Spreadsheet" feature to download an .xlsx of any trip's transactions and balances.
• Correct your data — edit your profile, trip details, expenses, and splits.
• Delete your account — contact us at alexdevpanda@gmail.com to request deletion.
• Opt out of push notifications — turn them off in iOS/Android device settings at any time.
• Opt out of feedback follow-up — email us to have feedback records deleted.

If you're in the EU/UK (GDPR) or California (CCPA), you additionally have the right to:

• Request a portable copy of your data.
• Object to processing.
• Lodge a complaint with your local data protection authority.

We'll respond to rights requests within 30 days.

7. Security

• Data in transit is encrypted via TLS.
• Passwords are hashed by Supabase Auth; we never see them in plaintext.
• Session tokens on your device are stored in the OS secure enclave (iOS Keychain / Android Keystore).
• Database access is protected by row-level security: members of a trip can only read that trip's data; no user can read another user's private account data.

No system is perfectly secure. If we become aware of a breach that affects you, we'll notify you within the timelines required by applicable law.

8. Children

Zel is not directed at children under 13 (or under 16 in the EU/UK), and we do not knowingly collect data from them. If you believe a child has signed up, contact alexdevpanda@gmail.com and we'll delete the account.

9. International data transfers

Zel operates via cloud infrastructure that may store data in regions outside your country. Where required, we rely on standard contractual clauses or equivalent safeguards.

10. Changes to this policy

If we make material changes, we'll update the effective date above and — for significant changes — notify you in-app before they take effect.

11. Contact

This policy applies to the Zel mobile app (iOS and Android) and the Zel web app.