Privacy Policy
Last updated: May 16, 2026
The short version: We collect only what's needed to make Chaaq work. We don't sell your data. We don't show ads. We don't track you across other apps or websites. Your financial information stays between you and the people you share it with.
1. Who we are
Chaaq is operated by CapraTrail Studios LLP ("we", "us", "our"), the data controller for the personal information described in this policy. This policy explains how we handle your information when you use the Chaaq mobile app and our website at chaaq.app.
2. What we collect
We collect information in two ways: what you give us directly, and what's generated when you use the app.
Information you provide:
- Account details — phone number (when using OTP authentication), email address (when using email or Sign in with Apple), display name, and an optional profile photo. If you use Sign in with Apple and choose to hide your email, we receive only the relay email Apple provides.
- Financial records — expense descriptions, amounts, currencies, split details, payment records, and notes you add to transactions
- Group and chit fund data — group and chit names, member lists, configuration choices, bid amounts, winner records, and payment status
- Contact information for non-Chaaq users — names and phone numbers of people you explicitly add to splits, groups, or chits. We never read your full device contact list — only individuals you select via the in-app picker after granting Contacts permission.
- Receipt images — photos you attach to expenses
Information generated automatically:
- Device information — device model, operating system version, and app version (for crash reporting and compatibility)
- Usage data — which features you use and how often, aggregated and not tied to individual user profiles
- Authentication tokens — secure tokens for keeping you signed in
- Push notification tokens — an anonymous device token (APNs token) so we can deliver notifications you've opted into
What we do NOT collect:
- Bank account or credit card numbers
- Your full device contact list
- Location data
- Browsing history
- SMS or call logs
- Health, biometric, or other sensitive personal data
App Tracking Transparency: Chaaq does not "track" you as defined by Apple's App Tracking Transparency framework. We do not link your identity or activity in Chaaq to data collected by other companies' apps or websites for advertising, measurement, or any other cross-context purpose.
3. How we use your information
We use your data to make the app work. Specifically:
- Provide the service — tracking expenses, calculating balances, managing groups and chit funds (lawful basis: contract performance under GDPR Article 6(1)(b))
- Authentication — verifying your identity via phone OTP, email/password, or Sign in with Apple (lawful basis: contract performance)
- Notifications — sending payment reminders and activity updates only if you opt in (lawful basis: consent under Article 6(1)(a))
- Service improvements — understanding aggregate usage to make features better (lawful basis: legitimate interests under Article 6(1)(f))
- Support — responding when you contact us with questions or issues
- Legal compliance — when required by law, regulation, or valid legal process (lawful basis: legal obligation under Article 6(1)(c))
We never use your data for: advertising, selling to third parties, profiling for marketing, or any purpose unrelated to the app's functionality. We do not engage in automated decision-making that produces legal or similarly significant effects on you.
4. How we store and protect your data
Your data is stored on Google Firebase / Cloud Firestore, which provides enterprise-grade security including encryption at rest (AES-256) and in transit (TLS 1.2+), automatic backups, and compliance with SOC 1, SOC 2 Type II, ISO 27001, and ISO 27018 standards.
Receipt images are stored in Firebase Cloud Storage with authenticated access only — no one can view your receipts without being signed into an account that has access to them.
We enforce strict Firestore security rules, server-side: you can only read and write data that belongs to you or groups and chits you're an active member of. These rules cannot be bypassed by a modified client.
5. Payments
Chaaq is an expense tracker, not a payment processor. When you record a payment, you're logging that a payment happened — the actual money transfer happens outside the app (cash, bank transfer, UPI, etc.).
For Pro subscriptions, payments are processed through Apple's In-App Purchase system. We never see or store your payment card details — Apple handles all payment processing under their own privacy policy.
If we add additional payment methods in the future (such as Razorpay or Stripe for non-IAP paths), they will process payment data under their own privacy policies and PCI DSS standards. We will update this policy and notify you before that change takes effect.
6. Who can see your data
- Your individual splits — only you and the person you're tracking expenses with
- Group expenses — all members of that specific group
- Chit fund data — all members of that specific chit fund
- Your profile — your name and avatar are visible to people you share groups, chits, or splits with
We do not share your data with any third parties for marketing, advertising, profiling, or any other commercial purpose.
7. Third-party services
We use a small number of trusted services to operate the app. Each is bound by a data processing agreement and operates under its own privacy policy:
- Google Firebase — authentication, Firestore database, cloud storage, crash reporting, and push notification delivery (privacy policy)
- Apple — Sign in with Apple, In-App Purchase, and Apple Push Notification service (privacy policy)
These providers process data on our behalf solely to deliver the services we use. They are contractually prohibited from using your data for their own purposes.
8. Your rights
You have full control over your data. Depending on your location, you have the following rights:
All users:
- Access — request a copy of all data we hold about you
- Correction — update your profile information anytime in the app
- Deletion — delete your account and all associated data from Settings → Delete Account
- Export — request a machine-readable export of your data by emailing us
Users in the EU, UK, and EEA (GDPR): in addition to the rights above, you have the right to:
- Restrict or object to the processing of your personal data
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your national data protection supervisory authority
We do not have an appointed Data Protection Officer because the scale and nature of our processing does not require one under GDPR Article 37. For all data protection matters, contact info@chaaq.app.
Users in California (CCPA / CPRA): you have the right to:
- Know what personal information we collect, use, and share
- Request deletion of your personal information
- Opt out of the "sale" or "sharing" of your personal information (we do not sell or share personal information as defined by CCPA, so there is nothing to opt out of)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at info@chaaq.app. We'll respond within 30 days (or 45 days for CCPA requests, with possible extension).
9. Data retention
We keep your personal data for as long as your account is active. When you delete your account, we permanently remove all your personal data, expense records, and receipt images from our active systems within 30 days. Backup copies are purged within 90 days.
Some anonymized, aggregated data (which cannot identify you) may be retained for service improvement and analytics. Limited information may be retained longer where required by applicable law, regulation, or to resolve disputes — for example, records required for tax or anti-fraud compliance.
10. Children's privacy
Chaaq is not intended for children under 13, or older where local law requires a higher minimum age (some EU countries require 16). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has provided us with personal information, please contact us at info@chaaq.app and we will promptly delete it.
11. International users
Chaaq is available worldwide. Your data is stored on Google Cloud servers and may be processed in the regions where Google operates, which may be outside your home country. Where data is transferred from the EU/EEA, UK, or other regions with data protection regulations, we rely on appropriate safeguards including the EU Standard Contractual Clauses and Google's certifications under relevant frameworks. By using the app, you consent to these transfers.
12. Cookies and similar technologies
The Chaaq mobile app does not use cookies. Our website (chaaq.app) uses only essential cookies necessary for the site to function — no tracking, advertising, or analytics cookies.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we'll notify you through the app or by email. The "Last updated" date at the top tells you when this policy was last revised. Continued use of Chaaq after a change means you accept the updated policy.
14. Contact us
Questions, concerns, or requests about your privacy? Reach out:
- Email: info@chaaq.app
- Website: chaaq.app
We aim to respond to all privacy-related inquiries within 7 days.