Privacy Policy

Effective date: March 26, 2026 · Last updated: March 26, 2026

01 Introduction

Welcome to Kaya ("we," "our," or "us"). Kaya is a mobile application and web platform ("Service") designed to help friend groups split expenses, track balances, and settle payments easily.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Kaya iOS application and the website at kaya.dlmbaccay.com. It also describes your rights under Republic Act No. 10173, also known as the Data Privacy Act of 2012 ("DPA"), and its Implementing Rules and Regulations.

By accessing or using Kaya, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms herein, please discontinue use of the Service immediately.

02 Who We Are

Kaya is an independently developed application. For purposes of the Data Privacy Act of 2012, the developer of Kaya acts as the Personal Information Controller (PIC) — the entity that determines the purposes and means of processing your personal data.

Contact
Email: dlmbaccay@gmail.com
Website: kaya.dlmbaccay.com

03 Information We Collect

3.1 Information You Provide Directly

  • Account Information: When you sign in via Google or Apple, we receive your name and email address from the respective identity provider. We do not collect or store passwords.
  • Profile Information: Your display name, first name, last name, and optionally a profile photo (avatar) that you choose to upload.
  • Group Data: Names of expense groups you create or join, and the category of those groups (e.g., trip, food, home).
  • Expense Data: Descriptions of expenses, amounts (stored in Philippine Peso centavos), expense category, date, who paid, and how the expense is split among group members.
  • Settlement Data: Records of payments between members, including optional notes and optional payment proof photos you choose to upload.
  • Invite Information: If you invite someone to a group via email, we collect the recipient's email address for the purpose of sending that single invitation. This is stored as a pending invite until accepted or until the group is deleted.
  • User-Generated Content: Photos of receipts or payment proofs that you upload within the app.

3.2 Information Collected Automatically

  • Push Notification Token: If you grant notification permissions, we collect your device's Expo push notification token and store it against your profile to deliver expense and settlement notifications. This token is device-specific and does not identify you personally on its own.
  • Authentication Session Data: We use Supabase for authentication, which maintains a session token stored on your device via AsyncStorage. This allows you to remain signed in across sessions.

3.3 Information We Do Not Collect

We do not collect:

  • Payment card numbers, bank account details, or GCash credentials
  • Precise GPS or location data
  • Microphone, camera roll (photos are explicitly chosen by you via picker), or contacts
  • Browsing history, behavioral tracking, or advertising identifiers
  • Biometric data (Face ID / Touch ID is handled entirely by your device's OS and is never transmitted to us)

04 How We Use Your Information

We use the information we collect for the following purposes, all of which constitute legitimate interests or are necessary for the performance of the service you requested:

| Purpose | Data Used | Basis |
|---|---|---|
| Create and maintain your account | Name, email, avatar | Performance of contract |
| Display your profile within groups | Display name, avatar | Performance of contract |
| Record and split expenses | Expense data, split amounts | Performance of contract |
| Track balances between group members | Expense data, settlement data | Performance of contract |
| Send group invite emails | Recipient email address | Legitimate interest / consent |
| Send push notifications for expenses and settlements | Push token | Consent |
| Maintain data integrity for deleted accounts | Anonymized profile row | Legitimate interest |
| Detect abuse and enforce Terms of Service | Account and usage data | Legitimate interest |
| Improve the Service | Aggregate, non-identifiable usage patterns | Legitimate interest |

We do not use your data for advertising, profiling, or sale to third parties.

05 How We Share Your Information

5.1 Within Your Groups

Kaya is a collaborative app — certain information is visible to members of groups you belong to:

  • Your display name and avatar are visible to all members of any group you join.
  • Expense amounts, descriptions, categories, and who paid are visible to all group members.
  • Settlement records between you and another member are visible to both parties and to all group members in the Activity tab.
  • Receipts and payment proof photos you upload are visible to all group members.

By joining a group, you consent to this visibility within that group's membership.

5.2 Third-Party Service Providers

We use the following third-party processors in the delivery of Kaya. Each processes data only as necessary for the stated purpose:

Supabase, Inc.
  • Role: Database, authentication, file storage
  • Data: All user and app data stored on Supabase's cloud infrastructure
  • Location: Supabase's default region (US East unless configured otherwise)

Google LLC (Google OAuth)
  • Role: Identity provider for Google Sign-In
  • Data: Your Google account name and email address at sign-in

Apple Inc. (Sign in with Apple)
  • Role: Identity provider for Apple Sign-In
  • Data: Your Apple ID name and email (or relay email if you chose to hide it)

Resend, Inc.
  • Role: Transactional email delivery
  • Data: Recipient email address for group invite emails

Expo (Expo Application Services / EAS)
  • Role: Mobile app distribution, push notification delivery
  • Data: Expo push notification tokens for delivering in-app notifications

We do not sell, rent, or trade your personal information to any third party.

5.3 Legal Obligations

We may disclose your information if required to do so by applicable law, court order, or governmental authority in the Philippines or any other applicable jurisdiction.

06 Data Retention

| Data Type | Retention Period |
|---|---|
| Active account (profile, group data, expenses, settlements) | For as long as your account is active |
| Invite emails (pending status) | Until accepted, or until the group is deleted |
| Invite emails (accepted status) | Retained for record-keeping while the group exists |
| Push notification tokens | Retained while account is active; removed on account deletion |
| Storage files (avatars, receipts) | Retained while account is active; not automatically deleted on account deletion (see note below) |
| Anonymized profile row (deleted accounts) | Indefinitely, for referential integrity of historical expense and settlement records |

Note on Storage Files: When you delete your account, your profile row is anonymized (your name is replaced with "Deleted User" and your avatar URL is cleared). However, receipt photos and payment proof images you previously uploaded to group expenses may remain in cloud storage as they are linked to shared group expense records, not solely to your account. If you wish to request deletion of specific uploaded files, contact us directly.

07 Account Deletion

You may delete your account at any time from the Profile screen in the app. Upon deletion:

  1. Your profile is anonymized — your name becomes "Deleted User," your avatar is removed, and your email is disassociated.
  2. You are removed from all group memberships.
  3. All groups you created are deleted (along with their associated expenses and settlements).
  4. Your authentication account (Apple or Google) is revoked from our system.
  5. Your push notification token is cleared.

Expenses and settlements you participated in (but did not create the group for) remain in those groups' history attributed to "Deleted User" to preserve the financial records of other members.

This process is irreversible. We recommend settling all outstanding balances before deleting your account.

08 Your Rights Under the Data Privacy Act of 2012

As a data subject under Republic Act No. 10173 and its IRR, you have the following rights:

  • Right to be Informed: You have the right to be informed that your personal data is being collected and processed. This Privacy Policy fulfills that obligation.
  • Right to Access: You may request a copy of the personal data we hold about you. Submit requests to dlmbaccay@gmail.com.
  • Right to Rectification: You may correct inaccurate or outdated personal data through the Edit Profile screen in the app, or by contacting us directly.
  • Right to Erasure or Blocking: You may request deletion of your personal data. The in-app Account Deletion flow is the primary mechanism. For specific file deletion requests (e.g., uploaded receipts), contact us directly.
  • Right to Object: You may object to processing of your personal data, including for direct marketing purposes. As Kaya does not engage in direct marketing, this right is primarily relevant to any future changes in use.
  • Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format. Contact us to request a data export.
  • Right to File a Complaint: If you believe your data privacy rights have been violated, you may file a complaint with the National Privacy Commission (NPC) of the Philippines: privacy.gov.ph · info@privacy.gov.ph · 5th Floor, Delegation Building, PICC Complex, Pasay City, 1307

To exercise any of these rights, email us at dlmbaccay@gmail.com. We will respond within 30 days of receiving your request.

09 Data Security

We take reasonable technical and organizational measures to protect your personal data, including:

  • All data in transit is encrypted via HTTPS/TLS
  • Supabase enforces Row-Level Security (RLS) on all database tables — you can only read and write data you are authorized to access
  • Authentication is handled exclusively via OAuth 2.0 (Google, Apple) — we never store passwords
  • Storage buckets for avatars and receipts enforce appropriate access policies
  • Edge Functions that require service-role access operate server-side only and are never exposed to the client

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong credentials with your linked Google or Apple account.

10 Children's Privacy

Kaya is not directed to individuals under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at dlmbaccay@gmail.com and we will take steps to delete that information.

11 International Users

Kaya is designed primarily for Philippine users, and data may be stored on servers located outside the Philippines (Supabase's infrastructure). By using Kaya, you acknowledge and consent to the transfer of your personal data to servers outside the Philippines, subject to appropriate safeguards consistent with the Data Privacy Act of 2012.

12 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document. For significant changes, we may also provide notice within the app.

Continued use of Kaya after changes have been posted constitutes your acceptance of the revised Privacy Policy.

13 Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Dominic Baccay
Email: dlmbaccay@gmail.com
Website: kaya.dlmbaccay.com

This Privacy Policy was last reviewed and updated on March 26, 2026.