Privacy Policy

PRIVACY POLICY

Tabfare

Effective Date: September 28, 2025 | Last Revised: February 18, 2026

Entity: Media Strife Holdings LLC d/b/a Tabfare (“Tabfare,” “we,” “our,” or “us”)

Contact: support@tabfare.ai

Mailing Address: [Registered address in New York State]

1. Introduction

This Privacy Policy explains how Media Strife Holdings LLC d/b/a Tabfare collects, uses, discloses, retains, and protects your personal information when you use our mobile applications (iOS and Android), websites (including tabfare.ai), web applications, and all related services, features, and hosted content (collectively, the “Services”).

This Privacy Policy is incorporated into and forms part of our Terms and Conditions. By downloading, installing, accessing, or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, you must stop using the Services and delete the application from your device(s).

We may update this Privacy Policy from time to time. Please review it periodically. For material changes, we will provide notice as described in Section 16.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (“GDPR”), UK GDPR, and other applicable data-protection laws, the data controller responsible for your personal information is:

Media Strife Holdings LLC d/b/a Tabfare

Email: support@tabfare.ai

Address: [Registered address], New York, NY

If you are located in the EU/EEA or UK and wish to exercise your data-protection rights, you may contact us at the above address or email. If required under GDPR Article 27, we will appoint and disclose an EU/UK representative.

3. Information We Collect

3.1 Information You Provide Directly

Account Information: When you create an account, we collect your name, email address, phone number (optional), and password (stored in hashed form). If you sign in via a third-party provider (e.g., Sign in with Apple, Google Sign-In), we receive limited profile data as permitted by that provider.

Profile Information: Avatar or profile photo (optional), display name, payment handles (e.g., Venmo® username, PayPal® email, Cash App® $cashtag, Zelle® identifier), and group or trip names.

Receipts and Bills: Images you upload for OCR scanning, OCR-extracted text and itemized data, manually entered bill details, recurring-expense entries, and participant details (names, email addresses, or phone numbers of people you add to a split).

Payment Request Information: When you generate a payment request, we collect the payee handle, amount, and a description or memo. We do NOT collect, process, store, or have access to your banking information, credit card numbers, or payment credentials.

Support Communications: Information you provide when you contact customer support, including email correspondence, in-app feedback, and any attachments.

Survey and Feedback Data: Responses you provide to optional surveys, polls, or feedback requests.

3.2 Information Collected Automatically

Device Information: Device type, model, operating system and version, app version, unique device identifiers (e.g., IDFV on iOS, Android ID), screen resolution, and language/locale settings.

Usage Data: App interactions (screens viewed, features used, buttons tapped), session duration, crash logs, error reports, and performance data.

Log Data: IP address (used for approximate geolocation, security, and fraud prevention), access timestamps, referring URLs (for web access), and browser type (for web access).

Location Data (Optional): Approximate or precise location data only if you explicitly grant permission through your device’s operating-system settings (e.g., for receipt geotagging). You may revoke location permission at any time through your device settings. We do not collect location data by default.

3.3 Information from Third Parties

App Stores (Apple, Google): Subscription status, purchase receipts, transaction identifiers, and renewal information. We do not receive your payment method details.

Payment Applications: When you open a payment request via Venmo, PayPal, Cash App, or Zelle, we may receive limited confirmation identifiers (e.g., that a request was initiated). We never receive your banking data, account balances, or transaction history from these platforms.

Authentication Providers: If you use Sign in with Apple or Google Sign-In, we receive only the information you authorize (typically name and email).

3.4 Information We Do NOT Collect

We do not collect biometric data (fingerprints, face scans, voiceprints).
We do not collect financial account numbers, credit/debit card numbers, or bank routing numbers.
We do not use third-party ad-tracking cookies or cross-app tracking identifiers (IDFA/GAID).
We do not participate in the AppTrackingTransparency (ATT) tracking framework because we do not track users across third-party apps or websites.

4. How We Use Your Information

We process your personal information for the following purposes:

Provide and operate the Services — OCR scanning, bill splitting, group tracking, payment request generation.

Legal basis (GDPR): Contract performance.

Improve and optimize the Services — Analyzing usage patterns, A/B testing features, debugging errors.

Legal basis (GDPR): Legitimate interest.

Communicate with you — Transactional emails, subscription confirmations, support responses, service announcements.

Legal basis (GDPR): Contract performance / Legitimate interest.

Security and fraud prevention — Detecting unusual activity, enforcing Terms, preventing abuse.

Legal basis (GDPR): Legitimate interest / Legal obligation.

Legal compliance — Tax obligations, responding to lawful requests, dispute resolution.

Legal basis (GDPR): Legal obligation.

Marketing (with consent) — Product updates, new feature announcements, promotional offers.

Legal basis (GDPR): Consent (opt-in).

We do not sell your personal information. We do not share your personal information with third parties for their own direct marketing purposes. We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects on you.

5. AI and Machine-Learning Processing

Tabfare uses optical character recognition (OCR) and machine-learning (ML) models to parse receipt images and extract itemized data. We want to be transparent about how this works:

On-device vs. cloud processing: Some OCR processing may occur locally on your device. When server-side processing is required, receipt images are transmitted via encrypted channels (TLS 1.2+) to our cloud infrastructure.
Third-party AI services: We may use third-party ML/AI services (e.g., Google Cloud Vision, Firebase ML) to process receipt images. These services process data solely on our behalf under data-processing agreements. Your data is not used by these third parties to train their own models or for any purpose other than providing the service to Tabfare.
Model training: We may use anonymized and aggregated receipt layout patterns (with all personal identifiers removed) to improve our OCR accuracy. Individual receipt images containing personal data are not used for model training without your explicit, separate consent.
Data retention for processing: Receipt images sent for cloud OCR processing are deleted from processing servers within 24 hours after extraction is complete. Only the extracted text data is retained in your account.

6. Sharing and Disclosure of Information

We share your personal information only in the following limited circumstances:

6.1 With Other Users (At Your Direction)

When you add participants to a bill split or share a group expense, those participants can see your name, the bill details, and the amounts owed. You control who you add and what you share.

6.2 With Third-Party Payment Platforms

When you generate a payment request, we transmit the necessary information (payee handle, amount, memo) to the selected payment platform (Venmo, PayPal, Cash App, Zelle) to initiate the request. These platforms are governed by their own privacy policies.

6.3 With Service Providers

We engage trusted third-party service providers who process data solely on our behalf and under our instructions, subject to data-processing agreements that require them to protect your data:

Google Firebase / Firestore — Purpose: Backend infrastructure, database hosting, authentication, App Check. Data accessed: account data, bill/receipt data, usage metadata.
Google Cloud Vision / Firebase ML — Purpose: OCR and ML receipt processing. Data accessed: receipt images (transient, deleted within 24 hours).
Firebase Analytics — Purpose: Anonymized usage analytics. Data accessed: anonymized usage events, device type, app version.
Firebase Crashlytics — Purpose: Crash reporting and stability monitoring. Data accessed: crash logs, device info, stack traces (no PII).
Cloud hosting (e.g., GCP) — Purpose: Server infrastructure. Data accessed: all data stored in Services (encrypted at rest).
Email service provider — Purpose: Transactional and support emails. Data accessed: email address, name.

All service providers are contractually bound to use your data only for the specified purposes and to maintain at least the same level of data protection as described in this Privacy Policy.

6.4 For Legal Reasons

We may disclose your information if required to do so by law (e.g., subpoena, court order, government request) or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights, property, or safety of Tabfare, our users, or the public; (c) prevent fraud or address security issues; or (d) enforce our Terms and Conditions.

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice within the Services before your information is subject to a different privacy policy.

6.6 With Your Consent

We may share your information in other circumstances with your explicit consent.

6.7 We Never

Sell your personal information to any third party.
Share your personal information with advertisers for targeted advertising.
Share your data with data brokers.
Use your data for cross-app tracking.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account data: Retained until account deletion + 30 days (grace period for accidental deletion).
Receipts and bill data: Retained until you delete them or delete your account (user-controlled).
OCR-processed images (cloud): Deleted within 24 hours of extraction. Only extracted text is retained in your account.
Usage analytics: 26 months, anonymized (per Firebase Analytics defaults).
Crash logs: 90 days. No PII included.
Backup copies: Up to 90 days after deletion (automatic backup rotation).
Support correspondence: 3 years after resolution (for quality assurance and legal compliance).
Legal hold / dispute data: Duration of hold + applicable statute of limitations (as required by law).

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Data stored in our databases is encrypted at rest using AES-256 or equivalent.
Authentication and access controls: Passwords are salted and hashed. We enforce role-based access controls for internal access to user data. Firebase App Check verifies client integrity.
Firestore security rules: Database-level rules ensure users can only access their own data.
Monitoring: We monitor for suspicious activity, unauthorized access attempts, and anomalies.
Incident response: We maintain an incident-response plan. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law (e.g., within 72 hours under GDPR).

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.

9. Your Privacy Rights

9.1 All Users

Regardless of your location, you may:

Access your personal information stored in your Tabfare account at any time through the app.
Edit or correct your account information through Settings.
Delete individual receipts, bills, or groups within the app.
Delete your account entirely (see Section 11).
Opt out of marketing communications by using the unsubscribe link in any email or adjusting notification preferences in Settings.
Revoke location permission through your device’s operating-system settings at any time.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act as amended by the California Privacy Rights Act, you have the following rights:

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes of collection, and the categories of third parties with whom we shared your data.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance).
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt Out of Sale/Sharing: Tabfare does not sell or share your personal information as defined by the CCPA/CPRA. No opt-out is required, but you may still make such a request for the record.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
Right to Limit Use of Sensitive Personal Information: Tabfare does not collect sensitive personal information as defined by the CPRA (e.g., Social Security numbers, precise geolocation for profiling, racial/ethnic data).

To submit a request: Email support@tabfare.ai with the subject line “CCPA Request.” We will verify your identity before fulfilling any request. We will respond within 45 days (extendable by an additional 45 days with notice).

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent’s authority.

CCPA Data Collection Summary (Preceding 12 Months)

Identifiers (name, email, phone) — Collected: Yes | Sold: No | Shared for cross-context behavioral ads: No
Commercial information (purchase/subscription history) — Collected: Yes | Sold: No | Shared: No
Internet / electronic activity (usage data, logs) — Collected: Yes | Sold: No | Shared: No
Geolocation, approximate (from IP) — Collected: Yes | Sold: No | Shared: No
Precise geolocation — Collected: Only with consent | Sold: No | Shared: No
Visual information (receipt images) — Collected: Yes | Sold: No | Shared: No
Inferences (spending patterns) — Collected: No | Sold: No | Shared: No
Sensitive personal information — Collected: No | N/A | N/A

9.3 EU/EEA Residents (GDPR)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:

Right of Access (Art. 15): Obtain a copy of the personal data we hold about you.
Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal exceptions.
Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: You may file a complaint with your local Data Protection Authority.

To exercise any right, email support@tabfare.ai. We will respond within 30 days (extendable by up to 60 days for complex requests, with notice).

9.4 UK Residents (UK GDPR and Data Protection Act 2018)

You have the same rights as described in Section 9.3 above. You may file a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk. Nothing in this Privacy Policy overrides your statutory rights under the Consumer Rights Act 2015 or the Data Protection Act 2018.

9.5 Other Jurisdictions

If you reside in a jurisdiction with consumer-privacy laws that provide additional rights (e.g., Brazil’s LGPD, Canada’s PIPEDA, Australia’s Privacy Act 1988, or state-level U.S. privacy laws such as those in Virginia, Colorado, Connecticut, and others), those rights are not affected by this Privacy Policy, and we will comply with applicable local requirements.

10. International Data Transfers

Tabfare is based in the United States. Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

If you are located in the EU/EEA, UK, or another jurisdiction with data-transfer restrictions, we rely on the following legal mechanisms to safeguard your data during international transfers:

Standard Contractual Clauses (SCCs): EU-approved SCCs incorporated into our data-processing agreements with service providers.
UK International Data Transfer Agreement (IDTA) or UK Addendum: For transfers from the UK.
Adequacy decisions: Where the European Commission or UK Secretary of State has determined a country provides adequate protection.
EU-U.S. Data Privacy Framework: Where applicable, we rely on service providers certified under the EU-U.S. Data Privacy Framework.

You may request information about the specific safeguards applied to your data transfers by contacting support@tabfare.ai.

11. Account Deletion

You have the right to delete your Tabfare account at any time. Account deletion is available:

In-app: Settings > Account > Delete Account.
By email: Send a request to support@tabfare.ai from the email associated with your account.

When you delete your account:

All receipts, bills, overlays, groups, and profile data are permanently deleted from active systems within 30 days.
Backup copies may persist for up to 90 days before permanent deletion through automatic backup rotation.
Anonymized and aggregated data that cannot reasonably identify you may be retained.
Data subject to a legal hold, regulatory requirement, or active dispute will be retained until the obligation is resolved.
Your subscription (if any) is NOT automatically cancelled by account deletion. You must cancel separately through Apple or Google (see Terms and Conditions, Section 5.3).

12. Children’s Privacy

The Services are not directed to children under the age of 13 (or the minimum age required by applicable law in your jurisdiction, such as 16 in certain EU member states).

We do not knowingly collect personal information from children below these age thresholds without verifiable parental consent. If we become aware that we have collected personal information from a child without proper consent, we will take steps to delete that information as promptly as possible.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at support@tabfare.ai.

13. Cookies and Tracking Technologies

13.1 Mobile Application

The Tabfare mobile app does not use traditional browser cookies. We use:

Local storage / device preferences: To remember your settings, authentication state, and display preferences.
Firebase Analytics (anonymized): Collects anonymized usage events, app version, and device type. Does not use IDFA or GAID. Respects device-level “Limit Ad Tracking” and “Opt out of Ads Personalization” settings.
Firebase Crashlytics: Collects crash reports and stack traces. No personally identifiable information is included.

13.2 Website (tabfare.ai)

Our website may use:

Essential cookies: Required for login sessions and security. Cannot be disabled.
Analytics cookies: Anonymized usage analytics (e.g., page views). We do not use third-party advertising cookies.
Preference cookies: To remember your display and language preferences.

We do not use third-party ad-tracking cookies. We do not engage in cross-site tracking. EU/UK users will be presented with a cookie-consent banner for non-essential cookies.

13.3 Do Not Track

Some browsers transmit a “Do Not Track” (DNT) signal. There is no universally accepted standard for how to respond to DNT signals. Because Tabfare does not engage in cross-site tracking, our practices are already consistent with DNT principles.

14. Free Tier vs. Premium: Privacy Differences

Both Free Tier and Premium users receive the same privacy protections. The differences between tiers are purely functional, not privacy-related, with one exception:

Advertising (Free Tier only): Free Tier users may see non-targeted, contextual banner advertisements. These ads are not personalized based on your data and do not involve sharing your personal information with advertisers. Ad providers may collect anonymized impression data (e.g., that an ad was displayed) but do not receive your identity, usage data, or receipt content.
Ad-free experience (Premium): Tabfare Premium subscribers ($2.99 USD/month + tax) do not see any advertisements.

15. Third-Party Links and Services

The Services may contain links to or integrations with third-party websites and services, including Venmo®, PayPal®, Cash App®, Zelle®, Apple App Store, and Google Play Store. These third-party services have their own privacy policies, and Tabfare is not responsible for their privacy practices. We encourage you to review those policies before interacting with those services.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

We will update the “Last Revised” date at the top of this Policy.
For material changes, we will provide at least 14 days’ advance notice via email, in-app notification, or prominent posting on the Services.
For changes affecting how we process your data under GDPR (e.g., new purposes, new categories of recipients), we will provide 30 days’ advance notice and, where required, obtain your renewed consent.
Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.
If you do not agree with a revised Privacy Policy, you must stop using the Services, cancel any active subscription, and delete your account.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

General Inquiries / Privacy Requests: support@tabfare.ai

CCPA Requests: support@tabfare.ai (Subject: “CCPA Request”)

GDPR / UK Data Protection Requests: support@tabfare.ai (Subject: “GDPR Request”)

Data Protection Officer (if appointed): [To be designated as required]

Mail: Media Strife Holdings LLC d/b/a Tabfare, [Registered Address], New York, NY

We aim to respond to all privacy inquiries within 30 days (or sooner as required by applicable law).