Privacy
This policy covers the Chara hosted service operated by Dow Technology. If you self-host Chara on your own server, you are the data controller and this policy does not apply — you set your own.
0 · What this policy covers
This policy applies to the Chara hosted service operated by Dow Technology. If you connect the Chara app to a self-hosted server run by someone else, the operator of that server is the data controller for data stored on it; this policy does not cover that data. Your local device data (PIN, Face ID, cached avatars) is processed by your operating system on your device — Chara never sees it.
1 · Who we are
This service is operated by Dow Technology, a Swedish enskild firma owned by Lucas Dow, who acts as the data controller. We are not required to appoint a formal Data Protection Officer; privacy inquiries are handled directly by the data controller at privacy@dowtech.dev.
2 · What we collect
Stored against your account:
- Email address — required to sign in.
- Display name — shown to people in your groups.
- Avatar URL — optional.
- Phone number — optional; used so people can pay you back via Swish or a similar app. We do not send SMS.
- Locale — your preferred language, defaulted from your device.
Stored against your groups and expenses:
- Expense entries — amount, currency, date, description, payer, split, and group members.
- Settlements — who paid whom and when.
- Receipts — any photos or PDFs you choose to attach. If you opt in to receipt scanning, the image is sent to Google's Gemini API for text extraction; the extracted text is stored next to the receipt.
- Activity log — for each group we record what changed so the group has a coherent history.
Stored for operations:
- Push tokens — an opaque identifier from Expo, plus platform and last-used timestamp.
- Magic-link tokens — one-time random tokens, hashed at rest, valid 15 minutes, deleted after use.
- Request logs — IP, user agent, path, and status code. Retained for security monitoring and operational diagnostics.
Product analytics and diagnostics:
- Pseudonymous product-interaction events via PostHog (host:
eu.i.posthog.com, EU region). Pseudonymous user ID only; no IDFA, no cross-app tracking. Can be disabled in Settings → Privacy. - Crash diagnostics — stack traces, device model, OS version. Not linked to your identity.
We do not collect: your contacts, your location, advertising identifiers, or payment card data.
Sign in with Apple. If you sign in via Apple's Hide My Email, your relay address (*@privaterelay.appleid.com) is stored like any other email. You can revoke the link at any time via iOS Settings → Apple ID → Sign in with Apple → Chara.
Biometric data. Face ID, Touch ID, and the optional in-app PIN are processed entirely on your device by iOS or Android. Chara never sees them or transmits them. The PIN is stored hashed in the device's secure enclave.
3 · Why we collect it (lawful basis)
- Contract (GDPR Art. 6(1)(b)) — to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — request logs for security, abuse prevention, and debugging.
- Consent (Art. 6(1)(a)) — push notifications, product analytics, and the optional Gemini receipt-scanning feature.
Where processing is based on consent, you have the right to withdraw your consent at any time without penalty. You can do so in Settings → Privacy (analytics), Settings → Notifications (push), or by simply not using the receipt-scanning feature. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4 · Who sees your data
The people you share groups with see the expenses in those groups. Outside that, we use these subprocessors:
| Subprocessor | Purpose | Region |
|---|---|---|
| Dow Technology private infrastructure (Stockholm, Sweden) | Primary hosting, database, file storage | Sweden / EU |
| Cloudflare | DNS, edge, email routing | US / global |
| Brevo (Sendinblue SAS) | Transactional email delivery (magic links) | France / EU |
| Expo (EAS) | Mobile app builds, push notification delivery | US |
| PostHog Cloud EU | Product analytics | Germany / EU |
| Google (Gemini API) | Optional receipt OCR | US |
| Apple Sign In | Optional sign-in | US |
| Google Sign In | Optional sign-in | US |
| European Central Bank | Public FX rates (no PII sent) | EU |
| Google Fonts | Marketing site fonts only | US |
US transfers rely on Standard Contractual Clauses and the EU–US Data Privacy Framework where the recipient is certified. We do not sell, rent, license, or trade personal data.
The marketing website (getchara.lovable.app) loads Google Fonts and is hosted on Lovable; it does not run product analytics or advertising trackers.
5 · Where your data lives
Primary storage and backups are in the EU. Transfers to US-based processors rely on Standard Contractual Clauses with supplementary measures as required under EU law.
6 · How long we keep it
- Active accounts: as long as the account exists.
- Account deletion: on request to
privacy@dowtech.devor in-app (Profile → Delete Account). We action requests within 30 days; backups rotate out within 90 days. - Request logs: retained for security monitoring and operational diagnostics.
- Billing records: not applicable while the service is free. Once paid plans launch, 7 years per Swedish accounting law.
7 · Your rights
Under GDPR you can access your data, correct it, export it, restrict processing, object, withdraw consent, and delete your account. Email privacy@dowtech.dev; we respond to verified requests within 30 days. You may also complain to your local supervisory authority — in Sweden, that's Integritetsskyddsmyndigheten (IMY).
You can delete your account from inside the app: Profile → Delete Account. All open balances on a server must be settled before deletion is allowed on that server.
Automated decision-making. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects. The optional receipt OCR feature extracts text from images you submit; it does not make decisions about you.
8 · Security
Transport is TLS, terminated at the network edge. Database and object storage volumes are encrypted at rest using industry-standard encryption. Access to production environments is restricted to authorized administrative personnel. Magic-link tokens are random and hashed at rest. See the security overview for the full picture.
9 · Children
Chara is not directed at children under 13. If you believe a child has signed up, contact us and we'll remove the account.
10 · California residents
If you are a California resident, you have the rights described in §7 (access, correction, portability, deletion, restriction, objection). We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. Contact privacy@dowtech.dev to exercise your rights.
11 · Changes
If we change this policy materially, we'll email active users and post a notice in-app. The "last updated" date above always reflects the current version.
