Privacy Policy
Latest updated: June 16, 2026
Content
1. Introduction
This Privacy Policy explains how MVM Solutions ("Tabsnap", "we", "us", "our") collects, uses, and protects your personal data when you use the Tabsnap iOS app and the tabsnap.app website. MVM Solutions is a sole trader based in Amsterdam, the Netherlands, and acts as the Data Controller for the personal data described here.
Tabsnap is a bill-splitting app for iOS. You scan a restaurant receipt, split the items between participants, and each participant pays the host through their own bank app. Tabsnap does not handle money itself.
If you have questions about this policy, email contact@tabsnap.app
1. Introduction
This Privacy Policy explains how MVM Solutions ("Tabsnap", "we", "us", "our") collects, uses, and protects your personal data when you use the Tabsnap iOS app and the tabsnap.app website. MVM Solutions is a sole trader based in Amsterdam, the Netherlands, and acts as the Data Controller for the personal data described here.
Tabsnap is a bill-splitting app for iOS. You scan a restaurant receipt, split the items between participants, and each participant pays the host through their own bank app. Tabsnap does not handle money itself.
If you have questions about this policy, email contact@tabsnap.app
2. Data we collect
We collect only the data we need to run the app. We do not sell data. We do not use advertising SDKs. We do not track you for marketing.
Account data
A user ID
A phone number (used as your account identifier, since we sign you in through SMS verification)
An optional email address (only if you choose to add one in your profile, used for account recovery, never for marketing or sign-in)
A display name
An avatar URL and avatar colour
Account metadata (account creation timestamp, last sign-in timestamp)
Bill data
Venue name, date, and items with prices
Participants you add (name, optional email)
Who owes what on each bill
Payment URLs you paste as the host (for example a Tikkie or iDEAL link)
Payment-status markers (paid, unpaid)
Receipt images
The photo you take of the receipt
Stored in a private Supabase Storage bucket, readable only by the bill host and the bill's participants
Audit log
Every change made to a bill, with timestamp (edit, add participant, mark paid)
Usage counters
Your daily scan count and an estimated Anthropic token cost, used internally for rate limiting
Crash telemetry
Stack traces, iOS version, device model
Anonymised by default (no user content is captured)
Push notification token
If you turn on notifications, your device registers with the Apple Push Notification service and we store the resulting device push token, linked to your account, so we can notify you about your bills (for example when someone pays their share)
You can turn notifications off at any time in iOS Settings, which stops the pushes
Product analytics
Anonymous product-usage events (for example which screens you open and which actions you take), used to understand how the app is used and to improve it
Your account is referenced only by a one-way hashed id, and we do not send your name, phone number, email, or exact bill amounts to analytics
You can switch this off any time under Settings > Notifications > Anonymous analytics
What we do not collect
Email address at sign-up (phone number is your identifier, email in your profile is optional and provided by you only if you want it, used for account recovery)
Location
We do not store your contact list. When you grant Contacts permission, your contacts' phone numbers are sent to our EU server only to check which of them already use Tabsnap. They are matched and then discarded, not stored, see Section 3 for how matching works.
Credit card numbers (there are none, Tabsnap does not process cards)
IBAN numbers as separate fields (the host pastes a payment URL, we do not store bank account numbers)
Marketing preferences
Advertising identifiers, IDFA, or ad IDs
2. Data we collect
We collect only the data we need to run the app. We do not sell data. We do not use advertising SDKs. We do not track you for marketing.
Account data
A user ID
A phone number (used as your account identifier, since we sign you in through SMS verification)
An optional email address (only if you choose to add one in your profile, used for account recovery, never for marketing or sign-in)
A display name
An avatar URL and avatar colour
Account metadata (account creation timestamp, last sign-in timestamp)
Bill data
Venue name, date, and items with prices
Participants you add (name, optional email)
Who owes what on each bill
Payment URLs you paste as the host (for example a Tikkie or iDEAL link)
Payment-status markers (paid, unpaid)
Receipt images
The photo you take of the receipt
Stored in a private Supabase Storage bucket, readable only by the bill host and the bill's participants
Audit log
Every change made to a bill, with timestamp (edit, add participant, mark paid)
Usage counters
Your daily scan count and an estimated Anthropic token cost, used internally for rate limiting
Crash telemetry
Stack traces, iOS version, device model
Anonymised by default (no user content is captured)
Push notification token
If you turn on notifications, your device registers with the Apple Push Notification service and we store the resulting device push token, linked to your account, so we can notify you about your bills (for example when someone pays their share)
You can turn notifications off at any time in iOS Settings, which stops the pushes
Product analytics
Anonymous product-usage events (for example which screens you open and which actions you take), used to understand how the app is used and to improve it
Your account is referenced only by a one-way hashed id, and we do not send your name, phone number, email, or exact bill amounts to analytics
You can switch this off any time under Settings > Notifications > Anonymous analytics
What we do not collect
Email address at sign-up (phone number is your identifier, email in your profile is optional and provided by you only if you want it, used for account recovery)
Location
We do not store your contact list. When you grant Contacts permission, your contacts' phone numbers are sent to our EU server only to check which of them already use Tabsnap. They are matched and then discarded, not stored, see Section 3 for how matching works.
Credit card numbers (there are none, Tabsnap does not process cards)
IBAN numbers as separate fields (the host pastes a payment URL, we do not store bank account numbers)
Marketing preferences
Advertising identifiers, IDFA, or ad IDs
3. When someone sends you a Tabsnap link (web participants)
You can open a Tabsnap split or payment link in your browser without an account. When you do, we process only what you give us: the name or nickname you type, the items you select or claim, and, if you mark your share as paid, the amount and payment method you enter. The controller is MVM Solutions (Amsterdam). Our legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in letting invited people split a bill without creating an account. We keep this information for as long as the host keeps the bill, and it is deleted at most about 30 days after the host deletes the bill. We do not use it for marketing or advertising. Your browser also stores a random device identifier and your last-used name in local storage so you can return and adjust your own claim; this is functional only, not analytics or tracking. The receipt photo the host attached is visible to everyone who has the link. Questions: contact@tabsnap.app.
3. When someone sends you a Tabsnap link (web participants)
You can open a Tabsnap split or payment link in your browser without an account. When you do, we process only what you give us: the name or nickname you type, the items you select or claim, and, if you mark your share as paid, the amount and payment method you enter. The controller is MVM Solutions (Amsterdam). Our legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in letting invited people split a bill without creating an account. We keep this information for as long as the host keeps the bill, and it is deleted at most about 30 days after the host deletes the bill. We do not use it for marketing or advertising. Your browser also stores a random device identifier and your last-used name in local storage so you can return and adjust your own claim; this is functional only, not analytics or tracking. The receipt photo the host attached is visible to everyone who has the link. Questions: contact@tabsnap.app.
4. How we use your data
Each type of processing has a clear legal basis under the GDPR.
Creating and running your account, storing your bills, and showing bills to participants: performance of a contract (Art. 6(1)(b) GDPR).
Crash reporting via Sentry: our legitimate interest in keeping the app stable (Art. 6(1)(f) GDPR).
Rate limiting and fraud prevention (the usage counters): our legitimate interest in protecting the service and controlling costs (Art. 6(1)(f) GDPR).
Parsing the receipt photo or its OCR-extracted text with Anthropic's Claude Sonnet 4.6 model to turn it into structured items: performance of a contract (Art. 6(1)(b) GDPR).
Sending push notifications about your bills when you enable notifications, using the device push token your phone registers with Apple: performance of a contract (Art. 6(1)(b) GDPR).
Anonymous product analytics via PostHog to understand usage and improve the app, with your account referenced only by a one-way hashed id: our legitimate interest in improving the service (Art. 6(1)(f) GDPR), which you can opt out of under Settings > Notifications > Anonymous analytics.
Future marketing emails (none today): your consent, which you can withdraw at any time (Art. 6(1)(a) GDPR).
Receipt parsing (what actually crosses the wire): Receipt parsing runs in two paths. The on-device path uses Apple Vision OCR to extract text from your receipt photo without leaving the device. That text is then sent to Anthropic's Claude Sonnet 4.6 model so it can structure the text into items, totals, tax, and tip. If Apple Vision cannot read the receipt (blurry, low contrast, rotated), the app falls back to an image-based path: the receipt photo itself is sent to Claude Sonnet 4.6 for visual parsing. In both paths the receipt content is processed by Anthropic only for the duration of the request. We do not train any model on your receipts. The original photo also stays in our private Supabase Storage bucket so the bill host and participants can re-open it.
4. How we use your data
Each type of processing has a clear legal basis under the GDPR.
Creating and running your account, storing your bills, and showing bills to participants: performance of a contract (Art. 6(1)(b) GDPR).
Crash reporting via Sentry: our legitimate interest in keeping the app stable (Art. 6(1)(f) GDPR).
Rate limiting and fraud prevention (the usage counters): our legitimate interest in protecting the service and controlling costs (Art. 6(1)(f) GDPR).
Parsing the receipt photo or its OCR-extracted text with Anthropic's Claude Sonnet 4.6 model to turn it into structured items: performance of a contract (Art. 6(1)(b) GDPR).
Sending push notifications about your bills when you enable notifications, using the device push token your phone registers with Apple: performance of a contract (Art. 6(1)(b) GDPR).
Anonymous product analytics via PostHog to understand usage and improve the app, with your account referenced only by a one-way hashed id: our legitimate interest in improving the service (Art. 6(1)(f) GDPR), which you can opt out of under Settings > Notifications > Anonymous analytics.
Future marketing emails (none today): your consent, which you can withdraw at any time (Art. 6(1)(a) GDPR).
Receipt parsing (what actually crosses the wire): Receipt parsing runs in two paths. The on-device path uses Apple Vision OCR to extract text from your receipt photo without leaving the device. That text is then sent to Anthropic's Claude Sonnet 4.6 model so it can structure the text into items, totals, tax, and tip. If Apple Vision cannot read the receipt (blurry, low contrast, rotated), the app falls back to an image-based path: the receipt photo itself is sent to Claude Sonnet 4.6 for visual parsing. In both paths the receipt content is processed by Anthropic only for the duration of the request. We do not train any model on your receipts. The original photo also stays in our private Supabase Storage bucket so the bill host and participants can re-open it.
5. Who we share data with
We use a small number of third-party processors. Each one has a written data-processing agreement with us.
Supabase Inc. (data processor). Hosts our Postgres database, object storage, auth, and edge functions. Primary region: EU (Frankfurt, eu-central-2). Purpose: backend for the app. Contract: Supabase standard DPA.
Anthropic PBC (data processor). Provides the Claude Sonnet 4.6 language model we use to parse receipts. On the text path we send only the OCR-extracted text. On the image fallback path we send the receipt photo itself. Anthropic does not retain the input beyond what is needed to process the request and does not use it for model training under the Commercial Terms. Location: United States. Transfer mechanism: Standard Contractual Clauses (SCCs) included in Anthropic's Commercial Terms of Service, available at https://www.anthropic.com/legal/commercial-terms.
Sentry GmbH (data processor). Crash reporting for the app. Our Sentry account is hosted in the DE region. Purpose: detect and fix crashes. Crash data is anonymised by default.
PostHog (data processor). Provides anonymous product analytics so we can see how the app is used and improve it. We host PostHog in the EU. Your account is referenced only by a one-way hashed id, and we do not send your name, phone number, email, or exact bill amounts. Purpose: product analytics. You can opt out under Settings > Notifications > Anonymous analytics.
Twilio Inc. (data processor). Delivers the 6-digit one-time password (OTP) we send to your phone number when you sign in. Data shared: your phone number and the OTP token. The OTP is single-use and expires in 60 seconds. Location: United States, with some routing infrastructure in the EU. Transfer mechanism: Standard Contractual Clauses (SCCs) under Supabase's Twilio integration, which includes a Data Processing Agreement. Purpose: SMS delivery of verification codes.
Apple Inc. (platform, in-app purchase provider, and push delivery provider). Tabsnap is distributed through the App Store, which is subject to Apple's own privacy terms. Tabsnap Pro is sold through Apple In-App Purchase, so Apple processes your purchase and subscription. When you enable notifications, Apple's push service (APNs) delivers our notifications to your device. We do not currently use Sign in with Apple. If we add it as an optional sign-in method in a future release, we will update this policy.
Resend Inc. (data processor, not live yet). When enabled, Resend will send transactional emails such as account confirmations. No marketing use.
We do not share your data with any other third parties. We do not sell your data. We do not share your data for advertising purposes.
5. Who we share data with
We use a small number of third-party processors. Each one has a written data-processing agreement with us.
Supabase Inc. (data processor). Hosts our Postgres database, object storage, auth, and edge functions. Primary region: EU (Frankfurt, eu-central-2). Purpose: backend for the app. Contract: Supabase standard DPA.
Anthropic PBC (data processor). Provides the Claude Sonnet 4.6 language model we use to parse receipts. On the text path we send only the OCR-extracted text. On the image fallback path we send the receipt photo itself. Anthropic does not retain the input beyond what is needed to process the request and does not use it for model training under the Commercial Terms. Location: United States. Transfer mechanism: Standard Contractual Clauses (SCCs) included in Anthropic's Commercial Terms of Service, available at https://www.anthropic.com/legal/commercial-terms.
Sentry GmbH (data processor). Crash reporting for the app. Our Sentry account is hosted in the DE region. Purpose: detect and fix crashes. Crash data is anonymised by default.
PostHog (data processor). Provides anonymous product analytics so we can see how the app is used and improve it. We host PostHog in the EU. Your account is referenced only by a one-way hashed id, and we do not send your name, phone number, email, or exact bill amounts. Purpose: product analytics. You can opt out under Settings > Notifications > Anonymous analytics.
Twilio Inc. (data processor). Delivers the 6-digit one-time password (OTP) we send to your phone number when you sign in. Data shared: your phone number and the OTP token. The OTP is single-use and expires in 60 seconds. Location: United States, with some routing infrastructure in the EU. Transfer mechanism: Standard Contractual Clauses (SCCs) under Supabase's Twilio integration, which includes a Data Processing Agreement. Purpose: SMS delivery of verification codes.
Apple Inc. (platform, in-app purchase provider, and push delivery provider). Tabsnap is distributed through the App Store, which is subject to Apple's own privacy terms. Tabsnap Pro is sold through Apple In-App Purchase, so Apple processes your purchase and subscription. When you enable notifications, Apple's push service (APNs) delivers our notifications to your device. We do not currently use Sign in with Apple. If we add it as an optional sign-in method in a future release, we will update this policy.
Resend Inc. (data processor, not live yet). When enabled, Resend will send transactional emails such as account confirmations. No marketing use.
We do not share your data with any other third parties. We do not sell your data. We do not share your data for advertising purposes.
6. How long we keep data
We keep data only for as long as we need it.
Phone number: kept as long as your account is active, and deleted on cascade when you delete your account.
OTP tokens: not stored server-side beyond the verification window needed to verify them.
SMS delivery logs at Twilio: Twilio may retain message logs for up to 30 days under its standard terms.
Bills, items, and participants: until you delete the bill or your account.
Receipt images: until you delete the bill, or the account, whichever comes first.
Audit log (bill events): 12 months, then pruned automatically.
Sentry crash events: 30 to 90 days (Sentry default retention).
Account profile: deleted immediately when you delete your account, except for a pseudonymous user ID that stays in the audit log for 12 months so we can resolve disputes between participants.
Usage counters: sliding 90-day window.
Encrypted backups via Supabase: rolling 30 days.
Optional profile email: kept as long as it sits on your profile, you can clear it at any time, in which case it is deleted immediately.
Push notification token: kept while notifications are enabled and tied to your account, removed when you disable notifications or delete your account.
Product analytics events: retained by PostHog under our configured retention and tied only to a one-way hashed id.
When you use the in-app Delete Account button, we run a cascade delete across the database and storage immediately. Your name, phone number, optional email, bills, avatar, and receipt images are permanently deleted right away. This is immediate and cannot be undone: there is no grace period and no way to restore the account afterwards. We retain only a pseudonymous transaction ID (for example, "user-a4f2b91c") in the audit log for 12 months to resolve disputes between participants. This pseudonymous ID on its own cannot identify you and is kept under a separate retention schedule from your profile.
6. How long we keep data
We keep data only for as long as we need it.
Phone number: kept as long as your account is active, and deleted on cascade when you delete your account.
OTP tokens: not stored server-side beyond the verification window needed to verify them.
SMS delivery logs at Twilio: Twilio may retain message logs for up to 30 days under its standard terms.
Bills, items, and participants: until you delete the bill or your account.
Receipt images: until you delete the bill, or the account, whichever comes first.
Audit log (bill events): 12 months, then pruned automatically.
Sentry crash events: 30 to 90 days (Sentry default retention).
Account profile: deleted immediately when you delete your account, except for a pseudonymous user ID that stays in the audit log for 12 months so we can resolve disputes between participants.
Usage counters: sliding 90-day window.
Encrypted backups via Supabase: rolling 30 days.
Optional profile email: kept as long as it sits on your profile, you can clear it at any time, in which case it is deleted immediately.
Push notification token: kept while notifications are enabled and tied to your account, removed when you disable notifications or delete your account.
Product analytics events: retained by PostHog under our configured retention and tied only to a one-way hashed id.
When you use the in-app Delete Account button, we run a cascade delete across the database and storage immediately. Your name, phone number, optional email, bills, avatar, and receipt images are permanently deleted right away. This is immediate and cannot be undone: there is no grace period and no way to restore the account afterwards. We retain only a pseudonymous transaction ID (for example, "user-a4f2b91c") in the audit log for 12 months to resolve disputes between participants. This pseudonymous ID on its own cannot identify you and is kept under a separate retention schedule from your profile.
7. Your rights
Under the GDPR you have the following rights.
Right of access (Art. 15): ask for a copy of the personal data we hold about you.
Right to rectification (Art. 16): correct data that is wrong or incomplete.
Right to erasure (Art. 17): ask us to delete your data.
Right to restriction (Art. 18): ask us to pause processing in specific cases.
Right to object (Art. 21): object to processing based on legitimate interest.
Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
Right to withdraw consent (Art. 7): withdraw consent at any time where consent is the legal basis.
How to use these rights
To exercise any of the rights above, contact us at contact@tabsnap.app. Because your phone number is your account identifier, please write from an email address you can be reached at and include the phone number tied to your account so we can verify the request. We respond within 30 days (one calendar month, extendable by up to two further months for complex requests, per Art. 12(3) GDPR, in which case we will tell you why). No fee applies to reasonable requests.
In addition, some rights can be exercised directly in the app:
To delete your account and all associated data, open the app, go to Settings, and tap Delete Account.
To export your data as JSON, use the in-app "Export my data" button in Settings once it is available. Until then, email us as above.
7. Your rights
Under the GDPR you have the following rights.
Right of access (Art. 15): ask for a copy of the personal data we hold about you.
Right to rectification (Art. 16): correct data that is wrong or incomplete.
Right to erasure (Art. 17): ask us to delete your data.
Right to restriction (Art. 18): ask us to pause processing in specific cases.
Right to object (Art. 21): object to processing based on legitimate interest.
Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON).
Right to withdraw consent (Art. 7): withdraw consent at any time where consent is the legal basis.
How to use these rights
To exercise any of the rights above, contact us at contact@tabsnap.app. Because your phone number is your account identifier, please write from an email address you can be reached at and include the phone number tied to your account so we can verify the request. We respond within 30 days (one calendar month, extendable by up to two further months for complex requests, per Art. 12(3) GDPR, in which case we will tell you why). No fee applies to reasonable requests.
In addition, some rights can be exercised directly in the app:
To delete your account and all associated data, open the app, go to Settings, and tap Delete Account.
To export your data as JSON, use the in-app "Export my data" button in Settings once it is available. Until then, email us as above.
8. Data security
We take reasonable technical and organisational measures to protect your data.
Data in transit is encrypted using TLS.
Data at rest is encrypted by Supabase on the Postgres database and on object storage.
Access to bills and receipt images is enforced by Supabase Row Level Security (RLS), so only the host and the bill's participants can read them.
Backups are encrypted.
We do not hold ISO 27001, SOC 2, or similar certifications. We rely on the security posture of Supabase, Sentry, Anthropic, Twilio, PostHog, and Apple for the parts of the stack they operate.
8. Data security
We take reasonable technical and organisational measures to protect your data.
Data in transit is encrypted using TLS.
Data at rest is encrypted by Supabase on the Postgres database and on object storage.
Access to bills and receipt images is enforced by Supabase Row Level Security (RLS), so only the host and the bill's participants can read them.
Backups are encrypted.
We do not hold ISO 27001, SOC 2, or similar certifications. We rely on the security posture of Supabase, Sentry, Anthropic, Twilio, PostHog, and Apple for the parts of the stack they operate.
9. International data transfers
Your data is stored primarily in the EU (Supabase Frankfurt region, eu-central-2), in Germany (Sentry DE region), and in the EU for product analytics (PostHog EU hosting).
Some processing involves transfers outside the EU:
Anthropic PBC processes receipt text or images in the United States. The transfer is covered by Standard Contractual Clauses (SCCs) included in Anthropic's Commercial Terms of Service.
Twilio Inc. delivers SMS verification codes from the United States, with some routing via EU infrastructure. The transfer is covered by Standard Contractual Clauses included in Twilio's Data Processing Addendum, which is incorporated through Supabase's Twilio integration.
Apple Inc. operates the App Store. Apple's own terms and safeguards apply.
9. International data transfers
Your data is stored primarily in the EU (Supabase Frankfurt region, eu-central-2), in Germany (Sentry DE region), and in the EU for product analytics (PostHog EU hosting).
Some processing involves transfers outside the EU:
Anthropic PBC processes receipt text or images in the United States. The transfer is covered by Standard Contractual Clauses (SCCs) included in Anthropic's Commercial Terms of Service.
Twilio Inc. delivers SMS verification codes from the United States, with some routing via EU infrastructure. The transfer is covered by Standard Contractual Clauses included in Twilio's Data Processing Addendum, which is incorporated through Supabase's Twilio integration.
Apple Inc. operates the App Store. Apple's own terms and safeguards apply.
10. Children's privacy
Tabsnap is rated 4+ on the App Store and available worldwide. However, our digital-consent threshold for creating an account is 16, aligned with the default age under the GDPR and the age set by Dutch law (our primary market). You must also have a phone number you are entitled to use, on a line you control, in order to complete SMS verification. If you are under 16, you need permission from a parent or legal guardian to use Tabsnap and to agree to this Privacy Policy. This applies whether you are in the Netherlands, another EU country, or outside the EU. If we learn that we hold data for a user under 16 without parental consent, we will delete that data.
10. Children's privacy
Tabsnap is rated 4+ on the App Store and available worldwide. However, our digital-consent threshold for creating an account is 16, aligned with the default age under the GDPR and the age set by Dutch law (our primary market). You must also have a phone number you are entitled to use, on a line you control, in order to complete SMS verification. If you are under 16, you need permission from a parent or legal guardian to use Tabsnap and to agree to this Privacy Policy. This applies whether you are in the Netherlands, another EU country, or outside the EU. If we learn that we hold data for a user under 16 without parental consent, we will delete that data.
11. Changes to this policy
We may update this policy as the app and the law evolve. When we make a material change we will:
Update the "Last updated" date at the top.
Notify you inside the app or by email before the change takes effect.
Continued use of Tabsnap after the change means you accept the new policy.
11. Changes to this policy
We may update this policy as the app and the law evolve. When we make a material change we will:
Update the "Last updated" date at the top.
Notify you inside the app or by email before the change takes effect.
Continued use of Tabsnap after the change means you accept the new policy.
12. Contact
For any privacy question, data request, or complaint, contact us first.
Email: contact@tabsnap.app
Controller: MVM Solutions, Amsterdam, the Netherlands
12. Contact
For any privacy question, data request, or complaint, contact us first.
Email: contact@tabsnap.app
Controller: MVM Solutions, Amsterdam, the Netherlands
13. Supervisory authority
If you feel we have not handled your data properly, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or with the supervisory authority in your EU country of residence.
13. Supervisory authority
If you feel we have not handled your data properly, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or with the supervisory authority in your EU country of residence.