Privacy Policy

Short version: Burse is a bill-splitting app. We collect your phone number and the name you choose to display. Receipt images are processed by AI to extract item data and then discarded. Payments are handled entirely by Stripe — we never see or store your card details. We do not sell your data.

1. Who We Are

Burse ("Burse," "we," "us," or "our") is a mobile application and web service operated at burse.me that helps groups split restaurant and dining bills. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our app or website.

If you have questions about this policy, email us at privacy@burse.me.

2. Information We Collect

2a. Information You Provide

Phone number. Required to create an account and for identity verification via one-time passcode (OTP). We store your phone number in E.164 format (e.g., +15551234567).
Display name. An optional name (up to 64 characters) you choose to show to others in shared tabs. You can leave this blank.
Receipt images. Photos you take or upload through the scanner. These images are transmitted to our receipt-parsing service and immediately discarded after the item data is extracted — they are not stored on our servers.

2b. Information Collected Automatically

Tab and transaction data. Tab titles, item names, amounts, participant lists, assignment records, and payment status. This is the core operational data required to provide the service.
Device identifier. A UUID generated on your device and included in authentication tokens to bind sessions to a single device. This is not used for advertising.
Server logs. Standard web server logs including IP address, request path, HTTP status code, and timestamp. Logs are retained for 30 days and used solely for security monitoring and debugging.

2c. Information We Do Not Collect

We do not store payment card numbers, bank account numbers, or other payment credentials. All payment processing is handled by Stripe under their own privacy policy.
We do not collect location data.
We do not collect contacts from your device address book.
We do not use advertising identifiers (IDFA, GAID).

3. How We Use Your Information

We use the information we collect to:

Verify your identity and create/maintain your account
Enable the core service: creating tabs, assigning items, collecting payments
Send SMS notifications about tabs you are involved in (payment requests, reminders)
Process payouts to tab creators via Stripe Connect
Prevent fraud, abuse, and unauthorized access
Comply with legal obligations
Respond to your support requests

We do not use your information to build advertising profiles, and we do not sell, rent, or broker your personal data to third parties.

4. Third-Party Services

Burse integrates with the following services to deliver its functionality. Each processes data under their own privacy policies, which we encourage you to review.

Service	Purpose	Data Shared	Privacy Policy
Stripe	Payment processing, Connect payouts	Payment amount, tab metadata, connected account IDs	stripe.com/privacy
Twilio	SMS delivery (OTP codes, payment links)	Phone number, message body	twilio.com/legal/privacy
Anthropic (Claude)	Receipt image parsing (item extraction)	Receipt image (not stored after parsing)	anthropic.com/privacy
Supabase	Database and authentication infrastructure	All stored user and tab data	supabase.com/privacy
Upstash (Redis)	Rate limiting, session deduplication	Anonymized request keys (no PII)	upstash.com/privacy

5. SMS Communications

By creating an account you consent to receive transactional SMS messages from Burse, including:

One-time passcodes (OTPs) for sign-in
Payment request links when a tab is sent to you
Reminder messages when a payment is overdue (if the tab creator has enabled auto-nudge)

You can opt out of reminder messages at any time in Settings → Notifications. OTP messages are required for account access and cannot be disabled.

Standard message and data rates may apply. Message frequency varies based on app usage.

6. Data Retention

Data Type	Retention Period
Account data (phone, display name)	Until account deletion or 2 years of inactivity
Tab and transaction records	3 years from creation (for dispute resolution)
Receipt images	Discarded immediately after item extraction
Authentication tokens	Access tokens: 15 minutes. Refresh tokens: 30 days.
Server logs	30 days
Revoked refresh tokens	7 days after revocation, then purged

7. Your Rights

Regardless of where you live, you have the right to:

Access the personal data we hold about you
Correct inaccurate data (update your display name in the app at any time)
Delete your account and associated personal data
Export your data in a machine-readable format
Object to or restrict certain processing

To exercise any of these rights, email privacy@burse.me. We will respond within 30 days. Note that deleting your account will not erase transaction records required for legal or dispute-resolution purposes during the 3-year retention window.

California Residents (CCPA / CPRA)

Under the California Consumer Privacy Act, California residents have additional rights, including the right to know what categories of personal information we collect, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising privacy rights.

Categories of personal information collected: identifiers (phone number, device ID), commercial information (tab and payment records), and inferences drawn from usage (tab activity). We do not sell or share personal information with third parties for cross-context behavioral advertising.

EEA / UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, our lawful basis for processing your data is:

Contract: processing necessary to provide the service you signed up for
Legitimate interests: fraud prevention, security, and service improvement
Legal obligation: retention of financial records

You have the right to lodge a complaint with your local supervisory authority.

8. Children's Privacy

Burse is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@burse.me and we will promptly delete it.

9. Data Security

We implement technical and organizational measures to protect your information, including:

TLS encryption for all data in transit
RSA-signed JWTs (RS256) with short 15-minute access token expiry
Device-bound authentication tokens
Rate limiting and brute-force protections on all authentication endpoints
No storage of payment card data (handled entirely by Stripe's PCI-compliant systems)

No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via in-app notification or SMS. Your continued use of Burse after any change constitutes acceptance of the updated policy.

11. Contact Us

Questions, concerns, or requests regarding this Privacy Policy:

Email: privacy@burse.me
Web: burse.me