GroupCart Privacy Policy
Last updated: 15 May 2026
This Privacy Policy explains what data the GroupCart iOS app (“GroupCart”, “the app”, “we”) collects, how that data is used, and what rights you have regarding your data. By using the app you agree to the practices described below.
1. Who is the data controller
GroupCart is developed and operated by:
Kalle Hartiala
Email: getgroupcart@gmail.com
The developer is the data controller responsible for handling your personal data under the EU General Data Protection Regulation (GDPR) and equivalent local laws.
2. What data we collect
We collect only the data that is necessary to operate the app.
Account data
- Email address (used as your login identifier)
- A password, which is never stored in plain text — Firebase Authentication handles password hashing on its servers
Profile data
- Display name (chosen by you, visible to other members of your group)
Shopping data
- Shopping list items (name, category, quantity, unit, who added or checked the item, timestamps)
- Recipes (name and ingredients, saved per group)
- Shopping history (past purchases, grouped by day)
- Quick Add items (personal items you frequently buy)
- Group memberships (which groups you belong to, your role inside them)
Technical data
- Firebase Cloud Messaging (FCM) push notification token, used to deliver bell-press notifications to your devices
- Anonymous crash and diagnostic data via Firebase Crashlytics, used to identify and fix bugs
We do not collect: location data, contacts, photos, advertising identifiers, biometric data, payment information, or any tracking data used to profile you across other apps or websites.
3. Why we collect this data and the legal basis
The data above is processed for the following purposes:
- To run the app — synchronising shopping lists, recipes, and history between members of a group (legal basis: performance of a contract).
- To send push notifications — when a group member presses the bell to alert others (legal basis: legitimate interest, the core function of the app).
- To improve reliability — anonymous crash reports help us fix bugs (legal basis: legitimate interest).
We do not use your data for marketing, advertising, profiling, or automated decision-making.
4. Who has access to your data
- You — full access to your own data.
- Other members of your group(s) — can see shopping list items, recipes, history, and display names within the groups you share with them.
- Firebase / Google Cloud — provides the infrastructure (Authentication, Firestore database, Cloud Functions, Cloud Messaging, Crashlytics) used by the app. Google’s privacy practices are described at https://firebase.google.com/support/privacy and https://policies.google.com/privacy.
We do not sell or rent your data to anyone. We do not share data with third parties other than the Google Cloud infrastructure described above.
5. Where your data is stored
Data is stored on Firebase / Google Cloud servers. Some of these servers are located in the United States and other countries outside the European Economic Area (EEA). Where data is transferred outside the EEA, Google relies on Standard Contractual Clauses approved by the European Commission to provide an adequate level of protection. You can read Google’s data processing terms at https://cloud.google.com/terms/data-processing-addendum.
6. How long we keep your data
- Active accounts: as long as your account exists.
- After you delete your account: your account record and personal quick-add items are deleted immediately. Items you added to shared lists, history, and recipes remain visible to the other members of your group(s), because that data belongs to the group as a whole.
- Anonymous crash and diagnostic data: retained by Firebase Crashlytics for up to 90 days.
7. Your rights
Under the GDPR you have the right to:
- Access your personal data
- Correct inaccurate data (you can edit your display name in Settings)
- Delete your account at any time (Settings → Delete Account)
- Export your data
- Restrict or object to the processing of your data
- Lodge a complaint with your local data protection authority (in Finland: the Office of the Data Protection Ombudsman, https://tietosuoja.fi/)
To exercise any of these rights other than account deletion, please email getgroupcart@gmail.com. We aim to respond within 30 days.
8. Children’s privacy
GroupCart is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you become aware that a child has provided us with personal data without parental consent, please contact us and we will delete it.
9. Security
All data is transmitted over HTTPS using industry-standard TLS encryption. Firebase Authentication handles password storage using established hashing techniques. We rely on Google Cloud’s physical and operational security controls to protect data at rest. No system is perfectly secure, but we take reasonable steps to safeguard your data.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the “Last updated” date at the top of this page. Continued use of the app after changes means you accept the updated policy.
Questions about this Privacy Policy or how your data is handled:
Email: getgroupcart@gmail.com