Privacy Policy

Last updated: 15 May 2026

This Privacy Policy explains what data the GroupCart iOS app ("GroupCart", "the app", "we") collects, how that data is used, and what rights you have regarding your data. By using the app you agree to the practices described below.

1. Who is the data controller

GroupCart is developed and operated by Kalle Hartiala. Email: getgroupcart@gmail.com. The developer is the data controller responsible for handling your personal data under the EU General Data Protection Regulation (GDPR) and equivalent local laws.

2. What data we collect

We collect only the data necessary to operate the app.

Account data: your email address (login identifier) and a password, which is never stored in plain text — Firebase Authentication handles password hashing on its servers. If you use Sign in with Apple, we receive the name and email you choose to share (Apple can relay a private email).

Profile data: a display name you choose, visible to other members of your group.

Shopping data: shopping list items, recipes, shopping history, Quick Add items, and which groups you belong to.

Technical data: a push notification token used to deliver alerts, and anonymous crash/diagnostic data via Firebase Crashlytics used to fix bugs.

We do not collect location, contacts, photos, advertising identifiers, biometric data, payment information, or any data used to track you across other apps or websites.

3. Why we collect it and the legal basis

We do not use your data for marketing, advertising, profiling, or automated decision-making.

4. Who has access to your data

You have full access to your own data. Other members of your group(s) can see shopping items, recipes, history and display names within the groups you share. Firebase / Google Cloud provides the infrastructure (Authentication, Firestore, Cloud Functions, Cloud Messaging, Crashlytics, App Check). See Firebase privacy and Google's privacy policy. We do not sell or rent your data to anyone.

5. Where your data is stored

Data is stored on Firebase / Google Cloud servers, some located outside the European Economic Area. Where data is transferred outside the EEA, Google relies on Standard Contractual Clauses approved by the European Commission. See Google's data processing terms.

6. How long we keep your data

7. Your rights

Under the GDPR you may access, correct, delete, export, restrict or object to the processing of your data, and lodge a complaint with your local data protection authority (in Finland: the Office of the Data Protection Ombudsman, tietosuoja.fi). You can delete your account at any time in Settings → Delete Account. For other requests, email getgroupcart@gmail.com. We aim to respond within 30 days.

8. Children's privacy

GroupCart is not directed at children under 13 and we do not knowingly collect their personal data. If you believe a child has provided us data without parental consent, contact us and we will delete it.

9. Security

All data is transmitted over HTTPS using industry-standard TLS encryption. Firebase Authentication handles password storage using established hashing techniques, and App Check helps ensure requests come from the genuine app. No system is perfectly secure, but we take reasonable steps to safeguard your data.

10. Changes to this policy

We may update this policy from time to time. Material changes are reflected by updating the "Last updated" date above. Continued use of the app after changes means you accept the updated policy.

11. Contact

Questions about this policy or how your data is handled: getgroupcart@gmail.com.