Privacy Policy
Effective Date: 2026-05-20
Last Updated: 2026-05-16
Version: 1.0
This Privacy Policy has been prepared with the assistance of legal counsel. Operator: Dibby.
1. Introduction
Dibby ("Dibby", "we", "us", or "our") is an expense-splitting service operated by Dibby with its principal place of business in Toronto, Ontario, Canada. We operate the Dibby mobile application and the associated services accessible at https://dibby.ca (collectively, the "Service").
This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and otherwise process personal information about you when you access or use the Service. It applies in addition to our Terms of Service available at https://www.dibby.ca/legal/terms (the "Terms"), which are incorporated by reference. Capitalized terms not defined here have the meanings given in the Terms.
By accessing or using the Service, you acknowledge that you have read, understood, and agreed to the practices described in this Policy. If you do not agree with any part of this Policy, you must not access or use the Service.
2. Scope
This Policy applies to:
- The Dibby mobile application for Android (and, when made available, iOS) distributed via the Google Play Store and Apple App Store;
- Any successor or related application, version, edition, or release;
- Any websites operated by us under dibby.ca or its subdomains;
- Any communications, notifications, support interactions, or other services provided by us in connection with the foregoing.
This Policy does not apply to third-party services, websites, applications, or platforms that we link to or integrate with. Those third parties operate under their own privacy policies and we encourage you to review them.
3. Definitions
For the purposes of this Policy:
- "Personal Information" means information that, alone or in combination with other information, identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular identifiable natural person or household. The term has the jurisdictionally-specific meanings given to it under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the EU General Data Protection Regulation 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), and any other applicable data protection laws.
- "Process", "Processing", or "Processed" means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "You" or "your" means the natural person who accesses, registers for, or uses the Service. Where you act on behalf of another person (for example, as a group administrator), you represent that you have the authority to do so.
4. Information We Collect
We collect the following categories of Personal Information.
4.1 Information You Provide to Us
| Category | Examples | Purpose |
|---|---|---|
| Account credentials | Email address; password (where applicable, stored hashed using Argon2id or equivalent); display name | Authentication, account recovery, identifying you to other group members |
| Profile information | Profile photo (optional); preferred currency; locale; timezone | Personalising the Service and rendering financial values |
| Phone numbers | Phone number in E.164 format. As of version 1.0, phone-based authentication is disabled in the Service and phone fields are not collected from end users. Phone numbers may be collected only if and when we re-enable phone authentication, at which time we will update this Policy and notify you. | Phone-based authentication and friend matching, if and when enabled |
| Group and membership data | Group names; cover photographs; member roles (owner, administrator, member); placeholder member labels; per-group category labels | Operating the core expense-splitting functionality |
| Expense data | Amounts; dates; descriptions; categories; payer; split type (equal, exact, percentage, shares); line items; comments; activity log entries | Operating the core expense-splitting functionality |
| Settlement data | Amounts; dates; payer; payee; settlement notes; partial-payment indicators | Operating the settlement-tracking functionality |
| Receipt content | Receipt photographs uploaded by you; OCR-extracted text including merchant name, items, prices, taxes, totals; optional manual edits | Receipt attachment, line-item itemisation, and OCR-assisted entry |
| Support communications | Email or in-app messages you send to support; attachments; metadata such as the subject and time of the message | Responding to your requests and improving the Service |
4.2 Information We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device information | Operating system and version; device model; screen size; preferred language; timezone offset; mobile network operator (where available); installed application version | Compatibility, debugging, fraud prevention, populating crash reports |
| App-activity information | Screens viewed; features used; in-app actions taken; approximate timing of events | Improving the Service; security investigations; only when you have opted in |
| Diagnostic information | Application crash data; stack traces; error codes; non-fatal exception reports; performance metrics | Identifying and fixing defects |
| Network and connection metadata | IP address; coarse geolocation derived from IP (country/region only); HTTP user agent; request timestamps | Security, abuse prevention, rate limiting, regulatory compliance |
| Authentication metadata | Login timestamps; authentication method (email, Apple Sign In, Google Sign In, or phone if and when phone authentication is enabled); two-factor status; session identifiers; device fingerprints used solely for session continuity | Authentication and security |
| Cookies and similar technologies | Local storage entries on the device (MMKV and platform-secure storage); session tokens; non-tracking preference flags. We do not use advertising cookies, advertising identifiers, or cross-site tracking technologies. | Persisting authentication and preferences between sessions |
4.3 Information From Third Parties
| Source | Information | Purpose |
|---|---|---|
| Apple Sign In | Your Apple-managed email (real or relayed) and display name | Authenticating you, if you choose this method |
| Google Sign In | Your Google email address and display name | Authenticating you, if you choose this method |
| Other group members | When a member adds you as a participant in an expense, your existing account profile becomes visible to other members of that group | Operating shared-expense functionality |
We do not purchase Personal Information from data brokers, advertising networks, social media platforms (other than the limited sign-in integrations identified above), or any third party.
4.4 Information We Do Not Collect
For clarity, we do not collect:
- Government-issued identification numbers or images thereof;
- Financial account, credit card, or bank account numbers (we do not process payments through the Service);
- Biometric identifiers transmitted off-device (Face ID, Touch ID, and Android fingerprint operate exclusively on your device and never leave it);
- Precise geolocation (latitude/longitude) beyond what is necessary to resolve a coarse IP-based country/region for security purposes;
- Health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, or any other "special category" data under Article 9 of the GDPR;
- Information about minors under the age of digital consent in your jurisdiction (see Section 11, Children's Privacy).
5. How We Use Personal Information (Purposes and Legal Bases)
We Process Personal Information for the following purposes. Where the GDPR applies, we identify the legal basis on which we rely.
| Purpose | Examples | Legal Basis under GDPR |
|---|---|---|
| Providing the Service | Account creation; group and expense management; settlement tracking; receipt OCR | Performance of a contract (Article 6(1)(b)) |
| Communicating with you | Service announcements; security notices; responses to support enquiries; transactional emails such as password resets and OTP codes | Performance of a contract (Article 6(1)(b)); legitimate interests (Article 6(1)(f)) where the communication is not strictly contractual |
| Protecting the Service | Detecting and preventing fraud, abuse, spam, and unauthorised access; investigating policy violations; enforcing the Terms; protecting the safety and security of users and third parties | Legitimate interests (Article 6(1)(f)); legal obligation (Article 6(1)(c)) where applicable |
| Improving the Service | Diagnostic logs and crash reporting; aggregated and de-identified usage analytics (opt-in only); user research where you affirmatively volunteer | Consent (Article 6(1)(a)) for opt-in analytics; legitimate interests (Article 6(1)(f)) for crash diagnostics necessary to keep the Service operational |
| Complying with legal obligations | Responding to lawful requests from public authorities; tax, accounting, or regulatory record-keeping; responding to data-subject requests | Legal obligation (Article 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Litigation; insurance; risk management; M&A due diligence | Legitimate interests (Article 6(1)(f)) |
By default, opt-in product analytics are disabled. You may enable them in the Service's settings; you may disable them at any time. We do not Process Personal Information for direct marketing without your prior, explicit, and revocable consent.
6. How We Share Personal Information
We share Personal Information only as described in this section. We do not sell or rent Personal Information, and we do not "share" it for cross-context behavioural advertising as those terms are defined in the CCPA/CPRA.
6.1 Within the Service (other users)
Information you provide to a group (your display name, profile photo, expense entries, comments, settlement records) becomes visible to other members of that group. Members admitted to a group can see all content created within the group, including content created before they joined unless soft-deleted (see Section 7, Retention).
6.2 Service Providers (Data Processors)
We engage the following categories of service providers to operate the Service. Each is bound by written agreements that limit their processing to the purposes we instruct, require appropriate technical and organisational security measures, and prohibit secondary use.
| Provider | Service | Categories of Information | Location of Processing |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage, edge function execution, realtime synchronisation | All categories listed in Section 4.1 and 4.2 | United States (primary), with regional replicas as configured |
| Google LLC (Google Cloud Vision API) | Optical character recognition on receipt images you upload | Receipt images and the OCR-extracted text returned | United States |
| Google LLC (Firebase Cloud Messaging) | Delivery of push notifications to Android devices | Device push tokens; notification payload metadata | United States |
| Apple Inc. (Apple Push Notification service) | Delivery of push notifications to iOS devices, when iOS is supported | Device push tokens; notification payload metadata | United States |
| Twilio Inc. | One-time-password delivery via SMS (only when phone authentication is enabled — currently disabled) | Phone number; OTP code; delivery metadata | United States |
| Brevo (formerly Sendinblue) | Transactional email delivery (magic links, password resets, account notifications) | Email address; message content; delivery metadata | European Union |
| Sentry (Functional Software, Inc.) | Crash reporting and error monitoring on the web application. Sentry is intentionally not initialised on the mobile application in version 1.0, so no crash data is sent from the mobile app to Sentry. | Error stack traces; non-sensitive event metadata; user identifiers (pseudonymised where feasible) | United States |
| PostHog Inc. | Self-hosted product analytics, where you have opted in | Pseudonymised event data; device and session identifiers | European Union (self-hosted) |
| Cloud infrastructure provider(s) underpinning Supabase | Compute, storage, and networking | All categories listed in Section 4.1 and 4.2 | Primarily United States |
This list may change. We will update it in this Policy and treat material changes as described in Section 13.
6.3 Legal and Regulatory Disclosures
We may disclose Personal Information when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request;
- Enforce the Terms, including investigation of potential violations;
- Detect, prevent, or otherwise address fraud, security, or technical issues;
- Protect against harm to the rights, property, or safety of Dibby, our users, or the public, as required or permitted by law.
Where legally permitted, we will attempt to notify you before disclosing your Personal Information in response to a legal request.
6.4 Business Transfers
If we are involved in a merger, acquisition, sale of assets, financing, bankruptcy, dissolution, or similar corporate transaction or proceeding, Personal Information may be transferred to, accessed by, or otherwise made available to the counterparty. We will require that the recipient continue to honour the commitments in this Policy or notify affected users of any material changes prior to the transfer.
6.5 With Your Consent
We may share Personal Information with third parties not listed above where you have given us your specific, informed, and revocable consent to do so.
7. Data Retention
We retain Personal Information for as long as is necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law.
| Category | Retention |
|---|---|
| Account profile | For the lifetime of your account, plus a 30-day grace period after deletion is requested (see "Account Deletion" below). After 30 days, the account record is anonymised in place — your identity is severed from financial records, but the amount, date, and group context of historic expenses remain so that other members' balance histories are not retroactively altered. |
| Group, expense, and settlement records | Retained for as long as the group remains active. Soft-deleted records retain a deleted_at marker for audit purposes and are not surfaced in any user-facing screen. |
| Receipt photographs and OCR-extracted text | Retained for as long as is reasonably necessary to operate the Service and to enable you to audit historic expenses and settlements, and thereafter for any period required to comply with our accounting, tax, regulatory, or legal-process obligations. Retention periods are reviewed periodically and may be shortened in our discretion. You may individually delete any receipt at any time from the corresponding expense; deleted receipts are removed from object storage, and the associated OCR text and line items are deleted or de-identified, within a reasonable period thereafter. |
| Authentication metadata (login timestamps, IP, user agent) | Retained for a period reasonably necessary to investigate security events and detect abuse, after which the records are deleted or aggregated. |
| Crash and diagnostic logs | Retained for a reasonable diagnostic period, after which the records are deleted or aggregated. |
| Marketing communications opt-in records | For as long as you remain opted in, plus a reasonable period after opt-out so that we can demonstrate compliance with applicable consent requirements. |
| Backups | Encrypted backups are retained on a rolling basis. Deletion requests propagate to backups within that rolling window. |
Account Deletion. You may request deletion of your account at any time from within the Service. Upon receipt of your request:
- Your account is immediately disabled. You cannot sign in.
- A 30-day grace period begins. If you sign in (or contact support from the email of record) within 30 days, the account is fully restored.
- At the end of the grace period, your profile information (display name, photo, email, phone if any) is anonymised. Expense, group, and settlement records continue to exist with your contributions marked as belonging to a former member, so that other users' financial history is not altered.
Deletion is final after the 30-day grace period and cannot be undone.
8. Data Security
We implement reasonable technical and organisational measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation:
- Transport Layer Security (TLS) for network communications between the Service and our backend;
- At-rest encryption of the database and object storage volumes at the cloud-infrastructure layer;
- Row-Level Security (RLS) policies on database tables containing Personal Information, enforcing group-membership-based access controls;
- Industry-standard cryptographic hashing of any stored authentication credentials, as provided by our backend authentication provider;
- Biometric or device-passcode gating of the mobile application client where supported by the operating system;
- Principle-of-least-privilege access controls for personnel; and
- Ongoing review of dependencies and third-party services for known vulnerabilities.
No method of transmission over the Internet or method of electronic storage is 100 % secure. While we strive to use commercially reasonable means to protect your Personal Information, we cannot guarantee its absolute security. You are responsible for safeguarding your account credentials and for using a unique, strong password. You must notify us promptly at the contact address in Section 14 if you suspect any unauthorised access to your account.
Free-Tier Disclosure. Version 1.0 of the Service operates on the free tier of our backend provider, which does not include access to the provider's encrypted-secrets vault. As a precautionary measure, phone-based authentication is disabled in version 1.0 so that phone numbers are not collected or stored. If we re-enable phone authentication in a future version, we will at that time also enable column-level encryption of stored phone numbers and update this Policy.
Breach Notification. In the event of a "breach of security safeguards" (within the meaning of the Personal Information Protection and Electronic Documents Act (Canada), the Personal Health Information Protection Act, 2004 (Ontario), the Act respecting the protection of personal information in the private sector (Quebec — Law 25), or any other applicable law) that creates a real risk of significant harm to you, we will:
(a) notify the Office of the Privacy Commissioner of Canada and any other applicable supervisory authority (including, where applicable, the Quebec Commission d'accès à l'information and any data protection authority designated under the GDPR), as soon as feasible after we are reasonably satisfied of the facts;
(b) directly notify affected individuals, by email to the address on file or by another commercially reasonable method, as soon as feasible, including a description of the incident, the categories of Personal Information involved, the steps we are taking to mitigate harm, and the contact point for further information;
(c) maintain records of every breach for at least twenty-four (24) months, in a form that allows us to demonstrate compliance with our notification obligations to any supervisory authority upon request.
Specific statutory time-windows applicable in your jurisdiction (including GDPR Article 33's seventy-two (72) hour rule for controllers in the EEA) will be observed in addition to the commitments above.
9. International Data Transfers
We are based in Canada. Our service providers operate from Canada, the United States, and the European Union, among other locations. As a result, your Personal Information may be transferred to and Processed in countries other than the country in which you reside. These countries may have data-protection laws that differ from those in your country.
Where we transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of protection, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (2021/914) and the UK Addendum thereto, together with supplementary measures where required by applicable law and guidance.
You may obtain a copy of the safeguards we have implemented for any particular transfer by contacting us at the address in Section 14, subject to reasonable redaction of commercially sensitive terms.
10. Your Rights
Subject to applicable law and reasonable verification of your identity, you may have the following rights with respect to your Personal Information. The availability and scope of each right depends on your jurisdiction.
| Right | Description |
|---|---|
| Access | Obtain confirmation that we Process Personal Information about you and a copy of that information. |
| Rectification | Request correction of inaccurate or incomplete Personal Information. |
| Erasure ("right to be forgotten") | Request deletion of your Personal Information in defined circumstances, subject to our legal retention obligations. The in-app account-deletion flow satisfies this right in most cases. |
| Restriction | Request that we restrict Processing of your Personal Information in defined circumstances. |
| Portability | Receive a copy of Personal Information you have provided to us in a structured, commonly used, machine-readable format, and transmit that data to another controller. The in-app "Full data export (GDPR)" feature exists to satisfy this right. |
| Objection | Object to Processing based on our legitimate interests, including for direct marketing. |
| Withdraw consent | Where Processing is based on your consent, withdraw consent at any time, without affecting the lawfulness of Processing carried out before the withdrawal. |
| Lodge a complaint | File a complaint with a data-protection authority, including the Office of the Privacy Commissioner of Canada, the European data-protection authority of your habitual residence or place of work, the UK Information Commissioner's Office, or the California Attorney General. |
| Non-discrimination (CCPA/CPRA) | We will not deny you the Service, charge you different prices, or provide a different level of service because you exercised any of your rights under the CCPA/CPRA. |
You may exercise these rights by contacting us at the address in Section 14 or by using the corresponding in-app feature. We will respond within the time periods required by applicable law, typically thirty (30) days. We may provide a response more quickly where required by law (e.g. 15 days in certain jurisdictions). We may extend this period by an additional sixty (60) days when reasonably necessary, in which case we will notify you of the extension and the reason.
If you are an authorised agent acting on behalf of a California consumer, you must provide signed written permission from the consumer or proof of power of attorney before we can process the request. We may require the consumer to verify their own identity directly with us.
11. Children's Privacy
The Service is not directed to, and we do not knowingly collect Personal Information from, children under the age of 13 (or such higher age threshold as may be required in your jurisdiction — generally 14 in Spain, 15 in France and Czech Republic, and 16 in Germany, the Netherlands, and certain other EU member states).
If you are a parent or guardian and you believe that your child has provided Personal Information to us without your consent, please contact us at the address in Section 14 and we will take reasonable steps to delete the information. If we become aware that we have collected Personal Information from a child under the applicable age threshold without verified parental consent, we will delete that information promptly.
The Service includes a self-attestation of age at sign-up. We do not warrant that this mechanism prevents all underage usage; we rely on parents and guardians to supervise their children's online activity.
12. Cookies and Similar Technologies
The mobile application uses local storage technologies, including MMKV and the platform-secure keystore (iOS Keychain, Android Keystore), to persist authentication tokens, user preferences, and operational state. These technologies are strictly necessary for the operation of the Service and cannot be disabled while continuing to use the Service.
The Service does not use cookies for advertising, cross-site tracking, fingerprinting, or behavioural profiling. The Service does not participate in third-party advertising networks.
Where a future web version of the Service uses cookies, we will provide an in-context cookie banner consistent with the European Union ePrivacy Directive and the UK Privacy and Electronic Communications Regulations, with separate consents for each category of non-strictly-necessary cookie.
13. Changes to This Policy
We may modify this Policy from time to time. When we do, we will update the "Last Updated" date at the top of this Policy. If the changes are material — for example, if we begin processing new categories of Personal Information, share Personal Information with new categories of recipients, change a legal basis on which we rely, or shorten a retention period in a way that affects you adversely — we will notify you prominently in the Service and, where reasonably practicable, by email, with reasonable advance notice consistent with applicable law before the changes take effect. Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the revised Policy.
We maintain a public version history of this Policy in our source repository to enable historical comparisons.
14. Contact Us
If you have questions, concerns, complaints, or requests regarding this Policy or our processing of Personal Information, please contact us at:
- Email: privacy@dibby.ca
- Postal address: Dibby, Toronto, Ontario, Canada
If you are located in the European Economic Area, the United Kingdom, or Switzerland and we are required to designate an EU/UK/Swiss representative under Article 27 of the GDPR or its UK or Swiss equivalents, we will identify that representative here. (Pending appointment.)
The supervisory authority in our home jurisdiction is the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/en/report-a-concern/). You may also have the right to lodge a complaint with the supervisory authority in the jurisdiction in which you live, work, or where an alleged infringement has occurred.
15. Region-Specific Disclosures
15.1 Canada (PIPEDA and Provincial Privacy Laws)
We comply with PIPEDA and, where applicable, with provincial privacy legislation including Quebec's Act respecting the protection of personal information in the private sector ("Law 25"). Quebec residents have rights to data portability, rights with respect to automated decision-making, and the right to obtain information about the use of their personal information; the contact address in Section 14 is also our designated person responsible for the protection of personal information for Quebec purposes.
15.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)
For users in the EEA, the UK, or Switzerland, the data controller of your Personal Information is Dibby at the address in Section 14. The legal bases on which we rely are identified in Section 5. You have the rights identified in Section 10. You may contact our representative (when appointed) at the address in Section 14.
15.3 California (CCPA / CPRA)
In the preceding twelve (12) months we have collected the categories of Personal Information identified in Section 4 for the purposes described in Section 5. We have disclosed the categories identified in Section 4 to the categories of recipients identified in Section 6. We have not sold or shared (as those terms are defined in the CCPA/CPRA) any Personal Information. We have not collected or Processed sensitive Personal Information for purposes that would trigger your right to limit such Processing.
You have the right, subject to verification of your identity, to:
- Know what categories and specific pieces of Personal Information we collect, use, disclose, and (if applicable) sell or share about you;
- Delete Personal Information we have collected from you, subject to exceptions;
- Correct inaccurate Personal Information;
- Opt out of any future sale or sharing of Personal Information (we do not currently engage in either);
- Limit the use and disclosure of sensitive Personal Information (we do not currently Process sensitive Personal Information beyond what is necessary to provide the Service);
- Not be discriminated against for exercising these rights.
To exercise these rights, contact us at the address in Section 14.
15.4 Other US State Laws
To the extent the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, or other US state consumer-privacy laws apply, we comply with their respective requirements and afford their analogous rights to residents of those states. Residents of those states may exercise applicable rights by contacting us at the address in Section 14.
15.5 Accessibility
We are committed to making the Service accessible to users with disabilities. We strive to follow the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA, where reasonably practicable, and comply with the Accessibility for Ontarians with Disabilities Act, 2005 and applicable analogues in other jurisdictions. If you encounter a barrier in the Service or wish to request information in an alternate format, please contact us at the address in Section 14 and we will respond within a reasonable time, free of charge.
15.6 Quebec Cross-Border Disclosure Assessment
Before disclosing Personal Information about a Quebec resident outside Quebec — including to a service provider in another province or in another country — we assess the disclosure as required by section 17 of the Act respecting the protection of personal information in the private sector, taking into account the sensitivity of the information, the purpose of its use, the protective measures applicable to the recipient, and the legal framework of the recipient's jurisdiction. Records of these assessments are available to the Commission d'accès à l'information on request.
15.7 Other Jurisdictions
If you are located in a jurisdiction not specifically identified above (including Australia, Brazil, India, Japan, New Zealand, Singapore, South Korea, or others), we comply with applicable local laws and afford you any rights granted by those laws. Contact us at the address in Section 14 for jurisdiction-specific enquiries.
End of Privacy Policy.