Dolio

Legal

Privacy Policy

Last updated

This policy explains what personal data Dolio (“we”, “us”, “our”) collects when you use the Dolio mobile app or visit https://dolio.org, why we collect it, who we share it with, and the rights you have over it. We follow the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”).

Data controller

The data controller responsible for your personal data is CodeNomad, established in the Netherlands (KvK 95085270). You can reach us at privacy@dolio.org.

What we collect and why

  • Email address — to authenticate you, send sign-in links, deliver account-deletion confirmations, and answer support requests. Legal basis: performance of the contract between you and us (Art. 6(1)(b) GDPR).
  • Display name — shown to other members of any group you join so they can identify your share of expenses. Legal basis: performance of the contract.
  • Sign-in identifiers — if you choose Sign in with Apple or Sign in with Google, the provider returns a stable identifier that we link to your account. We never receive your password from those providers. Legal basis: performance of the contract.
  • Group and expense content — group names, currency, memberships, expense descriptions, amounts, splits, payers, and settlement records. Without this content the app cannot compute balances. Legal basis: performance of the contract.
  • Push notification token — if you grant notification permission, your device's push token is stored so we can deliver notifications about your groups. Legal basis: your consent (Art. 6(1)(a) GDPR); you can revoke it at any time in your device settings.
  • Server and access logs — IP address, timestamp, and user-agent for each request, retained for up to 30 days. Legal basis: our legitimate interest in keeping the service secure and abuse-free (Art. 6(1)(f) GDPR).

We do not collect precise location, contacts, photos, files, calendar data, microphone or camera input, or device identifiers for tracking. We do not use analytics or advertising SDKs, and we do not run third-party tracking cookies on our website.

Cookies

The Dolio web app sets a single authentication cookie (better-auth.session_token) that keeps you signed in. It is strictly necessary for the service to function and is exempt from consent under Article 5(3) of the ePrivacy Directive. We do not use analytics, advertising, or social-media cookies.

How long we keep your data

  • Account data (email, name, sign-in identifiers, push token) — for as long as your account exists.
  • Group and expense content you created — for as long as the group exists. When you delete your account, your name on each shared expense is replaced with “Deleted user” and the link to your account is severed, so the remaining members keep their balances and history. The content itself is co-owned with the other group members and is not deleted automatically.
  • Server and access logs — up to 30 days, then deleted.
  • Email delivery logs kept by our email provider — according to that provider's retention policy (typically 30 days).

Who we share it with

We do not sell your personal data and we do not share it for third-party marketing. We rely on a small number of service providers (for hosting, email delivery, push notifications, and optional third-party sign-in) that process data on our behalf and only on our instructions.

Other members of any group you join can see the display name, expense descriptions, amounts, and splits you contribute to that group. That is the whole point of a shared expense tracker — pick group members carefully.

Where your data lives

Our database is hosted on Private VPS hosted in the EU in European Union. All connections use HTTPS/TLS. Some sub-processors (notably push and OAuth providers) process data globally; transfers outside the European Economic Area rely on the European Commission's Standard Contractual Clauses or an equivalent safeguard.

Your rights under the GDPR

If your personal data is processed by us, you have the right to:

  • Access the data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data erased (Art. 17). You can do this yourself from the app: Profile → Delete account.
  • Restrict or object to certain processing (Art. 18 and 21).
  • Receive your data in a portable format (Art. 20) — email us and we will send you a JSON export.
  • Withdraw consent at any time, without affecting prior processing.

To exercise any of these rights, email privacy@dolio.org. We respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands that is the Autoriteit Persoonsgegevens.

Security

We use TLS for all traffic, hash passwords with industry-standard algorithms, scope access to production systems to authorised maintainers only, and keep dependencies patched. No system is perfectly secure; please report suspected vulnerabilities to privacy@dolio.org.

Children

Dolio is not directed at children under 16. If you believe a child has registered, contact us and we will remove the account.

Changes to this policy

If we make material changes we will update the date at the top of this page and, where appropriate, notify you in the app before the change takes effect.

Contact

Privacy questions: privacy@dolio.org. General support: support@dolio.org.

© 2026 Dolio

Questions? support@dolio.org