← Back to Aviary

Privacy Policy

Last updated: February 22, 2026

1. Introduction

Aviary ("we," "us," or "our") is a personal expense-splitting application operated by Greg Bigelow. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application at aviary.gregbigelow.com (the "Service").

The Service is intended solely for users located in the United States. By using the Service, you represent that you are located in the United States. If you are located outside the United States, you may not use the Service.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Display name (or derived from your email)
  • Password (hashed and salted by Supabase Auth; we never store or have access to your plaintext password)

Google OAuth

If you sign in with Google, we receive your name and email address from Google. We do not receive or store your Google password. We request only the minimum scopes necessary (email and basic profile). You may revoke Aviary's access at any time via your Google Account settings.

Usage Data

We collect data you voluntarily enter into the Service, including:

  • Group names and membership
  • Expense descriptions, amounts, dates, and split details
  • Activity logs generated by your actions within the Service

Automatically Collected Information

We use Vercel Web Analytics to collect anonymous, aggregated usage statistics (page views, visitor counts). Vercel Web Analytics does not use cookies, does not collect personally identifiable information, and does not track individual users across sites. No advertising trackers, fingerprinting scripts, or third-party tracking pixels are used anywhere in the Service.

Authentication Tokens

The Service stores authentication session tokens in your browser (via HTTP-only cookies) for the sole purpose of keeping you logged in. These are functional tokens, not tracking cookies. No other cookies are set.

3. How We Use Your Information

We use the information we collect exclusively to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Calculate balances and debts between group members
  • Display your activity within groups you belong to
  • Send essential account-related communications (e.g., email confirmation)

We do not use your data for advertising, profiling, behavioral targeting, data mining, or selling to third parties. We will never sell, rent, or trade your personal information.

4. Data Sharing and Disclosure

Your data is shared only in the following limited circumstances. There are no other circumstances in which we share your data.

  • Within groups: Other members of a group you belong to can see your display name, expenses you've added, and balance information within that group. They cannot see your email address, your data in other groups, or any other account information.
  • Service providers: We use the following third-party services that process data on our behalf:
    • Supabase (database hosting and authentication) — stores all user data; hosted on AWS in the United States. Supabase Privacy Policy
    • Vercel (application hosting and anonymous analytics) — processes HTTP requests; hosted in the United States. Vercel Privacy Policy
    • Google (OAuth authentication only, when user chooses Google sign-in) — provides email and name. Google Privacy Policy
  • Legal requirements: We may disclose your information if required to do so by law, court order, subpoena, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5. Data Storage and Security

Your data is stored in Supabase's cloud infrastructure in the United States (AWS). We implement the following security measures:

  • Row-Level Security (RLS) policies on all database tables
  • Server-side authentication verification on all API routes
  • Input validation using schema validation (Zod) at all API boundaries
  • HTTPS encryption for all data in transit
  • Encryption at rest for all stored data (provided by AWS/Supabase)
  • Passwords hashed using bcrypt (handled by Supabase Auth)
  • Atomic database transactions for all multi-table mutations (preventing partial writes)

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from factors beyond our reasonable control.

6. Data Breach Notification

In the event of a data breach that compromises your personal information, we will make reasonable efforts to notify affected users without unreasonable delay, consistent with the needs of law enforcement and any measures necessary to determine the scope of the breach. Notification will be sent to the email address associated with your account.

7. Data Retention and Deletion

We retain your data for as long as your account is active. You may request deletion of your account and all associated data by contacting us. Upon receiving a verified deletion request:

  • Your account, email, display name, and personal information will be permanently deleted within 30 days
  • Expenses you created will be retained in anonymized form for the integrity of other users' group records, or deleted entirely if you are the sole member of a group
  • Data may persist in encrypted backups for up to 30 additional days

We reserve the right to delete accounts that have been inactive for more than 24 months, with 30 days' prior notice sent to your registered email address.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your data in a portable format
  • Withdraw consent for data processing at any time by deleting your account

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

We do not sell your personal information. We have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.

Categories of personal information we collect (per CCPA definitions): Identifiers (email address, display name, account ID); Internet or electronic network activity information (anonymous aggregated analytics only); Financial information (expense amounts you enter — we do not collect bank, credit card, or payment information).

10. US State Privacy Rights

If you are a resident of a US state with a comprehensive privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other states that enact such laws), you may have additional rights similar to those listed above. We will honor valid requests to access, correct, or delete your personal information. To exercise these rights, contact the Service operator.

11. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices, content, or security of those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. This policy is reviewed at least annually. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

14. Contact

For questions about this Privacy Policy, to exercise your data rights, or to submit a data deletion request, post to our support group at groups.google.com/g/aviary-support.