Privacy Policy
Effective May 9, 2026
Overview
Halver ("Halver," "we," "our") is operated by CloudPath, LLC. We built Halver with privacy as a core principle. Receipts stay on your device, money never flows through us, and email is transactional only — addresses you enter in the app are used to send you the receipts you asked for, nothing else.
Roles
Halver has two kinds of user, with different data flows:
- Host. Uses the iOS app to scan a receipt, share it with guests, track claims, and confirm payments. Signs in with Apple. Receives transactional email.
- Guest. Joins a session from any browser using a link or QR — no account or install required. Guests who already have the Halver iOS app installed are routed into the app instead via Universal Link; the data flow is identical. Types a display name, claims items, and follows a deep-link to their preferred payment app.
Receipt Photos and OCR
When the host snaps a photo of a receipt, the photo is processed entirely on the iPhone using the system Vision framework. Specifically:
- Receipt photos never leave your device. The image is not uploaded to our servers, not sent to any third-party OCR provider, and not retained in cloud storage.
- Only the extracted line-item text (item name, price, quantity), the merchant name, and the totals are uploaded — and only after the host reviews the extraction.
- If on-device OCR returns low-confidence results, there is no cloud fallback. The host is asked to retry or correct the items manually.
- The receipt photo itself remains in the host's iOS Photos library or app sandbox per the host's normal device behavior.
Authentication
Hosts sign in with Sign in with Apple. We validate the identity token against Apple's public key directory, then map the Apple identity (the sub claim) to an internal user identifier. We store:
- Provider and provider subject identifier (e.g., apple:001234.abc) — used to recognize you on subsequent sign-ins.
- An internal user ID we generate, used to associate your sessions and points contributions.
- The display name you choose.
- The email address described in the next section.
We do not store passwords.
Email — Address, Use, and Opt-Out
This section describes everything we do with your email address.
How we get the address.
- Hosts: the first time you sign in, Apple gives us the email associated with your Sign in with Apple identity — typically your iCloud Hide-My-Email relay address unless you've configured otherwise. We store this as the initial default. You can change the address Halver sends to at any time in iOS Settings → Halver → Receipt Email; the override applies immediately.
- Guests: the web guest flow includes an optional email field. There is no first-touch capture — the address is provided explicitly by the guest at the time of the session, and is used solely to send the single payment-confirmation receipt described below. Skip the field and Halver has no way to email you.
What we send. Halver sends transactional email only — never marketing, never newsletters, never promotional content. There are three triggers:
- Session summary to the host. When you close a session, you receive one email summarizing the meal — restaurant, date, line items, per-guest totals, payment status, and grand total. This is your durable accounting record.
- Per-payment confirmations to the host. When you confirm a guest's payment, you can optionally receive a separate "Y paid you $X for Z" email. Default off. Toggle in iOS Settings → Halver → Email me when I confirm a payment.
- Payment-confirmation receipt to the guest. When the host marks a guest's payment as received, Halver automatically sends a confirmation email to that guest. This trigger fires only if the guest provided an email address during the session; guests who don't enter an email don't receive anything.
Recipients. Hosts receive session summaries and (if enabled) per-payment confirmations. Guests receive a payment-confirmation receipt only if they opted in by providing an email when joining the session — and never any other kind of mail. There are no marketing or newsletter sends to either role.
Provider. Email is sent via Amazon Simple Email Service (Amazon SES), running in the same AWS account as the rest of our infrastructure. SES is the only email processor in the loop — no third-party email vendors, no marketing platforms, no enrichment services. Mail is encrypted in transit (TLS) and at rest in AWS.
Opt-out.
- Hosts: clear the Receipt Email field in iOS Settings → Halver → Receipt Email. Halver will stop sending you email until you re-enter an address.
- Guests: simply do not enter an email when joining a session. Halver has no other mechanism to contact a guest, so omitting the address opts you out completely.
There is no separate "unsubscribe" link in transactional receipts because the in-app and join-time controls are the canonical opt-out.
Retention. We do not retain email content after delivery. SES delivery and bounce events are logged (sender, recipient, timestamp, status) and retained in our AWS CloudWatch logs to monitor deliverability; logs are not used for marketing, profiling, or any purpose beyond operational observability.
Bounces and complaints. If a delivery bounces or a recipient marks a Halver email as spam, the event is recorded so we can investigate. We do not currently auto-disable sending on bounce or complaint, but we monitor these events and will follow up if there is a pattern.
Session Data
For each meal, we store a session record containing:
- The line items, totals, tax, and gratuity the host extracted from the receipt.
- Guest display names (typed at join), their item claims, and the per-guest totals computed from those claims.
- Payment status (confirmed by the host) for each guest.
- The restaurant name and identifier (resolved on the host's iPhone via Apple MapKit; we do not query Google Places).
Sessions are ephemeral by design. After a session is closed, anonymous-guest claims are collapsed into a single anonymous-aggregate record so individual anonymous guests are not retained as historical rows.
Web Guest Data
The web guest experience runs in your browser on Cloudflare's edge. We collect only what's needed to participate in the session you joined:
- The display name you type.
- The items you claim.
- An optional email address — only if you choose to provide one when joining. The address is used solely to send the single payment-confirmation receipt described in the Email section above, and is discarded with the rest of the session record after the session is closed.
- Standard request metadata (IP address, user agent) which Cloudflare logs briefly for abuse prevention.
Guests do not sign in and do not install anything. Email is opt-in: skip the address field at join and Halver has no way to contact you. The browser keeps a small local-storage marker so the same device returning to the same session is recognized as the same guest.
Payments
Halver does not process payments. When a guest is ready to pay, Halver opens a deep link to their preferred payment app (Venmo, Zelle, Cash App, etc.) with the amount pre-filled. Payment happens entirely in that third-party app, between guest and host. Halver never sees or stores your card number, bank account, or payment-app credentials. Confirmation that payment was received is recorded by the host manually inside Halver.
Crash and Usage Data
We use TelemetryDeck to collect anonymous, aggregate signals only:
- Anonymous crash reports — so we can find and fix bugs.
- Anonymous performance signals — session-level counts that help us spot regressions.
- Anonymous product-interaction counts — feature-usage tallies so we know which features get used.
TelemetryDeck does not collect IP addresses, does not use advertising identifiers, and does not create user profiles. We do not use Facebook Pixel, Google Analytics, AppsFlyer, Adjust, or any attribution SDK.
Third-Party Services
Halver interacts with the following external services:
- Apple — Sign in with Apple, Apple MapKit (for restaurant identification, on-device), Apple Push Notification service, and the Vision framework (on-device OCR).
- Amazon Web Services — our infrastructure provider. Lambda, DynamoDB, CloudFront, and SES (transactional email) all run in CloudPath's AWS account.
- Cloudflare — hosts the web guest experience.
- TelemetryDeck — anonymous crash and usage data as described above.
Children's Privacy
Halver is not directed at children and is rated 4+. We do not knowingly collect information from children under 13.
Your Rights (GDPR and International Users)
If you are located in the European Economic Area, United Kingdom, or another jurisdiction with comprehensive data protection laws, you have the following rights:
- Right to access: You can request a copy of the data we hold associated with your account.
- Right to deletion: You can request deletion of your account and associated data by contacting us at support@gethalver.com.
- Right to opt out of email: Clear the Receipt Email field in iOS Settings, as described above.
Legal basis for processing: We process session data on the basis of contract performance — you cannot use Halver without us storing the items you've claimed and the totals owed. We process anonymous crash signals on the basis of legitimate interest in app stability. Email is sent on the basis of your explicit configuration in iOS Settings.
Data Security
All communication between Halver and our servers uses HTTPS encryption. Data is encrypted at rest in AWS DynamoDB and S3. Email is encrypted in transit via TLS and at rest in Amazon SES. Access to production systems is restricted and logged.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of Halver after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this privacy policy, contact us at:
support@gethalver.com
CloudPath, LLC
Chicago, Illinois