Privacy Policy

Last updated: 30 May 2026

This Privacy Policy explains how we collect, use and protect your personal data when you use the Debty Telegram mini app and related websites (collectively, the “Service”).

We are committed to handling your data responsibly and transparently. While Debty is currently operated as an independent project without a separate legal entity, we aim to comply with applicable data protection laws, including where relevant the General Data Protection Regulation (“GDPR”) and similar laws in other jurisdictions.

1. Data controller and contact

For the purposes of data protection law, the individual developer(s) maintaining Debty act as the “data controller” for personal data processed through the Service.

If you have any questions or wish to exercise your privacy rights, you can contact us via our Telegram support bot: @debty_app_support_bot .

2. Data we collect

2.1. Data received from Telegram

When you use Debty inside Telegram, we receive authentication data from Telegram via the X-Telegram-Init-Data header. Subject to your Telegram settings, this may include:

• Your Telegram user ID;
• Your first name and last name;
• Your Telegram username;
• Your profile photo URL;
• Other technical data required to verify the request signature.

2.2. Data you provide directly

When you use the Service, you may provide the following information:

• Groups and expenses: group names and emojis, expense names, amounts, currencies, dates, who paid and who participated, and how each expense is split between users.
• Payment methods: details you choose to save so others can pay you, such as bank account information, Revolut or PayPal identifiers, or custom payment links.
• Receipt images (Premium feature): if you use the receipt-scanning feature available to Debty Premium subscribers, you may upload photos of receipts. These images are sent to our AI provider (Google Gemini) for processing and used to extract line items, prices and taxes. We do not store receipt images for longer than is reasonably needed to perform the scan and any related diagnostics — only the parsed expense data is saved in your group.
• Preferences: your preferred language and currency within Debty.

2.3. Automatically collected technical data

When you access the Service, our servers automatically collect certain technical information in logs, including:

• IP address;
• Date and time of requests;
• HTTP request data (such as requested URL and headers);
• Error messages and diagnostic information.

These logs are used for security, debugging and operational purposes and currently do not have a fixed automatic deletion date. We keep them as long as reasonably necessary for these purposes, after which they may be deleted or anonymized as part of system maintenance.

2.4. Subscription and payment data (Debty Premium)

If you subscribe to Debty Premium, payments are processed by Telegram using Telegram Stars. We do not see or store your card or banking details. We receive from Telegram only the information needed to grant you Premium access and to manage your auto-renewing monthly subscription, such as your Telegram user ID, the active Premium plan, the current billing period start and end dates, and the associated payment charge identifier (which we retain so that we can disable auto-renewal at your request). We use this information to activate Premium features, track when your subscription renews or expires, handle cancellation and support requests, and comply with applicable laws (for example, accounting and tax record-keeping where required).

2.5. eSIM order data

If you purchase an eSIM through the Service, we store information about your order so that we can deliver and operate it. This includes:

• The plan you chose, its data volume, duration and price (in Telegram Stars and in the underlying currency provided by the eSIM provider);
• The status of your order (for example: ordering, ready to install, installed, active, used up, expired or refunded);
• Provider-issued technical data needed to deliver and use the eSIM, including the ICCID, the LPA activation code, the QR code link, the order number generated by the provider and the corresponding Telegram payment charge identifier;
• Usage statistics received from the provider via webhooks (such as total, used and remaining data volume, and validity/expiration dates);
• Records of any top-ups (additional data packages) you purchase for an existing eSIM, with the same kinds of data as for the original order.

Payments for eSIM purchases are processed by Telegram via Telegram Stars; we do not see or store your card or banking details. We use eSIM order data to deliver your purchase, show you the status and usage of your eSIMs inside the mini app, handle refunds in eligible cases and respond to support requests.

3. How we use your data

We use your personal data for the following purposes:

• Providing the Service: to authenticate you via Telegram, create and manage groups, store expenses, calculate balances and debts, and display your payment methods to other group members.
• Premium features: to provide and manage your Debty Premium subscription, including processing receipt images you upload for AI-based scanning, activating Premium features for the current billing period, automatically renewing your subscription each month while it remains active, tracking when your Premium expires, handling cancellations and related support questions.
• eSIM purchases: to fulfil and operate the eSIMs you buy through the Service, including placing your order with our eSIM provider, delivering the eSIM profile (activation code and QR code) to you, displaying order status and usage information inside the mini app, processing refunds where eligible and handling related support requests.
• Operating and improving the Service: to monitor performance, detect errors, optimize user experience and plan new features.
• Security and abuse prevention: to protect the Service and its users from misuse, fraud and security incidents.
• Legal compliance: to comply with legal obligations (for example, accounting, tax and consumer-protection requirements related to Debty Premium purchases) and to respond to lawful requests from authorities, where required.
• Advertising and monetization: to display non-personalized or contextual advertising to free-tier users, and to prepare for any future use of personalized advertising. Personalized advertising or other technologies that require consent under applicable law will only be activated after we have obtained such consent.

4. Legal bases (EEA/UK users)

If you are in the European Economic Area or the UK, we rely on the following legal bases under the GDPR to process your personal data:

• Performance of a contract (Article 6(1)(b) GDPR): to provide the Service you request, including authenticating you, creating groups, storing expenses and calculating balances.
• Legitimate interests (Article 6(1)(f) GDPR): to ensure the security, stability and improvement of the Service, to keep logs for security and debugging, and to plan future features and monetization. We balance these interests against your rights and expectations.
• Consent (Article 6(1)(a) GDPR): for any future use of cookies or similar tracking technologies for advertising or analytics that require consent under applicable law. Where we rely on consent, you can withdraw it at any time with effect for the future.
• Legal obligations (Article 6(1)(c) GDPR): where we must retain or disclose data to comply with applicable laws.

5. Cookies and tracking

The mini app itself does not use browser cookies or third-party tracking pixels. We do not currently use analytics services such as Google Analytics or similar tools on the Service.

In the future, if we introduce cookies or similar technologies for analytics or advertising, we will update this Privacy Policy and, where required by law (for example in the EU/EEA), request your consent before enabling such technologies.

6. Advertising, Debty Premium, eSIM purchases and monetization

We monetize Debty in the following ways:

• Advertising on the free tier: we may show non-personalized or contextual advertising to users on the free tier of the Service. Where we use personalized or interest-based advertising, and applicable law (for example, in the EU/EEA) requires consent, we will request your explicit consent inside the Service before such advertising is enabled and will update this Privacy Policy with details of the relevant ad partners.
• Debty Premium subscription: we offer an optional auto-renewing monthly paid subscription called Debty Premium, which removes in-app advertising and unlocks additional features (such as AI receipt scanning, recurring expenses, charts, expense exports and a discount on eSIM purchases). Premium is sold through Telegram’s in-app payment system using Telegram Stars. Telegram processes the payment and we receive only the information described in section 2.4. You can cancel auto-renewal at any time inside the mini app; your Premium access remains until the end of the already-paid period.
• eSIM purchases: users can buy international mobile data plans (eSIMs) inside the mini app. eSIMs are provisioned and operated by our third-party eSIM provider (eSIMAccess) and paid for in Telegram Stars. We process the order data described in section 2.5 to deliver and operate your eSIM.

If we introduce additional monetization mechanisms that involve processing your personal data (for example, new advertising partners or analytics tools), we will update this Privacy Policy and, where required by law, obtain your prior consent.

7. How we share your data

We do not sell your personal data. We share data only in the following limited circumstances:

• Within your groups: Other members of your groups can see information necessary to understand balances and payments, such as expenses, who paid, who participated, and any payment methods you choose to share.
• Service providers and infrastructure: We may use hosting, database, logging and similar infrastructure providers who process data on our behalf and are contractually required to protect it.
• Exchange rate API: We use a third-party exchange rate service to fetch currency conversion rates. We do not send them personal data about individual users; requests typically include only technical information needed to fetch rates.
• Google Gemini (AI receipt scanning): If you use the receipt-scanning feature included in Debty Premium, the receipt image you upload is sent to Google Gemini for processing in order to extract line items, prices and taxes. Such requests are processed under Google’s applicable terms and privacy policy. We do not include your Telegram identity in those requests beyond what is necessary to operate the feature.
• Telegram (Debty Premium and eSIM payments): Purchases of Debty Premium and eSIMs are processed by Telegram via Telegram Stars. Telegram acts as the payment processor and handles your payment information under its own terms and privacy policy. We receive from Telegram only the information needed to grant Premium access and to deliver your eSIM order (see sections 2.4 and 2.5).
• eSIM provider (eSIMAccess): If you purchase an eSIM, we send our eSIM provider (eSIMAccess) technical order data such as our internal order identifier, the chosen plan code, the price and the number of eSIMs. We do not send the provider your Telegram identity, name, email, phone number, ID documents, device identifiers or IP address. The provider returns to us, via API responses and webhooks, the information needed to deliver and operate your eSIM (such as the ICCID, activation code, QR code link and usage statistics). The provider’s own processing of the data sent to it is governed by its terms and privacy policy.
• Legal reasons: We may disclose data if required by law or in response to valid legal requests (for example, from law enforcement authorities), where we believe in good faith that disclosure is necessary.

8. International data transfers

Our servers are currently located in Germany. Depending on your location and on the infrastructure providers we use, your data may be transferred to and processed in other countries that may have different data protection laws than your country.

Where required by law, we will take appropriate safeguards to protect personal data during such transfers, for example by using standard contractual clauses approved by the European Commission for transfers outside the EEA.

9. Data retention

We keep your personal data for as long as needed to provide the Service and for other legitimate purposes described in this Policy, including security, debugging and legal compliance.

In particular:

• Account and group data (such as user profiles, groups, expenses and balances) are kept while your account remains active and your groups and expenses are stored in Debty.
• Server logs are currently kept without a fixed automatic expiration date and are removed or anonymized as part of system maintenance or when no longer reasonably needed.
• If you request deletion of your account and data (see below), we will delete or anonymize your personal data unless we are legally required or allowed to keep it for longer.

10. Your rights

Depending on your location, you may have the following rights with respect to your personal data:

• Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy of it;
• Right to rectification – to have inaccurate or incomplete data corrected;
• Right to erasure – to request deletion of your personal data in certain circumstances;
• Right to restriction of processing – to request that we limit our processing of your data in certain cases;
• Right to data portability – to receive certain data in a structured, commonly used and machine-readable format and to transmit it to another controller;
• Right to object – to object to processing based on our legitimate interests, including profiling, on grounds relating to your particular situation;
• Where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us via the Telegram support bot @debty_app_support_bot . We may need to verify your identity and your relationship to the data requested.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

11. Account deletion

At the moment, you cannot delete your account directly from within the mini app. If you wish to delete your account and associated data, please contact us via the Telegram support bot @debty_app_support_bot .

After verifying your request, we will delete or anonymize your personal data unless we are legally required or allowed to keep it for longer (for example, if there are unresolved disputes or legal obligations).

12. Security

We take reasonable technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. Children

The Service is not intended for children under 16 years of age. If we learn that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete it.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date at the top of this page and, where appropriate, provide additional notice (for example, within the mini app or via Telegram).

Your continued use of the Service after the updated Privacy Policy becomes effective will constitute your acceptance of it.