Privacy Policy
Effective date: 6 April 2026 · Last updated: 6 April 2026
Defray (“we”, “us”, “our”) operates the Defray mobile application (iOS & Android) and the website at defray.app (together, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service.
By accessing or using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
- Account information — full name, email address, phone number, and password when you create an account.
- Identity verification (KYC) — government-issued ID type (driver licence or passport), ID number, date of birth, and residential address. This is required under Australian regulations before you can access card-issuing features.
- Payment information — top-up amounts and contribution details. Actual payment card numbers are processed by our payment partner Airwallex and are never stored on our servers.
- Group & event data — group names, occasion types, destinations, dates, budgets, availability responses, votes, and expenses you create or participate in.
- Receipt images — photos you capture using the receipt scanner feature for expense itemisation.
- Waitlist information — email address submitted through the website waitlist form.
1.2 Information Collected Automatically
- Device information — device model, operating system version, unique device identifiers, and app version.
- Push notification tokens — Expo push tokens stored to deliver notifications to your device.
- Security data — jailbreak/root detection results and biometric authentication events (success/failure, never biometric data itself) for fraud prevention.
- Usage data — screens visited, features used, and interaction patterns to improve the Service.
- Transaction data — card tap amounts, merchant names, timestamps, and currency for expenses processed through the shared virtual card.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account and authenticate your sessions.
- Verify your identity for KYC compliance under the Australian ePayments Code and applicable AML/CTF legislation.
- Process group fund contributions, issue shared virtual cards, and settle expense splits.
- Send push notifications about card taps, expense additions, group invitations, votes, and settlement updates.
- Calculate organiser reliability scores based on payment and event history.
- Detect compromised devices (jailbroken/rooted) and prevent fraudulent access.
- Improve, personalise, and maintain the Service.
- Communicate with you about updates, security alerts, and support requests.
- Comply with legal obligations, resolve disputes, and enforce our Terms of Service.
3. How We Share Your Information
We do not sell your personal information. We may share it with:
- Airwallex — our payments partner that issues virtual cards, processes transactions, and manages wallets. Airwallex holds an Australian Financial Services Licence (AFSL) and processes data under its own privacy policy.
- Supabase — our backend infrastructure provider (database hosting, authentication, edge functions) with servers located in Sydney, Australia.
- Expo / Expo Push Notification Service — to deliver push notifications to your device.
- Group members — your name, contribution status, reliability score, and expense activity are visible to other members of groups you join. This is essential for the Service to function.
- Law enforcement & regulators — when required by law, court order, or regulatory obligation.
4. Data Storage & Security
- All data is stored on Supabase servers in Sydney, Australia (ap-southeast-2).
- Authentication tokens are stored in the device’s secure enclave — iOS Keychain and Android EncryptedSharedPreferences via Android Keystore. Tokens are never stored in plaintext.
- High-value actions (top-ups over A$200) require biometric re-authentication (Face ID, fingerprint, or device PIN).
- The app performs jailbreak and root detection at launch and blocks access on compromised devices.
- All network communication uses TLS encryption.
- Airwallex API credentials are stored as server-side secrets and are never exposed to the client application.
5. Your Rights
Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate or incomplete information.
- Deletion — request deletion of your account and associated data, subject to legal retention requirements.
- Notification opt-out — disable push notifications at any time via the app’s profile settings or your device settings.
- Complaint — lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
To exercise any of these rights, email us at team@defray.app.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account:
- Account details and profile information are deleted within 30 days.
- Transaction and expense records may be retained for up to 7 years to comply with Australian financial record-keeping obligations (AML/CTF Act, Tax Act).
- KYC verification records are retained for the minimum period required by law.
- Anonymised, aggregated data may be retained indefinitely.
7. Cookies & Tracking (Website)
The Defray website uses minimal, essential cookies for functionality (e.g., session management). We do not use third-party advertising trackers. The waitlist form stores your email in our Supabase database solely for launch notifications.
8. Children’s Privacy
The Service is not directed at anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at team@defray.app and we will delete it promptly.
9. International Data Transfers
Your data is primarily stored in Australia. Some service providers (Expo, Airwallex) may process data in other jurisdictions. Where this occurs, we ensure appropriate safeguards are in place consistent with the Australian Privacy Principles.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the app or sending a push notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: team@defray.app
- Website: defray.app