Privacy Policy
Gaia is the data controller responsible for the processing of personal data as described in this privacy policy.
https://www.bonshare.nl/
Questions about privacy or a request to access, rectify, or delete your data? Contact us at privacy@bonshare.nl.
Personal data we process
Gaia processes your personal data because you use our services and/or because you provide this data to us yourself.
Below is an overview of the personal data we process:
- First and last name (the display name in your profile and the names you add to receipts)
- Email address
- IP address (in the server logs of our backend and authentication provider)
- Receipt images and the line items, totals, and restaurant names extracted from them by AI
- Any other personal data you actively provide, for example by creating an account or in correspondence with us
Special and/or sensitive personal data we process
Our app and/or service does not intend to collect data about users under the age of 16, unless they have permission from a parent or guardian. We cannot verify whether a user is over 16, however. We therefore encourage parents to be involved in their children's online activities to prevent data being collected about children without parental consent. If you believe we have collected personal data about a minor without that consent, please contact us at privacy@bonshare.nl and we will delete the information.
Gaia processes your personal data for the following purposes
- Creating and managing your account (authentication via email/password, Google, or Apple)
- Automatically recognising the receipts you photograph, by temporarily sending the image to Anthropic (Claude) for text extraction
- Storing your receipts, trips, and participants so you can view and edit them later
- Calculating who owes what and generating shareable summaries (PDF or screenshot)
- Contacting you by email in response to questions, error reports, or GDPR requests
- Improving the quality, reliability, and security of the service
- Manual review of uploaded receipts to diagnose recognition errors and improve scan accuracy
Automated decision-making
Gaia does not use automated decision-making.
How long we retain personal data
Gaia does not retain your personal data for longer than is strictly necessary to achieve the purposes for which it was collected. We apply the following retention period:
- 24 months — counted from the moment of your last activity in the app. After 22 months of inactivity you receive a reminder by email. If no activity has taken place after 24 months, your account and all associated data are deleted.
Sharing personal data with third parties
Gaia shares your personal data with various third parties where this is necessary to perform the agreement or to comply with a legal obligation. With companies that process your data on our behalf, we conclude a data-processing agreement to ensure the same level of security and confidentiality for your data. Gaia remains responsible for these processing activities.
| Party | Category | Jurisdiction | Data shared | Purpose |
|---|---|---|---|---|
| Microsoft Azure (Cosmos DB, Blob Storage) | Processor | Netherlands (EEA) | User data, receipts, images | Database & storage |
| Google (Firebase Auth + App Check) | Processor | US (outside EEA) | Email, display name, hashed password, sign-in times, device attestation tokens | Authentication and abuse protection |
| Anthropic (Claude API) | Processor | US (outside EEA) | Receipt images, extracted text | AI receipt recognition |
| Google / Apple | Independent controller | US (outside EEA) | Account data | App store & sign-in |
Transfers outside the EEA
Several of the parties listed above are based in the United States, outside the European Economic Area (EEA). Transfers of personal data to these parties take place on the basis of the EU Standard Contractual Clauses (SCCs). We have entered into data-processing agreements with these parties that meet the requirements of the General Data Protection Regulation (GDPR). In addition, Google and Microsoft are certified under the EU-US Data Privacy Framework, which provides an additional legal basis for transferring personal data from the EEA to the United States.
Cookies and tracking
Analytics — only if you accept. If you say yes to the cookie banner, we load Microsoft's analytics tool to see what pages people visit and where things break. It uses a couple of cookies and some browser storage. Nothing loads until you accept. We remember your choice on this device for 6 months.
Server log — always on. Every page asks our backend for a tiny invisible image. That request lands in our server logs — your IP, browser, and the page URL — which we use to spot outages and measure traffic. Nothing is stored on your device. Lawful basis: legitimate interest (GDPR Art. 6(1)(f)). Logs are stored in Microsoft Application Insights, hosted in West Europe.
You can change your mind at any time.
Accessing, rectifying, or deleting your data
You have the right to access, rectify, or delete your personal data. You also have the right to withdraw any consent you have given for processing, or to object to the processing of your personal data by Gaia, and you have the right to data portability. This means you can ask us to send the personal data we hold about you to you, or to another organisation you specify, in a computer file.
You can send a request to access, rectify, delete, or transfer your personal data, or to withdraw your consent or object to processing, to privacy@bonshare.nl.
To make sure the access request was made by you, we ask you to include a copy of your identity document with the request. In this copy, please black out your passport photo, the MRZ (machine readable zone, the strip of numbers at the bottom of the passport), the passport number, and the Burgerservicenummer (BSN, the Dutch citizen service number). This is to protect your privacy. We will respond to your request as quickly as possible, and within four weeks at the latest.
Gaia would also like to inform you that you have the option to lodge a complaint with the national supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can do so via the following link: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons
How we secure personal data
Gaia takes the protection of your data seriously and takes appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure, and unauthorised modification. In particular, we take the following measures:
- Data is transmitted over encrypted connections (HTTPS/TLS)
- Data is stored on secure servers in the EU (Azure, West Europe region)
- Authentication is handled by trusted external providers (Firebase Auth via Google/Apple)
- Access to personal data is limited to authorised personnel
- Security measures are reviewed regularly
If you believe your data is not properly secured or there are signs of misuse, please contact us at privacy@bonshare.nl.
Last updated on 17 May 2026.