Privacy Policy
Effective from June 7, 2026.
This policy explains what data the Julius app processes, why, on what legal basis, with whom we share it, and what rights you can exercise. The document applies simultaneously in the United States, the European Union, and the Russian Federation.
1. Who we are and how to reach us
The developer and data operator of the Julius app is BuddyTrips Global LLC, incorporated in the State of Wyoming, United States (registered address: 1309 Coffeen Ave ste 1200, Sheridan, WY 82801, United States), trading under the Julius / Sapa Tech brand (hereinafter — “we”, “us”, “our”).
You can contact us and submit any data-processing request via email at hello@sapa-tech.dev or by mail to our registered address: 1309 Coffeen Ave ste 1200, Sheridan, WY 82801, United States.
The same email serves as the single point of contact for requests under Articles 15–22 of Regulation (EU) 2016/679 (GDPR), Article 14 of Russian Federal Law No. 152-FZ “On Personal Data”, and the California Consumer Privacy Act (CCPA/CPRA).
2. Minimization principle
We deliberately do not ask you for your name, phone number, email, contacts, photo, or any other directly identifying information. A Julius account is anonymous by default. In this policy we describe not only what we process, but also what we intentionally do not collect — it is part of our product approach.
3. What data we process
We store on our servers:
- the anonymous account identifier (a random UUID) and the associated device identifier;
- the contents of your shared groups: expenses, shares, balances, transaction history;
- receipt photos that you upload for recognition;
- display names and comments that you voluntarily enter into a group;
- the Apple APNs push token, if you have enabled notifications;
- a short-lived authorization token (JWT) and a refresh token, in order to renew your session;
- technical request metadata: IP address, app and operating system version, interface language — in server logs and in our own error monitoring system.
If you email or call us, we additionally process the contents of your message and your contact details — solely in order to respond.
4. What we do not collect
We do not request and do not collect: geolocation, phone contacts, your real name, phone number, email (beyond voluntary correspondence with support), health data, biometrics, identification documents, banking or payment details. We do not use advertising identifiers (IDFA / GAID), do not include ad SDKs, do not transmit data to advertising networks, and do not profile you for marketing purposes. We do not sell your data and do not share it with data brokers within the meaning of the CCPA.
5. Purposes and legal grounds of processing
We process data strictly to make Julius work. The legal grounds within the meaning of Article 6 GDPR and Article 6 of Law No. 152-FZ are:
- performance of a contract (Art. 6(1)(b) GDPR; Art. 6(1)(5) of Law No. 152-FZ) — creating the anonymous account, syncing shared groups between participants, calculating balances, delivering push notifications;
- legitimate interest (Art. 6(1)(f) GDPR; Art. 6(1)(7) of Law No. 152-FZ) — protecting the service from abuse, diagnosing errors and crashes, information security;
- consent (Art. 6(1)(a) GDPR; Art. 6(1)(1) of Law No. 152-FZ) — transmission of receipt photos and audio recordings to external AI providers (see section 7). Consent is given by an explicit action — uploading a photo or tapping the voice record button — and can be withdrawn at any time.
6. Voice recording
If you use voice input to record an expense, the app records a short audio clip and sends it to our server for recognition. Once the text has been returned, the audio is not retained on the device or in our storage. You can revoke microphone access at any time in your device settings.
7. Processors and third parties
To run Julius we engage a limited set of contractors. They act as personal-data processors on our behalf (Art. 28 GDPR) and are bound by the corresponding contracts:
- Avoro IT SIA (Latvia, European Union) — hosting of servers, the database, and our own error monitoring system;
- Timeweb (timeweb.cloud) (Russian Federation) — S3-compatible object storage for receipt photos;
- Google Ireland Limited / Google LLC — the Gemini model for recognizing receipt photos and voice expense descriptions;
- Apple Distribution International Ltd. — the Apple Push Notification Service (APNs) for delivering notifications.
Requests to Gemini do not include the account identifier, push token, or any other information by which the provider could directly identify you. We run error monitoring on our own instance, deployed on the same Avoro servers as the main backend — incident data does not leave our infrastructure. We do not perform any other transfers of data to third parties.
8. Cross-border transfer
Our company is incorporated in the United States, our database servers are located in Latvia (European Union), receipt-photo storage is located in the Russian Federation, and some of our contractors operate in the United States and Ireland. When you use Julius, your data may cross national borders. For users in the Russian Federation, in accordance with Article 12 of Law No. 152-FZ, by providing data to us through the app you confirm that you are aware that processing also takes place on the territory of foreign states, and you consent to such cross-border transfer. For users in other jurisdictions whose laws restrict cross-border transfer of personal data, such transfer is performed on the basis of your explicit consent, expressed by using the app. As our audience grows, we will expand our contractual basis (including via GDPR standard contractual clauses with processors outside the EU) and notify you in an updated version of this document.
9. Where data is stored and for how long
Databases and server logs are located on Avoro IT SIA servers in Latvia (European Union). Receipt photos are in Timeweb’s S3-compatible storage in the Russian Federation. Retention periods:
- data for a shared group and its participants — as long as the group has at least one active participant;
- receipt photo — up to 90 days from upload, after which it is automatically deleted;
- refresh tokens — 60 days from the last request;
- server logs — up to 30 days;
- records in our error monitoring system — up to 90 days;
- an anonymous account that has had no activity for 12 months is deleted together with the associated content during a routine cleanup.
If you want to delete your account and its associated content immediately, email us at hello@sapa-tech.dev from the device that has Julius installed — that is enough for us to technically confirm ownership of the account.
10. Security
The connection between the app and the server is protected with TLS 1.2 or above. Authorization is based on short-lived JWTs and revocable refresh tokens. Receipt photos are served via one-time links with a limited lifetime. Database backups are stored in encrypted form; access to production infrastructure is restricted. Despite these measures, no system is absolutely secure — so we avoid storing information whose loss would cause you direct harm (payment data, identification documents).
11. Cookies and web analytics
The website julius.sapa-tech.dev does not use cookies, local storage for marketing purposes, or web analytics systems (Google Analytics, Yandex.Metrica, or similar). Inside the mobile app there are no tracking identifiers either. We do not respond to Do-Not-Track or Global Privacy Control signals simply because there is nothing for us to react to — we do not track you by default.
12. Children
Julius is intended for users 18 years of age and older. We do not request age information and we do not target the product at children. If we learn that a child under 18 has provided us with data without the consent of a legal representative, we will delete the account and the associated data upon the first reasonable request — in accordance with COPPA, GDPR-Kids (Art. 8), and the applicable Russian rules.
13. App Store
When you install and update Julius from the Apple App Store, the platform processes its own technical data (purchase identifier, device data, store analytics) under its own privacy policy. This data is not shared with us in an identifiable form. The iOS app ships with a PrivacyInfo manifest reflecting the declared data categories in the Privacy Nutrition Labels format.
14. Your rights
Depending on your country of residence, applicable law (GDPR, Law No. 152-FZ, CCPA/CPRA, and similar statutes) gives you the right to:
- obtain confirmation of processing and a copy of your data;
- request correction of inaccurate information or its deletion;
- withdraw previously given consent — at any time and without giving reasons;
- restrict processing or object to it;
- receive your data in a portable, machine-readable format;
- not be subject to fully automated decisions with legal effects (we do not make such decisions);
- opt out of the sale or sharing of personal data (we do not sell or share it — there is nothing to opt out of, but we acknowledge the right).
For California residents (CCPA/CPRA): you have the right to know what categories of personal information we collect, the right to request its deletion, the right to correction, and the right to non-discrimination for exercising these rights. To exercise them, email hello@sapa-tech.dev with the subject “CCPA Request”.
To exercise any of these rights, email hello@sapa-tech.dev. We will respond within 30 calendar days (45 days for CCPA requests) from the moment we have confirmed that the request comes from the account owner.
15. Complaints to supervisory authorities
If you believe that we are infringing your personal-data rights, you can lodge a complaint with the supervisory authority of your place of residence:
- in the Russian Federation — with Roskomnadzor;
- in the European Union — with the national data protection authority of the relevant country;
- in California — with the California Privacy Protection Agency (CPPA), as well as the Office of the Attorney General of California;
- in other U.S. states — with the Office of the State Attorney General of your place of residence.
We would be grateful if you wrote to us first — almost any question is resolved faster without a regulator.
16. Policy changes
We may update this document. The current version is always available at julius.sapa-tech.dev/privacy. We will notify you of material changes inside the app on the next launch at least 14 days before they take effect. The date of the latest update is shown at the top.
17. Contacts
Any questions about this document — to hello@sapa-tech.dev. We respond in Russian and English.
BuddyTrips Global LLC
1309 Coffeen Ave ste 1200, Sheridan, WY 82801
United States