Privacy Policy
Last updated: 14 June 2026
Draft document — legal counsel review recommended.
1. Data controller
[To be configured] [To be configured] Email: [To be configured]
For beneficiary data processed to execute a split configured by a Customer, Divide generally acts as the Customer's processor, except where Divide determines its own purposes (user account, security, Divide billing).
2. Data processed
| Category | Examples | Purposes |
|---|---|---|
| Customer account | email, name, organisation, profile | Authentication, contract, support |
| Beneficiaries | name, email, KYC status (via Stripe) | Splits, invitations, notifications |
| Payments | Stripe IDs, amounts, statuses | Split execution and audit trail |
| Imported documents | contracts, reports (AI feature) | Split proposal — Customer validation |
| Technical logs | IP, logs, essential cookies | Security, fraud, availability |
| Newsletter | explicit opt-in | Divide communications |
Divide does not store card numbers; payment is processed by Stripe.
3. Legal bases
- Contract (Art. 6(1)(b) GDPR): Service delivery.
- Legitimate interest (Art. 6(1)(f)): security, proportionate product improvement, technical logs.
- Consent (Art. 6(1)(a)): newsletter, future non-essential cookies if added.
- Legal obligation (Art. 6(1)(c)): accounting and tax retention.
4. Recipients and processors
| Provider | Role | Location |
|---|---|---|
| Supabase | Auth, database | EU / project config |
| Vercel | Application hosting | EU / US (SCC) |
| Stripe | Payments, Connect KYC | EU / US (SCC) |
| Resend | Transactional email | EU |
| Anthropic | AI document extraction | US (SCC) — when enabled |
Appropriate contractual safeguards (DPA, SCC) are in place with relevant processors.
5. Retention
- Customer account: contract duration + 3 years after closure, unless longer legal retention.
- Split records: contract duration + 5 years.
- AI-imported documents: deleted within 30 days after processing unless retained in Customer workspace.
- Security logs: 12 months maximum.
6. Your rights
Under GDPR: access, rectification, erasure, restriction, objection, portability, and withdraw consent where processing is consent-based.
Contact: [To be configured]. Response within one month (extension possible).
Complaint: your supervisory authority (e.g. CNIL in France).
7. International transfers
Where data is transferred outside the EU/EEA without adequacy decision, Divide relies on EU Standard Contractual Clauses and supplementary measures where required.
8. AI and documents
Documents submitted for extraction are sent to a third-party model only to produce a split proposal. Divide does not use them to train public models. Customer must validate any proposal before execution.
9. Security
Appropriate measures: TLS, access control, database RLS, environment secrets, least privilege.
10. Cookies
See Cookie Policy.
11. Changes
We may update this policy. Material changes will be communicated by email or in-app notice.
12. Contact
[To be configured] — [To be configured]