Privacy Policy

Version 2 — Effective April 4, 2026

1. Introduction

Split Infinity (“we”, “us”, or “our”) operates a payment-distribution platform that enables teams to receive supporter payments and distribute them to team members via Stripe Connect. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have over your data.

This policy applies to all users of the Split Infinity platform, including registered team owners, team members, and supporters who submit payments. If you have questions about this policy or wish to exercise your privacy rights, please contact us at [privacy@split-infinity.com].

Split Infinity is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and equivalent privacy frameworks in other jurisdictions. GDPR compliance forms the baseline for all data handling described in this policy.

2. Data We Collect

We collect and store the following categories of personal data:

Registered User Accounts

When you sign in using one of our trusted external identity providers, we receive your display name, email address, and a provider-specific identifier (e.g., your Google subject ID). We store these alongside a reference to your Stripe Connect account ID (an opaque identifier — no financial data). We do not store passwords or OAuth credentials; authentication is fully delegated to your chosen identity provider.

Team Memberships

We store your user ID and team ID in a membership record along with your share percentage and role. This record links your account to teams you belong to and is used to calculate your distribution amounts when payments are processed.

Payment Records

When a supporter submits a payment to a team, we store the supporter’s name and email address alongside the payment amount, Stripe charge reference IDs, and timestamp. The supporter’s name and email are used to confirm receipt, associate the payment with consent records, and support Stripe dispute resolution. We do not store card numbers, CVV codes, bank account details, or any other sensitive financial data — those are handled exclusively by Stripe.

Supporter name and email are targeted for anonymization after 180 days from payment completion, which covers Stripe’s 120-day card dispute window with a buffer. After that point, only the Stripe reference IDs and financial amounts are retained.

Distribution Records

For each payment processed, we store individual distribution records linking your member ID to the amount transferred to your Stripe account and the Stripe transfer reference ID. These are financial records required for accounting and regulatory purposes.

Team Invitations

When a team owner invites someone to join a team, we store the invitee’s email address and the inviting user’s ID. Invitation records are automatically purged after 30 days whether accepted or not.

Audit Logs

We maintain an audit log of significant platform actions (sign-ins, team changes, membership changes, payment events, administrative actions). Each entry records the action type, affected entity, the user who performed the action, and a timestamp. Audit log entries may contain user IDs and, in some cases, before/after values of changed fields (such as display names or email addresses). Audit logs are retained for 365 days and then automatically purged.

Teams

Team records store the team name, URL slug, owner reference, payment configuration settings, and timestamps for creation, modification, and archival. Teams are soft-archived rather than hard-deleted, preserving financial records for accounting purposes.

3. Lawful Basis for Processing (GDPR Article 6)

We process personal data only where we have a valid lawful basis under GDPR Article 6. The table below sets out each processing activity and its basis:

Processing Activity Lawful Basis Notes
Registered user account (email, display name, IDP reference) Contract — Art. 6(1)(b) Necessary to provide the platform service
Stripe Connect account creation and payout processing Contract — Art. 6(1)(b) Necessary to enable member payouts
Supporter name and email at checkout Consent + Contract — Art. 6(1)(a) & (b) Terms acceptance captured at checkout; required for receipt and dispute resolution
Team invitation emails Contract — Art. 6(1)(b) Performing the invite action the user requested
Transactional notifications (welcome, distributions, ownership) Contract — Art. 6(1)(b) Part of service delivery
Audit logging Legitimate Interest — Art. 6(1)(f) Security, fraud prevention, and dispute resolution
Financial records (payments, distributions, amounts) Legal Obligation — Art. 6(1)(c) Accounting and tax retention requirements (typically 7 years)
4. Data Retention

We retain personal data for the following periods:

Data Category Retention Period Reason
Registered user accounts (name, email, IDP reference) Until account deletion request is fulfilled Required for platform access
Team memberships and share percentages Until account deletion or team archival Required for distribution calculations
Financial records (payment amounts, distribution amounts, Stripe IDs) 7 years minimum Legal obligation — accounting and tax compliance
Supporter name and email 180 days from payment completion Stripe dispute window (120 days) plus buffer; anonymized thereafter
Team invitations (invitee email) 30 days (automatic purge) Invitation expiry period
Audit log entries 365 days (automatic purge) Security investigation and compliance window
Team records (name, slug, configuration) Indefinite (soft-archived) Financial record integrity
5. Third-Party Data Processors

We share personal data with the following third-party processors. Each processor acts under a Data Processing Agreement (DPA) with Split Infinity and is bound by contractual obligations to handle data only on our instructions and in compliance with applicable law.

Stripe, Inc.

Stripe processes payments, hosts the checkout experience, and manages Stripe Connect payouts to team members. Data shared: supporter email (for checkout), team member email (for Connect account creation). Stripe is certified to PCI DSS Level 1. Stripe’s privacy policy and DPA are available at stripe.com/privacy.

Microsoft Azure

Azure hosts the Split Infinity application and all data storage infrastructure (Azure Container Apps, Cosmos DB, Key Vault, Azure Communication Services for email). Data processed: all categories listed in Section 2. Microsoft’s DPA and privacy information are available at microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

Google (OAuth Identity Provider)

Google acts as an identity provider when users choose “Sign in with Google”. Google authenticates the user and provides Split Infinity with a verified name, email address, and a Google-specific subject ID. Google operates as an independent data controller for the authentication interaction. Google’s privacy policy is available at policies.google.com/privacy.

Microsoft (OAuth Identity Provider)

Microsoft acts as an identity provider when users choose “Sign in with Microsoft”. Similar to Google, Microsoft is an independent data controller for the authentication interaction. Microsoft’s privacy policy is available at privacy.microsoft.com.

GitHub (OAuth Identity Provider)

GitHub acts as an identity provider when users choose “Sign in with GitHub”. GitHub is an independent data controller for the authentication interaction. GitHub’s privacy policy is available at docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement.

6. International Data Transfers

Split Infinity’s infrastructure is currently hosted on Microsoft Azure in the United States. Where personal data of EU/EEA or UK residents is transferred to and processed in the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the lawful transfer mechanism under GDPR Chapter V. Our DPA with Microsoft incorporates the current EU SCCs.

Stripe, Inc. is also based in the United States and participates in the EU-U.S. Data Privacy Framework. Stripe’s DPA includes the applicable SCCs for EU/UK personal data transfers.

If you have questions about the specific safeguards in place for international data transfers, please contact us at [privacy@split-infinity.com].

7. Your Privacy Rights

Under GDPR and equivalent frameworks, you have the following rights with respect to your personal data:

Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you (a Subject Access Request, or SAR). We will provide a structured, machine-readable summary of your data. We aim to fulfil requests within 30 days as required by Article 12.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent. Note: we are required by law to retain financial records (payment amounts, Stripe reference IDs, distribution records) for accounting and tax purposes regardless of an erasure request. Where erasure applies, we pseudonymize your identifying data (name, email, IDP reference) rather than deleting financial records entirely.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. Your display name and email address are synchronized from your identity provider (Google, Microsoft, or GitHub) on each sign-in. To update these, change them in your identity provider account. For other corrections, contact us directly.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON).

Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your data in certain circumstances — for example, while a rectification request is being verified, or where you have objected to processing based on legitimate interest.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interest (such as audit logging). You can also opt out of specific notification types via your account notification preferences. To lodge a broader objection, contact us at [privacy@split-infinity.com].

8. How to Exercise Your Rights

To exercise any of the rights described in Section 7, contact us by email at [privacy@split-infinity.com]. Please include “Privacy Request” in the subject line and describe the right you wish to exercise (e.g., “Subject Access Request”, “Account Deletion”, “Data Correction”).

We will acknowledge your request within 72 hours and fulfil it within 30 days (GDPR Article 12). In complex cases, we may extend this to 90 days with notice.

You also have the right to lodge a complaint with your local data protection supervisory authority. In the EU, the relevant authority is determined by your country of residence. In the UK, the relevant authority is the Information Commissioner’s Office (ICO) at ico.org.uk.

We do not charge a fee for exercising your rights unless requests are manifestly unfounded, repetitive, or excessive.

9. Cookies

Split Infinity uses a small number of cookies, all of which are strictly necessary or functional. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

Cookie Inventory

Cookie Name Purpose Duration Classification
SplitInfinity.Auth Maintains your authenticated session after signing in 14 days (extended on activity) Strictly Necessary
.AspNetCore.Correlation.* Anti-CSRF security state during OAuth login redirect (Google, Microsoft, GitHub) Session (deleted after login completes) Strictly Necessary
.AspNetCore.Antiforgery.* CSRF protection token for form submissions Session Strictly Necessary
si-a11y Your accessibility preferences (colour theme, font, colour-blindness filter, motion) 365 days Functional

Authentication Session Cookie (SplitInfinity.Auth)

When you sign in, an encrypted session cookie named SplitInfinity.Auth is set to maintain your authenticated session. It is valid for 14 days and its expiry is extended on each request while you are active. This cookie is HttpOnly (not accessible to JavaScript), transmitted over HTTPS only, and scoped with SameSite=Lax. It is strictly necessary for the platform to function and is not used for tracking.

OAuth Security Cookies (.AspNetCore.Correlation.*)

When you initiate a sign-in via Google, Microsoft, or GitHub, ASP.NET Core sets a short-lived correlation cookie to protect the OAuth redirect flow against cross-site request forgery (CSRF). This cookie is deleted automatically once the login completes. It is HttpOnly, HTTPS-only, and carries no personal data.

CSRF Protection Cookie (.AspNetCore.Antiforgery.*)

A session-scoped antiforgery cookie is set by the framework to validate form submissions and protect against cross-site request forgery attacks. It is HttpOnly, HTTPS-only, scoped with SameSite=Strict, and contains no personal data. It is deleted when your browser session ends.

Accessibility Preferences Cookie (si-a11y)

We store your accessibility preferences as a browser cookie named si-a11y (expires after 365 days). This cookie holds a JSON object containing your chosen colour theme, font, colour-blindness filter, and motion preference. It contains no personal identifiers and is not used for tracking. It is read on the first page load to apply your preferences before JavaScript runs, preventing a flash of default styling.

No Consent Banner Required

Because all cookies used by Split Infinity are strictly necessary or functional, no consent banner is required under the ePrivacy Directive (2002/58/EC) or UK PECR. You may clear cookies at any time via your browser settings without affecting your ability to use the platform (you will simply need to sign in again and reconfigure your accessibility preferences).

10. California Residents (CCPA/CPRA)

This section addresses the rights of California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (Cal. Civ. Code § 1798.100 et seq.).

We Do Not Sell or Share Your Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Split Infinity does not disclose personal information to third parties for monetary consideration, and we do not share data with advertising networks or data brokers. Because no sale or sharing occurs, no “Do Not Sell or Share My Personal Information” opt-out link is required or provided.

Categories of Personal Information Collected

In the preceding 12 months, Split Infinity has collected the following categories of personal information as defined under CCPA:

CCPA Category Examples Collected by Split Infinity Purpose
Identifiers Name, email address, platform account ID, OAuth provider subject ID Account creation, authentication, team membership, payout enablement
Commercial information Payment history, distribution records, team membership and share percentages Payment processing, payout calculation, accounting
Internet or other electronic network activity Authentication session data, login timestamps, Stripe Connect account reference ID Security, audit logging, fraud prevention, payout routing

We do not collect Social Security numbers, financial account numbers, card data, geolocation data, biometric data, health information, or any other sensitive personal information as defined under CPRA. Card and bank details are handled exclusively by Stripe — we store only opaque Stripe reference IDs.

Your Rights as a California Resident

California residents have the following rights under CCPA/CPRA. The mechanisms for exercising these rights are the same as those described in Sections 7 and 8 — the rights provided to all users under GDPR apply equally to California residents.

Right to Know (CCPA § 1798.110)

You have the right to request disclosure of the specific pieces of personal information we have collected about you, the categories of personal information collected, the purposes for collection, and the categories of third parties with whom it is shared. This right is fulfilled by the Subject Access Request (SAR) process described in Section 7 (Right of Access, Art. 15).

Right to Delete (CCPA § 1798.105)

You have the right to request deletion of personal information we have collected about you, subject to exceptions for data we are required to retain by law (such as financial records). This right is fulfilled by the account deletion process described in Section 7 (Right to Erasure, Art. 17).

Right to Correct (CPRA § 1798.106)

You have the right to request correction of inaccurate personal information. This right is fulfilled by the rectification process described in Section 7 (Right to Rectification, Art. 16). Your display name can be updated in your account settings; email updates are made via your identity provider (Google, Microsoft, or GitHub).

Right to Non-Discrimination (CCPA § 1798.125)

We will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not result in denial of service, different pricing, a different level of service quality, or any other adverse treatment.

Financial Incentives

Split Infinity does not offer any financial incentives, price differences, or service differences in exchange for the collection, retention, or sale of personal information. No financial incentive disclosure is required under CPRA § 1798.125(b).

How to Exercise Your California Rights

To exercise any of the rights described above, contact us using the details in Section 12. Please include “California Privacy Request” in the subject line. We will respond within 45 days as required by CCPA § 1798.130, with a possible 45-day extension where reasonably necessary.

11. Changes to This Policy

We may update this Privacy Policy from time to time as our practices change or as required by law. When we make material changes, we will update the version number and effective date shown at the top of this page. For significant changes, we will notify registered users via email or an in-app notification before the change takes effect.

Previous versions of this policy are archived and accessible via versioned URLs in the format /privacy/v{"{N}"} (e.g., /privacy/v1). The current policy is always available at /privacy.

12. Contact Us

For questions about this Privacy Policy, to exercise your data subject rights, or to report a privacy concern, please contact us at:

Privacy Contact: [privacy@split-infinity.com]

Please allow up to 72 hours for an initial acknowledgement. Substantive responses will be provided within 30 days as required by GDPR Article 12.

An unhandled error has occurred. Reload 🗙

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.