SlyceItSplit bills instantlySign in

Privacy Policy

Last updated: June 7, 2026

SlyceIt is built to do one job — split a restaurant bill — and to keep what it needs to do that job, and nothing else. This notice describes what personal data we collect, why, who else sees it, and your rights. It is issued in accordance with Malaysia’s Personal Data Protection Act 2010 (as amended), which we refer to here as the “PDPA”.

Who we are (the data controller)

For the purposes of the PDPA, the data controller responsible for your personal data is the operator of SlyceIt (“SlyceIt”, “we”, “us”), reachable at hello@slyceit.app. This notice is published in English. A Bahasa Malaysia version is available on request via the same address; if there is any conflict between the two, the Bahasa Malaysia version prevails as required under Section 7(3) of the PDPA.

Legal basis for processing

We process your personal data on the basis of your consent, which you give by signing in and using SlyceIt, and as necessary to perform the service you ask us for (splitting and tracking a bill). Where we rely on consent, you may withdraw it at any time — see Your rights under the PDPA below. We do not process sensitive personal data (as defined in the PDPA), and we ask that you do not enter any into the service.

What we collect from hosts

When you sign in with Google, we receive and store your name and email address from Google. We use these to identify your account and show your bills back to you. We do not receive your Google password, contacts, or any other Google profile data.

You can also set, and we will store:

  • A display name (which overrides the name we received from Google)
  • A default currency and country preference
  • Payment instructions you want shown to your guests (e.g. bank, DuitNow, or e-wallet details)

What we collect from guests

Guests do not sign in. When a guest opens a bill link and starts claiming items, we store only the name they type in, the items they claim, and whether they have marked themselves as paid. No email, phone number, or account is required.

Why we collect it

We use the personal data above only for the following purposes:

  • To create your account, authenticate you, and show you your own bills.
  • To run a bill: parse a receipt, let guests claim items, and track who has claimed and paid.
  • To display the payment instructions you chose, so your guests know how to pay you.
  • To keep the service secure, prevent abuse, and diagnose technical problems.
  • To understand aggregate, non-identifying usage so we can improve SlyceIt.

We do not sell your personal data, and we do not use it for any purpose unrelated to those above without first obtaining your consent.

Receipt images

When you scan a receipt, the image is sent to our OCR provider (OpenAI), parsed into structured line items, and then discarded. SlyceIt does not store the receipt image. We only keep the parsed items, taxes, and totals as text records linked to your bill.

Payments

SlyceIt does not process payments. Friends pay you directly through whatever method you set up (bank transfer, DuitNow, e-wallet, etc.). We do not see, store, or transmit any payment credentials, card numbers, or bank passwords — only the display instructions you typed in yourself.

Third-party services we rely on

  • Google — OAuth sign-in for hosts.
  • OpenAI — vision-based OCR on receipt images (in-memory, not retained on our side).
  • Vercel — application hosting and request logs.
  • Neon — Postgres database where bills, items, and claims are stored.
  • Pusher — real-time updates so the host's view stays in sync with guest claims.
  • Google Tag Manager — analytics loader. Specific tags configured server-side may collect aggregate usage data.

These providers process data only on our instructions to deliver the service, and not for their own independent purposes.

Transfers outside Malaysia

The third-party providers listed above operate data centres and processing infrastructure located outside Malaysia (for example in the United States, the European Union, and other regions). This means your personal data may be transferred to, stored, and processed outside Malaysia. We only use reputable providers that apply security and confidentiality protections comparable to those required under the PDPA, and we transfer only the data needed for each provider’s function. By using SlyceIt, you consent to this cross-border transfer for the purposes described in this notice.

How we keep your data secure

We take practical steps to protect your personal data from loss, misuse, and unauthorised access, in line with the Security Principle of the PDPA. These include encrypted connections (HTTPS), access controls, and limiting the data we collect and retain in the first place. No method of transmission or storage is completely secure, but we work to protect your data and to use providers that do the same.

Cookies

We use a session cookie (managed by NextAuth) to keep you signed in. Guests do not get a SlyceIt cookie — their progress is held locally in their own browser (localStorage) so they can reopen the same bill link and pick up where they left off; it never leaves their device and is not used for tracking. Analytics loaded via Google Tag Manager may set additional cookies.

Data retention and deletion

In line with the Retention Principle of the PDPA, we keep personal data only for as long as it is needed for the purposes above. Your account and your bills are kept while you have an account. Guest claim data is kept as part of the bill it belongs to. When personal data is no longer required, or on a valid deletion request, we delete or irreversibly anonymise it. If you want your account deleted, or specific bills removed, reach out via the contact page and we will handle it.

Your rights under the PDPA

As a data subject under the PDPA, you have the right to:

  • Access the personal data we hold about you.
  • Correct personal data that is inaccurate, incomplete, or out of date.
  • Withdraw your consent to our processing of your personal data (this may mean we can no longer provide the service to you).
  • Limit or stop processing of your personal data, including for any direct marketing.
  • Data portability — to request, where technically feasible, that your personal data be transmitted to another data controller.

To exercise any of these rights, email hello@slyceit.app. We may need to verify your identity before acting, and we will respond within the timeframe required by the PDPA. We may charge a small prescribed fee for a data access request where the law permits.

Data breaches

If a personal data breach occurs that is likely to cause significant harm, we will notify the Personal Data Protection Commissioner, and affected individuals where required, in accordance with the PDPA and its breach notification requirements.

Children

SlyceIt is not directed at children. We do not knowingly collect personal data from anyone under the age of 18 without the consent of a parent or guardian, consistent with Malaysian law. If you believe a child has provided us personal data, contact us and we will remove it.

Changes

If we change this policy in any material way, we will update the date at the top of this page. Continued use of SlyceIt after a change means you accept the updated policy.

Contact

Questions about this policy? Email hello@slyceit.app.