Frank ("the application", "we") processes your personal data in accordance with Turkish Personal Data Protection Law No. 6698 (KVKK) and applicable regulations. This policy explains what data we collect, why, with whom we share it, and your rights.
1. Data Controller
The data controller for personal data processed through this application is Ozan Can Sisman, acting as an individual.
- Name: Ozan Can Sisman
- Address: Suadiye Mah. İclal Karabekir Sok. Ada Apt 19/26, Kadıköy 34740, İstanbul, Türkiye
- Email: privacy@unclefrank.app
- Website: unclefrank.app
2. Personal Data Processed
Account information
- Name and surname
- Email address
- Password (stored as an irreversible hash)
- Optional profile preferences (age range, income range, household status)
Financial data — Information you enter into the app
Frank is not directly connected to any bank or financial institution and has no access to any bank API. The following information is entirely entered manually by you or extracted from documents you upload; the accuracy is your responsibility.
- Bank accounts you define (bank name, account name, user-entered balance)
- Income and expense transactions you record
- Installment purchases and subscriptions you add
- Debts and receivables you define
- Investment and asset information you add (gold, crypto, deposits, etc.)
Files you optionally upload
- Bank statements (PDF) — deleted after analysis is processed, not permanently stored
Automatically generated analytical data
The following derived data is generated as a result of Frank processing files you upload and information you enter:
- Transaction list extracted from statements you upload
- Categorized spending patterns
Usage data
- In-app interactions (page views, button clicks)
- Device information (operating system, model, language preference)
- IP address and general location (country/city level)
- Error logs and performance data
Mehmet Amca AI interactions
- Questions you ask Mehmet Amca and the responses provided
- Financial context required for the AI to provide personalized advice
3. Purposes of Processing
- Creating and managing your account
- Providing Frank's core services (bank statement analysis, expense tracking, AI advice)
- Managing your subscription
- Fulfilling our legal obligations
- Improving service quality
- Ensuring security and preventing fraud
- Communicating with you (important system notifications)
4. Legal Basis (KVKK Article 5)
- Explicit consent: The consent you provide when creating your account
- Performance of a contract: Necessary to provide the Frank service to you
- Legal obligations: Under tax and commercial record-keeping legislation
- Legitimate interests: Service improvement, security, fraud prevention
5. Data Recipients (KVKK Articles 8 and 9)
To provide its service, Frank works with the following third-party service providers:
| Provider | Purpose | Location | Data Transferred |
|---|---|---|---|
| Supabase | Database, authentication | Frankfurt, Germany (EU) | All user data |
| Vercel | Web hosting | Frankfurt + global CDN | Request logs, IP |
| Anthropic | AI services (Mehmet Amca, statement analysis) | USA | Transaction data, AI prompts |
| Apple | iOS subscription billing | USA | Email, payment information |
| | Android billing, OAuth login | USA | Email, payment information |
| RevenueCat | Subscription management | USA | User identifier, subscription status |
| PostHog | Product analytics | EU | Anonymized interaction data |
| Adjust | Mobile marketing attribution | EU | Device identifier, install events |
International transfers: Some services are located in the USA. Under KVKK Article 9, we obtain your explicit consent at registration for these transfers. Transfers to EU member states are based on the recognition that these countries provide an adequate level of protection.
6. Retention Period
- Active account: As long as your account remains active
- After account closure: 5 years (for commercial record-keeping obligations under the Turkish Commercial Code and the Tax Procedure Law)
- At the end of this period, data is permanently deleted or irreversibly anonymized
You may delete your account at any time. In that case, financial data is anonymized within 30 days; account metadata is retained for 5 years due to legal obligations.
7. Data Subject Rights (KVKK Article 11)
You have the following rights:
- To learn whether your personal data is being processed
- To request information if it has been processed
- To learn the purpose of processing and whether it is used appropriately
- To know the third parties to whom data is transferred domestically or internationally
- To request correction if data has been processed incompletely or incorrectly
- To request deletion or destruction of data
- To request that correction, deletion, and destruction operations be communicated to third parties
- To object to a result that arises against you through analysis solely by automated systems
- To request compensation for damages incurred due to unlawful processing
To exercise these rights, you may submit a written application to privacy@unclefrank.app. Under KVKK Article 13, your application will be answered free of charge within 30 days.
8. Data Security
- All data is encrypted in transit and at rest (TLS 1.3, AES-256)
- Passwords are irreversibly hashed using the bcrypt algorithm
- Database access is protected by Row-Level Security (RLS)
- Regular security audits are conducted
- API rate limiting and input validation are applied
9. Children
Frank does not accept users under the age of 16. Accounts identified as belonging to users under 16 are immediately closed and their data is deleted. Users between the ages of 16 and 18 require legal guardian consent to open an account.
10. Cookies
For detailed information about our use of cookies, see our Cookie Policy.
11. Policy Updates
Material changes to this policy will be communicated to you by email or in-app notification. Updates are published on this page and the last updated date is shown above.
12. Contact
For questions and applications: privacy@unclefrank.app