# SmartSpend — Privacy Policy

**Last updated: 2 June 2026**

This Privacy Policy explains what data SmartSpend (“the app”, “we”) collects,
why, and your rights over it. It is written to meet the EU/UK General Data
Protection Regulation (GDPR) and the Turkish Personal Data Protection Law
(KVKK — Kanun No. 6698).

**Data controller:** İsmail Tunç Kankılıç
**Location:** Mersin, Türkiye
**Contact:** ismail.tunc.kankilic@gmail.com

## 1. What we collect

We collect only what the app needs to work:

| Data | Examples | Why |
|---|---|---|
| Account data | Email address; auth provider (email, Apple) | Create and secure your account |
| Receipt images | Photos you scan or import | Optical character recognition (OCR) |
| Expense data | Amounts, dates, store names, categories, notes, budgets | Core app functionality |
| Diagnostics | Crash reports, performance traces, app breadcrumbs | Keep the app stable |

We do **not** collect advertising identifiers (no IDFA), we do **not** track
you across other apps or websites, and we do **not** sell your data.

## 2. How your data is processed

- **On-device OCR.** Receipt text is read on your device using Google ML Kit.
This does not send your image anywhere.
- **Cloud OCR fallback (Gemini Vision).** For receipts the on-device engine
can’t read, the image may be sent to Google’s Gemini Vision API to extract
text. Only the image is sent; it is not used to train Google’s models per the
API terms, and it carries no account identifier beyond what’s needed to call
the service.
- **Backend (Supabase).** Your account, expenses, and receipt images are stored
in Supabase (Postgres database + object storage). Every record is protected
by per-user Row Level Security, so only you can access your data. Receipt
images are stored privately and served only through short-lived signed URLs.
- **Diagnostics (Sentry).** Crash and performance data is sent to Sentry.
Sensitive fields (passwords, tokens, keys) are scrubbed before sending, and
email addresses are partially masked.

## 3. Legal basis (GDPR) / grounds (KVKK)

- **Performance of a contract** — to provide the app’s features you signed up
for.
- **Legitimate interests** — to keep the app secure and stable (diagnostics).
- **Consent** — for optional features (e.g. notifications); you can withdraw it
at any time in Settings or your device settings.

Under KVKK, processing is based on Art. 5/2 (necessity for a contract) and your
explicit consent where required.

## 4. Where your data is stored

Data is hosted on Supabase’s cloud infrastructure. Where data is transferred
outside your country (e.g. to EU or US regions), it is protected by appropriate
safeguards (such as Standard Contractual Clauses). Diagnostic data is processed
by Sentry.

## 5. How long we keep it

We keep your data while your account is active. When you delete your account
(Settings → Delete account), your expenses, receipts, and stored images are
permanently removed. Diagnostic data is retained for a limited period and then
deleted automatically.

## 6. Your rights

You can, at any time:

- **Access / export** your data — Settings → Download my data (CSV) or
Download PDF report.
- **Correct** your data — edit any expense, category, or receipt in the app.
- **Delete** your data and account — Settings → Delete account (irreversible).
- **Object / restrict / withdraw consent** — contact us using the address
above.

Under GDPR you may also lodge a complaint with your local supervisory
authority. Under KVKK you may apply to the data controller and, if needed, to
the Turkish Data Protection Authority (KVKK Kurumu).

## 7. Security

- Per-user Row Level Security on every database table — you can only ever read
your own rows.
- Data in transit is encrypted with HTTPS/TLS.
- Receipt images are private; access is granted only via signed URLs that
expire.
- We never store third-party API keys or service credentials in the app.

## 8. Children

SmartSpend is not directed at children under 13 (or the minimum age in your
country) and we do not knowingly collect their data.

## 9. Changes

We may update this policy. Material changes will be noted in the app and by
updating the “Last updated” date above.

## 10. Contact

Questions or requests: **ismail.tunc.kankilic@gmail.com**.