Privacy policy

Version 1.0.0 — last updated: 16 avril 2026

1. Data controller

Ankora, published by Thierry Van Mele (Belgium). Contact: thierryvm@gmail.com.

2. Data collected

Ankora collects only the data strictly necessary to provide the service:

• Identity: email address, display name (optional).
• Financial data you enter: bills, expenses, categories, declared income, savings balance.
• Technical data: IP address, user-agent (for security logs only).
• Consents: timestamp, version, scope (terms, privacy, cookies).

Ankora does not connect to any bank (no PSD2 aggregation). You enter your bills and expenses yourself.

3. Legal bases (GDPR art. 6)

• Contract: providing the service (account, financial data).
• Consent: analytics/marketing cookies, newsletter.
• Legal obligation: security logs (12-month retention).
• Legitimate interest: fraud prevention, security maintenance.

4. Hosting and subprocessors

• Supabase (database, auth) — EU region (Frankfurt or Paris).
• Vercel (frontend hosting) — EU region (Dublin).
• Upstash (rate limiting) — EU region.

No data is transferred outside the EU/EEA.

5. Retention period

• Active account: for as long as you use the service.
• Deleted account: deletion takes effect 30 days after your request (cancellable grace period).
• Security logs: 12 months maximum, pseudonymised after account deletion.

6. Your rights (GDPR art. 15-22)

• Access: view your data at any time in your space.
• Rectification: edit profile and data in the dedicated pages.
• Erasure: "Delete my account" button in Settings → Privacy.
• Portability: "Download my data" button — full JSON export.
• Objection / Restriction: refuse or withdraw non-essential cookies at any time.
• Complaint: with the Data Protection Authority (Belgium).

7. Security

• Encryption in transit (TLS 1.3) and at rest.
• Supabase Row Level Security on all tables.
• Rate limiting, strict CSP, append-only audit log.
• Strong password authentication + MFA available.

8. Cookies

See the cookie policy.

9. Changes

Any material change to this policy is notified by email and requires your renewed consent to keep using the service.