Privacy Policy
Last updated: April 2026
Folko ("we", "our", "us") operates the Folko application and website (the "Service"). This Privacy Policy explains how we collect, use, and protect your information. The short version: your data is yours, we don't sell it, and we only use it to make Folko work for you.
1. Information We Collect
Account Information: When you sign up, we collect your email address and display name. Authentication is handled via one-time email codes — we never store passwords.
Financial Data: Transaction descriptions, amounts, categories, dates, and cashbook information you enter. This data is stored encrypted on secure cloud infrastructure and synchronized with your device for offline access.
Device Information: If you enable push notifications, we store a notification token to deliver alerts. We also collect basic platform information (iOS, Android, or Web) for compatibility purposes.
Receipt Images: If you use the receipt scanner, images are transmitted over an encrypted connection to Google's Gemini AI service for text extraction. Folko does not store the receipt image on its servers after processing — only the extracted transaction data you choose to save is retained in your account. Google's Gemini API does not use submitted images to train its AI models. Per Google's API terms, images may be retained briefly by Google for abuse monitoring before deletion.
2. How We Use Your Information
We use your information exclusively to provide and improve the Service:
- Authenticate your identity and secure your account
- Store and synchronize your financial data across your devices
- Deliver push notifications you've opted into
- Generate reports you request (CSV, Excel, PDF)
- Process optional subscription payments through platform-standard channels (Apple App Store, Google Play)
We do not use your financial data for advertising, profiling, analytics, or any purpose unrelated to the Service.
3. Data Sharing and Third-Party Subprocessors
We will never sell, rent, or trade your personal information. Period.
Your data is not shared with advertisers, data brokers, or any external parties for their own purposes. We use a small, carefully selected set of third-party service providers ("Subprocessors") to operate the Service. Each Subprocessor receives only the minimum data necessary for its function.
- Supabase, Inc. (United States) — provides our database, authentication, cloud storage, and real-time sync infrastructure. Receives: account information, financial data, member information.
- Sendinblue SAS d/b/a Brevo (France) — delivers one-time login codes by email. Receives: your email address only, for each login attempt.
- Google LLC, Gemini API (United States) — performs optical character recognition on receipt images you choose to scan. Receives: receipt image content only. Per Google's API terms, images are not used to train AI models and are retained only briefly for abuse monitoring.
- RevenueCat, Inc. (United States) — manages subscription state for Supporter and Patron tiers. Receives: anonymized subscription identifiers.
- Apple Inc. (Apple App Store) and Google LLC (Google Play) — process subscription payments. We never see or store your payment card details.
- Functional Software, Inc. d/b/a Sentry (United States) — collects crash reports and error diagnostics to help us fix bugs. We scrub personally identifiable information from error reports before transmission. Receives: anonymized crash and error data, never your financial data.
- Expo Push Notifications (United States) — delivers push notifications to your device. Receives: an anonymous device token only, never the notification content.
- CoinGecko Pte. Ltd. (Singapore) — provides Bitcoin price data for the Patron tier's cost basis feature. Receives: no user data. Folko fetches public price information.
- ExchangeRate-API (currency rates) and jsDelivr (currency rates fallback CDN) — provide currency conversion rates. Receive: no user data.
We will update this list any time we add or remove a Subprocessor. Substantial changes will be announced via email and in-app notification before they take effect.
4. Data Storage & Security
Data in transit is protected with TLS. Data at rest is encrypted on managed cloud infrastructure. Every account is isolated at the database level — no other user, and no third party, can read your cashbooks. Data stored locally on your device lives in encrypted local storage.
We follow industry-standard security practices, review our systems regularly, and run adversarial audits against our own code. No system is 100% immune, but we take every reasonable measure to protect your information.
If we discover a security breach that affects your personal data, we will notify affected users by email without undue delay and publish a public incident report describing what happened, what data was affected, and the steps we took to contain and remediate it.
5. Data Export & Deletion
Your data is always yours. You can request a copy of your personal data at any time by emailing hello@folko.io. We will provide your data in a standard machine-readable format within 30 days. For formatted, filtered reports (CSV, Excel, PDF), see the Reports feature available on Supporter and Patron tiers.
To delete your account and all associated data, open the Folko app and go to Settings → Delete Account. Deletion completes within 30 days. For questions, contact hello@folko.io.
6. Acceptable Use & Prohibited Content
Folko is a financial management tool. The receipt scanner and any file upload features are intended exclusively for legitimate financial documents. The following are strictly prohibited:
- Uploading illegal, obscene, pornographic, or otherwise inappropriate content
- Uploading files designed to exploit, damage, or compromise the Service or its infrastructure (including malware, viruses, or malicious payloads)
- Using the Service to facilitate fraud, money laundering, or any illegal activity
- Attempting to access other users' data or circumvent security measures
Violation of these terms may result in immediate and permanent account termination without prior notice. We reserve the right to report illegal activity to the appropriate authorities. No refunds will be issued for accounts terminated due to policy violations.
7. Children's Privacy
The Service is not intended for anyone under 13 years of age. We do not knowingly collect information from children. If we learn that a child under 13 has provided us with personal information, we will promptly delete it.
8. Community-Driven Development
Folko is built and maintained by an independent team committed to creating a genuinely useful finance tool — not a data harvesting operation. We have no investors pushing for user data monetization and no advertising model. The Service is free for everyone, with optional paid tiers for those who want to support ongoing development.
Your financial support as a Supporter or Patron goes directly toward maintaining our servers, keeping the app ad-free, and funding new features. We are accountable to our users, not to advertisers.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date and notify you via email and an in-app notice. Continued use of the Service after changes constitutes acceptance.
10. Artificial Intelligence Features
Folko uses third-party artificial intelligence ("AI") services to provide certain features. We disclose all AI processing here so you can make informed choices about your data.
Current AI Features
Receipt Scanning (OCR). When you use Folko's camera feature to scan a paper receipt, the photographed image is transmitted to Google's Gemini API (operated by Google LLC) for optical character recognition and structured data extraction. The API returns parsed text fields — merchant, date, amount, line items — which populate a transaction draft for your review.
Data Transmitted to AI Services
For receipt scanning, only the receipt image is transmitted. No user identifiers, account information, or other personal data accompany the image. The image is transmitted over an encrypted HTTPS connection.
Data Retention by AI Processors
Google has stated that data submitted via the paid Gemini API is not used to train Google's AI models. Google retains data briefly for abuse monitoring and policy enforcement as described in Google's API terms. Folko does not store the receipt image on its own servers after the OCR result is returned; only the parsed transaction data you choose to save is retained in your account.
Automated Decision-Making
The OCR feature performs text extraction only. It does not make decisions that produce legal or similarly significant effects on you. You review and confirm every transaction before it is saved to your cashbook.
Opt-Out
You may opt out of all AI processing by not using the camera-based receipt scanning feature. Manual transaction entry is fully supported and does not involve any AI service.
Future AI Features
If we add additional AI-powered features (for example, voice command processing or automatic category suggestions), we will update this section and notify you within the app before the feature is activated for your account.
11. Contact Us
Questions, concerns, or requests? Reach us at hello@folko.io. We read every email.