Legal text
Privacy Policy
Last updated: 25 June 2026 · Version: 1.1
This Privacy Policy explains how Cepte Kalsın collects, uses, shares and protects personal data when you use our website, web app and mobile apps. It is written for users outside Türkiye with European privacy standards in mind. Separate Turkish legal notices cover users in Türkiye.
Short version: Cepte Kalsın is a personal budgeting and cash-flow app. We do not connect to your bank account, ask for online banking credentials, collect card numbers or collect CVV. You add financial records yourself or approve drafts created from documents you choose to process. Uploaded bank statements, account activity PDFs and receipt images are not kept as document files by Cepte Kalsın. We do not sell your personal data or use your financial records for advertising profiles.
1. Controller and contact
Cepte Kalsın is operated by Emrah Garip. For privacy questions, account deletion requests and data-rights requests, contact us at destek@ceptekalsin.app.
If a Data Protection Officer or EU/EEA representative becomes legally required for the way the service is offered, we will publish those details in this notice. We may ask you to verify your identity before responding to a privacy request.
2. Personal data we collect
| Category | Examples |
|---|---|
| Account data | Name or display name, email address, password hash, email verification status and account settings. |
| Financial records | Income and expense transactions, amounts, descriptions, dates, categories, accounts, balances, credit card and overdraft tracking data, scheduled payments and monthly summaries. |
| Document-derived draft data | Dates, amounts, descriptions, transaction type and similar fields extracted from a bank statement, account activity PDF, receipt image or other document you choose to process. |
| Shopping and portfolio data | Shopping lists, item names, budget estimates, stock symbols, quantities, prices, transaction dates and portfolio information you enter. |
| Subscription and payment status | Plan type, Plus status, expiry date, payment status and payment-provider identifiers if paid features are enabled. We do not store full card details. |
| Security and technical data | IP address, device/session labels, browser or device information, login times, audit logs, request metadata, error logs and security event records. |
| Support and feedback | Messages, bug reports, feature requests and other information you send to us. |
| Website analytics data | If you allow analytics cookies: page views, visit time, traffic source, approximate location, device and browser information. |
Data we do not intentionally collect
- Online banking username/password, card number, CVV or bank login credentials.
- Your complete photo gallery, contacts or precise location.
- Advertising identifiers for third-party behavioural advertising.
- Uploaded bank statements, account activity PDFs or receipt images as permanent document files.
- Raw OCR text, raw PDF text or raw AI responses as separate draft records.
Sensitive information in documents
We do not ask you to provide special-category data such as health, religion, political opinions or similar sensitive information. Receipts or statements can sometimes reveal sensitive details. Please avoid uploading documents that contain sensitive details unless they are necessary for your personal budgeting use. If sensitive details appear in a document you choose to process, we process them only to provide the document-extraction feature and, where required, on the basis of your explicit action or consent.
3. Why we use personal data and our legal bases
| Purpose | Typical legal basis |
|---|---|
| Create and manage your account, authenticate you and provide app features you request. | Performance of a contract. |
| Store and display your budgeting, cash-flow, card, overdraft, portfolio, shopping-list and monthly-summary records. | Performance of a contract. |
| Create transaction drafts from receipts, PDFs, statements or account activity documents that you choose to process. | Performance of a contract; consent or explicit consent where required by law. |
| Provide Plus features and manage subscription status. | Performance of a contract; legal obligation for billing records where applicable. |
| Send service emails such as verification, password reset, security notices and essential account messages. | Performance of a contract and legitimate interests in account security. |
| Secure the service, prevent abuse, investigate errors and maintain reliable infrastructure. | Legitimate interests and, where applicable, legal obligation. |
| Respond to support requests and feedback. | Performance of a contract and legitimate interests in supporting users. |
| Measure public website traffic through optional analytics cookies. | Consent. |
| Comply with legal obligations and protect our legal rights. | Legal obligation and legitimate interests. |
We do not currently send marketing emails. If we introduce marketing communications later, we will ask for a separate opt-in where required.
4. Document, receipt, OCR and AI processing
When you use receipt scanning, OCR-assisted autofill or PDF transaction import, only the document or image you select is processed. Supported account activity PDFs can be parsed locally where the app can reliably extract the structured fields. If AI extraction is needed, the selected document area or relevant document content is sent to the AI/document-processing provider to create draft transactions.
Cepte Kalsın does not keep uploaded PDFs or images as document files after processing. Temporary technical copies can exist briefly during upload, extraction, transmission, security controls, debugging or automated cleanup. The records that remain in your account are the structured transaction details that you review and save.
AI and OCR outputs are suggestions. You should review dates, amounts, descriptions, categories and transaction types before saving them.
5. Service providers and sharing
We share personal data only where necessary to provide, secure, support or improve the service, or where required by law.
| Provider / category | Data involved | Purpose |
|---|---|---|
| Hosting and database infrastructure | Application data, database data and technical logs. | Web, API and database hosting. |
| Email provider | Email address, verification links/codes, password-reset links/codes and service email content. | Service emails. |
| Domain and DNS providers | Technical domain and DNS records. | Domain and DNS management. |
| Market data provider | Stock symbol and market code queried by the server. | Portfolio price updates. We do not send your email address or full portfolio to the market data provider. |
| AI/document-processing provider | Selected document area or relevant document content needed for extraction. | Creating transaction drafts from receipts, PDFs, statements or account activity documents. |
| Payment provider, if payments are enabled | Payment status, subscription identifiers and billing-related metadata. | Processing Plus payments and refunds. Card details are handled by the payment provider. |
| Google Analytics / Google Tag Manager | Website usage and traffic data, if analytics cookies are allowed. | Measuring public website performance and improving user experience. |
| Public authorities or legal advisers | Data required by a valid legal request or needed to protect rights. | Legal compliance, dispute handling and rights protection. |
6. International transfers
Some providers process data outside your country or outside the European Economic Area. Where European transfer rules apply, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, data-processing terms or another permitted transfer mechanism. AI/document processing and analytics providers can operate global infrastructure.
7. Cookies and similar technologies
We use necessary cookies and local storage for login, security and preferences. Optional analytics cookies are used only after you allow them. For details, see our Cookie Policy.
8. Retention and deletion
| Data group | Retention approach |
|---|---|
| Account and profile data | Kept while your account is active. Deleted or anonymised after account deletion unless we need limited records for legal, security or dispute purposes. |
| Financial records, shopping lists and portfolio data | Kept while your account is active or until you delete them. |
| Uploaded PDFs and receipt images | Not kept as document files after processing. Temporary processing copies are removed through automated routines. |
| Document-derived transaction drafts | Kept while needed for user review and then saved, edited or deleted according to your actions. |
| Security and audit logs | Kept for the period needed to protect accounts, investigate abuse, maintain service integrity and defend legal claims. |
| Email verification and password reset tokens | Short-lived and invalidated after use or expiry. |
| Backups | Kept for a limited operational period and removed by backup rotation. |
9. Security
- Passwords are protected using hashing rather than stored as plain text.
- Connections are protected with HTTPS/TLS.
- Sessions use token-based controls.
- New or suspicious device activity can trigger additional verification.
- Audit logs, rate limits and server-side security controls help detect abuse.
- Access to production systems is limited to what is needed to operate the service.
No online service is perfectly secure. If a data breach occurs, we will take appropriate steps and make legally required notifications.
10. Your rights
Depending on where you live, you can have rights to access, correct, delete, restrict or object to the processing of your personal data, withdraw consent, request a portable copy of your data and complain to a data protection authority. Withdrawing consent does not affect processing that happened before withdrawal.
To exercise these rights, contact destek@ceptekalsin.app. We respond within the time required by applicable law.
11. Automated decision-making
Cepte Kalsın does not use automated processing to make decisions about you that produce legal or similarly significant effects. OCR and AI features create editable suggestions. You decide whether to approve, edit or delete those suggestions.
12. Children
Cepte Kalsın is intended for users aged 18 or older. We do not knowingly collect children’s data. If we learn that a child’s data has been provided, we will delete it.
13. Changes
We will update this Privacy Policy when our data practices or legal requirements change. The latest version will be published on this page. If changes are material, we will provide an appropriate in-app notice or email notice.
