Privacy Policy

Last updated: 22 February 2026

Finance Frank ABN 20 530 863 914 (“we”, “us”, “our”) operates the Finance Frank platform at financefrank.ai and app.financefrank.ai. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. Information we collect

We collect the following types of personal information:

Account information

Name, email address, mobile phone number, password (hashed), date of birth, state of residence.

Financial information

Assets, liabilities, income sources, transactions, budgets, goals, insurance policies, superannuation details, tax information (including Tax File Number if provided), ABN/ACN.

Entity information

Details of companies, trusts, SMSFs, and partnerships you manage.

Usage data

Pages visited, features used, API requests, IP address, browser type, device information.

AI conversation data

Messages you send to Frank (our AI advisor) and the responses generated.

Payment information

Processed by Stripe. We store your Stripe customer ID and subscription status but do not store credit card numbers.

Documents

Files you upload (e.g. loan agreements, policy schedules, valuations).

2. How we collect information

We collect personal information:

  • Directly from you when you create an account, enter financial data, upload documents, or interact with Frank.
  • Automatically through server logs and usage analytics when you use the platform.
  • From third-party services: Stripe (payment processing), Supabase (authentication), and market data providers.

3. Why we collect and use your information

We use your personal information to:

  • Provide and improve the Finance Frank platform and its features.
  • Generate personalised financial insights, health scores, and AI-powered recommendations.
  • Process subscription payments and manage your account.
  • Send service-related notifications (e.g. bill reminders, compliance alerts).
  • Maintain audit logs for security and compliance purposes.
  • Comply with legal obligations under Australian law.

We will not use your personal information for purposes unrelated to the above without your consent.

4. Third-party service providers

We share personal information with the following third parties, solely for the purpose of providing our services:

Provider           | Purpose                   | Data shared                                        | Location
-------------------|---------------------------|----------------------------------------------------|---------------
Supabase           | Database & authentication | All user data (encrypted at rest)                  | Australia / US
Stripe             | Payment processing        | Email, subscription status                         | US (PCI-DSS)
Anthropic (Claude) | AI advisor (Frank)        | Conversation messages, financial context           | US
Railway            | Backend API hosting       | All API requests (processed in memory, not stored) | US
Vercel             | Website hosting           | IP address, usage data                             | Global CDN

We do not sell, rent, or trade your personal information to any third party.

5. Cross-border data transfer (APP 8)

Overseas disclosure

In accordance with Australian Privacy Principle 8, we inform you that some of your personal and financial information is disclosed to overseas recipients as part of providing our services.

When you use Frank (our AI data assistant), a summary of your financial data and your conversation messages are sent to Anthropic (based in the United States) for AI processing. This includes:

  • Your conversation messages with Frank.
  • A contextual summary of your financial data (asset values, liability balances, income amounts, budget categories, goals, and transactions) used to provide relevant responses.
  • Your profile information (name, age, state, household type) for context.

Important safeguards:

  • Anthropic’s API does not use your data to train their AI models (per their commercial API terms).
  • Data is encrypted in transit (TLS) between our servers and Anthropic’s API.
  • We do not send raw sensitive identifiers (e.g. Tax File Numbers, bank account numbers, credit card numbers) to Anthropic.
  • Other overseas providers (Stripe in the US, Supabase with US infrastructure) process data as described in Section 4 above.

By using Finance Frank, you consent to this cross-border disclosure. If you do not wish your financial data to be processed overseas, you may use the platform without the Frank AI feature.

6. Data security

We take reasonable steps to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest (database-level encryption).
  • Application-level Fernet encryption (AES-128-CBC with HMAC-SHA256) of sensitive fields (e.g. Tax File Number).
  • Row-level security (RLS) ensuring users can only access their own data.
  • JWT-based authentication with token expiry and verification.
  • Rate limiting and input sanitisation to prevent abuse.
  • Audit logging of API access for security monitoring.
  • Security headers (X-Frame-Options, CSP, etc.) to prevent common web attacks.

7. Data retention

Active accounts

We retain your data for as long as your account is active.

Deleted accounts

Upon account deletion, we delete or anonymise your personal data within 30 days, except where retention is required by law.

AI conversations

Chat history is retained while your account is active and deleted upon account deletion.

Audit logs

Retained for 2 years for compliance and security purposes.

Payment records

Retained for 7 years as required by Australian tax law.

8. Your rights

Under the Australian Privacy Principles, you have the right to:

Access

Request a copy of the data we hold about you.

Correction

Request correction of inaccurate or incomplete information.

Deletion

Request deletion of your account and personal data.

Complaint

Lodge a complaint if you believe we have breached the Privacy Act.

To exercise any of these rights, contact us at the details below.

9. Data breach notification

In the event of a data breach that is likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988:

  • Conduct a reasonable and expeditious assessment within 30 days of becoming aware of grounds to suspect a breach.
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable if a breach is assessed as an eligible data breach.
  • Notify affected individuals directly via email, including a description of the breach, the types of information involved, and recommended steps to protect themselves.
  • Take reasonable steps to contain the breach and mitigate any resulting harm.

10. Cookies and tracking

We use essential cookies for authentication and session management. We do not use third-party advertising cookies or tracking pixels. Local storage is used for user preferences (theme, notification settings).

11. Children

Finance Frank is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

privacy@financefrank.ai

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).