Privacy Policy

Effective date: March 2026 · LevelUp Advisory Pty Ltd

Short version: Frank stores your notes, documents, and reminders to help you remember things. Your data is yours — you can export or delete it anytime. Photos you send are processed by AI but never stored as images.

🇦🇺 Australian Privacy Act 1988 GDPR-aligned No ads, ever

1. What we store

Account info: your name, email address, and encrypted password
Notes (snippets): text you type or dictate to Frank
Documents: files you upload (PDF, DOCX, TXT) — stored in your encrypted vault
Reminders: scheduled reminders you create, including date and recurrence settings
Telegram/WhatsApp chat ID: if you connect a messaging account, we store only the numeric chat ID to send you reminders
Subscription data: billing info is handled by Stripe — we never store card numbers

2. Photos and document scans

When you send a photo or scan to Frank:

The image is sent to Anthropic's Claude Vision API for text extraction
We use a strict, hardcoded prompt — your photo is never paired with user-supplied instructions
The raw image is deleted immediately after text extraction — it is never written to disk or stored in your vault
EXIF metadata (GPS, device info) is stripped before processing
Only the extracted text is saved to your vault — with your confirmation

📸 Your photos are processed ephemerally. We see only what the text says, not the image itself.

3. How we use your data

To answer your questions using your own vault content
To send you reminders via Telegram or WhatsApp
To maintain your account and subscription

We do not use your data to train AI models. We do not share your data with third parties except as required to operate the service (Anthropic for AI, Stripe for billing).

4. Security

Passwords are hashed with bcrypt — we cannot recover your password
All data is encrypted at rest on our servers
Sessions use secure, HTTP-only, same-site cookies
Rate limiting and login lockout protect against brute-force attacks
File uploads are validated by MIME type — not just extension

5. Your rights

Under the Australian Privacy Act 1988 and GDPR, you have the right to:

Access your data: GET /api/account/export — download everything as JSON
Delete your data: POST /api/account/delete — permanently removes your account, vault, and all associated data including ChromaDB vectors
Correct your data: contact us at justin@lvlup.org
Portability: your exported JSON is human-readable and machine-parseable

6. Data retention

We retain your data for as long as your account is active. If you delete your account, all data is permanently removed within 24 hours. Backups are rotated within 30 days.

7. Third-party services

Anthropic (Claude): AI language model provider — anthropic.com/privacy
Stripe: Payment processing — stripe.com/privacy
Telegram: Optional messaging channel — telegram.org/privacy

8. Contact

Privacy questions, access requests, or complaints:

LevelUp Advisory Pty Ltd
Email: justin@lvlup.org
Perth, Western Australia

We respond to privacy inquiries within 5 business days.