Privacy Policy

Last updated: May 2026

This policy explains what data Inkome collects, why, where it lives, and the rights you have over it. We keep it short and plain because there is not much to hide: we do not run ad networks, we do not sell data, and we do not track you across the web.

Who we are

Inkome is an AI-native revenue operations platform operated by Ozan Gencer. When this policy says “we”, “us”, or “Inkome”, that is who we mean.

Contact: hello@inkome.app

Controller and processor roles

Inkome is a multi-tenant B2B product. For your account information (email, profile) we act as the data controller. For the business data your organization enters into the platform — deals, collections, costs, customers, employees, chat content — we act as a data processor on behalf of your organization, which remains the controller of that data. If you use Inkome as part of an organization, your organization's own privacy terms may also apply.

What we collect

• Account data: your email address and a hashed password, stored in Supabase (EU region). If you sign in with Google or GitHub, we receive your email address and basic profile from that provider.
• Profile data: display name and organization details, if you set them.
• Business data: the content you create inside Inkome — opportunities, collections, cost entries, employees, spaces, and related records — scoped to your organization and isolated per space.
• AI chat data: the messages you send to the in-app AI assistants and the relevant business records needed to answer them.
• Operational data: standard server logs (IP address, timestamps, request paths) used for security, debugging, and rate limiting.
• Cookies: a single session cookie for authentication. No tracking cookies, no analytics cookies, no advertising cookies.

We do not currently process payments. When paid plans are introduced, billing will be handled by a PCI-DSS compliant payment processor (e.g. Stripe) and this policy will be updated before any card data is collected — we will never see or store your full card number.

Why we collect it

• To authenticate you and keep your session alive.
• To provide the platform's features — revenue tracking, collections, cost management, dashboards, and the AI assistants.
• To support multi-organization and team collaboration (invitations, roles, shared spaces).
• To keep the service secure and reliable (logging, rate limiting, abuse prevention).

We do not sell, rent, or share your data for advertising. Period.

Where your data lives

Your data is stored in Supabase (EU region) and served via Railway (EU — europe-west4). DNS and CDN are provided by Cloudflare. Transactional email is sent through Resend. Some sub-processors (see below) may process limited data outside the EU under appropriate safeguards.

AI processing

The in-app AI assistants are powered by Google's Gemini API. When you chat with an assistant, your message and the business records needed to answer it are sent to Google for processing and returned to you. When an assistant performs a web search, the search query is sent to our search providers (Tavily and Perplexity). These providers process the data to deliver the result; we do not use this data to train models, and we do not allow it to be used for advertising. If you would rather not send any data to these providers, do not use the AI chat features.

Cookies

We use a single, strictly necessary authentication cookie to keep you signed in. We do not use analytics, marketing, or third-party tracking cookies. Because this cookie is strictly necessary for the service to function, no cookie consent banner is required under the GDPR / ePrivacy rules or Turkey's KVKK guidance. If we ever add optional analytics in the future, we will introduce a proper consent banner at that point and update this section.

Third-party services (sub-processors)

• Supabase — authentication and database (EU region).
• Railway — application hosting (EU — europe-west4).
• Cloudflare — DNS and CDN.
• Resend — transactional email delivery (invitations, notifications).
• Google (Gemini API) — powers the in-app AI assistants.
• Tavily & Perplexity — web search used by the AI assistants.
• Google & GitHub — optional OAuth sign-in providers.

Data retention

We keep your account and business data for as long as your account is active. When you delete your account, the associated data is removed from our production systems; routine backups are rotated out shortly after. Server logs are retained for a limited period for security and debugging.

Your rights

Under the GDPR, Turkey's KVKK, and equivalent regulations, you have the right to:

• Access your data — email us and we will export it.
• Correct inaccurate data — most of it you can edit directly in the app.
• Delete your account and associated data — email us and we will action it.
• Port your data — we can provide an export of your organization's records on request.
• Object or restrict certain processing, and lodge a complaint with your local data protection authority.

If you use Inkome through an organization, requests about the business data your organization controls may need to go through that organization.

Children

Inkome is a business tool and is not directed at children. We do not knowingly collect data from anyone under 16.

Changes

If we make material changes to this policy, we will update the date above and notify active users by email.