Privacy Policy
Version: 2026-05-20 Last updated: 20 May 2026
Frankly ("we", "us") is operated by [Operator name — set LEGAL_OPERATOR_NAME in environment] in South Africa. This policy explains how we handle personal information when you use Frankly, in line with the Protection of Personal Information Act, 2013 (POPIA) and related South African law.
Prototype notice: Frankly is in limited release. The responsible party may be replaced by a registered entity later; we will update this policy and may ask you to accept the new version in the app.
1. Responsible party and Information Officer
| Role | Contact |
|---|---|
| Responsible party | [Operator name — set LEGAL_OPERATOR_NAME in environment] |
| Information Officer (POPIA section 51) | [Operator name — set LEGAL_OPERATOR_NAME in environment] |
| Privacy enquiries | [[privacy email — set LEGAL_PRIVACY_EMAIL in environment]](mailto:[privacy email — set LEGAL_PRIVACY_EMAIL in environment]) |
Physical address is available on request by emailing the address above.
2. What personal information we collect
2.1 Your account
- Email address (and name or profile image if you sign in with Google)
- Authentication and session metadata
- Billing identifiers if you subscribe (processed by Stripe; we do not store full card numbers)
2.2 Content you enter
- Feedback module: request titles, prompts, respondent email addresses, and responses (including optional anonymous responses)
- Management module: names, email addresses, phone numbers, organisations, time zones, notes, calendar blocks, and appointment details for people you add
- Operational data: audit logs (who did what and when), rate-limit counters, and support-related correspondence
2.3 What we do not require
You do not need to provide special personal information (e.g. health, religion, political views, ID numbers) to use Frankly. Use only information that is necessary for scheduling or feedback (for example, a first name and work email is often enough).
3. Why we process personal information
| Purpose | Typical lawful basis |
|---|---|
| Provide and improve the service | Contract; legitimate interest |
| Authentication and security | Contract; legitimate interest |
| Billing and account management | Contract |
| Compliance with law | Legal obligation |
| Respond to privacy requests | Legal obligation |
Data about your clients, assistants, and respondents: you decide what to upload. You must have a lawful basis under POPIA (for example consent, contract, or legitimate interest in your organisation). We process that data only on your instructions as an operator (see our Terms of Service).
4. How we use personal information
We use personal information to:
- Operate, maintain, and secure Frankly
- Send transactional email (magic links, invites, notifications you configure)
- Process payments through our payment provider
- Investigate abuse and enforce our terms
- Comply with legal obligations
We do not sell or rent your personal information. We do not use your content for third-party advertising or unrelated marketing.
5. Sub-processors (service providers)
We use trusted providers who process data only to deliver the service, including:
- MongoDB — application database hosting
- Resend — transactional email delivery
- Stripe — payments (if you subscribe)
- Google — optional OAuth sign-in
- Upstash — optional rate limiting and job queues (if configured)
Each provider is bound by its own terms and security measures. Confirm your deployment regions in your environment and update this policy if you host data outside South Africa.
6. Cross-border transfers
Some sub-processors may store or process data outside South Africa. Where that applies, we rely on appropriate safeguards (including contractual protections with processors) as permitted under POPIA section 72.
7. Retention
- Active accounts: we retain data while your account is active and as needed to provide the service.
- Cancellation: you may export your data before cancelling. After cancellation, we retain data for 30 days unless a longer period is required by law, then delete or anonymise it.
- Audit logs: retained for security and compliance for a limited period, then purged or anonymised where possible.
8. Security
We apply reasonable technical and organisational measures, including encryption in transit (HTTPS), access controls, authentication requirements for account holders, rate limiting on sensitive APIs, and audit logging for important actions. No system is perfectly secure; please use a strong email account and report suspected incidents promptly.
9. Your rights (POPIA)
You may request:
- Access to personal information we hold about you
- Correction of inaccurate information
- Deletion where we no longer have a lawful reason to retain it
- Objection to processing in certain circumstances
Contact [privacy email — set LEGAL_PRIVACY_EMAIL in environment]. We will respond within a reasonable time as required by POPIA.
If you are unhappy with our response, you may lodge a complaint with the Information Regulator (South Africa): https://inforegulator.org.za.
People whose data you uploaded: you are responsible for handling their rights requests; we will assist you as operator where POPIA requires.
10. Children
Frankly is not directed at children under 18. Do not use the service to collect children's personal information without appropriate authority and safeguards.
11. Changes to this policy
We may update this policy. The version number at the top will change. Material changes may require you to accept the updated policy in the app before continuing to use protected features.
12. Contact
Privacy and Information Officer enquiries: [privacy email — set LEGAL_PRIVACY_EMAIL in environment]