Privacy Policy

Last updated: 22 April 2026

1. Who we are

ClaimSpot ("we", "our", "us") is operated from Australia. This policy describes how we handle personal information in line with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).

2. What we collect

  • Account data. Email address and authentication tokens issued by our identity provider.
  • Profile inputs. Occupation, industry, and the work-use percentages you provide to tailor categorisation.
  • Transaction data. The bank-statement lines you upload (date, description, amount). We do NOT ask for account numbers, BSBs, or credentials.
  • Uploaded files. CSV files are parsed in your browser. PDF files are uploaded to our server and sent to Anthropic for transaction extraction; we do not intentionally retain the raw PDF after extraction.
  • Usage telemetry. Aggregated product-analytics events (button clicks, funnel steps) via PostHog. No transaction content is sent to PostHog.

3. Why we collect it

Your transaction data is used solely to categorise expenses against ATO deduction codes and produce your personal report. We do not sell, rent, or share your data with advertisers.

4. Who we share it with

  • Supabase — hosted database and authentication. Data at rest is encrypted by the provider.
  • Anthropic — we send sanitised transaction descriptions to Claude for categorisation. Anthropic's default terms do not use API content to train models.
  • Stripe — payment processing when you purchase a financial-year pass. Stripe independently handles card data; we never see your card number.
  • Upstash — rate-limit counters and background job queue (no transaction content).

5. Where your data lives

Primary data is stored in Supabase in a region we select for AU proximity. Some processing (Anthropic, Stripe, Upstash) happens in the United States. By using ClaimSpot you consent to this cross-border processing.

6. How long we keep it

Transaction data is retained while you hold an active financial-year pass. You can trigger a soft-delete at any time from your account page; our retention job purges soft-deleted statement rows after 30 days, subject to any ATO record-keeping obligation on your side.

7. Your rights

Under the APPs you can request access to the personal information we hold about you, correction of inaccurate data, and deletion. Send requests to our contact page.

8. Security

Data is encrypted in transit (TLS) and at rest. Access to production is restricted and audited. If we ever suffer a data breach that is likely to result in serious harm, we will notify affected users and the OAIC as required by the Notifiable Data Breaches scheme.

9. Changes

We may update this policy. Material changes will be communicated by email to account holders.

10. Contact

Privacy questions: contact page. If your concern is unresolved you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.