Privacy Policy

1. Overview

ClaimMyBond ("we", "us", "our") respects your privacy. This policy explains what personal information we collect, how we use and disclose it, how we store and protect it, and your rights regarding your data.

We comply with the Australian Privacy Principles ("APPs") contained in the Privacy Act 1988 (Cth) ("Privacy Act"), as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth). Where applicable, we also comply with the Notifiable Data Breaches ("NDB") scheme under Part IIIC of the Privacy Act.

2. What we collect

We collect only the personal information reasonably necessary to provide and improve the Service (APP 3). The types of information we collect depend on how you use the Service:

Information you provide (free analysis): Your state or territory, tenancy start and end dates, bond amount, property address (optional), property age and type, property manager type, landlord's claimed deductions (type, amount, description, item age), whether you have a condition report and its quality, whether a final inspection was conducted, photo evidence details, per-deduction evidence information (such as cleaning receipts, carpet condition, wall condition, mould details, repair attempts), routine inspection history, joint tenancy details, dispute status, and any counterclaim information you provide (such as failed repairs, broken essential services, or unlawful entry by the landlord).

For paid users: We additionally collect your email address, which is required to deliver your dispute package.

Payment information: Payments are processed by Stripe. We do not receive, store, or have access to your full credit card number, CVV, or bank account details. Stripe provides us with a transaction confirmation, your email address, a truncated card identifier, and a Stripe session identifier only.

Technical and usage data: We collect anonymised analytics events (page views, form steps completed, button clicks) to understand how the Service is used and to improve it. Our web hosting provider (Vercel) may automatically collect limited technical data such as IP addresses, browser type, and request logs as part of standard web server operations. We do not use third-party advertising trackers, remarketing pixels, or sell analytics data.

Information we do not collect: We do not collect your full name, phone number, physical home address (the property address field is optional and used solely for analysis context), government identifiers (such as tax file numbers or driver licence numbers), or sensitive information as defined under section 6 of the Privacy Act.

3. Legal basis for collection

We collect personal information with your consent, which you provide by voluntarily submitting information through the Service (APP 3.3). For paid users, collection of your email address is also reasonably necessary for the performance of our contract with you (that is, to deliver the dispute package you have purchased). You may choose not to provide certain optional information (such as property address), but this may affect the specificity of your analysis.

4. How we use your information

We use your information for the following purposes (APP 6):

— analyse your bond deductions against applicable tenancy legislation in your state or territory;

— calculate depreciation, evidence strength, and procedural compliance assessments;

— generate your dispute package, demand letter, evidence checklist, and tribunal guide (paid users);

— deliver your dispute package via a secure download link;

— process your payment through Stripe (paid users);

— improve the accuracy, reliability, and usability of the Service;

— detect and prevent fraud, abuse, or misuse of the Service; and

— comply with applicable legal obligations, including the Privacy Act and Australian Consumer Law.

We do not use your personal information for direct marketing, profiling, or any purpose unrelated to the delivery and improvement of the Service (APP 6.1).

5. Automated decision-making and AI

The Service uses automated processes and artificial intelligence in the following ways:

Automated analysis (rules engine): Your tenancy and deduction information is processed by our automated rules engine to classify each deduction as likely lawful, likely unlawful, or dependent on evidence. This classification is based on the relevant Residential Tenancies Act in your jurisdiction, ATO depreciation schedules, and general fair wear and tear principles. The automated analysis also calculates evidence strength scores, procedural flags, and estimated tribunal outcome probabilities.

AI-generated content (demand letter): If you purchase a dispute package, your tenancy details and deduction analysis results (but not your name or email address) are sent to Anthropic's Claude API to generate a formal demand letter. This data is sent as a structured prompt. We do not use your data to train AI models, and Anthropic's API terms prohibit the use of API inputs and outputs for model training.

These automated processes produce assessments and content based on general legal principles and the information you provide. They do not constitute legal advice and may contain errors. You should review all outputs before relying on them. In accordance with the automated decision-making transparency requirements under the Privacy and Other Legislation Amendment Act 2024 (commencing 10 December 2026), we are committed to providing clear information about how automated systems process your personal information.

6. Who we share your information with

We do not sell, rent, or trade your personal information to any third party for any purpose. We share data only with the following service providers, solely for the purpose of operating the Service (APP 6 and APP 8):

Supabase Pty Ltd (database hosting, Sydney, Australia) — stores your analysis data, dispute packages, and analytics events. Data remains within Australia.

Stripe, Inc. (payment processing, United States with global infrastructure) — processes your payment securely under PCI DSS Level 1 compliance. We share your email address and transaction amount with Stripe.

Anthropic, PBC (AI services, United States) — generates your demand letter. Only tenancy details and deduction analysis are sent; your name, email address, and payment information are never transmitted to Anthropic.

Vercel, Inc. (web hosting, United States with global CDN) — serves the website and may process IP addresses and request metadata as part of standard hosting operations.

We may also disclose personal information where required or authorised by law, including in response to lawful requests by Australian courts, tribunals, or regulatory bodies (APP 6.2(b)).

7. Cross-border disclosure of personal information

In accordance with APP 8, we disclose that your personal information may be transferred to, and processed in, countries outside Australia. Specifically:

— United States: Stripe (payment processing), Anthropic (AI demand letter generation), and Vercel (web hosting) are headquartered in the United States and may process data there or in other countries where they maintain infrastructure.

— Australia: Supabase (database) stores your data in the Sydney region within Australia.

By using the Service, you acknowledge and consent to the transfer of your personal information to these overseas recipients. We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs (APP 8.1). Each of our service providers maintains their own privacy and security policies, and we encourage you to review them.

8. Data storage and security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11.1). Our security measures include:

— encrypted connections (HTTPS/TLS) for all data in transit;

— row-level security policies on database tables;

— environment-variable-based access controls for API keys and secrets;

— Stripe webhook signature verification for payment events;

— separation of identity data (email) from tenancy data in AI processing; and

— no storage of credit card numbers or payment credentials on our systems.

No system is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security. You are responsible for keeping your email address and any download links confidential.

9. Data retention and destruction

We retain your personal information only for as long as reasonably necessary for the purposes for which it was collected, or as required by law (APP 11.2):

— Analysis data (free users): Retained for up to 12 months from the date of creation, then automatically deleted.

— Paid report data: Retained for up to 12 months to allow you to re-download your dispute package, then automatically deleted.

— Payment records: Transaction metadata (amount, date, Stripe session ID) may be retained as required for tax, accounting, and legal compliance purposes.

— Anonymised analytics: Aggregated, anonymised data that cannot identify you personally may be retained indefinitely for service improvement purposes.

When personal information is no longer needed, we take reasonable steps to destroy or de-identify it (APP 11.2).

10. Data breach notification

In the event of an eligible data breach (as defined under Part IIIC of the Privacy Act), we will take all reasonable steps to contain the breach, assess its likely impact, and notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") as soon as practicable, and in any event within the timeframes required by the Notifiable Data Breaches scheme. We will provide affected individuals with recommendations about the steps they should take in response to the breach.

11. Cookies and local storage

The Service does not use advertising cookies, remarketing pixels, or third-party tracking cookies. We use essential browser sessionStorage to maintain your form data during a single visit. This data is stored locally in your browser, is not transmitted to any server, and is automatically cleared when you close your browser tab. No persistent cookies are set by the Service for tracking or identification purposes.

12. Your rights

Under the Privacy Act and the APPs, you have the right to:

— request access to the personal information we hold about you (APP 12);

— request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information (APP 13);

— request deletion of your personal information, subject to any legal obligation we have to retain it;

— withdraw your consent to data processing at any time, noting this may affect your ability to use the Service; and

— request information about how your personal information has been used in automated decision-making processes.

To exercise any of these rights, contact us at help@claimmybond.com. We will acknowledge your request within 7 days and respond substantively within 30 days, in accordance with our obligations under the Privacy Act.

13. Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with us by emailing help@claimmybond.com. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner ("OAIC") at www.oaic.gov.au or by calling 1300 363 992.

14. Children

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at help@claimmybond.com and we will take reasonable steps to delete it promptly. We are aware of and will comply with any applicable requirements under the Children's Online Privacy Code being developed by the OAIC under the Privacy and Other Legislation Amendment Act 2024, once registered.

15. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top indicates when it was last revised. We encourage you to review this policy periodically. Where changes are material, we will take reasonable steps to notify affected users (for example, by displaying a notice on the Service). Continued use of the Service after changes are posted constitutes acceptance of the revised policy.

16. Contact

For any privacy-related questions, access or correction requests, or complaints, contact us at: help@claimmybond.com