Privacy Policy

Last updated: March 2026

ClaimFlow ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

Account Information: When you create an account, we collect your email address and name. We use Supabase for authentication via magic link (one-time password) — we never store passwords.

Project Data: Information you provide about your R&D projects, including project descriptions, core activities, evidence, cost records, team members, and documents uploaded to the knowledge base.

Third-Party Integrations: If you connect services like GitHub or Jira, we store OAuth access tokens and refresh tokens to access your data on those platforms. We only request read-level permissions and fetch data relevant to your R&D documentation.

Usage Data: We may collect information about how you access and use the platform, including your IP address, browser type, and pages visited.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the ClaimFlow platform
• Process and organise your R&D tax credit documentation
• Generate AI-powered summaries and match evidence to activities
• Send transactional emails (e.g. magic link login, team invitations)
• Respond to your enquiries and provide customer support

3. Data Sharing

We do not sell your personal information. We may share data with:

• Service providers: Supabase (database & auth), OpenAI (AI processing), SendGrid (email), Stripe (payments)
• Consultants: If you are linked to an R&D tax consultant on our platform, they can access your project data as authorised by you
• Legal requirements: When required by law or to protect our rights

4. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest. OAuth tokens for third-party services are stored securely in our database and are only used to fetch data you have explicitly authorised.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide our services. You can request deletion of your account and associated data by contacting us.

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data. To exercise these rights, please contact us at the email below.

7. Third-Party Services

Our platform integrates with third-party services (GitHub, Jira, Stripe, etc.). Your use of these services is governed by their respective privacy policies. We encourage you to review them.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date.

9. Contact Us

If you have questions about this Privacy Policy, please contact us at: hello@aird.io