Effective date: 4 April 2026
This Privacy Policy applies to the Claimio app (hereinafter referred to as "Application") for mobile devices, created by Claimio (hereinafter referred to as "Service Provider" or "we" or "us") as a Freemium service. This service is intended for use "AS IS".
The Service Provider is the data controller in respect of personal data collected through the Application. If you have any questions about this Policy or how your data is handled, please contact us at support@claimio.org.
1. Information Collection and Use
The Application collects information when you download and use it. This information may include:
- Your device's Internet Protocol (IP) address
- The pages of the Application that you visit, the time and date of your visit, and the time spent on those pages
- The time spent on the Application
- The operating system you use on your mobile device
The Application does not gather precise information about the location of your mobile device.
For a better experience, while using the Application, the Service Provider may require you to provide certain personally identifiable information, including but not limited to your email address, username, expense claims, receipt images, and financial information. The information that the Service Provider requests will be retained by us and used as described in this Privacy Policy.
2. Account Registration and Sign-In
You may create a Claimio account using your email address and password, or by signing in through a third-party provider as described below.
2.1 Email and Password Registration
When you register with an email address and password, we collect and store your email address, chosen username, and a securely hashed version of your password. Your email address is used to verify your account, send service notifications, and allow account recovery.
2.2 Sign-In via Google
If you choose to sign in using Google, we receive limited profile information from Google — specifically your name and email address — solely to create and identify your Claimio account. We do not receive your Google password. Your use of Google Sign-In is also governed by Google's Privacy Policy and Google's Terms of Service.
2.3 Sign-In via Apple
If you choose to sign in using Apple, we receive your name and email address from Apple solely to create and identify your Claimio account. We do not receive your Apple ID password. If you use Apple's "Hide My Email" feature, Apple provides a private relay email address; all communications from Claimio will be sent to that relay address. Your use of Apple Sign-In is also governed by Apple's Privacy Policy.
2.4 Revoking Third-Party Sign-In Access
If you signed in via Google or Apple, you may revoke Claimio's access to your account at any time through your Google account settings (myaccount.google.com) or Apple ID settings (Settings → Apple ID → Password & Security → Apps Using Apple ID). Revoking access does not automatically delete your Claimio account or data. To request deletion, contact legal@claimio.org.
3. Camera and Photo Library
The Application requests access to your device's camera and photo library solely to allow you to photograph and upload receipt images for expense claims. Receipt images are stored securely on Google Cloud (Firebase Storage) and are only accessible to members of your organisation. The Application does not use the camera for any other purpose and does not capture or transmit images without your direct action.
4. Push Notifications
The Application may send push notifications to inform you of updates to your expense claims, approvals, rejections, reimbursements, and other important account activity. You may disable notifications at any time through your device settings. Disabling notifications will not affect your ability to use the Application.
5. Artificial Intelligence
5.1 Overview
The Application uses artificial intelligence ("AI") features powered by Microsoft Azure AI services to deliver core functionality. This section explains what data is processed by AI, how it is used, and your rights in relation to that processing. All AI processing is performed by Microsoft Corporation acting as a data processor on the Service Provider's behalf.
5.2 Receipt Scanning and OCR
When you use the receipt scanning feature, the image you capture is transmitted to Microsoft Azure AI services for optical character recognition (OCR) processing. Azure extracts structured data including merchant name, date, line items, and total amount. This extracted data is returned to the Application and used to pre-fill your expense claim.
- Data processed: Receipt images, extracted text (amounts, dates, vendor names, item descriptions)
- Purpose: Automating data entry and reducing manual input errors
- Retention: Receipt images are not stored by the Service Provider beyond the duration required to complete the extraction. Extracted data is stored as part of your claim record in accordance with Section 9 of this Policy.
5.3 AI Expense Assistant (Chatbot)
The Application includes an AI-powered virtual assistant that answers questions about your expense claims, organisation policies, and general tax and accounting guidance. When you use the assistant, the following data is transmitted to Microsoft Azure OpenAI for processing:
- Your message and conversation history (up to the last 10 messages)
- A summary of your expense claims (amounts, categories, merchants, dates, statuses)
- Your organisation's active expense policies
This data is used solely to generate a relevant, contextual response. Responses generated by the AI assistant are for guidance purposes only and do not constitute professional tax, accounting, or legal advice. Tax rules vary by jurisdiction — always verify with a qualified adviser.
- Data processed: Chat messages, claim summaries, policy rules
- Purpose: Providing personalised expense and policy guidance
5.4 Analytics Insights
Administrators and Pro/Business plan users may request AI-generated insights from the Analytics dashboard. When this feature is used, aggregated spending statistics including totals, category breakdowns, merchant summaries, monthly trends, and approval rates are transmitted to Microsoft Azure OpenAI to generate a written summary of spending patterns.
- Data processed: Aggregated spend statistics. No individual receipt images are transmitted for this feature.
- Purpose: Identifying spending trends and anomalies to support business decision-making
5.5 Policy Parsing
When an administrator creates an expense policy using natural language, the policy text is transmitted to Microsoft Azure OpenAI to interpret and categorise the rule. The parsed rule is then stored and applied to future claim validations.
- Data processed: Policy text entered by the administrator
- Purpose: Converting plain-language rules into enforceable expense policies
5.6 Claim Compliance Checking
When a claim is submitted, it may be automatically checked against your organisation's active policies using AI. Where a policy cannot be verified by a simple numeric rule, claim details including merchant name, amount, category, and date are transmitted to Microsoft Azure OpenAI to assess compliance. This check is advisory — final approval decisions remain with your organisation's administrators.
- Data processed: Claim details (merchant, amount, category, date)
- Purpose: Automatically enforcing organisation expense policies
5.7 Microsoft Azure as Data Processor
All AI processing described in this section is performed by Microsoft Corporation as a data processor on our behalf. Data transmitted to Azure AI services is processed in accordance with Microsoft's privacy commitments and the applicable data processing agreement between the Service Provider and Microsoft.
- Microsoft Privacy Statement: https://privacy.microsoft.com/privacystatement
- Azure OpenAI Data Privacy: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy
Data transmitted to Microsoft Azure is not used to train AI models, for advertising, or for any purpose beyond delivering the features described above. Microsoft does not retain submitted prompts or data beyond the duration required to return a response, in accordance with their zero data retention commitments for Azure OpenAI where applicable.
5.8 Legal Basis for AI Processing (UK and EEA Users)
For users in the United Kingdom or European Economic Area, the legal basis for processing personal data through AI features is:
- Contract performance (Article 6(1)(b) UK/EU GDPR) — where AI processing is necessary to deliver the service you have subscribed to; and
- Legitimate interests (Article 6(1)(f) UK/EU GDPR) — to provide and improve the core functionality of the Application.
You may object to processing based on legitimate interests at any time by contacting us at support@claimio.org. Note that objecting may limit your ability to use certain AI features within the Application.
6. Payment Processing
Subscription payments are processed by Stripe, Inc. The Application does not store your full card number on its servers. Only non-sensitive payment information such as card brand and the last four digits of your card number may be stored to display your current payment method within the Application. For full details on how Stripe handles your payment data, please refer to Stripe's Privacy Policy at https://stripe.com/privacy.
7. Third Party Access
Only aggregated, anonymised data is periodically transmitted to external services to aid the Service Provider in improving the Application and their service. The Service Provider may share your information with third parties in the ways that are described in this Privacy Policy.
The Application utilises third-party services that have their own Privacy Policies about handling data. Below are the links to the Privacy Policy of the third-party service providers used by the Application:
- Google Play Services — https://policies.google.com/privacy
- Google Sign-In — https://policies.google.com/privacy
- Apple Sign-In — https://www.apple.com/legal/privacy/
- Google Analytics for Firebase — https://firebase.google.com/support/privacy
- Firebase Crashlytics — https://firebase.google.com/support/privacy
- RevenueCat — https://www.revenuecat.com/privacy
- Stripe — https://stripe.com/privacy
- Microsoft Azure — https://privacy.microsoft.com/privacystatement
The Service Provider may disclose User Provided and Automatically Collected Information:
- as required by law, such as to comply with a subpoena or similar legal process;
- when they believe in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
- with their trusted service providers who work on their behalf, do not have an independent use of the information disclosed to them, and have agreed to adhere to the rules set forth in this Privacy Policy.
8. International Data Transfers
The Application is operated from the United Kingdom. By using the Application, you acknowledge that your data may be transferred to, stored, and processed in countries outside your country of residence, including the United States, where Microsoft Azure, Google, Apple, and other third-party processors operate their infrastructure.
Where personal data is transferred outside the UK or European Economic Area, the Service Provider ensures that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the relevant supervisory authority, or relies on the processor's certification under an equivalent adequacy framework. For further details on the safeguards used by our third-party processors, please refer to the links provided in Section 7.
9. Data Retention Policy
The Service Provider will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. Expense claim records, receipt images, and related financial data will be retained for a minimum of six years from the date of submission in order to meet standard accounting and tax record-keeping obligations.
If you would like us to delete User Provided Data that you have provided via the Application, please contact us at support@claimio.org and we will respond within a reasonable time. Please note that certain data may be retained where required by law or to fulfil a legitimate business purpose.
10. Your Rights
Depending on your country of residence, you may have the following rights in relation to your personal data:
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to request that inaccurate or incomplete data be corrected.
- Right to erasure — to request that your personal data be deleted, subject to legal retention requirements.
- Right to restriction — to request that we limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly used format.
- Right to object — to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at support@claimio.org. We will respond within 30 days. If you are located in the UK or EEA and you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (in the UK, this is the Information Commissioner's Office at https://ico.org.uk).
11. Opt-Out Rights
You can stop all collection of information by the Application by uninstalling it. You may use the standard uninstall processes available as part of your mobile device or via the mobile application marketplace or network.
12. Children
The Service Provider does not use the Application to knowingly solicit data from or market to children under the age of 13. The Application does not address anyone under the age of 13. The Service Provider does not knowingly collect personally identifiable information from children under 13 years of age. If the Service Provider discovers that a child under 13 has provided personal information, they will immediately delete it from their servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us at support@claimio.org so that we are able to take the necessary actions.
13. Security
The Service Provider is concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. All data is stored securely on Google Cloud (Firebase) infrastructure with industry-standard encryption in transit and at rest. Access to personal data is restricted to authorised personnel and members of your organisation only.
Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee the absolute security of your data, and you use the Application at your own risk.
14. Changes to This Policy
This Privacy Policy may be updated from time to time for any reason. The Service Provider will notify you of any material changes by updating this page and, where required, through an in-app notification. You are advised to consult this Privacy Policy regularly for any changes, as continued use of the Application following the posting of changes constitutes your acceptance of those changes.
15. Your Consent
By using the Application, you are consenting to the processing of your information as set forth in this Privacy Policy now and as amended by us.
16. Contact Us
If you have any questions regarding privacy while using the Application, or have questions about our practices, please contact the Service Provider at:
- Email: support@claimio.org
- Legal enquiries: legal@claimio.org
- Website: https://claimio.org