Privacy Policy
Last updated: 8 April 2026
1. Introduction
This Privacy Policy explains how Core Stack Systems Pte Ltd (UEN: 202552936E), a company incorporated in Singapore with its registered office at 1 Jurong East Street 32, #08-01, The Mayfair, Singapore 609477 ("ExpenseFlow", "we", "us", "our"), collects, uses, shares, and protects personal data in connection with the ExpenseFlow platform and related websites and services (the "Services").
ExpenseFlow processes financial documents on behalf of bookkeepers and accounting professionals serving SMB clients in Australia, New Zealand, the United Kingdom, Canada, the United States, and other jurisdictions. We take the responsibility of handling financial data seriously, and this policy explains exactly what we do with it.
This policy should be read alongside our Terms of Service, which govern your use of the Services.
2. Our Role: Controller and Processor
ExpenseFlow plays two distinct roles in respect of personal data, and the rules that apply depend on which role we are playing:
Controller. We are the controller for personal data we collect directly from you to operate your account and our business. This includes your name, email address, authentication data, billing information, usage logs, and support correspondence. For this data, we determine the purposes and means of processing, and the rights described in Section 12 apply directly against us.
Processor. We are a processor (or "service provider" under US state law) for personal data contained within the financial documents and records you upload or forward to the Services. This includes information about your SMB clients, their employees, vendors, and any individuals whose names appear on receipts and invoices. For this data, you (typically a bookkeeper or accounting firm) act as the controller, and we process it only on your instructions, which include these published terms and your ordinary use of the Services. If a data subject contacts us directly about data we hold as processor, we will, where possible, redirect them to you.
This dual role matters because many of the questions a privacy regulator or enterprise customer will ask us (about training, transfers, retention, and rights handling) have different answers depending on which role we are in.
3. Personal Data We Collect
3.1 Account Data (Controller)
When you sign up and use the Services, we collect:
- Email address, used as your identifier and for magic-link authentication
- Name (optional, or imported from Google when you sign in via Google OAuth)
- Profile information from Google OAuth, where you choose to use it
- Organisation or firm name and any team member details you provide
3.2 Customer Data (Processor)
When you use the Services to process documents, we receive and store:
- Receipt and invoice files (images, PDFs, and other formats) you upload directly
- Documents and email content received at your unique email address at the fwd.expenseflow.ai domain
- Data extracted from those documents, including merchant names, amounts, dates, currencies, line items, tax information, and individuals named on the documents
- Categorisations, corrections, and annotations you make
- Company and client metadata you enter to organise your work
We do not control the content of Customer Data. You decide what to upload, and you are responsible for ensuring you have the right to upload it.
3.3 Integration Data
When you connect a third-party accounting platform such as Xero or QuickBooks Online, we collect:
- OAuth tokens granting the Services scoped access, stored encrypted at rest
- Account, contact, tax code, and chart-of-accounts data fetched from the connected platform and cached locally to support synchronisation
3.4 Billing Data
When you pay for a subscription, our payment processor Stripe collects your card details directly. We do not store full card numbers. We receive limited billing metadata from Stripe, including the last four digits of your card, expiration date, billing address, and transaction history.
3.5 Technical and Usage Data
We collect technical data automatically when you use the Services, including:
- IP address and browser/device information
- Session data, stored server-side in our database (see Section 10)
- Application logs, error reports, and performance data, with personal data scrubbed before transmission to our error tracking provider
- AI processing metadata such as confidence scores and processing times, used to monitor and improve service quality
3.6 Support and Communications Data
When you contact us, we keep a record of the correspondence and any information you provide.
4. How We Use Personal Data and Our Legal Bases
We process personal data for the purposes set out below. Where the UK GDPR, EU GDPR, or a comparable law applies, the legal basis for each purpose is identified in brackets.
- Providing the Services. Receiving documents, running the AI extraction pipeline, classifying and categorising data, syncing to connected accounting platforms, and making Output available within your account. (Performance of a contract.)
- Authentication and account security. Sending magic-link emails, verifying Google OAuth sign-ins, detecting and preventing unauthorised access, applying rate limits, and investigating suspected abuse. (Performance of a contract; legitimate interests in keeping the Services secure.)
- Billing and payments. Charging your nominated payment method, processing renewals and overage charges, issuing receipts, and meeting tax and accounting record-keeping obligations. (Performance of a contract; legal obligation.)
- Customer support. Responding to enquiries, troubleshooting issues, and communicating about your account. (Performance of a contract; legitimate interests in supporting our users.)
- Service improvement. Analysing aggregated and de-identified usage patterns, AI accuracy metrics, and error reports to improve the Services. (Legitimate interests in operating and improving a high-quality product.)
- Marketing communications. Sending product updates, beta announcements, and newsletters about ExpenseFlow. We send these only to people who have opted in or who are existing customers receiving information about a similar service, in line with applicable law. You can unsubscribe at any time using the link in any marketing email. (Consent, or legitimate interests where permitted.)
- Legal compliance. Meeting our obligations under Singapore law, the laws of jurisdictions where our customers are based, and responding to lawful requests from authorities. (Legal obligation.)
We do not sell personal data. We do not use Customer Data to train AI models without your explicit consent.
5. Sub-processors and Third-Party Services
We rely on a small set of carefully selected sub-processors to deliver the Services. As of the date of this policy, our sub-processors are:
| Service | Provider | Purpose | Location |
|---|---|---|---|
| AI inference | Anthropic, PBC | Document data extraction and categorisation via the Claude API | United States |
| Object storage | Cloudflare, Inc. (R2) | Storing receipt images, PDFs, and other uploaded files | Asia-Pacific (location hint) with global edge delivery |
| Hosting and database | Railway Corp. | Backend infrastructure and managed PostgreSQL database | Singapore |
| Transactional email | Mailgun (Sinch) | Sending magic links and other transactional emails, and receiving forwarded receipts at fwd.expenseflow.ai | European Union |
| Payments | Stripe, Inc. | Processing subscription payments. Card data is handled entirely by Stripe and never reaches our servers | Singapore, with onward processing in the United States |
| Error tracking | Sentry | Capturing application errors for debugging. Personal data is scrubbed before transmission | European Union |
| Accounting integrations | Xero Limited; Intuit Inc. (QuickBooks Online) | Optional integrations you choose to connect | Xero: Australia for AU/NZ customer data, otherwise per Xero's hosting policy. Intuit: United States |
We may add or replace sub-processors over time. We impose data protection obligations on each sub-processor that are no less protective than those in this policy, and we remain responsible for their handling of personal data on our behalf. A current list is available on request to [email protected].
6. AI Processing by Anthropic
Because AI processing is the core of what ExpenseFlow does, this section describes it specifically.
When you upload or forward a document, the document and the data extracted from it are sent to Anthropic via the Claude API for AI inference. This is necessary to provide the Services and is the basis on which Output is generated.
We use the standard Anthropic API. Under Anthropic's published terms applicable to API usage, API inputs and outputs are not used to train Anthropic's models by default, and Anthropic retains API request data for a limited operational period (currently up to 30 days) before deletion, subject to legal hold exceptions. For more detail, see Anthropic's privacy policy and API terms at anthropic.com.
We do not authorise Anthropic to use Customer Data for training, and we do not opt in to any training programme.
7. International Data Transfers
The Services are operated primarily from Singapore. Where we have a choice, we host the components we control in the Asia-Pacific region: our application infrastructure and primary database are hosted in Singapore, and uploaded files are stored with an Asia-Pacific location preference. Our long-term posture is global, starting from Southeast Asia.
Some sub-processors are not regionally configurable on our side. Anthropic, Intuit (QuickBooks Online), and parts of Stripe's back-end processing are based in the United States. Sentry and Mailgun are hosted in the European Union. Personal data may therefore be transferred to and processed in jurisdictions outside your country of residence, including Singapore, the European Union, and the United States.
Where transfers are subject to the UK GDPR or EU GDPR, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (and the UK Addendum / International Data Transfer Agreement, as applicable), or other lawful transfer mechanisms. For transfers from Australia, New Zealand, or Canada, we apply contractual and technical safeguards designed to provide a comparable level of protection.
You can request more information about our transfer mechanisms by emailing [email protected].
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected and to meet legal obligations:
- Active accounts. Account data and Customer Data are retained for as long as your account is active.
- After cancellation or termination. Customer Data is retained for 30 days following cancellation or termination, during which you may export it. After that period, Customer Data is deleted from active systems. Backups containing residual data may persist for a further period in line with our standard backup rotation.
- Email forwarding logs. Logs of emails received at your fwd.expenseflow.ai address are retained for 90 days for audit and troubleshooting.
- Billing records. Invoices, receipts, and related accounting records are retained for at least 5 years from the end of the financial year to which they relate, in accordance with Singapore's Companies Act and tax legislation.
- Support correspondence. Retained for as long as necessary to resolve the matter and for a reasonable period thereafter for quality and audit purposes.
- Anonymised data. Aggregated and de-identified data used for service improvement may be retained indefinitely.
You may request deletion of your account at any time as described in Section 12.
9. Security
We implement and maintain technical and organisational measures designed to protect personal data, including:
- Transmission. All data is transmitted over HTTPS/TLS.
- Storage. Receipt files are stored in Cloudflare R2 with access-controlled signed URLs that expire after 15 minutes. The database is hosted on Railway's managed PostgreSQL with encryption at rest. OAuth tokens are stored encrypted.
- Access controls. Role-based access controls and rate limiting throughout the application. Magic-link authentication eliminates password-related risks.
- Engineering practices. Input validation, automated testing, and structured monitoring of errors and anomalies.
No system is perfectly secure. We do not warrant that the Services will be free from intrusion or compromise, but we work continuously to reduce risk. If you discover a security vulnerability, please report it to [email protected].
10. Cookies and Local Storage
We use a single session cookie to keep you signed in. This cookie:
- Is HTTP-only (not accessible to JavaScript) and Secure (transmitted only over HTTPS)
- Stores only a session identifier; the actual session data is stored server-side in our database
- Expires after 30 days of inactivity
We do not use advertising cookies, tracking pixels, or third-party analytics cookies beyond what is strictly necessary for the operation of the Services and the sub-processors listed in Section 5.
11. Marketing Communications
We send product updates, beta announcements, and newsletters to users who have opted in or who are existing customers receiving information about features and updates relevant to their use of the Services. You can unsubscribe from marketing communications at any time using the link in the footer of any marketing email, or by emailing [email protected].
Unsubscribing from marketing does not stop transactional emails (such as magic links, billing receipts, and security notices), which we must continue to send to operate your account.
We comply with applicable marketing laws including the Australian Spam Act 2003, Canada's Anti-Spam Legislation (CASL), the UK Privacy and Electronic Communications Regulations (PECR), and the US CAN-SPAM Act.
12. Your Rights
Depending on where you live, you may have some or all of the following rights in respect of personal data we hold as a controller:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate or incomplete data
- Deletion: request deletion of your account and associated data
- Portability: receive your data in a structured, machine-readable format
- Restriction: request that we restrict processing in certain circumstances
- Objection: object to processing based on our legitimate interests, including profiling
- Withdraw consent: withdraw consent to any processing based on consent, without affecting prior lawful processing
- Lodge a complaint with your local data protection authority
To exercise these rights, email [email protected]. We will respond within 30 days, or sooner where required by applicable law. We may need to verify your identity before acting on a request.
If you are a data subject whose information appears in Customer Data uploaded by a bookkeeper or firm using the Services, please contact that bookkeeper or firm directly. They are the controller of that data, and we will assist them in responding to your request as a processor.
Where to complain. If you believe we have not handled your data properly, you may lodge a complaint with your local supervisory authority. For UK users, the Information Commissioner's Office (ICO). For EU users, your national data protection authority. For Australian users, the Office of the Australian Information Commissioner (OAIC). For New Zealand users, the Office of the Privacy Commissioner. For Canadian users, the Office of the Privacy Commissioner of Canada (OPC). For Singapore users, the Personal Data Protection Commission (PDPC). We would appreciate the chance to address your concerns directly first; you can write to us at [email protected].
13. US State Privacy Rights
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another US state with a comprehensive privacy law, you may have additional rights including the right to know what categories of personal information we collect, the right to access and delete personal information, the right to correct inaccurate information, the right to opt out of "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights.
We do not sell personal information and we do not share it for cross-context behavioural advertising. We do not use sensitive personal information for purposes that require an opt-out under California law.
To exercise your US state privacy rights, email [email protected]. You may also designate an authorised agent to make a request on your behalf, subject to our verification of the agent's authority.
14. Automated Decision-Making
The Services use AI to extract data from documents and to suggest classifications, categorisations, and tax treatments. These outputs are intended for review by a qualified bookkeeper or accounting professional and are not used to make decisions that produce legal or similarly significant effects on individuals without human involvement. Output is presented as a draft for human review before being posted to a ledger or used for any filing.
If you believe a decision has been made about you solely on the basis of automated processing, you can contact us at [email protected] to discuss it.
15. Indirect Data Subjects
When a bookkeeper or firm uploads documents to the Services, those documents may contain personal data about individuals who are not ExpenseFlow users (for example, vendor contacts, employees named on receipts, or signatories on invoices). We process this data only as a processor on the bookkeeper's behalf, and the bookkeeper or its underlying SMB client is responsible for providing any notice to those individuals required by applicable law.
If you are an individual whose data appears in records uploaded to the Services and you would like to exercise your rights, please contact the bookkeeper or firm that holds your records. We will support them in responding to your request.
16. Data Breach Notification
If we become aware of a personal data breach affecting Customer Data, we will notify the affected customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing the information required to enable the customer to meet its own notification obligations. Where a breach affects personal data for which we are the controller, we will notify affected individuals and supervisory authorities as required by applicable law.
17. Children
The Services are intended for use by adults in a professional bookkeeping or business context and are not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will delete it.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the Services at least 30 days before the changes take effect. The "Last updated" date at the top reflects when the policy was last revised. Continued use of the Services after the effective date constitutes acceptance of the updated policy.
19. Contact
For privacy questions, data subject requests, or any other matter relating to this policy, contact:
Core Stack Systems Pte Ltd
1 Jurong East Street 32
#08-01, The Mayfair
Singapore 609477
Privacy and legal matters: [email protected]
General enquiries and support: [email protected]