Privacy Policy
Last updated: 29 April 2026
This Privacy Policy explains how Kilkelly Enterprises (ABN 82 862 013 361) ("we", "us", "our") collects, uses, stores and discloses personal information when you use Flatmate Flow (the "Service") at flatmateflow.com and app.flatmateflow.com.
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Where you are located in the European Economic Area or the United Kingdom, the rights set out under the EU General Data Protection Regulation (GDPR) and UK GDPR apply to you and are honoured below.
1. Information we collect
We collect the following categories of information:
- Account information: name, email address, password (hashed), and the household name you create or join.
- Household data you enter: bills, splits, chores, shopping list items, calendar events, polls, notice-board posts and similar content you and your roommates add to the Service.
- Receipt images: photos you upload to the receipt scanner. These are processed by our AI provider (see "Third parties" below) and the extracted data is stored against your shopping list and budget.
- Payment information: handled by Stripe. We do not see or store full card numbers; we receive only a token, the last four digits, expiry month/year and country.
- Usage and device information: pages visited, actions taken, IP address, browser type, device type and approximate location, collected via Google Tag Manager and Google Analytics 4.
- Communications: emails you send to us and our replies.
2. How we use your information
We use the information we collect to:
- provide, maintain and improve the Service;
- authenticate you, secure your account and prevent fraud;
- operate your free account and any future paid subscription you elect to take up;
- respond to support requests and product feedback;
- send service-related emails (e.g. password resets, household activity, billing receipts where applicable);
- understand how the Service is used so we can improve it;
- comply with our legal obligations.
We do not sell your personal information. We do not use your household data to train machine-learning models.
3. Legal bases (GDPR)
If you are in the EEA or UK, our legal bases for processing your personal information are:
- Contract: to provide the Service you have signed up for;
- Legitimate interests: for fraud prevention, security and basic product analytics;
- Consent: for non-essential cookies and marketing communications, where applicable;
- Legal obligation: where the law requires us to retain or disclose information.
4. Third parties (data processors)
We use the following third parties to operate the Service. They process information on our behalf under written contracts:
- Supabase: database, authentication and file storage.
- Stripe: payment processing.
- Anthropic: receipt scanning via Claude. Receipt images are sent for processing; they are not used to train Anthropic's models under our contract with them.
- Vercel: application hosting.
- Google (LLC): Tag Manager and Analytics 4 for product analytics.
5. International transfers
Some of the third parties listed above are located outside Australia, including in the United States and the European Union. When personal information is transferred overseas we take reasonable steps to ensure it remains protected to a standard equivalent to the APPs, including by using Standard Contractual Clauses where required.
6. How we keep information secure
Data is encrypted in transit (TLS) and at rest where supported by our infrastructure providers. Passwords are hashed using industry-standard algorithms; we never store passwords in plain text. Access to production data is restricted to authorised personnel and audit-logged.
No system is completely secure. If we become aware of a security incident affecting your personal information we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
7. Data retention
We retain account and household data for as long as your subscription is active. If you cancel, your data is retained for 30 days to allow reactivation, then permanently deleted from production systems. Billing records are retained for the period required by Australian tax law (currently five years).
You can request earlier deletion at any time by emailing admin@clearwayapps.com.au.
8. Your rights
You have the right to:
- access the personal information we hold about you;
- request correction of information that is inaccurate or out of date;
- request deletion of your personal information (subject to legal retention requirements);
- request a copy of your data in a portable, machine-readable format;
- object to or restrict certain processing (where GDPR applies);
- withdraw consent at any time, where consent is the legal basis;
- lodge a complaint with the OAIC (oaic.gov.au) or, in the EEA/UK, your local data protection authority.
To exercise any of these rights, email admin@clearwayapps.com.au. We'll respond within 30 days.
9. Cookies and analytics
We use first-party cookies for authentication and to remember your preferences. We use Google Analytics 4 (loaded via Google Tag Manager) to understand how the Service is used. Analytics cookies do not personally identify you and can be disabled via your browser's do-not-track or cookie controls.
10. Children
Flatmate Flow is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we'll delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be notified to active users by email or through the Service before they take effect.
12. Contact us
If you have questions or concerns about this Privacy Policy or how we handle your information:
- Email: admin@clearwayapps.com.au
- Kilkelly Enterprises (ABN 82 862 013 361)