Privacy Policy

Last updated: April 2026

What We Collect

We collect information you provide directly to us, including:

  • Account information from Google (name, email address) when you sign in
  • Bank transaction data you upload (CSV or PDF files)
  • Emails you forward to your unique mailbox address
  • Information about claims you track through our service

We do not access your bank accounts directly. We only process data that you explicitly provide to us through file uploads or email forwarding.

How We Process

We process your data to identify potential refunds and compensation opportunities. This involves:

  • Parsing and categorising your transactions
  • Extracting relevant information from forwarded emails
  • Matching transactions and emails to known refund schemes
  • Generating personalised claim instructions

Our processing is automated but may be supplemented by human review to improve accuracy and service quality.

Where We Store

Your data is stored securely in data centres located within the European Economic Area (EEA). We use industry-standard encryption for data in transit and at rest.

We use Supabase for our database and storage infrastructure, which maintains SOC 2 Type II compliance and implements comprehensive security measures.

AI Processing (OpenAI)

To read the booking confirmations, statements, and documents you submit, Untap sends the contents of those documents to OpenAI's API for extraction and, in some categories, for drafting claim letters or appeal text. This is the only way the structured data on your dashboard gets created.

We use OpenAI under their commercial API terms. Under those terms:

  • OpenAI does not use API inputs or outputs to train their models.
  • OpenAI retains API data for a short period (currently 30 days) solely to investigate abuse, after which it is deleted.
  • Processing happens on OpenAI's infrastructure, which may include data centres outside the EEA. OpenAI is certified under the EU-US Data Privacy Framework.

We do not send OpenAI your name, email, login tokens, or account identifiers -- only the booking / document text itself, together with the instructions needed to extract structured fields. For full details, see OpenAI's API data-usage policies.

AI output can be wrong or incomplete. Anything Untap surfaces is a suggestion, not verified legal or financial advice -- please double-check before acting on it.

Who We Share With

We do not sell your personal data. We share only what is needed to run the service, with:

  • Supabase -- our database and authentication provider (EEA region).
  • OpenAI -- for AI extraction and drafting (see above).
  • Vercel -- for hosting the web application.
  • Law enforcement only if required by law or to protect our legal rights.

We do not share your financial data or transaction information with third parties for marketing purposes.

How Long We Keep

We retain your data for as long as your account is active. You can delete your data at any time through the Your Data page. When you delete your account, we remove all your personal data within 30 days.

We may retain anonymised, aggregated data for analytical purposes, but this cannot be used to identify you.

Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate personal data
  • Erase your personal data
  • Restrict processing of your personal data
  • Receive your data in a structured format (data portability)
  • Object to processing of your personal data

You can exercise most of these rights directly through the Your Data page. For other requests, contact us at contact@untap.money.

Contact

For any questions about this privacy policy or our data practices, please contact:

Data Protection Officer
Untap
Email: contact@untap.money

ICO Complaint Right

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk