CheckSpent

Privacy Policy

Last updated: 27 April 2026

CheckSpent is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights under the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles), the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and other applicable privacy laws. By using CheckSpent, you agree to the practices described in this policy.

1. Who We Are

CheckSpent (“we”, “us”, “our”) operates the website at checkspent.com. CheckSpent is operated by CheckSpent (ABN 44 692 416 783, registered in Australia). We provide an AI-powered tool that analyses bank statements to detect recurring subscription charges. For privacy inquiries, contact us.

2. Information We Collect

We collect only what is necessary to provide and improve the service:

Bank statement files

When you upload a bank statement (PDF, CSV, or image), the file is processed in memory to extract transaction data. The original file is never written to disk and is not retained after analysis. Raw transaction data is not stored by CheckSpent. We do not extract, store, or process your name, account number, BSB, sort code, or any other personal banking identifier from uploaded files.

Sensitive and incidental information

Bank statements may incidentally contain references to sensitive categories of information — such as transactions with medical providers, religious organisations, political parties, or gambling services. CheckSpent's analysis engine is designed to extract only merchant names, transaction amounts, and dates for the purpose of identifying recurring charges. We do not intentionally collect, store, or use sensitive personal information as defined under the Australian Privacy Act 1988 or Article 9 of the GDPR.

Because bank statement files are processed in memory only and are not retained after analysis, any incidental sensitive information in your statement is not accessible to us after processing is complete. We recommend redacting any particularly sensitive transactions before uploading if you are concerned about this.

Anonymous analytics

We collect aggregated, anonymised data about analyses performed — such as the number of subscriptions detected, file type used, and total spend categories. No personally identifiable information (PII) is stored in our analytics database. Merchant names and subscription categories are stored at aggregate level only. Analytics data is stored securely via Supabase with row-level security enabled.

Contact and email information

If you voluntarily provide your email address (for example, when purchasing a product), we store that email to fulfil your order and send transactional communications related to your purchase. Transactional emails (order confirmations, report delivery, account notices) are sent without requiring separate consent as they are necessary to fulfil the service.

We will only send you marketing or promotional communications if you have given us your express consent (for example, by checking the opt-in box at checkout). Each marketing email we send includes a clear and functional unsubscribe mechanism. We comply with the Spam Act 2003 (Cth) (Australia) and, where applicable, the CAN-SPAM Act (US), CASL (Canada), and applicable EU/UK rules on electronic direct marketing. You can withdraw your marketing consent at any time by clicking “Unsubscribe” in any email we send, or by contacting us. Withdrawal of marketing consent does not affect the lawfulness of processing prior to withdrawal.

Technical and usage data

We collect standard technical data including IP address, browser type, device type, referring URL, and pages visited. This data is used to operate and improve the service and is not used to identify individual users.

Payment information

When you purchase a paid product, payment is processed by a third-party payment provider (such as Stripe). CheckSpent does not store full credit card numbers or payment credentials. We receive only a transaction confirmation and the information needed to fulfil your order.

Consent records

When you accept our Terms and Conditions, Privacy Policy, and Disclaimer at checkout, we record a timestamped log of your consent for our records.

3. How We Use Your Information

We use your information for the following purposes and legal bases:

| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Analyse your bank statement and generate your subscription report | Contractual necessity (Art. 6(1)(b)) |
| Process payments and fulfil orders for paid products | Contractual necessity (Art. 6(1)(b)) |
| Provide, maintain, and improve the CheckSpent service | Legitimate interest (Art. 6(1)(f)) |
| Send product updates or educational content you have opted into | Consent (Art. 6(1)(a)) |
| Measure aggregate usage patterns and improve detection accuracy | Legitimate interest (Art. 6(1)(f)) — anonymised data only |
| Comply with legal obligations (tax records, breach notification) | Legal obligation (Art. 6(1)(c)) |
| Record consent to terms at checkout | Legitimate interest (Art. 6(1)(f)) |

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

4. Data Retention

  • Uploaded files: Deleted immediately after analysis. Not stored on disk.
  • Subscription reports: Expire automatically after 14 days.
  • Anonymous analytics: Retained indefinitely (no PII).
  • Email addresses: Retained until you unsubscribe or request deletion.
  • Payment records: Retained as required by Australian tax law (typically 5–7 years).
  • Consent records: Retained for the duration of your use of the service plus 7 years.

5. Third-Party Service Providers

We use the following categories of third-party service providers to operate CheckSpent:

  • Cloud database providers — secure database and analytics storage (no PII stored).
  • AI processing providers — for automated bank statement analysis. Files are processed transiently and are not used to train AI models under our data processing agreements. The specific AI provider may change from time to time; any provider used will be bound by equivalent or stronger data protection obligations.
  • Payment processors (such as Stripe) — to handle secure payment transactions.
  • Hosting and CDN providers — to serve the website globally.

We do not share transaction data or bank statement contents with any of these providers beyond what is strictly necessary to perform the analysis. All third-party providers are bound by data processing agreements that require them to protect your data in accordance with applicable privacy laws.

Changes to subprocessors: We may add, remove, or replace third-party service providers from time to time as our services evolve. When we make a material change involving a new processor that handles personal data, we will update this Privacy Policy and indicate the change with an updated “Last updated” date. For changes that materially affect how your personal data is processed, we will provide reasonable advance notice to active users (typically by email or by prominent website notice) before the change takes effect.

6. International Data Transfers

CheckSpent is based in Australia. Some of our third-party service providers may process data in jurisdictions outside Australia, including the United States and the European Economic Area. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for EU/UK data).
  • Data processing agreements with all providers.
  • Verification that the receiving jurisdiction provides adequate data protection or that appropriate contractual protections are in place.

By using CheckSpent, you consent to the transfer of your information to these jurisdictions for the purposes described in this policy.

7. Cookies and Similar Technologies

CheckSpent uses two categories of cookies and similar technologies.

Strictly necessary cookies: required to operate the website, remember your session state, process payments, and record consent at checkout. These cookies do not require your consent and cannot be disabled.

Analytics cookies: aggregated, anonymised measurement of usage patterns to help us improve the service (currently Google Analytics and Microsoft Clarity). We do not use third-party advertising or cross-site tracking cookies.

For users in the European Economic Area, the United Kingdom, and other jurisdictions requiring prior consent under Article 5(3) of the ePrivacy Directive 2002/58/EC and corresponding national law, analytics cookies are only set after you have given your explicit consent via our cookie banner. You can withdraw consent at any time via the “Cookie preferences” link in the website footer. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

For users outside those jurisdictions, you can disable cookies through your browser settings. Some site features may not function correctly if you do.

For full details, see our Cookie Policy.

8. Security

We take reasonable technical and organisational measures to protect information against unauthorised access, loss, or disclosure, including:

  • Bank statement files are processed in isolated server memory and are not persisted to any storage medium.
  • Our analytics database uses row-level security and is accessible only via server-side credentials.
  • All data in transit is encrypted using TLS/SSL.
  • Access to production systems is restricted to authorised personnel only.
  • We conduct periodic security reviews of our infrastructure and third-party providers.

Despite these measures, no internet transmission is completely secure and we cannot guarantee absolute security. If you become aware of any security incident affecting your data, please contact us immediately.

Data Protection Impact Assessment (DPIA): CheckSpent processes bank statement data using AI systems, which may constitute high-risk processing under the GDPR and UK GDPR. We have conducted an internal assessment of the privacy risks associated with our AI analysis pipeline and have implemented technical controls (in-memory processing, no persistent storage of raw files, no retention of personal banking identifiers) to mitigate those risks. We will repeat this assessment whenever we make material changes to our data processing activities. EU/UK users who wish to raise concerns about our processing may contact our representative or lodge a complaint with their local supervisory authority.

9. Data Breach Notification

In the event of an eligible data breach under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law. We will also notify affected EU/UK residents under GDPR Article 33 and UK GDPR Article 33 where applicable. Notification will be provided without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request erasure of personal data (subject to legal retention obligations).
  • Portability (GDPR/UK GDPR): Request your data in a structured, machine-readable format.
  • Objection (GDPR/UK GDPR): Object to processing based on legitimate interests.
  • Restriction (GDPR/UK GDPR): Request restriction of processing in certain circumstances.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Automated decision-making (GDPR/UK GDPR): You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. CheckSpent's AI analysis produces informational reports only and does not make decisions with legal or similarly significant effects on you.

To exercise any of these rights, contact us. We will respond within 30 days. Australian users may also lodge a complaint with the OAIC at oaic.gov.au. EU users may lodge a complaint with their local data protection authority. UK users may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Children's Privacy

CheckSpent is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Do Not Track

CheckSpent does not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard interpretation of DNT. We do not use third-party advertising or tracking cookies regardless of your DNT setting.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by an updated “Last updated” date at the top of this page. If a change materially affects how we handle your personal data, we will make reasonable efforts to notify you (for example, by email or prominent website notice). Continued use of the service after changes constitutes acceptance of the revised policy.

14. Contact Us

For privacy requests, questions, or complaints, please use our contact form. This form is our official channel for all written communications, including those required under the Australian Privacy Act 1988, the EU GDPR, and the UK GDPR. We aim to respond to all enquiries within 30 days. We do not publish a direct email address to reduce phishing and spam risk; messages submitted through the contact form are routed to our support team.

14a. EU/UK Representative

CheckSpent is established in Australia and not in the European Economic Area (EEA) or the United Kingdom. Where we process personal data of individuals in the EEA or the UK in connection with offering goods or services to those individuals, we are subject to the GDPR and UK GDPR respectively.

Pursuant to Article 27(2)(a) of the GDPR and the equivalent provision under UK GDPR, CheckSpent relies on the exemption available to controllers that process personal data only occasionally, do not process special categories of data at large scale, and whose processing is unlikely to result in a risk to the rights and freedoms of natural persons. On this basis, CheckSpent does not currently appoint a formal EU or UK representative under Article 27(1).

EEA and UK residents may still exercise their rights under GDPR/UK GDPR by contacting us directly. We will respond within the applicable statutory timeframe. If we believe this exemption no longer applies due to a material change in our processing activities, we will appoint a representative and update this policy accordingly.

15. Submit a Privacy Request

Under the Australian Privacy Act 1988 (APP 12 and APP 13), you have the right to access and request deletion of personal data we hold about you. Use the form below to submit a request. Requests are processed immediately; complex cases may take up to 30 days.

Requests are processed immediately. In complex cases we may take up to 30 days, as permitted under the Australian Privacy Act 1988.
