Privacy policy.

01Introduction

Maimoney Capital Pty Ltd ACN 677 407 868 (trading as Kleev, we, us or our) is committed to protecting your privacy and handling your personal information in an open and transparent manner.

This Privacy Policy explains how we collect, use, hold, disclose and otherwise handle your personal information when you access or use the Kleev website, platform, applications and related services (together, the Services).

We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

If you have any questions or concerns about this Privacy Policy or our privacy practices, you can contact us using the details at the end of this policy.

02About Kleev

Kleev is an AI-native personal finance platform that allows users to upload bank statements and other financial information to gain spending insights, track investment property cash flow, receive AI-generated financial insights, and view deal recommendations.

Kleev is not a licensed financial adviser and does not hold an Australian Financial Services Licence. Nothing on Kleev constitutes financial, investment, tax or legal advice.

03What Personal Information We Collect

The personal information we collect depends on how you use the Services and what information you choose to provide.

3.1Information you provide directly

We may collect personal information such as:

• your name;
• email address;
• phone number;
• account login credentials;
• communication and marketing preferences;
• business or company name and ABN, where relevant;
• financial transaction data contained in uploaded bank statements or similar files, including transaction descriptions, dates, amounts and merchant information;
• property-related information you choose to provide;
• payment and billing information required to manage subscriptions and payments; and
• communications and correspondence with us, including support enquiries.

3.2Information we collect automatically

When you use the Services, we may automatically collect:

• device information;
• browser type;
• IP address;
• usage data;
• log data, including access times;
• analytics and performance data; and
• information about how you interact with the Services.

3.3Information we receive from third parties

We may receive limited personal information from third parties where you choose to use those services with Kleev, including third-party authentication providers such as Google or Apple. In those cases, we may receive information such as your name, email address, and authentication-related details made available to us by that provider.

We may also receive personal information from payment processors, service providers, or other third parties where reasonably necessary to operate the Services.

3.4Sensitive information

We do not generally seek to collect sensitive information. If we do collect sensitive information, we will only do so where permitted by law and will handle it in accordance with the Privacy Act.

3.5Information we do not intentionally collect

Kleev does not connect directly to your bank accounts and does not use Open Banking.

We do not ask you to provide your internet banking credentials.

To the extent possible within the design of the Services, we do not intentionally collect bank account numbers or BSB numbers as part of our ordinary data handling processes. If such information is incidentally included in an uploaded document or file, it will be handled in accordance with this Privacy Policy.

We do not permanently retain raw uploaded CSV files where those files have been processed into structured records, unless retention is reasonably required for operational, legal, security or dispute-resolution purposes.

04How We Collect Your Personal Information

We collect personal information in several ways, including when you:

• register for an account;
• upload bank statements, CSV files, or other financial information;
• use the Services;
• contact us by email, phone, or through support channels;
• subscribe to marketing communications;
• interact with cookies and similar technologies on our website or platform; or
• sign in using a third-party authentication provider.

Where reasonable and practicable, we collect personal information directly from you. In some cases, we may receive information from third parties. Where appropriate, we will take reasonable steps to make you aware of that collection.

If you do not provide certain personal information, some parts of the Services may not function properly or may not be available to you.

05Why We Collect, Use and Hold Your Personal Information

We may collect, use and hold your personal information for purposes including:

• providing, operating and maintaining the Services;
• creating and managing your account;
• processing uploaded financial information and generating insights;
• personalising your experience;
• communicating with you about your account, support requests, updates and service-related matters;
• processing payments and managing subscriptions;
• improving, testing and monitoring the performance of the Services;
• detecting, preventing and investigating fraud, misuse, security incidents and other unlawful activity;
• complying with legal and regulatory obligations; and
• sending marketing communications where you have consented or where otherwise permitted by law.

5.1AI processing

Kleev uses AI tools and service providers — currently Anthropic (Claude) — to help deliver features such as transaction categorisation, transfer and duplicate detection, recurring-charge detection, mortgage and loan extraction, financial insights, AI chat, and deal recommendations.

To operate these features, we send the following types of data to our AI provider when you use them:

• transaction descriptions, dates, amounts and source bank or account labels;
• mortgage and loan statement rows, including running balances;
• summarised wealth context such as total net worth, total cash, total liabilities, monthly income, cash-buffer months and top account names and balances;
• goal names and target amounts;
• aliases you have told us refer to you (used to identify your own transactions); and
• the message you type into AI chat, together with a contextual snapshot of the page you are on.

When personal information is processed using AI tools on our behalf:

• we limit the data shared to what is reasonably necessary for the relevant function;
• Kleev uses Anthropic's standard API tier. Inputs to standard API and Console usage are subject to Anthropic's standard 30-day retention for abuse monitoring. Anthropic does not use API inputs to train their general models. For details, see Anthropic's usage policies and data retention disclosures;
• data sent to our AI provider is transmitted to and processed on infrastructure located in the United States (see clause 9);
• we cache results of AI calls in your browser where possible so we do not re-send the same data on each page load; and
• AI-generated outputs are probabilistic and may be incomplete, inaccurate, or outdated. They should be independently assessed before being relied on for significant financial or other decisions.

If you do not wish your data to be processed by our AI provider, you can avoid using AI-driven features (categorisation, AI chat, narratives, deal recommendations). Some Kleev features will not function without AI processing.

5.2Direct marketing

We may send you marketing or promotional communications about our Services where you have consented, where you would reasonably expect to receive those communications, or where otherwise permitted by law.

You can opt out of direct marketing communications at any time by using the unsubscribe link in the communication or by contacting us using the details below.

We do not use sensitive information for direct marketing.

06How We Handle Your Financial Data

Your financial data is used to provide the Services to you, including in-app personalisation, analytics, insights and related functionality.

We do not sell your personal information or your individual financial transaction data.

We do not share your individual transaction-level financial data with merchants for their own marketing purposes.

Where we provide recommendations or promotional content based on spending patterns or categories, that matching is performed within our own systems using first-party data unless we tell you otherwise.

Payment card information is handled by our payment processor and is not stored by us except to the extent necessary to maintain billing records, payment status, or limited transaction metadata.

07Disclosure of Your Personal Information

We may disclose your personal information to third parties where reasonably necessary for the purposes described in this Privacy Policy, including to:

• cloud hosting and infrastructure providers;
• analytics providers;
• authentication providers;
• AI and data processing providers;
• payment processors;
• customer support, email, error monitoring and communications providers;
• professional advisers, auditors and insurers;
• contractors, maintenance personnel and support personnel acting in the ordinary course of their duties;
• regulators, courts, tribunals, law enforcement bodies or government agencies where required or authorised by law; and
• a purchaser or potential purchaser in connection with a sale, merger, restructure or transfer of our business or assets.

At the date of this Privacy Policy, our main service providers may include the following:

We do not sell, trade or rent your personal information to third parties.

08Cookies and Similar Technologies

We use cookies and similar technologies to:

• keep you logged in;
• remember your preferences;
• understand how users interact with the Services;
• monitor performance, reliability and security; and
• improve the functionality and user experience of the Services.

We do not currently use third-party advertising cookies.

We use PostHog session recording to understand how people use the app and diagnose bugs — clicks, navigations, timing, and what was on screen. Form input values are masked client-side before the recording leaves your browser — that means anything you type (passwords, the bank-name field on upload, manual transaction descriptions, goal amounts, support messages) never reaches PostHog. On-screen text is visible to Kleev staff for debugging purposes — that includes balances, merchant names, category labels, and error messages that the app renders. Recordings are accessed only by the Kleev team, stored encrypted at PostHog (US), and used solely to fix bugs and improve the product. If you do not want your sessions recorded, contact us to opt out.

You may be able to control cookies through your browser settings, but doing so may affect the functionality of the Services.

09Overseas Disclosure and International Data Transfers

Some of our service providers are located outside Australia, including in the United States and other countries from time to time.

As a result, your personal information may be disclosed to, stored by, or processed by overseas recipients.

Where we disclose personal information overseas, we take reasonable steps to ensure the recipient handles the information in a manner consistent with applicable privacy and data protection requirements, including through contractual arrangements and vendor due diligence where appropriate.

Privacy laws in other countries may differ from Australian privacy laws, and overseas recipients may be subject to lawful access requirements in their local jurisdictions.

10Data Security

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

These steps may include administrative, technical and physical safeguards such as:

• encryption in transit (HTTPS / TLS) for all traffic to and from the Services;
• encryption at rest for data stored on our database and infrastructure providers;
• access controls and authentication measures, including optional two-factor authentication (TOTP) which you can enable in your account settings;
• row-level security on our database so each user can only access their own records;
• rate limiting on AI and other sensitive endpoints to limit abuse;
• logging and monitoring, including error monitoring configured to strip sensitive payloads before transmission;
• secure development and deployment practices; and
• regular review of security measures.

10.1Browser local storage

To make Kleev fast and to allow you to work with your CSV uploads without round-tripping every action to our servers, certain financial data — including parsed transactions, balances, account names, derived salary patterns, mortgage and property details, goals, and net-worth snapshots — is stored locally in your browser's localStorage.

This locally stored data is in plaintext, not encrypted at rest in the browser. It is protected by your operating system's user-account isolation and by our session-aware cleanup, which wipes this data when you sign out or when a different user signs in on the same browser.

You should treat your browser profile as you would treat a banking app's offline cache: do not sign in on a shared, public, or otherwise untrusted device, and be aware that browser extensions with permission to read page data, malware, or local disk forensics on a stolen device may be able to access this data.

No method of transmission over the internet, and no method of electronic storage, is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and for using appropriate security practices on your own devices and networks.

11Data Retention

We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain appropriate business and security records.

If you delete your account from Settings → Delete account, your authentication record and all linked rows in our database (including transactions, mortgage and property data, goals, AI chat history, wealth narratives, and watchlists) are removed immediately via cascade deletion. Locally cached data in the browser is also wiped on sign-out. Backups and routine operational logs may persist for a short period before they are overwritten.

We may retain a minimal record of the deletion event itself (for audit and abuse-prevention purposes), and we may retain or be required to retain certain information for legal, regulatory, dispute-resolution, fraud prevention, or security reasons.

We may retain de-identified, anonymised or aggregated information for longer periods, including indefinitely, where that information no longer identifies you.

12Children's Privacy

The Services are not directed to children under 18 years of age.

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a person under 18 in circumstances where that information should not have been collected, we will take reasonable steps to delete it.

13Access, Correction and Other Privacy Rights

Under the Australian Privacy Principles you have the right to access the personal information we hold about you (APP 12) and to request correction of inaccurate, out-of-date, incomplete, irrelevant or misleading information (APP 13).

Most of your personal information is visible to you directly within the Services. You can view, edit, re-categorise, or remove your transactions, property records, goals, AI chat history, and account profile at any time from within the app. We do not currently provide a single-click export of all your data in a portable format; if you would like a copy of your data in a structured format, contact us using the details below and we will assist.

You may delete your account and all associated data at any time from Settings → Delete account. You may also request deletion by contacting us, subject to any legal or operational basis for retention.

To make a privacy request, please contact us using the details below. We may need to verify your identity before actioning your request.

We will respond to privacy requests within a reasonable period and aim to do so within 30 days.

14Complaints

If you have a complaint about how we have handled your personal information, please contact us using the details below and provide as much detail as possible.

We will consider your complaint, may ask you for further information, and will respond within a reasonable period.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.

15Future Advertising and Commercial Arrangements

Kleev does not currently display third-party advertising within the Services.

If we introduce future promotional or commercial arrangements with merchants or partners:

• we will not share your individual financial transaction data with advertisers for their independent use unless we clearly disclose this and have a lawful basis to do so;
• any matching of promotional content to user interests or spending categories will, unless otherwise disclosed, occur within our own systems using first-party data;
• promotional content will be clearly identified; and
• we may update this Privacy Policy to reflect any material change in our practices.

16Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If we make a material change, we may notify you by email, through the Services, or by publishing an updated version on our website or platform.

The updated version will take effect from the date stated at the top of this Privacy Policy.

17Contact Us

Maimoney Capital Pty Ltd
ACN 677 407 868
Trading as Kleev

35 Belgrave St, Burwood NSW 2134, Australia

hello@kleev.ai

+61 2 8880 5874

18What Changed Recently

• 1 June 2026 — Enabled PostHog session replay with form-input masking client-side, to help diagnose upload flow issues. Form input values you type stay masked. On-screen text (balances, merchant names, error messages) is visible to Kleev staff in recordings for debugging. Updated sub-processor table and §8 to reflect this scope. Recordings are accessed only by the Kleev team and stored encrypted at PostHog (US).
• 31 May 2026 — Clarified the scope of data sent to our AI provider (clause 5.1); added a plain-English disclosure that data stored in browser localStorage is plaintext (clause 10.1); documented that two-factor authentication and rate limiting are now in place; described the account deletion flow which now cascades across our database (clauses 11 and 13); added Upstash to the list of service providers; noted the absence of a one-click data export and how to request one. 2026-05-31 (later): Corrected Anthropic data-retention language (no ZDR enrollment — standard API tier with 30-day retention for abuse monitoring). Removed Stripe from sub-processor list pending actual integration.

This Privacy Policy was prepared for Maimoney Capital Pty Ltd and is governed by the laws of New South Wales, Australia. This document does not constitute legal advice. Maimoney Capital Pty Ltd recommends seeking independent legal advice to ensure compliance with all applicable laws.