Privacy Policy

Effective Date: 10 May 2026
Last Updated: 10 May 2026

Clan AI ("Clan AI", "we", "us", or "our") operates AutoBooks (the "Service") and respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and other applicable data protection laws.

By using the Service, you consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

1. Personal Data We Collect

We may collect the following categories of personal data:

  • Account information: name, email address, profile photo, and authentication credentials (handled by our identity provider).
  • Business information: company name, business address, industry, primary services, common vendor types, GST registration status, and other workspace context you choose to provide.
  • Bill and invoice data: documents you upload or that arrive via connected email accounts, including vendor names, invoice numbers, line items, amounts, dates, payment terms, and any text or metadata extracted from those documents.
  • Email integration data: OAuth tokens for Gmail or Microsoft Outlook (encrypted at rest), email metadata (sender, subject, received date), and the contents of messages with invoice attachments processed by the Service.
  • Accounting integration data: OAuth tokens for Xero (encrypted at rest) and chart-of-accounts data synced from your accounting system.
  • AI configuration: the AI provider, model, and API key you configure for your workspace (API keys are encrypted at rest).
  • Usage and technical data: log data, IP addresses, browser type, device identifiers, and timestamps generated when you interact with the Service.

2. How We Collect Personal Data

We collect personal data when you:

  • Create an account or sign in to the Service;
  • Configure your workspace, settings, or integrations;
  • Connect your email inbox or accounting software;
  • Upload bills, invoices, or other documents;
  • Receive emails with invoice attachments through a connected mailbox;
  • Communicate with us by email or other means.

3. How We Use Your Personal Data

We use your personal data to:

  • Provide, operate, and maintain the Service;
  • Extract structured data from invoices and bills using artificial intelligence and present the results for your review and approval;
  • Match invoices to vendors and chart-of-accounts entries;
  • Sync approved bills to your connected accounting software (e.g., Xero);
  • Authenticate users and prevent fraud or abuse;
  • Respond to support requests, queries, or complaints;
  • Improve the Service, including reliability, performance, and accuracy;
  • Comply with our legal, regulatory, and contractual obligations.

4. AI Processing

The Service uses third-party AI providers (such as Anthropic, OpenAI, or Google) to extract structured data from invoice documents. The AI provider, model, and API key used to process your data are configured by you within your workspace settings.

We do not use your bill, invoice, email, or workspace data to develop, improve, or train generalised machine-learning or artificial-intelligence models for Clan AI or third parties. Data is sent to the configured AI provider only for the purpose of extracting fields from the specific document being processed, and is subject to that provider's own data handling policies, which we encourage you to review.

5. Google Gmail API Data Usage

When you connect a Gmail account to AutoBooks, the Service accesses your Gmail data via the Gmail API to identify and process invoice attachments. AutoBooks' use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

  • Email metadata (sender, subject, received timestamp) for messages received in your connected Gmail account;
  • Attachment files (PDFs and images) on those messages, for processing through our invoice-extraction pipeline;
  • Push-notification updates via Google Cloud Pub/Sub when new messages arrive in your inbox.

How we use Gmail API data

  • To detect new messages with invoice attachments and download those attachments;
  • To extract structured invoice data using the AI provider you configure, with the attachment and minimal email context as input;
  • To present extracted data to you in your AutoBooks workspace for review and approval.

Limited Use commitments

In compliance with the Google API Services User Data Policy and its Limited Use requirements, AutoBooks does NOT:

  • Use Gmail API data to develop, improve, or train generalised machine-learning or artificial-intelligence models, whether for AutoBooks, Clan AI, or third parties;
  • Transfer Gmail API data to third-party AI/ML tools or any other parties for the purpose of developing or improving generalised AI models;
  • Use Gmail API data for advertising, marketing, or profiling purposes;
  • Sell Gmail API data to any third party;
  • Allow humans to read Gmail API data, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations such as troubleshooting;
  • Use Gmail API data beyond the functionalities required to provide the Service as described in this Privacy Policy.

Storage and retention

Email metadata and downloaded attachments are stored only within your AutoBooks workspace database. OAuth tokens used to access the Gmail API on your behalf are encrypted at rest using AES-256-GCM. We retain Gmail-derived data only for as long as necessary to provide the Service, as described in our Data Retention section.

Revoking access

You may revoke AutoBooks' access to your Gmail data at any time:

  • Within AutoBooks: Settings → Email Connections → Disconnect;
  • In your Google Account at https://myaccount.google.com/permissions.

6. Disclosure of Personal Data

We do not sell your personal data. We may disclose your personal data to the following categories of recipients:

  • Service providers: hosting, database, file storage, identity, email delivery, AI inference, and analytics providers acting on our behalf under appropriate contractual safeguards.
  • Integrations you authorise: Gmail, Microsoft 365 / Outlook, Xero, and other systems you connect to the Service.
  • Other workspace members: if you are part of a multi-user workspace, authorised members may view bills, vendors, settings, and activity recorded under that workspace.
  • Legal and regulatory authorities: where disclosure is required by law, court order, or to protect our rights, property, or safety.
  • Successors in interest: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.

7. International Transfers

Your personal data may be processed and stored on servers located outside Singapore, including those operated by our cloud and AI service providers. Where personal data is transferred outside Singapore, we take steps to ensure that the recipient provides a standard of protection comparable to that under the PDPA.

8. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to provide the Service, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. When data is no longer required, we will delete or anonymise it.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal data, including:

  • Encryption of OAuth tokens and API keys at rest using AES-256-GCM;
  • Transport-layer encryption (HTTPS/TLS) for data in transit;
  • Authentication, role-based access controls, and least-privilege practices;
  • Workspace-level data isolation in our database;
  • Regular security updates and patching of underlying systems.

However, no method of transmission or storage is completely secure. You are responsible for keeping your account credentials and any AI provider API keys you supply confidential.

10. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate or incomplete personal data;
  • Withdraw your consent to our collection, use, or disclosure of personal data;
  • Request deletion of your account and associated data.

We will respond to access requests within seven (7) business days where reasonably practicable, and to consent withdrawal requests within twenty-one (21) business days. Withdrawing consent may prevent us from continuing to provide the Service to you.

11. Children's Privacy

The Service is intended for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact our Data Protection Officer at support@clanai.sg.


© 2026 Clan AI. All rights reserved.