The short version

1. Who we are

Comma App is an Australian software product operated by [YOUR NAME], trading as Comma App (ABN [YOUR ABN]), based in Melbourne, Victoria, Australia.

We are subject to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you have a privacy question or complaint, contact us at privacy@getcomma.com.au.

2. What data we collect

Financial data (encrypted, app users only)

If you are a Pro or Lifetime user with cloud sync enabled, your transaction data is encrypted using AES-256-GCM in your browser before being transmitted to our servers. We store only encrypted blobs. We do not have access to your encryption key and cannot read the content of your financial data under any circumstances.

Important: Your encryption key is derived from your password using PBKDF2-SHA256 (600,000+ iterations). Your password never leaves your device. If you forget your password, your data cannot be recovered — by you or by us. This is by design.

Account information

If you create a Pro or Lifetime account, we collect your email address for authentication and account management. This is stored in Supabase (our database provider) and is never used for advertising.

Waitlist email

If you submit your email on the Comma website to join the waitlist, we store your email address in our database and in Kit (our email marketing platform). We will use this to notify you of launch and major updates. You can unsubscribe at any time via the link in any email we send.

Website analytics

The Comma marketing site (getcomma.com.au) uses Vercel Analytics, a privacy-friendly analytics tool. Vercel Analytics does not use cookies, does not fingerprint your device, and does not track you across sites. It records aggregate page view data to help us understand traffic. No personal data is collected or stored.

What we do not collect

3. How we use your data

We do not use your data for advertising, profiling, or any purpose beyond operating the service.

4. AI insights — your data, your key

Comma's AI insights feature is entirely optional and requires you to provide your own Anthropic API key. When you use this feature, your financial data is sent directly from your browser to Anthropic's API using your key. Comma's servers are never in the loop — we do not proxy, log, or receive any data from these requests.

Anthropic's API data usage policy states that data submitted via the API is not used to train their models. We recommend reviewing Anthropic's Privacy Policy for full details.

You can disable the AI insights feature at any time in the app settings, in which case no data is ever sent to Anthropic.

5. Third-party services

Comma uses the following third-party services to operate. Each receives only the minimum data necessary to function.

Supabase [Encrypted only]
Database and authentication. Stores encrypted data blobs and your account email. SOC 2 Type II certified. Data hosted in Sydney, Australia (ap-southeast-2 region).

Vercel [No personal data]
Hosts the marketing website (getcomma.com.au). Provides privacy-friendly aggregate analytics with no cookies or cross-site tracking.

GitHub Pages [Server logs only]
Hosts the Comma app as static files. Processes standard web server logs (IP address, browser). No financial data is ever transmitted to GitHub.

Kit (ConvertKit) [Email only]
Email marketing platform. Stores your email address if you joined the waitlist or subscribed to updates. You can unsubscribe at any time.

Lemon Squeezy [No financial data]
Payment processor and Merchant of Record. Handles all purchase transactions. We never receive or store your payment card details. Lemon Squeezy manages GST collection and remittance on our behalf.

Anthropic [Direct — not via us]
AI insights (optional). Your data is sent directly from your browser to Anthropic using your own API key. Comma does not proxy or receive this data.

We do not sell data to any third party, and we do not permit any third party to use your data for their own purposes.

6. Data retention

Encrypted app data is retained as long as you have an active account. You can delete your account at any time from the app settings, which permanently deletes all encrypted data from our servers within 30 days.

Waitlist emails are retained until you unsubscribe. You can unsubscribe at any time via the link in any email, or by emailing privacy@getcomma.com.au.

Free tier (browser storage) — if you use Comma without an account, no data is sent to our servers. All data is stored locally in your browser's storage and can be deleted by clearing your browser data.

7. Data security

Financial data is encrypted using AES-256-GCM with a key derived from your password via PBKDF2-SHA256 (600,000+ iterations) — all performed in your browser using the Web Crypto API. The encryption key never leaves your device.

Our servers store only encrypted ciphertext. Even in the event of a database breach, your financial data could not be read without your password.
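The client-side scheme described in sections 2 and 7 (PBKDF2-SHA256 key derivation, then AES-256-GCM through the Web Crypto API), shown as an added example that is not Comma's own code. The function names, the 16-byte salt, the 12-byte IV, the blob layout and the sample record are assumptions; the iteration count is the minimum this policy states.

```javascript
// Added example, not Comma's code: names, blob layout and sample record are assumptions.
// Web Crypto is a global in browsers and recent Node; older Node exposes it via node:crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 600000; // PBKDF2-SHA256 work factor; the policy states 600,000+

// Stretch the password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Produce the only thing a sync server would need to store: salt, IV and ciphertext.
async function encryptForSync(password, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh per blob (assumed size)
  const iv = wc.getRandomValues(new Uint8Array(12));   // GCM nonce, never reused per key
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Re-derive the key from the password; rejects if the password or the blob is wrong.
async function decryptFromSync(password, blob) {
  const key = await deriveKey(password, blob.salt);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.iv }, key, blob.ciphertext);
  return new TextDecoder().decode(pt);
}

// Constructed sample data: round trip, wrong password, and a tampered blob.
async function demo() {
  const record = JSON.stringify({ date: '2024-07-01', payee: 'Constructed Grocer', amount: -42.5 });
  const password = 'constructed-sample-passphrase';
  const blob = await encryptForSync(password, record);
  const roundTrip = await decryptFromSync(password, blob);
  const outcome = (p) => p.then(() => 'decrypted', () => 'rejected');
  const wrongPassword = await outcome(decryptFromSync('not-the-password', blob));
  const forged = { ...blob, ciphertext: blob.ciphertext.slice() };
  forged.ciphertext[0] ^= 1; // flip one bit, as a corrupted or modified blob would
  const tampered = await outcome(decryptFromSync(password, forged));
  return {
    roundTripOk: roundTrip === record, wrongPassword, tampered,
    tagOverhead: blob.ciphertext.length - new TextEncoder().encode(record).length,
    plaintextVisible: new TextDecoder().decode(blob.ciphertext).includes('Constructed Grocer'),
  };
}
```

Calling demo() resolves to an object showing that only the original password recovers the record and that a modified blob fails GCM authentication instead of decrypting to altered data.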

Account authentication is handled by Supabase, which is SOC 2 Type II certified. All data in transit is protected by TLS.

8. Your rights

Under the Australian Privacy Act, you have the right to:

To exercise any of these rights, contact us at privacy@getcomma.com.au. We will respond within 30 days.

If you are unsatisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9. Cookies

The Comma marketing site does not use tracking cookies. Vercel Analytics operates without cookies. The Comma app uses browser local storage to persist your session and preferences — this is not transmitted to any third party.

10. Children's privacy

Comma is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page and — for material changes — notify account holders by email. Continued use of Comma after changes take effect constitutes acceptance of the updated policy.

12. Contact us

For any privacy questions, access requests, or complaints:

Comma App · Melbourne, Victoria, Australia

privacy@getcomma.com.au

We aim to respond to all privacy enquiries within 30 days.