Privacy Policy

Effective Date: 5 May 2026

This Privacy Policy explains how COMMA APP PTY LTD (“Comma,” “we,” “us,” or “our”) collects, uses, and protects your information when you use our website at https://comma.finance and the Comma application (together, the “Service”).

We comply with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). If you are located in the European Union or United Kingdom, this policy is also designed to be consistent with the General Data Protection Regulation (GDPR) and UK GDPR. If you are a California resident, see the California-specific section below.

1. Our Privacy Philosophy

Your password never leaves your browser. We use Argon2id to derive an authentication token and a wrapping key from your password — entirely on your device. Only the derived authentication token reaches our servers, where it is bcrypt-hashed again before storage. We never see your password in any form, at any point in any flow.

Your transaction data is encrypted with AES-256-GCM by a key derived from your password (also never transmitted). The server stores encrypted blobs only — your transactions, categories, goals, and balances are unreadable to anyone without your password, including us. See our Security page and the Security Architecture deep-dive for the full mechanism.

We are still upfront about what our infrastructure CAN see — email addresses, sync timing, IP addresses, payment metadata, and anything you explicitly send us. The list is documented under What our infrastructure can see.

2. Information We Collect

Account information

  • Email address (required for account creation, sign-in, and account-management correspondence)
  • A hashed form of your password (stored by our auth provider, Supabase; never the plaintext password — see Section 12 for the known limitation)

Encrypted financial data

  • Your transactions, categorisation rules, goals, and other financial information are encrypted in your browser using AES-256-GCM before being uploaded
  • The server stores the encrypted blobs only — they are unreadable without your password

Payment information (when you upgrade to a paid tier)

  • Processed by Stripe Inc. We do not store full card details
  • We retain limited transaction metadata: transaction ID, amount, currency, date, and last four digits of the card used (required for refunds and customer service)

Support correspondence

  • When you contact hello@comma.finance, we store your email and message content so we can reply

Usage data

  • We use Vercel Analytics to track aggregated, anonymous page-view metrics on our marketing site. This does not identify individual users and does not set cookies

Login security data

  • Your IP address at login (for abuse prevention and unusual-login alerts)

3. Information We Do NOT Collect

  • We do not connect to your bank accounts via Open Banking, Plaid, or any third-party aggregator
  • We do not collect your name unless you provide it voluntarily in support correspondence
  • We do not collect billing addresses (Stripe handles this directly)
  • We do not sell, rent, or trade your information
  • We do not display advertising
  • We do not use cookies or fingerprinting to track behaviour outside of Comma
  • We do not use third-party analytics that profile users

4. How We Use Your Information

  • To provide the Service and process payments
  • To send transactional emails (welcome emails, receipts, account notifications, support replies)
  • To send occasional product updates only if you have explicitly opted in
  • To detect, prevent, and respond to fraud or abuse
  • To meet legal and regulatory obligations

5. Subprocessors

We use the following third-party providers (“subprocessors”) to deliver the Service. Each only processes data necessary for its function.

Subprocessor | Purpose | Data processed | Region
Supabase (Supabase Inc., US) | Authentication and encrypted-blob storage | Email, hashed password, encrypted financial blobs | Sydney, Australia (AWS ap-southeast-2)
Stripe (Stripe, Inc., US) | Payment processing | Payment metadata, card details (never seen by Comma) | US / Australia
Vercel (Vercel, Inc., US) | Hosting, edge delivery, analytics | Aggregated page-view metrics, IP-derived geolocation, server logs | US edge (primary), Sydney where available
Resend (Resend Inc., US) | Transactional and marketing email delivery | Email address, message content | US
Help Scout (Help Scout PBC, US) | Live chat / support — only when you opt in via the consent banner | IP address, browser info, page URL, anything you submit through chat | US
AI providers — Anthropic, OpenAI, Google (US-based) | AI Chat feature, only when you enable it with your own API key | Prompts and any financial context you choose to share | US (and global, depending on provider)

6. International Transfers

Some subprocessors process data outside Australia (primarily the US). Where this involves the personal information of EU or UK residents, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and equivalent mechanisms approved under UK GDPR.

If you are an Australian user, please be aware that some of your metadata (email, support correspondence, payment metadata) may be processed in the United States by the subprocessors listed above.

7. AI Chat

The AI Chat feature is opt-in and uses your own API key.

When enabled:

  • Your prompts and any financial context you choose to share are sent directly from your browser to the AI provider you select (Anthropic, OpenAI, or Google)
  • This data does not pass through Comma’s servers
  • The relevant AI provider’s privacy policy governs that interaction
  • An “Anonymise data sent to AI” toggle is available, replacing your name, account nicknames, goal names, and health labels with generic placeholders before sending
  • Your API key stays in your browser’s local storage and is never sent to our servers

You can disable the AI Chat feature at any time from Settings.

8. Cookies and Local Storage

Comma does not use third-party cookies for advertising or cross-site tracking.

We do use the following items in your browser’s local storage:

  • Authentication session (managed by Supabase) — to keep you signed in
  • Encrypted financial data (cached locally for offline access and performance)
  • comma_beacon_consent_v1 — your consent decision for the Help Scout live chat widget
  • Help Scout device ID (hs-beacon-*) — only if you opt in to live chat; remembers your support conversations on return visits

You can clear local storage at any time using your browser’s settings. The “Manage cookie preferences” button below resets the Help Scout consent decision and removes any data Help Scout has placed in your browser.

9. Data Retention

Data type | Retention period
Encrypted financial data | While your account is active. Removed within 30 days of account closure.
Account record (email, hashed password) | While your account is active. Removed within 30 days of account closure.
Email correspondence | Up to 3 years after your last interaction
Payment metadata (Stripe) | Retained as required by Australian tax law (typically 7 years)
Server logs (IP at login) | 30 days
Vercel Analytics aggregates | Approximately 30 days at the individual session level, then aggregated indefinitely without individual identifiers

If you delete your account, your encrypted data is permanently removed within 30 days. Your Stripe customer record (if you ever paid) is preserved for billing-history reasons; contact Stripe to remove that record.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal information
  • Rectify inaccurate information
  • Erase your account and personal data (subject to legal retention obligations)
  • Restrict processing
  • Object to processing
  • Port your data in a machine-readable format
  • Withdraw consent for any processing based on consent
  • Lodge a complaint with a privacy regulator (OAIC in Australia, ICO in the UK, your local Data Protection Authority in the EU, the California Attorney General in California)

To exercise any of these rights, email hello@comma.finance with the subject line “Privacy request”. We will acknowledge your request within 7 days and provide a substantive response within 30 days.

You can also delete your account directly via Settings → Account → Delete Account.

11. California Residents (CCPA / CPRA)

If you are a California resident, you have the additional rights described in the California Consumer Privacy Act (as amended by the CPRA).

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not engage in cross-context behavioural advertising.

You can exercise your CCPA rights using the contact channel above.

12. Security Architecture

We protect your data through:

  • Client-side key derivation. Argon2id (memory-hard, expensive to brute-force) derives an authentication token and a wrapping key from your password, entirely in your browser. Only the auth token reaches our servers, and we then bcrypt-hash it again (cost-12) before storage. The wrapping key never leaves your browser.
  • AES-KW-wrapped data encryption key. Your data encryption key (DEK) is generated once on your device and wrapped with the wrapping key. The server stores the wrapped DEK; the unwrapped DEK never reaches us.
  • AES-256-GCM data encryption. Transactions, categories, goals, and other financial information are encrypted in your browser using the DEK before being uploaded.
  • TLS encryption for all data in transit
  • Encrypted local storage for sensitive browser-side data
  • Industry-standard security practices on our infrastructure

Honest caveat: forgotten passwords. Because the wrapping key is derived from your password and we never see either, we cannot recover an account when the user forgets the password. If you forget your password, your encrypted cloud data is mathematically inaccessible — to you and to us. Existing devices may still hold readable local copies if you act quickly; we recommend exporting to CSV from a still-signed-in device. A printable recovery phrase is on our roadmap but not currently shipped.
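
The key hierarchy listed above and the forgotten-password caveat, as an added Node.js example that is not Comma's code. scrypt stands in for Argon2id so the block runs on Node's built-in crypto alone; the HKDF split into auth token and wrapping key, the salt handling, the blob layout and every name are assumptions, and the server-side bcrypt step is omitted.

```javascript
// Added example, not Comma's code. scrypt is a stand-in for Argon2id.
const nodeCrypto = require("node:crypto");
const KW_IV = Buffer.from("A6A6A6A6A6A6A6A6", "hex"); // RFC 3394 default IV

// Password -> memory-hard master secret -> two independent keys.
// Assumption: the split uses HKDF with distinct info labels.
function deriveKeys(password, salt) {
  const master = nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
  const expand = (info) => Buffer.from(nodeCrypto.hkdfSync("sha256", master, salt, info, 32));
  return { authToken: expand("auth"), wrappingKey: expand("wrap") };
}

function wrapDek(wrappingKey, dek) {
  const c = nodeCrypto.createCipheriv("id-aes256-wrap", wrappingKey, KW_IV);
  return Buffer.concat([c.update(dek), c.final()]);
}

// Returns null when the AES-KW integrity check fails (wrong wrapping key).
function unwrapDek(wrappingKey, wrapped) {
  try {
    const d = nodeCrypto.createDecipheriv("id-aes256-wrap", wrappingKey, KW_IV);
    return Buffer.concat([d.update(wrapped), d.final()]);
  } catch { return null; }
}

// Blob layout (assumed): 12-byte nonce | 16-byte GCM tag | ciphertext.
function encryptRecord(dek, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", dek, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function decryptRecord(dek, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", dek, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString("utf8");
}

// Constructed scenario: sign-up on one device, then two sign-in attempts.
function demo(record = '{"payee":"Grocer","amount":-42.5}') {
  const salt = nodeCrypto.randomBytes(16), dek = nodeCrypto.randomBytes(32);
  // What the server would hold (besides the hashed auth token): no key, no plaintext.
  const server = { salt, blob: encryptRecord(dek, record),
    wrappedDek: wrapDek(deriveKeys("correct horse", salt).wrappingKey, dek) };
  const good = unwrapDek(deriveKeys("correct horse", salt).wrappingKey, server.wrappedDek);
  const bad = unwrapDek(deriveKeys("wrong guess", salt).wrappingKey, server.wrappedDek);
  return { recovered: decryptRecord(good, server.blob), wrongPasswordDek: bad,
           wrappedLength: server.wrappedDek.length };
}
```

With the wrong password the unwrap fails outright, so neither the DEK nor any record can be recovered from what the server stores.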

13. Data Breach Notification

We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach likely to result in serious harm:

  • We will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • We will notify affected individuals directly (or by published statement where direct notification is impracticable)
  • We will provide details of the breach, the kinds of information affected, and recommended steps you can take to protect yourself

If you suspect a data breach involving your information, contact hello@comma.finance immediately.

14. Children’s Privacy

Comma is not intended for users under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a person under 18, contact hello@comma.finance and we will delete it.

15. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies before providing any personal information.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. Non-material changes (clarifications, formatting, contact updates) will be posted to this page with an updated Effective Date.

17. Contact

For privacy questions, requests, or complaints:

Email: hello@comma.finance (subject line: “Privacy request”)
Postal: Comma App Pty Ltd, Melbourne, Victoria, Australia

If you are not satisfied with our response, you may lodge a complaint with:

  • Australia: Office of the Australian Information Commissioner — oaic.gov.au
  • UK: Information Commissioner’s Office — ico.org.uk
  • EU: Your country’s Data Protection Authority
  • California: California Attorney General — oag.ca.gov/privacy

Comma App Pty Ltd ABN 21 696 227 746 ACN 696 227 746 Melbourne, Australia
