Privacy

Privacy Policy

Last updated: May 2026

1. Who we are

Claima.ai Ltd (“Claima”, “we”, “us”) is a UK company providing verified UK funding discovery and reusable evidence for accountants advising SMEs. Claima is the data controller for the personal data described in this policy.

  • Company name: Claima.ai Ltd
  • UK company number: 17158580
  • Registered office: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
  • Contact: hello@claima.ai

2. What data we collect

We collect and process the following personal and business data:

  • Account data: email address, name, password (hashed)
  • Company data: company name, registration number, SIC codes, registered address, director names — sourced from Companies House (public record)
  • Profile data: sector, employee count, annual revenue, company description, team members, R&D activities, track record, previous funding
  • Application data: eligibility assessments, fit signals, evidence items, and compliance reports. Drafted grant application sections are not a current processing category and would only be collected [if drafting is enabled in future].
  • Usage data: pages visited, features used, session duration (via PostHog analytics)
  • Prospective-contact outreach data: for a small number of named UK accountants and advisers we contact about Claima’s private beta, we hold the contact’s name, business email, firm name, public role, and a record of any reply or opt-out signal. The source of this data is either (a) publicly listed business contact details on the contact’s firm website, or (b) a pre-existing professional relationship. We do not buy contact lists, do not scrape websites for contacts, and do not use automated mass-email tooling for this activity. Each batch is limited to founder-approved named contacts. If you opt out by any signal — replying “no thanks”, “unsubscribe”, “remove me”, silence, or any equivalent — your email is added to a suppression list and you will not be contacted again under any banner. The presence of this clause in our Privacy Policy does not by itself authorise sending; sending only occurs under a separate, documented founder ruling.

3. How we use your data

  • Matching your company profile to relevant UK grant schemes
  • Assessing eligibility against scheme criteria
  • Generating cautious fit signals with reasoning and source context
  • Organising reusable evidence in your Evidence Vault
  • Generating compliance and expert review reports
  • Sending email notifications (grant alerts, deadline reminders, monthly digests)
  • Improving our matching algorithms and application quality

We do not sell your data. We do not use your data to train AI models. Your application drafts are yours.

4. Legal basis for processing

We process your data under the following legal bases (UK GDPR):

  • Contract: to provide the grant discovery and application services you signed up for
  • Legitimate interest: to improve our service, prevent fraud, and send relevant notifications
  • Legitimate interest (limited private-beta outreach): for the small set of named UK accountants and advisers we contact about Claima’s private beta, we rely on legitimate interest after weighing the recipient’s reasonable expectations as a B2B professional contact and our minimal-contact, opt-out-respecting approach. Each outreach activity is documented in an internal Legitimate Interests Assessment. Outreach is limited to founder-approved named contacts and never uses automated mass tooling, scraping, or bought lists. Recipients can object at any time using the suppression mechanism described in section 2 or by emailing hello@claima.ai.
  • Consent: for optional email communications (you can unsubscribe anytime)

5. Data storage and security

  • Database: Supabase (PostgreSQL), AWS eu-west-2 (London region), encrypted at rest and in transit
  • Authentication: Supabase Auth with bcrypt-hashed passwords and JWT tokens, AWS eu-west-2 (London region)
  • Hosting: Vercel (frontend, global CDN; no customer data stored on Vercel) and Railway (backend API, EU region)
  • Encryption: TLS 1.3 for all connections, AES-256 at rest

6. Third-party processors

We share data with the following processors, all under appropriate data processing agreements:

  • Anthropic (Claude API) — processes company profiles and scheme data to generate application drafts. Data is not used for model training.
  • Companies House — public company data lookup via their API
  • Supabase — database and authentication hosting
  • Vercel — frontend hosting
  • Railway — backend API hosting
  • Resend — transactional email delivery
  • PostHog — product analytics (anonymised usage data)
  • Sentry — error monitoring (no personal data)

7. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Port your data to another service
  • Object to processing based on legitimate interest
  • Withdraw consent for optional communications

To exercise any of these rights, email hello@claima.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk/concerns.

8. Data retention

We retain your data for as long as your account is active. When you delete your account, all personal data is permanently deleted within 30 days. Anonymised usage data may be retained for analytics.

For prospective contacts (private-beta outreach):

  • Outreach records (name, business email, firm name, last interaction, reply or opt-out signal) are retained for up to 12 months from the last interaction, after which they are deleted.
  • Suppression-list entries (email addresses of contacts who have opted out) are retained indefinitely. The only way “do not contact again” can be honoured permanently is for the suppression record itself to persist; the suppression list contains no data beyond the email and the opt-out marker.

9. Cookies

We use minimal cookies:

  • Authentication cookies: required for login sessions (Supabase Auth)
  • Analytics cookies: PostHog (can be opted out)

We do not use advertising cookies or tracking pixels.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email. The latest version is always available at claima.ai/privacy.

11. Contact

For any privacy-related questions or requests:

Email: hello@claima.ai
Company: Claima.ai Ltd (UK)