← Klearburn

Privacy Policy

Last updated 17 July 2026.

1. Who we are and when this policy applies

HamburgerLabs Limited is a company registered in England and Wales under company number 17211878, with its registered office at 5 Temple Road, Croydon, England, CR0 1HU. HamburgerLabs Limited trades as Klearburn and operates the Klearburn service at klearburn.com. This Privacy Policy explains how HamburgerLabs Limited ("Klearburn", "we", "us") handles personal data when you visit, create an account, connect another service, or contact us. Read it alongside our Terms of Service.

HamburgerLabs Limited is the controller of account, billing, service-administration, security, and support data. When a business customer gives us records about its staff, customers, vendors, or other people, that customer decides why the records are used and Klearburn generally processes them on the customer’s instructions to provide the service. Customers are responsible for having a lawful basis and giving any notices required for personal data they place in Klearburn.

Privacy questions and rights requests can be sent to privacy@klearburn.com.

2. Information we collect

  • Account and authentication data: your name, email address, profile image, Google account identifier, login records, sessions, and OAuth grants and tokens.
  • Workspace and financial data: business names, currencies, budgets, forecasts, formulas, scenarios, vendors, invoices, contracts, bank and card transactions, balances, reconciliation decisions, hiring plans, compensation figures, tags, and files or CSVs you choose to submit.
  • Connected-service data: data obtained from Google, GoCardless Bank Account Data, connected bank APIs, Stripe, and other services you deliberately connect. This may include transaction counterparties, payment references, invoice email metadata, and contract or invoice documents.
  • AI data: the provider and model you select, your encrypted provider credentials, prompts or questions you submit, the relevant business content sent for a requested AI task, AI outputs, token counts, estimated provider cost, and billing-audit usage records.
  • Billing data: plan, trial and subscription status, metered AI-spend units, invoices, and identifiers used by Autumn and its underlying payment processor, Stripe. Autumn administers Klearburn’s subscription checkout and metering through Stripe; Klearburn does not store complete card numbers or card security codes.
  • Technical and support data: IP address, browser and device information, request times, security events, error and diagnostic logs, and anything you include in a support or privacy request.

We receive this information from you, from services you connect, and from calculations or AI operations you ask Klearburn to perform. We do not intentionally ask for special-category personal data. Because emails, financial records, and contracts can contain such information, only connect or upload what is necessary for your use of the service.

3. Google user data: what we access and why

Google permissions are requested incrementally. Signing in does not start Gmail or Drive scanning. We ask for an additional permission only when you enable the feature that needs it:

  • openid, email, profile — to authenticate you and show your name, email, and profile image.
  • gmail.readonly (https://www.googleapis.com/auth/gmail.readonly) — read-only access used to inspect new-message and attachment metadata, search mailbox history for likely vendor invoices and receipts, and download candidate PDF attachments for invoice extraction. Klearburn does not send email, alter messages, or request permission to do so.
  • drive.file (https://www.googleapis.com/auth/drive.file) — access to files Klearburn creates in your Drive and files you deliberately open or upload with Klearburn. We use it to create Klearburn folders, file invoice PDFs, and process selected contracts.

For a matching Gmail attachment, Klearburn processes the message sender, subject, date, snippet, attachment name, and PDF bytes. It stores the Gmail message and attachment identifiers, a content hash, Drive file identifiers or links, and extracted invoice fields such as vendor, dates, amount, currency, and tax. PDF bytes are sent to your chosen AI provider for the requested extraction and, when Drive is connected, saved to your own Google Drive; Klearburn does not store a separate PDF copy in its database. Klearburn does not persist message bodies or attachment bytes for non-candidates. For rejected messages or attachments, we may retain the message identifier, attachment index, filename, hash, and rejection reason so the same item is not repeatedly processed.

4. Google Limited Use and AI processing

The use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Google user data is used only to provide or improve the user-facing features described in this policy. We do not sell it, use it for advertising, use it to create credit or lending profiles, or transfer it to data brokers. We do not use Gmail or Drive content to develop, improve, or train generalized (non-personalized) AI or machine-learning models. Human access is limited to what is necessary for security, legal compliance, or support you request, with access controls appropriate to the task.

Klearburn is bring-your-own-key. You select Anthropic, OpenAI, or Google and provide the API credential, which is encrypted at rest. When you request extraction, tagging, modelling, or a question-answering feature, Klearburn sends only the content relevant to that task to your chosen AI provider, under your own API key, solely to perform that specific, user-facing feature and return the result. The provider processes it under your provider account, settings, and terms. Provider retention and training choices differ, so review and configure the provider’s data controls before connecting a key. Klearburn does not use that content to train its own generalized model.

5. Why we use personal data and our lawful bases

PurposeUK/EU GDPR lawful basis
Create and secure your account; import, organise, calculate, reconcile, forecast, export, and sync your data; provide support.Contract — to provide the service you request and take steps at your request before subscription.
Operate optional Google, banking, Stripe, Drive, and AI-provider connections.Contract, and consent where the law requires consent for a particular optional connection. You can disconnect a source at any time.
Administer trials, subscriptions, usage billing, payments, refunds, tax, and accounting records.Contract and legal obligation.
Prevent abuse and fraud, rate-limit requests, investigate faults, secure the service, and maintain business continuity.Legitimate interests in protecting users and operating a reliable service.
Comply with law, enforce our terms, respond to valid legal process, and protect legal rights.Legal obligation, or legitimate interests in establishing, exercising, or defending legal claims.

Where we rely on legitimate interests, we consider whether the processing is necessary and balance those interests against your rights. We do not currently use account data for third-party advertising or send third-party marketing through Klearburn.

6. Who we share data with

We disclose data only as needed for the purposes above, including to:

  • Infrastructure and operations providers, including Vercel for application hosting, Supabase for the PostgreSQL database, and Inngest for background jobs.
  • Services you connect, including Google, GoCardless, your selected bank or payment provider, your own optional read-only Stripe data source, and your chosen AI provider. A Stripe account you connect for financial reporting is separate from Klearburn’s subscription billing.
  • Klearburn billing providers, Autumn and its underlying payment processor Stripe, to create billing customers, administer trials and subscriptions, report metered usage, and collect payment.
  • Professional advisers and authorities where reasonably necessary for legal, tax, audit, security, or compliance purposes, or where disclosure is required by valid legal process.
  • A buyer, investor, or successor in a genuine financing, reorganisation, sale, or transfer of Klearburn, subject to confidentiality and applicable data-protection requirements.

We do not sell or rent personal data and do not share it with data brokers or advertising networks.

7. International data transfers

Klearburn’s database is hosted in the European Union, while Klearburn and some providers may process data in the United Kingdom, United States, or other countries. Your chosen AI, Google, banking, and payment providers may also process data where they operate. Where a restricted transfer is subject to UK or EU data-protection law, we use an applicable adequacy decision or contractual safeguards such as approved standard contractual clauses, the UK International Data Transfer Agreement, or the UK Addendum, together with supplementary measures where required. Contact us to ask about the safeguard relevant to a transfer.

8. How long we keep data

  • Account and workspace data is kept while your account is active and afterwards only as needed to close the account, resolve disputes, meet legal duties, or restore data from a short-lived backup cycle.
  • Google, bank, Stripe, and AI-provider credentials are kept until you disconnect the integration or delete the account, unless an earlier expiry or provider revocation makes them unusable.
  • Session, security, diagnostic, and request logs are kept for the shortest period reasonably needed for authentication, abuse prevention, fault investigation, and provider operations.
  • Klearburn’s own invoices, payment records, and related tax or accounting records may be kept for up to six years, or longer when law, an audit, or a legal claim requires it.

When data is deleted from the live service, encrypted backup copies may remain inaccessible until they are overwritten on the provider’s normal backup schedule. Files Klearburn placed in your Google Drive remain in your Drive until you delete them. Data held by a connected provider is governed by your account and relationship with that provider.

9. Your choices, exports, and deletion

  • Download available financial and accountant exports from Settings → Exports.
  • Ask for a copy of your account data or deletion of your account and associated Klearburn data by emailing privacy@klearburn.com. We may verify your identity.
  • Disconnect integrations in Settings → Connections and revoke Google access in your Google Account’s third-party connections page. Revocation stops new access but does not automatically erase data already processed; use the deletion route above for that.

We normally respond to a valid privacy request within one month, subject to extensions allowed by law. Account deletion removes Klearburn-held workspace data, extracted records, sessions, OAuth tokens, and encrypted connection credentials. It does not delete files in your own Drive or data held independently by a provider. Subscription cancellation is handled separately through Settings → Billing; cancel there before deleting an account, or ask us to coordinate both in your deletion request.

10. Your data-protection rights

Depending on your location and the lawful basis used, you may have rights to access, correct, erase, or receive your personal data; restrict or object to processing; and withdraw consent without affecting processing already carried out. The right to object applies in particular where we rely on legitimate interests. Some rights are limited by law and may not apply to data we must keep.

Contact privacy@klearburn.com to exercise a right. You may also complain to the UK Information Commissioner’s Office through its complaints service, or to the supervisory authority where you live or work in the EEA. We would appreciate the opportunity to address your concern first.

11. Cookies and similar technologies

Klearburn currently uses only cookies and equivalent storage that are necessary to authenticate users, maintain sessions, protect requests, and remember security state. We do not currently use advertising or cross-site tracking cookies. If we introduce optional analytics or marketing cookies, we will update this policy and request consent where required before setting them.

12. Security

Klearburn uses transport encryption, access controls, tenant-scoped data access, HttpOnly and SameSite session cookies, rate limiting, and encryption at rest for provider credentials and OAuth tokens using AES-256-GCM. Credentials are decrypted server-side only when needed for the requested connection. No online service can guarantee absolute security. If a personal-data breach creates a legal notification duty, we will notify affected people and regulators as required.

13. AI output and automated decisions

Klearburn uses AI to suggest extracted fields, tags, reconciliation matches, and model structures. These outputs can be wrong and are presented for your review. Klearburn does not use personal data to make solely automated decisions that produce legal or similarly significant effects on individuals.

14. Children

Klearburn is a business service for users aged 18 or over. It is not directed to children, and we do not knowingly create accounts for or collect personal data directly from children.

15. Changes and contact

We may update this policy as Klearburn or the law changes. We will update the date above and give reasonable notice by email or in the service before a material change takes effect. We will seek fresh permission before using Google user data for a materially new purpose.

Questions, complaints, and rights requests: privacy@klearburn.com.