Privacy Policy

Jarrah ("we", "us", or "our") operates the personal finance application available at jarrah.money. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

By using Jarrah, you consent to the practices described in this policy.

We collect the following types of information:

Account information

• Email address
• Name (when provided via Google or Apple sign-in)
• Authentication credentials (managed securely by our auth provider)

Financial data

• Bank accounts, balances, and institution names
• Transactions (dates, descriptions, amounts, merchants)
• Budgets and category allocations
• Investment portfolios and contributions
• Recurring commitments and bills
• Reminders and IOUs
• Vendor names and categorisation rules

Preferences

• Display settings (start page, period type, country)
• CSV import templates

• Directly from you — when you create an account, add transactions, set budgets, or configure your preferences.
• Via Google or Apple sign-in — we receive your name and email address from the identity provider you choose.
• Via bank sync — when you connect a bank account through our Open Banking integration, transaction and balance data is imported with your explicit consent.

We use your information to:

• Provide and maintain the Jarrah service
• Synchronise your bank transactions and balances
• Generate budgets, reports, and financial insights
• Power the AI budget assistant — anonymised and aggregated financial context (such as category totals and income figures) is sent to our AI provider. No personally identifiable information (name, email, account numbers) is included in these requests.
• Improve the service and fix issues

We do not sell your personal information. We do not use your data for advertising.

We rely on the following third-party services to operate Jarrah:

• Supabase — provides authentication and database hosting. Your data is stored in Supabase-managed infrastructure with row-level security policies ensuring you can only access your own data.
• Basiq — provides Open Banking connectivity for Australian bank accounts. When you connect a bank, you authenticate directly with your institution through Basiq's consent flow. Basiq operates under the Consumer Data Right (CDR) framework. You can revoke bank access at any time.
• Anthropic — provides the AI model powering the budget assistant. Only anonymised financial context is shared; no personal identifiers are sent.
• Vercel — hosts the Jarrah web application.

Each third-party service is governed by its own privacy policy. We encourage you to review them.

Jarrah uses a minimal number of cookies:

• Session cookies (essential) — managed by our authentication provider to keep you signed in.
• Preference cookie (functional) — stores your preferred start page (dashboard or transactions).

We do not use analytics, advertising, or tracking cookies of any kind.

We take reasonable steps to protect your information from unauthorised access, modification, or disclosure:

• All connections are encrypted via HTTPS/TLS
• Row-level security policies ensure each user can only access their own data
• Authentication tokens are managed by Supabase and are not accessible to client-side code
• Bank credentials are never stored by Jarrah — authentication happens directly with your bank through Basiq's secure consent flow

Your data is retained for as long as your account is active. When you delete your account, all associated data — including transactions, budgets, accounts, and preferences — is permanently and immediately deleted from our systems.

You can delete your account at any time from the Settings page within the app.

Under the Australian Privacy Principles, you have the right to:

• Access your personal information that we hold
• Correct any inaccurate or out-of-date information
• Request deletion of your data by deleting your account
• Complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

To exercise any of these rights, contact us using the details below.

Jarrah is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

privacy@jarrah.money