Data Handling
Last updated: 13 April 2026
Why this page exists
When you engage RecurSave for a Financial Leakage Review, you are asked to share sensitive financial information from your business. This page explains, in plain English, exactly what happens to that information between the moment you send it and the moment the engagement ends.
This page is not a legal document. Our Privacy Policy and Terms of Use are our legal documents. This page exists because we believe you deserve to know how your financial data is handled before you decide to share it, and because the security of your information is not something we treat as boilerplate.
Before any data is shared
Confidentiality first. Before any financial data is discussed, reviewed, or transferred, you will be asked to sign a mutual Non-Disclosure Agreement (NDA). The NDA binds both parties: RecurSave will not disclose your information to any third party, and you will not disclose proprietary aspects of our review methodology. The NDA is signed before any financial information changes hands.
Scope is agreed in writing. Before data is requested, the scope of the review is agreed in writing as part of the engagement agreement. The engagement agreement specifies exactly which categories of financial leakage will be reviewed and what data is needed to perform that review. We do not request data that is outside the agreed scope.
What data is requested
For a standard Financial Leakage Review covering the Band A categories (duplicate payments, clean receivables recovery, and directly provable missed billing), the following data is typically requested:
- Profit and loss statement, 12 months
- Aged receivables report, current
- Invoice listing or export, 12 months
- Vendor payment listing or export, 12 months
- Bank statements for the primary operating account, 12 months
These files are standard exports from Xero, QuickBooks, MYOB, or any comparable accounting system. We request exports as static files, not live system access.
What we do not request. We do not ask for:
- Login credentials to your accounting system, bank, or any other service
- Direct connection or integration with your accounting software
- Personal information about your staff, clients, or vendors beyond what naturally appears in the financial exports
- Any information not required for the agreed review scope
How data is transferred
Financial data is transferred through a secure access-restricted folder in Google Drive, provided by RecurSave from our Google Workspace account. Specifically:
- A dedicated folder is created for each engagement, named after the client
- Access to the folder is restricted to named email addresses only (yours and ours), and the folder cannot be accessed by anyone else, including via public link
- Two-factor authentication is enabled on the RecurSave Google Workspace account that owns the folder
- You upload files to the folder directly from your browser
- We do not accept financial data via standard email attachments, because email is not encrypted end-to-end and is unsuitable for sensitive financial information
- We do not use third-party file-transfer services that do not offer access controls
About Google Drive specifically. Google Drive provides enterprise-grade encryption of files in transit (via HTTPS) and at rest (via AES-256 encryption). Access is controlled by Google account permissions and enforced at Google's infrastructure level. Google Workspace is used by millions of businesses worldwide, including healthcare, legal, and financial services organisations handling sensitive data. For the level of information you will share, Google Drive with access controls is an appropriate and industry-standard choice.
If you prefer an alternative secure file transfer method (such as Dropbox with password-protected access, or a one-time secure transfer service), let us know during qualification and we will accommodate reasonable requests.
How data is stored during the engagement
While your financial data is in our possession:
- It is stored only in the dedicated Google Drive folder for your engagement
- It is not copied to any other location, device, or service
- It is not printed or downloaded to personal devices
- It is accessed only by Scott (the RecurSave operator), using a work device with full disk encryption, two-factor authentication, and screen lock enabled
- It is not shared with any third party, subcontractor, or service provider
- It is not used to train any AI model, and no part of it is submitted to public-facing AI tools
About AI tools specifically. Our review process may use AI-assisted analysis tools in controlled workflows to help identify patterns and potential issues. Where AI-assisted tools are used, we take reasonable steps to use configurations and services designed to limit retention and training on submitted content. We do not submit client financial data to public consumer AI tools for general-purpose use.
How data is deleted after the engagement
Client-shared source files are deleted within 30 days of the end of the measurement window unless a longer retention period is agreed in writing or required by law. If you want deletion earlier, you may request it in writing at any time after the findings report is delivered.
Deletion is confirmed to you in writing. Any copies held in backups are deleted according to Google Workspace's standard retention schedule (maximum 30 days).
The only records retained after deletion are the engagement agreement itself, the findings report we produced, and the commercial records of the engagement (invoices, payments, correspondence), which we retain for legal and tax compliance for seven years.
Your responsibilities
The security of your financial data depends partly on your own practices during the engagement. We ask that you:
- Use a strong password and two-factor authentication on the Google account you use to upload files
- Verify the email address the folder was shared from before uploading files: the dedicated folder will always be shared from an @recursave.com email, and any other address should be treated as suspicious
- Do not share the folder link with anyone else, including members of your own team, unless that person is authorised to access the data
- Notify us immediately if you believe your Google account has been compromised or if you suspect unauthorised access to the shared folder
Security incident response
If we become aware of any security incident affecting your data, we will notify you within 72 hours with full details of what happened, what data was affected, and what actions we are taking. We will cooperate fully with any investigation you undertake and will comply with breach notification requirements under applicable privacy law.
Questions
If you have any questions about how your data is handled, or if you would like to see the technical details of any of the above, contact hello@recursave.com. We will answer any question a prospective client reasonably asks about data security before you sign an engagement agreement.