Data Handling

Last updated: 17 May 2026

Why this page exists

When you engage RecurSave for a Financial Leakage Review, you are asked to share sensitive financial information from your business. This page explains, in plain English, exactly what happens to that information between the moment you send it and the moment the engagement ends.

This page is not a legal document. Our Privacy Policy and Terms of Use are our legal documents. This page exists because we believe you deserve to know how your financial data is handled before you decide to share it, and because the security of your information is not something we treat as boilerplate.

Before any data is shared

Engagement Agreement first. Before any financial records are shared, you are asked to sign RecurSave's Engagement Agreement. The Engagement Agreement sets out the review scope, the fee structure, how your data will be handled, and confidentiality obligations binding on both parties. No financial information is requested or transferred until the Engagement Agreement is signed.

Secure upload after signing. Once the Engagement Agreement is signed, RecurSave provides secure upload instructions for the agreed evidence set. Depending on the engagement workflow, this may be through RecurSave's native secure upload portal or another approved secure transfer method. We request only the exports and files needed for the agreed scope. We do not request data that falls outside that scope.

What data is requested

For a standard Financial Leakage Review covering the Band A categories (duplicate payments, clean receivables recovery, and directly provable missed billing), the following data is typically requested:

  • Profit and loss statement, 12 months
  • Aged receivables report, current
  • Invoice listing or export, 12 months
  • Vendor payment listing or export, 12 months
  • Bank statements for the primary operating account, 12 months

These files are standard exports from Xero, QuickBooks, MYOB, or any comparable accounting system. We request exports as static files, not live system access.

What we do not request. We do not ask for:

  • Login credentials to your accounting system, bank, or any other service
  • Direct connection or integration with your accounting software
  • Personal information about your staff, clients, or vendors beyond what naturally appears in the financial exports
  • Any information not required for the agreed review scope

How data is transferred

Financial data is transferred using an approved secure transfer method provided or approved by RecurSave.

Native secure upload portal. Where RecurSave's native secure upload portal is used:

  • Each engagement uses access-controlled upload access
  • Files are uploaded from your browser
  • Files are uploaded directly to private Supabase Storage using short-lived signed upload URLs
  • The storage region is West US (North California), us-west-1, United States
  • Upload access is not public

Alternative transfer methods. Where another approved method is used:

  • Google Drive from RecurSave's Google Workspace may be used where appropriate or agreed
  • Any Google Drive folder is access-restricted to named email addresses
  • Public links should not be used for sensitive engagement evidence

We do not accept financial data via standard email attachments, because email is not suitable for sensitive financial information in the ordinary course.

How data is stored during the engagement

While financial data is in RecurSave's possession, it is stored only in approved engagement storage locations.

  • For the native upload portal, files are stored in private Supabase Storage in West US (North California), us-west-1
  • If Google Drive is used for an engagement, files are stored in the dedicated access-restricted Google Drive folder for that engagement
  • Access is restricted to authorised RecurSave personnel and authorised client-side users
  • RecurSave does not publish uploaded files publicly
  • RecurSave does not request login credentials to your accounting system, bank, or other services
  • RecurSave does not submit client financial data to public consumer AI tools
  • Client data is not printed or downloaded to personal devices except as reasonably required for the review
  • Client data is accessed only by authorised RecurSave personnel, using work devices with appropriate security controls

About AI tools specifically. Our review process may use AI-assisted analysis tools in controlled workflows to help identify patterns and potential issues. Where AI-assisted tools are used, we take reasonable steps to use configurations and services designed to limit retention and training on submitted content. We do not submit client financial data to public consumer AI tools for general-purpose use.

How data is deleted after the engagement

Client-shared source files are deleted from approved engagement storage locations within 30 days of the end of the measurement window unless a longer retention period is agreed in writing or required by law. If you want deletion earlier, you may request it in writing after the findings report is delivered.

Deletion is confirmed to you in writing. Any copies held in provider backups are deleted according to the relevant provider's standard retention schedule, where applicable.

The only records retained after deletion are the engagement agreement itself, the findings report we produced, and the commercial records of the engagement (invoices, payments, correspondence), which we retain for legal and tax compliance for seven years.

Your responsibilities

The security of your financial data depends partly on your own practices during the engagement. We ask that you:

  • Use a secure email account and strong authentication where available
  • Verify the upload instructions and sender before uploading files
  • Refrain from sharing upload links, portal access, or folder links with unauthorised people
  • Notify RecurSave immediately if you suspect unauthorised access to your upload access or shared files

Security incident response

If we become aware of any security incident affecting your data, we will notify you within 72 hours with full details of what happened, what data was affected, and what actions we are taking. We will cooperate fully with any investigation you undertake and will comply with breach notification requirements under applicable privacy law.

Questions

If you have any questions about how your data is handled, or if you would like to see the technical details of any of the above, contact hello@recursave.com. We will answer any question a prospective client reasonably asks about data security before you sign the Engagement Agreement.