Privacy Policy

Last updated: May 4, 2026

Claimful (“we,” “us”) helps you find money you're owed. This page explains, in plain English, what data we collect, why, how long we keep it, and the controls you have. Claimful is operated for users in the United States; if you reach us from outside the US, your data is processed in the US under our standard practices. If anything is unclear, email privacy@claimful.app.

1. What we collect

We try to collect only what's needed to surface opportunities you actually qualify for. Specifically:

  • Account data: email address (required for sign-in), optional name, and a hashed password or OAuth identifier if you sign in with Google.
  • Profile data you provide: state, ZIP code, banks, credit cards, retailers, past employers, and any notes you add. Each field is optional — more data means better matches, but you can skip anything.
  • Claim activity: which opportunities you've bookmarked, started, or marked as paid; claim status, timestamps, and the amount you report receiving.
  • Usage analytics: pages visited and aggregate funnels, collected through Cloudflare Web Analytics. No cookies, no cross-site tracking, no Google Analytics, no Meta pixel.
  • IP address (hashed): we hash your IP with a rotating salt for rate limiting and fraud detection. Raw IPs are never persisted.
  • Device info: browser user agent, screen size, and OS (for bug triage and responsive rendering). We do not fingerprint.
  • Email engagement: whether you opened or clicked emails we send, so we can stop emailing people who clearly aren't reading them.

2. How we use your data

  • Match opportunities to your profile (state-specific settlements, bank bonuses for institutions you don't already have, etc.).
  • Notify you about deadlines, new matches, and weekly digests — only the channels you've opted into.
  • Operate the service: authentication, bug fixing, fraud prevention, rate limiting.
  • Improve matching: aggregate click-through and conversion data trains the ranking model. We do not train any AI on your personal data.

We do not sell your data. We do not share your email with partners. We do not run ad retargeting.

3. Subprocessors

We use the following vendors to run the service. Each receives only the data it needs:

Vendor | Purpose | Data
Railway | App hosting + Postgres DB | All application data
Cloudflare | Domain registration, DNS, inbound email forwarding (Email Routing), and cookieless web analytics | Domain WHOIS contact, inbound mail metadata, aggregated page-view counts (no cookies, no per-user identifiers)
Resend | Transactional + marketing email | Email address, email content
Anthropic | AI extraction from public scraping sources | Public website HTML only — no user data
Railway (managed Redis) | Rate limiting, session cache | Hashed IP, session IDs
Sentry | Error monitoring (optional) | Error traces, user ID (no PII in logs)
Google | OAuth sign-in (only if you use it) | Email, Google user ID

4. Data transfers

Claimful is operated for users in the United States and all processing happens in the US. We do not target users outside the US, and we do not maintain EU or UK data-protection representatives.

5. Retention

  • Account data: kept while your account is active.
  • After deletion: profile data and claims are purged within 30 days. Audit logs (who deleted what, when) are kept for 30 additional days to support abuse investigations.
  • Notification logs: which emails we sent and whether they delivered — kept for 90 days for deliverability diagnostics.
  • Aggregate analytics: anonymized counts (e.g., “10% of users from California”) are kept indefinitely.

6. Your rights

Regardless of where you live in the US, you can:

  • Access: download a JSON copy of everything we store about you at Settings → Your data.
  • Correct: edit your profile at any time in settings.
  • Delete: permanently delete your account from the Danger Zone in settings. We email a 6-digit code to confirm.
  • Export: download your claims as CSV for tax season.
  • Opt out of marketing: every email has a one-click unsubscribe link; push and digest toggles live in settings.
  • Object / restrict: email privacy@claimful.app to object to any processing.

7. California residents (CCPA / CPRA)

If you're a California resident, you have additional rights under the CCPA and CPRA:

  • Right to know: what categories of personal information we've collected in the past 12 months (see section 1).
  • Right to delete: request deletion of your personal information.
  • Right to correct: request correction of inaccurate information.
  • Right to opt out of sale / sharing: we do not sell or share personal information for behavioral advertising. Still, you can confirm this preference below.
  • Right to limit use of sensitive information: we do not use sensitive personal information beyond what's needed to provide the service.
  • Right to non-discrimination: we will not charge you more or provide a worse service for exercising any right.

Do Not Sell or Share My Personal Information

We do not sell or share personal information. You can still record a permanent “do not sell” preference on your account:

Open privacy controls →

To submit a CCPA request, email privacy@claimful.app with “CCPA request” in the subject line. You may designate an authorized agent to submit a request on your behalf. We'll respond within 45 days.

8. Children's data

Claimful is for adults. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created an account, email privacy@claimful.app and we'll delete it. We do not target children and do not direct marketing at minors.

9. Cookies & local storage

  • Session cookie: an essential HTTP-only cookie that keeps you signed in. Set after you authenticate, cleared on logout.
  • CSRF cookie: an essential cookie protecting forms from cross-site request forgery.
  • localStorage: theme preference, onboarding progress, and last-visit timestamp for the notification bell.

We use no third-party cookies, no tracking pixels, and no advertising cookies. Cloudflare Web Analytics is cookieless by design.

10. Do-Not-Track & Global Privacy Control

We honor the Global Privacy Control (GPC) signal and legacy Do-Not-Track headers. When set, we disable all analytics collection for your browser. Essential authentication and CSRF cookies are still required for the site to work.

11. Security & breach notification

We use encryption in transit (TLS 1.2+), encryption at rest for the database, hashed passwords (bcrypt), and short-lived tokens for email sign-in. We enforce rate limits on all auth endpoints and log admin actions for audit.

If we discover a security breach that affects your personal data, we'll notify affected users and any applicable regulators within the timeframe required by US state breach-notification laws.

12. Changes to this policy

We update this page when we change how we process data. Material changes (new vendors, new purposes) are emailed to users at least 30 days before they take effect. Minor wording fixes are rolled in silently — the “Last updated” date at the top always reflects the most recent revision.

13. Contact

Questions, requests, or concerns: