Privacy Policy

Last updated: 20 February 2026

1. Who We Are

Cleo ("we", "us", "our") is an AI-powered business assistant for small and medium-sized businesses operating in Ireland and the United Kingdom. This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 to 2018.

2. Data We Collect

We collect the following categories of data:

  • Account information — your name, phone number, email address, business name, trade type, and location.
  • Financial data — bank balances, invoices, bills, and revenue figures accessed via your connected accounting tool (e.g., Xero, QuickBooks) through secure OAuth connections.
  • Email data — email subjects, senders, and snippets accessed via your connected email provider (e.g., Gmail, Outlook) through secure OAuth connections.
  • Conversation data — messages exchanged with Cleo via WhatsApp, including questions, commands, and briefing replies.
  • Usage data — engagement patterns, feature usage, and briefing interaction metrics.

3. How We Use Your Data

  • To provide AI-powered business briefings and alerts via WhatsApp.
  • To generate cash flow forecasts and financial insights.
  • To send invoice payment reminders on your behalf via your connected accounting tool.
  • To learn your business patterns and improve the relevance of information provided.
  • To personalise your briefing content and frequency.

4. AI Processing

Cleo uses artificial intelligence (Anthropic Claude) to process your business data and generate insights. Your data is sent to Anthropic's API for processing. Anthropic does not use your data to train its models. We do not sell or share your data with third parties for marketing purposes.

5. Data Storage & Security

Your data is stored in encrypted PostgreSQL databases hosted on AWS in the EU (Ireland region). OAuth tokens for connected tools are encrypted at rest using AES-256 encryption. All data transmission uses TLS 1.2 or higher. We implement multi-tenant isolation, ensuring your data is never accessible to other businesses.

6. Data Retention

We retain your data for as long as your account is active. Conversation data older than 90 days is automatically summarised and the original messages are deleted. You can request deletion of all your data at any time.

7. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate personal data.
  • Erase your personal data ("right to be forgotten").
  • Restrict processing of your personal data.
  • Receive your data in a structured format (data portability).
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.

8. Third-Party Services

We use the following third-party services:

  • Twilio — WhatsApp message delivery.
  • Anthropic — AI processing (Claude API).
  • Nango — Secure OAuth connection management for accounting and email tools.
  • AWS — Cloud infrastructure (EU Ireland region).

9. Contact Us

If you have any questions about this privacy policy or wish to exercise your rights, please contact us at privacy@runcleo.com.