Legal · GDPR

Privacy Policy

How Catcher collects, uses, shares and protects your personal data. Written for clarity, built for the GDPR.

Effective: [INSERT DATE]

Last updated: [INSERT DATE]

Version: 1.0

At a glance

Who we are. Catcher is an Irish AI financial advocacy app that helps you find and recover overcharges from banks, insurers, telecoms and subscription providers.
What we connect to. Your bank accounts, via a regulated Open Banking provider (TrueLayer). You authorise access yourself, you can revoke it any time, and we never see your banking password or PIN.
What we do with it. We scan your transactions to find overcharges, then generate complaint and negotiation letters citing Irish consumer law. You review and approve every letter before it is sent.
What we don't do. We do not sell your data. We do not share it with advertisers. We do not use your data to train AI models.
Your rights. You can access, correct, export or delete your data at any time, and complain to the Irish Data Protection Commission if we get it wrong.
Contact. privacy@catcher.ie

Section 01Who we are

This privacy policy is issued by [CATCHER LEGAL ENTITY NAME] ("Catcher", "we", "us", "our"), a company registered in Ireland under company number [CRO NUMBER], with its registered office at [REGISTERED ADDRESS].

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Irish Data Protection Act 2018, Catcher is the Data Controller of the personal data described in this policy.

You can reach our privacy team at privacy@catcher.ie. We have not appointed a statutory Data Protection Officer because our processing activities do not currently meet the threshold under Article 37 GDPR; however, our privacy contact handles all data protection queries and you can address rights requests directly to that address.

Section 02Scope of this policy

This policy applies to your use of:

The Catcher mobile application for iOS and Android (the "App");
The website at catcher.ie and any sub-domains (the "Site"); and
Any related services we provide, including our overcharge detection engine, letter generation tools and claim tracking features (together with the App and Site, the "Service").

It does not apply to third-party services we link to or integrate with (such as your bank, TrueLayer, or any merchant you contact through Catcher). Those services have their own privacy policies, and you should read them.

Section 03What personal data we collect

We have grouped the categories of personal data we collect into the table below.

Category	What it includes
Account & identity data	Your name, email address, phone number (if you provide it), password (stored as a salted hash, never in plain text), date of birth (for age verification), and country of residence.
Open Banking data	Once you authorise it through TrueLayer: the institutions you bank with, your account names and types, account numbers and sort codes (stored in masked form), current balances, and the full history of transactions on connected accounts, including merchant names, amounts, dates, transaction references and categorisations.
Derived & analytical data	Information we infer from your transactions — for example: detected subscriptions, recurring bills, suspected loyalty penalties, price increases, duplicate charges, and the merchant categories we have assigned to your spending.
Claim & correspondence data	The complaint and negotiation letters generated for you, the status of each claim, your notes, the responses you receive from merchants, and any refund amounts that are verified through your bank account.
Payment data	If you upgrade to Catcher Pro or pay a success fee, our payment processor Stripe will collect your payment card details. Catcher itself does not store your full card number, CVV or expiry date — we only retain a token, the last four digits, the card brand and the billing country.
Device & usage data	Device model, operating system version, app version, language, time zone, anonymised crash reports, and aggregated information about which screens you visit and which features you use.
Communications	Any messages you send us (support requests, feedback, replies to our emails) and our responses.
Marketing preferences	Whether you have opted in or out of marketing emails, in-app notifications and push notifications.

We do not knowingly collect any data we have not described above. We do not collect biometric data, precise GPS location, contacts, photos or any data from other apps on your device.

Section 04Where we get your data from

We collect personal data from three sources:

Directly from you — when you create an account, complete onboarding, contact support, or use the App;
From your bank, through TrueLayer — once you have given your explicit consent, TrueLayer Ireland Limited (a regulated Account Information Service Provider authorised by the Financial Conduct Authority and passported into Ireland) retrieves your account and transaction data from your bank and passes it to us. This is the only way we obtain your banking data; and
Automatically — when you use the App, we and our analytics provider record device and usage information as described above.

This disclosure is provided to satisfy Article 14 GDPR for any data we do not collect directly from you.

Section 05Why we process your data and the legal basis

Under Article 6 GDPR, every act of processing must have a lawful basis. The table below sets out, for each purpose, which lawful basis we rely on.

Purpose	Lawful basis (Art. 6 GDPR)
Creating and maintaining your account	Performance of a contract (Art. 6(1)(b)) — our terms of service.
Connecting to your bank and retrieving transaction data via TrueLayer	Your explicit consent (Art. 6(1)(a)), as required by Article 94(2) of PSD2. You give this consent inside the TrueLayer authorisation flow and you can revoke it at any time.
Analysing your transactions to detect overcharges, subscriptions and other findings	Performance of a contract (Art. 6(1)(b)) — this is the core service you signed up for.
Generating complaint and negotiation letters using AI	Performance of a contract (Art. 6(1)(b)).
Processing payments and success fees	Performance of a contract (Art. 6(1)(b)).
Preventing fraud, abuse, and securing the Service	Our legitimate interests (Art. 6(1)(f)) in keeping the Service safe — and our legal obligation to do so.
Complying with legal, regulatory and tax obligations	Compliance with a legal obligation (Art. 6(1)(c)).
Sending you transactional emails (e.g. confirmation, security, claim updates)	Performance of a contract (Art. 6(1)(b)).
Sending you marketing emails about new Catcher features	Your consent (Art. 6(1)(a)), which you can withdraw at any time.
Product analytics and improving the Service	Our legitimate interests (Art. 6(1)(f)) in understanding how Catcher is used, using pseudonymised data where possible.

Where we rely on legitimate interests, we have completed a balancing test and concluded that our interests do not override your rights and freedoms. You can ask us for a summary of that balancing test at any time.

Section 06Open Banking and PSD2

Catcher uses Open Banking to read your account and transaction data. This is a regulated activity under the EU's revised Payment Services Directive (PSD2), implemented in Ireland by the European Union (Payment Services) Regulations 2018.

To do this, we partner with TrueLayer Ireland Limited, a regulated Account Information Service Provider (AISP). When you choose to connect a bank account:

You are redirected to TrueLayer's secure consent screen, where you select your bank and review what data will be shared;
You authenticate directly with your bank using its own login. Catcher and TrueLayer never see your online banking password, PIN, or any other security credential;
Your bank issues an access token that allows read-only access to the accounts you authorised. We cannot move money, initiate payments, change your bank details, or take any other action on your account;
Under PSD2, your initial consent lasts for 180 days, after which you must reconfirm it for us to continue accessing your data. You will be prompted to reconfirm before the access expires; and
You can revoke this access at any time — from inside the Catcher app, from inside TrueLayer's consent dashboard, or directly with your bank.

TrueLayer acts as a separate Data Controller for the data it collects from your bank, and as our processor in passing that data to us. TrueLayer's own privacy policy is available at truelayer.com/legal/privacy and we recommend you read it.

Section 07How we use AI (and what it sees)

Catcher uses artificial intelligence to do two things: (1) classify and group your transactions in order to detect overcharges, and (2) draft the complaint and negotiation letters you send to merchants.

For both of these we use models provided by Anthropic, PBC (the makers of Claude), accessed through Anthropic's commercial API. Specifically:

Transaction classification uses Claude Haiku. The data sent to Anthropic is limited to merchant name, amount, date, currency and a transaction reference — never your name, your account number, or any other directly identifying field.
Letter generation uses Claude Sonnet. To draft a letter, we send the relevant claim details (merchant, amounts, dates, the nature of the overcharge), the legal grounds being cited, and the information needed to personalise the letter (such as your first name and the customer reference for the account in dispute).

Anthropic acts as our data processor and is bound by Anthropic's Commercial Terms and Data Processing Addendum. Under those terms:

Anthropic does not use your data to train its models;
API inputs and outputs are retained by Anthropic only for the limited periods specified in its terms (typically 30 days for abuse-monitoring, and longer only if there is a safety reason); and
Anthropic processes data in the United States. We address the safeguards for that transfer in Section 11.

You can read Anthropic's privacy policy at anthropic.com/legal/privacy.

Important. The letters generated by AI are drafts. You review every letter before it is sent, and you decide whether to send it. Catcher does not send letters to merchants on your behalf without your explicit, per-letter authorisation.

Section 08Automated decision-making and profiling

Catcher's overcharge detection engine performs automated profiling within the meaning of Article 4(4) GDPR: we analyse patterns in your spending in order to flag possible overcharges, subscriptions and price increases.

This profiling does not produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22(1) GDPR, because:

Catcher does not make any decision about you on the basis of this profiling — we make recommendations to you, not about you;
No findings are acted on without your review and explicit approval; and
You retain full control over whether, when and how to act on any finding.

That said, our findings are not infallible. AI models can make mistakes. You have the right to:

Request a human review of any finding that you believe is incorrect (write to privacy@catcher.ie);
Contest a finding and have it removed; and
Add your own explanation to any finding so that future processing takes it into account.

Section 09Special category data

Bank transactions can sometimes reveal information that falls within the "special categories" of personal data under Article 9 GDPR — for example, payments to a pharmacy or hospital may reveal information about your health, donations may reveal religious or political affiliations, and certain subscriptions may reveal information about your sex life or sexual orientation.

Catcher does not seek out, ask for, or knowingly use this kind of information. However, because we read your full transaction history, such data may be present in what we process. Our position is as follows:

We do not categorise, profile or make decisions about you on the basis of any special category data;
Where it is technically possible to identify a transaction as falling into a sensitive category (for example, a pharmacy purchase), our detection engine is designed to exclude such transactions from analysis or to treat them as generic "spending" without further inference;
To the extent that Article 9 GDPR applies to any incidental special category data, we rely on Article 9(2)(a) — your explicit consent — which you give as part of connecting your bank account. You may withdraw that consent at any time, in which case we will stop processing the data, although this will also end our ability to provide the Service; and
We will never share any data that could reveal special category information with third parties, except where strictly necessary to deliver the Service (for example, an AI classification call) and under contractual safeguards.

Section 10Who we share your data with

We do not sell your personal data. We do not share it with advertisers or data brokers. We share it only with the parties listed below, and only to the extent necessary for the purposes set out in this policy.

Service providers (data processors)

Provider	Purpose	Location
TrueLayer Ireland Limited	Open Banking connectivity (AISP)	Ireland / UK / EU
Supabase Inc.	Application database, authentication and serverless functions	EU region (Frankfurt)
Anthropic, PBC	AI classification and letter generation (Claude)	United States
Stripe Payments Europe Ltd	Payment processing for subscriptions and success fees	Ireland
Cloudflare, Inc.	Website hosting, content delivery, DDoS protection	Global edge network
Sentry (Functional Software, Inc.)	Error and crash monitoring (with PII scrubbing enabled)	United States
PostHog Inc.	Product analytics	EU region (Frankfurt)
Apple Inc. / Google LLC	App distribution, push notifications, in-app purchases	Ireland / US

Each of these providers acts as our processor under a written agreement that meets the requirements of Article 28 GDPR.

Third parties you instruct us to contact

When you approve a complaint or negotiation letter, that letter — which contains your name, contact details and the details of the dispute — is sent to the merchant, bank, insurer or other organisation you are complaining about. We act on your instruction; from that point onwards, the recipient becomes a separate controller of the information you have shared with them.

Regulators and authorities

We may share data with regulators (such as the Irish Data Protection Commission, the Central Bank of Ireland, the Financial Services and Pensions Ombudsman, the Competition and Consumer Protection Commission, ComReg or the CRU), law enforcement, or courts, where we are required to do so by law or where doing so is necessary to protect our rights or the rights of others.

Corporate transactions

If Catcher is involved in a merger, acquisition, financing or sale of assets, your data may be transferred as part of that transaction. We will notify you in advance and any acquirer will be bound by this policy or a successor that offers equivalent protections.

Section 11International data transfers

We keep your data inside the European Economic Area ("EEA") wherever possible. Our primary database (Supabase) and our product analytics (PostHog) are hosted in the EU.

However, some of our providers are based in the United States. In particular:

Anthropic processes AI requests in the United States;
Sentry processes error reports in the United States; and
Cloudflare may serve our website and route traffic through US-based edge nodes.

For each transfer outside the EEA, we rely on one or more of the following safeguards:

The EU–US Data Privacy Framework, where the recipient is certified under it;
The European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by additional technical and organisational measures where appropriate; and
A transfer impact assessment for each provider, where the volume or sensitivity of the data warrants it.

You can ask us for a copy of the safeguards in place for any specific transfer by contacting privacy@catcher.ie.

Section 12How long we keep your data

Data category	Retention period
Account & identity data	For as long as your account is open, then deleted within 30 days of account closure (unless we are required to retain it for a specific legal reason).
Open Banking transaction data	For as long as you maintain an active bank connection in Catcher, and for up to 12 months after the connection is removed so we can show you historical findings. You can request earlier deletion at any time.
Derived findings and claim history	For as long as your account is open. After account closure, we retain anonymised, aggregated statistics only.
Letters and correspondence	For 6 years after a claim is resolved, in line with the Statute of Limitations and to defend any legal claims that may arise.
Payment records and invoices	6 years, as required by the Irish Revenue Commissioners under section 886 of the Taxes Consolidation Act 1997.
Support tickets and communications	3 years from last contact.
Marketing preferences and consent records	For as long as required to demonstrate compliance with the law, typically 6 years.
Error logs and analytics	90 days, then aggregated or deleted.

Where we anonymise data, the resulting information is no longer personal data and may be retained indefinitely for analytical and product purposes.

Section 13How we protect your data

We have put in place technical and organisational measures appropriate to the sensitivity of the data we handle, including:

Encryption in transit — all traffic between you, our servers and our providers is encrypted using TLS 1.2 or higher;
Encryption at rest — your data is encrypted on disk in our database (Supabase / PostgreSQL with AES-256);
Row-level security — our database enforces, at the database level, that you can only ever access your own data;
Authentication tokens — bank access tokens supplied by TrueLayer are stored encrypted using the operating system's secure enclave (iOS Keychain / Android Keystore) when held on your device, and encrypted at rest server-side;
PII scrubbing — automated removal of personal identifiers from error reports before they leave our servers;
Access controls — strict access controls on our infrastructure, with multi-factor authentication and the principle of least privilege;
Vendor diligence — every processor we use has been reviewed against GDPR requirements and signed a written Data Processing Agreement; and
Incident response — a written process for detecting, investigating and notifying personal data breaches.

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours of becoming aware of it, as required by Article 33 GDPR. If the risk is high, we will also notify you directly without undue delay.

No system is perfectly secure. While we take every reasonable step to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at security@catcher.ie.

Section 14Your rights under GDPR

You have the following rights in relation to your personal data. To exercise any of them, email privacy@catcher.ie. We will respond within one month of receiving your request (extendable by two further months for complex requests, with notice to you).

Right of access (Art. 15) — to be told what data we hold about you and to receive a copy of it.
Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
Right to erasure (Art. 17) — to have your data deleted, where one of the legal grounds applies. Most of the time, closing your account is the simplest way to exercise this right; the App contains a self-service delete-account function.
Right to restriction (Art. 18) — to ask us to stop using your data while a question (about its accuracy, for example) is being resolved.
Right to data portability (Art. 20) — to receive the data you have given us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
Right to object (Art. 21) — to object to processing based on our legitimate interests, including for direct marketing (which we will always honour without question).
Right to withdraw consent (Art. 7(3)) — where we rely on your consent, to withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Right not to be subject to automated decisions (Art. 22) — as set out in Section 08.
Right to lodge a complaint with a supervisory authority — see Section 19.

We will not charge a fee for handling a request unless it is manifestly unfounded or excessive. We may ask you to verify your identity before we can act on a request, to make sure we do not disclose your data to somebody else.

Section 15Cookies and analytics

The Catcher website uses a small number of cookies and similar technologies. We classify them as follows:

Strictly necessary cookies — required for the site to function (for example, to remember your session). These do not require consent.
Analytics cookies — set by PostHog (hosted in the EU) to help us understand how the site is used. These are only set if you give consent through our cookie banner.

We do not use advertising cookies, social media tracking pixels, or third-party trackers for marketing purposes. You can change your cookie preferences at any time using the link in the footer of our website.

The Catcher mobile app does not use cookies, but does use the equivalent local-storage technologies provided by iOS and Android.

Section 16Marketing communications

We will only send you marketing emails about new Catcher features, money-saving tips and product updates if you have opted in. Every marketing email contains a one-click unsubscribe link. You can also update your preferences from inside the App at any time.

Transactional messages — for example, security alerts, claim status updates, and changes to this policy — are part of the Service and are not subject to marketing consent.

Section 17Children

Catcher is not intended for, and is not directed at, children. The Service is available only to individuals aged 18 or over. We do not knowingly collect personal data from anyone under that age. If you are a parent or guardian and you believe a child has provided us with personal data, please contact us at privacy@catcher.ie and we will delete it.

Section 18Changes to this policy

We will update this policy from time to time. The "Last updated" date at the top of this page tells you when the current version came into force.

If we make changes that materially affect how we process your personal data, we will notify you in the App and by email at least 30 days before the changes take effect, so that you have an opportunity to review them and, if you wish, close your account before they apply to you. We keep an archive of previous versions; ask privacy@catcher.ie if you want a copy.

Section 19Complaints and the DPC

If you are unhappy with how we have handled your personal data, please contact us first at privacy@catcher.ie — we take complaints seriously and will try to resolve them quickly.

You also have the right to complain at any time to the Irish supervisory authority:

Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Web: dataprotection.ie
Telephone: +353 (0)761 104 800

If you live in another EU or EEA country, you can complain to the supervisory authority in that country instead.

Section 20How to contact us

For any question about this policy, or to exercise any of the rights described above, please get in touch.

privacy@catcher.ie

Postal address

[CATCHER LEGAL ENTITY NAME]
[REGISTERED ADDRESS]
Ireland

Company number

[CRO NUMBER]

DPC registration

[INSERT WHEN COMPLETED]