Legal

Privacy Policy

Last updated: March 2026

This Privacy Policy applies to Claims Passport, operated by XS AU Pty Ltd (ABN 77 672 009 764) ("we", "us", "our"). We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy describes the types of personal information we may collect, how we use and protect that information, and your rights.

The information we collect

"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act 1988.

We may collect the following types of personal information:

• Preferred name (first name or display name only)
• Mobile phone number or email address
• Matter registrations, intent, and intake answers
• Eligibility screening results
• Device and browser information (IP address, browser type, operating system)
• Usage data (pages visited, timestamps, referral sources)

Sensitive information

Sensitive information is a subset of personal information that is given a higher level of protection under the APPs. We will only collect sensitive information where you consent, where collection is required or authorised by law, or where collection is otherwise permitted by the APPs.

How we collect personal information

We collect personal information through:

• Direct collection: When you register via the Claims Passport widget on a participating site
• Automated collection: Browser and device data collected when you visit our site
• Cookies and analytics: Session cookies and Google Analytics for site usage statistics
• Third parties: We may receive eligibility-related data from participating sites if you provide it through their platforms

Why we collect, hold, use and disclose personal information

We collect, hold, use, and disclose your personal information for the following purposes:

• To operate the Claims Passport platform and provide our services
• To register your interest in class action and compensation matters
• To issue and maintain your Passport ID
• To verify your contact method via magic link
• To deduplicate registrations across participating sites
• To screen eligibility using AI tools (anonymised intake answers only)
• To route registrations to the appropriate law firm partner
• To deliver matter updates and notices through your Passport Inbox
• To comply with our legal obligations

Data minimisation and contact protections

Claims Passport is built on the principle of data minimisation:

• We collect only the minimum personal information necessary for the stated purposes
• Participating sites store only your Passport ID — never your contact details
• Law firms receive your eligibility summary — never your raw contact
• Your contact details are encrypted at rest with per-record keys
• Contact details are decrypted only when the vault needs to send you a message, and the plaintext is discarded immediately after

Disclosure of personal information

We may disclose personal information to:

• Our employees and contractors who require access to provide our services
• IT service providers (hosting, security, analytics)
• Law firm partners — receiving only Passport ID, matter ID, eligibility result, and summary (never raw contact)
• Twilio — for magic link delivery (SMS and email)
• Anthropic — for AI eligibility screening (anonymised intake answers only)
• Google Cloud Platform — for infrastructure and encryption services
• Government or regulatory bodies where required by law

Overseas disclosure

Some of our service providers are based overseas, including Twilio (US) and Anthropic (US). These providers process limited data as described above. Encryption keys and contact records remain in the Sydney (ap-southeast-2) GCP region.

Your rights and controlling your personal information

Your choice

You can choose not to provide personal information to us. However, if you do not provide the information we request, we may not be able to provide our services to you — specifically, we cannot issue a Passport ID without a contact method.

Information from third parties

If we receive personal information about you from a third party, we will protect it as set out in this policy. If you are a third party providing personal information about someone else, you represent that you have their consent to do so.

Restrict and unsubscribe

You can pause all forwarded notifications from your Passport Dashboard at any time. Platform inbox messages will still accumulate, but no forwarded messages will be sent to your registered contact.

Access

You may request a copy of the personal information we hold about you by contacting us.

Correction

If you believe the information we hold about you is inaccurate, out of date, incomplete, or misleading, please contact us. We will take reasonable steps to correct any information found to be inaccurate.

Complaints

If you believe we have breached the APPs and wish to make a complaint, please contact us with details of the alleged breach. We will investigate and respond within a reasonable period. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Storage and security

We are committed to ensuring that the personal information we collect is secure. We take the following steps:

• Envelope encryption: per-record data encryption keys (AES-256-GCM) wrapped by GCP KMS
• Data residency: encryption keys and contact records in Sydney (ap-southeast-2)
• Transport security: all connections use TLS 1.2 or later
• Access control: strict role-based access — administrators cannot view raw contact details
• Magic links: single-use, short-lived tokens — no passwords to breach

User-generated content

Any information you submit through the platform (intake answers, messages, contact enquiries) may be retained as part of your Passport record. This content is protected by the same encryption and access controls as your contact details.

Cookies and analytics

We use the following technologies:

Sessions

Session tokens are issued after magic link verification and expire after 24 hours. They are stored as secure, HTTP-only cookies.

Google Analytics

We use Google Analytics 4 to understand how visitors use our site. GA4 collects anonymised usage data including pages visited, time on page, and referral source. No personal information (name, contact, Passport ID) is sent to Google Analytics.

Meta advertising tools

We may use Meta (Facebook) Pixel or Conversions API to measure the effectiveness of advertising campaigns. These tools may collect device and browser information. No personal contact information is shared with Meta.

Links to other websites

Our site may contain links to other websites. We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any linked sites you visit.

Use of Artificial Intelligence (AI)

Overview

Claims Passport uses AI tools (specifically Anthropic's Claude) to assist with eligibility screening of class action registrations.

How we may use AI tools

• To screen intake answers against per-matter eligibility criteria
• To generate a plain-English lead summary for the receiving law firm
• To assign an eligibility result (strong / possible / unlikely)

Data protection and safeguards

• AI tools receive only anonymised intake answers — never your Passport ID, name, or contact details
• AI outputs are stored on your matter link and included in the routing payload
• We review AI outputs for accuracy and bias on an ongoing basis

Your rights and our commitments

• You can request a human review of any AI-generated eligibility result
• AI screening does not replace the receiving firm's own assessment
• We are committed to transparency about how AI is used in the platform

Amendments

We may amend this Privacy Policy at any time by publishing the amended version on our website. The amended version will apply from the date of publication. We encourage you to review this page regularly.

Contact details

If you have any questions about this Privacy Policy or how we handle your personal information, please contact us:

• Via the contact page
• By email: privacy@claims.au