Trust
Privacy & Security
This page explains — in plain English — how Claims Passport protects your personal information and what law firms and partner organisations can and cannot see.
Our commitment
Your contact details — mobile number, email address — stay inside Claims Passport. They are encrypted at rest and decrypted only when the vault needs to send you a message. Law firms, participating sites, and administrators never see your raw contact details.
What we collect — and what we don't
At registration, we collect:
- Your preferred name (first name only in Stage 1)
- One contact method — mobile number or email address
- Your intent — claimant or keep me updated
- Your intake answers for eligibility screening
We do not collect: surname, date of birth, postal address, government ID, tax file number, bank details, or payment card information.
What law firms receive — and what they never see
| Data point | Firm receives | Vault holds |
|---|---|---|
| Passport ID | ✓ | ✓ |
| Matter ID | ✓ | ✓ |
| Intent | ✓ | ✓ |
| Eligibility result | ✓ | ✓ |
| Summary | ✓ | ✓ |
| Source tag | ✓ | ✓ |
| Name | — | ✓ |
| Mobile / Email | — | ✓ (encrypted) |
| Contact fingerprint | — | ✓ (one-way hash) |
Your contact details stay protected. The firm receives a Passport ID and eligibility summary — never your mobile number, email address, or name.
How we protect what we hold
🔐 Envelope encryption
Each contact record is encrypted with its own data key (AES-256-GCM). That key is then wrapped by GCP KMS. The plaintext key is zeroed out immediately after use.
#️⃣ One-way fingerprint
An HMAC-SHA256 of your contact is used only for deduplication. It cannot be reversed to your actual contact.
🌏 Sydney residency
Encryption keys and contact data reside in the ap-southeast-2 (Sydney) GCP region.
🚫 No passwords
Claims Passport uses magic links — not passwords. There is no password database to breach.
↔ Separate requests
Your name and contact method arrive in separate API requests. They are never combined in transit.
⏱ Auto-expiry
Magic links and tokens are single-use and short-lived. Expired tokens cannot be replayed.
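For technical readers: a sketch of how a keyed one-way fingerprint like the one described under "One-way fingerprint" can support deduplication without storing the contact itself. This is an added example, not Claims Passport's own code; the function names, the normalisation rules, the demo key and the sample contacts are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import unicodedata
from typing import Optional

# Constructed demo key. Assumption: a real deployment keeps this key in a KMS
# or secret manager. Mobile numbers are a small space, so it is the secrecy of
# the key (not the hash alone) that stops fingerprints being enumerated.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalise_contact(raw: str) -> str:
    """Canonicalise a contact so formatting variants hash identically."""
    value = unicodedata.normalize("NFKC", raw).strip()
    if "@" in value:
        # Assumed rule: treat email addresses as case-insensitive.
        return "email:" + value.lower()
    digits = re.sub(r"[^\d+]", "", value)
    # Assumed rule: Australian national 04xx form becomes E.164 +614xx.
    if digits.startswith("04") and len(digits) == 10:
        digits = "+61" + digits[1:]
    if not re.fullmatch(r"\+\d{8,15}", digits):
        raise ValueError("unrecognised contact format")
    return "tel:" + digits


def contact_fingerprint(raw: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way fingerprint: HMAC-SHA256 over the canonical contact."""
    msg = normalise_contact(raw).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class FingerprintIndex:
    """Duplicate detection that stores fingerprints only, never the contact."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._seen = {}  # fingerprint -> record id

    def register(self, record_id: str, raw_contact: str) -> Optional[str]:
        """Return the existing record id on a duplicate, else store and return None."""
        fp = contact_fingerprint(raw_contact, self._key)
        existing = self._seen.get(fp)
        if existing is None:
            self._seen[fp] = record_id
        return existing
```

Normalising before hashing is what makes the deduplication work: without it, the same mobile number typed with and without spaces would produce two unrelated fingerprints.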
How we verify it's you
New registration
- You enter your contact method (mobile or email) in the widget.
- The vault sends a magic link to that contact.
- Clicking the link verifies ownership and completes registration.
Returning to your Passport
- Enter your Passport ID at claims.au/passport.
- The vault sends a magic link to your registered contact.
- Clicking the link opens a secure 24-hour session.
Your controls
Update contact
Change your registered mobile or email at any time from your Passport Dashboard.
Pause notifications
Temporarily stop all forwarded messages. Inbox items still accumulate — you just won't receive forwards.
Delete Passport
Permanently delete your Passport and all linked data. This action is irreversible.
Withdraw consent
Withdraw consent for any specific matter without deleting your entire Passport.
Questions about your data?
Contact us via the contact page or email security@claims.au.