Privacy Policy — clarity.ai

1. Who We Are

clarity.ai ("we", "us", "our") is the data controller responsible for your personal data. We operate the clarity.ai platform, accessible at clarity-ai.work.

For all data protection enquiries, please contact us at [email protected].

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, username, and password (stored using bcrypt hashing — we never store plain-text passwords). If you register via Google OAuth, we receive your name and email address from Google.

2.2 Documents and Content You Upload

We collect and store documents you upload for analysis, along with any context or notes you provide. Your documents are stored in isolated, access-controlled storage and are never accessible to other users. We do not use your documents to train or fine-tune any AI model.

2.3 Usage Data

We automatically collect IP address, browser type and version, pages visited, features used, and timestamps of access. This data is used solely to operate, monitor, and improve the Service.

2.4 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store, transmit, or have access to your card details. We retain only a Stripe customer ID and subscription status to manage your account. Stripe's privacy policy is available at stripe.com/privacy.

3. Legal Basis for Processing (UK & EU GDPR)

We process your personal data on the following legal bases under Article 6 of the UK GDPR / EU GDPR:

Processing Activity	Legal Basis
Creating and managing your account	Performance of a contract (Art. 6(1)(b))
Processing and analysing your documents	Performance of a contract (Art. 6(1)(b))
Processing payments and managing subscriptions	Performance of a contract (Art. 6(1)(b))
Sending service-related communications	Performance of a contract (Art. 6(1)(b))
Fraud prevention and security monitoring	Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. Confidentiality of Uploaded Documents

We understand that legal professionals routinely handle privileged and confidential material. The following measures are in place:

No AI training: Your documents and queries are never used to train, fine-tune, or improve any AI model — by us or by our AI providers.
No human review: We do not review the content of your documents unless you explicitly request support and share content with us.
User isolation: Each user's documents, findings, and knowledge base are fully isolated. No other user can access your data.
AI processing: Documents are sent to AWS Bedrock solely to generate your requested analysis. AWS does not retain document content for its own purposes under our enterprise agreement.
Deletion: You may delete any document at any time from your dashboard. Deletion removes the document and all associated data from our systems within 30 days.

Important note for solicitors and barristers: You remain responsible for ensuring that uploading client documents to clarity.ai is consistent with your professional obligations, including duties of confidentiality and any client authorisation requirements. We recommend reviewing your firm's data processing policies before uploading privileged material.

5. How We Use Your Information

To provide, operate, and maintain the Service
To process and analyse your documents using AI
To manage your account and subscription
To send essential service notifications (e.g. subscription changes, security alerts)
To prevent fraud and ensure the security of the Service
To respond to support requests
To comply with applicable legal obligations

We do not use your personal data for marketing without your explicit consent, and we do not engage in profiling or automated decision-making that produces legal effects.

6. Sub-Processors and Third-Party Services

We do not sell your personal data. We engage the following sub-processors to operate the Service:

Sub-Processor	Purpose	Location
Amazon Web Services (AWS Bedrock)	AI model inference (document analysis, chat responses)	USA (us-east-1)
Amazon Web Services (AWS Textract)	OCR processing for scanned documents and images	USA (us-east-1)
Stripe, Inc.	Payment processing and subscription management	USA / EU
Google (OAuth)	Optional sign-in authentication only	USA / EU

Transfers to the USA are made under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by UK GDPR / EU GDPR Chapter V.

7. Data Security

We implement the following technical and organisational measures to protect your data:

All data transmitted over HTTPS/TLS (TLS 1.2 minimum)
Passwords hashed using bcrypt with salt
User data isolated at the database and storage layer — no cross-user access
Session tokens stored server-side with secure, HttpOnly cookies
Access to production systems restricted to authorised personnel only
Uploaded files stored in access-controlled object storage, not publicly accessible

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by UK GDPR Article 33–34.

8. Your Rights

Under UK GDPR and EU GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Correct inaccurate or incomplete data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or your local supervisory authority if you are based in the EU.

9. Data Retention

Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
Uploaded documents: Retained until you delete them or close your account. You can delete individual documents at any time from your dashboard.
Usage logs: Retained for up to 90 days for security and operational purposes.
Payment records: Retained for 7 years as required by applicable financial regulations.

10. Cookies and Tracking

We use only strictly necessary session cookies to maintain your authenticated session. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No cookie consent banner is required as we use only essential cookies.

11. Children's Privacy

The Service is intended solely for users aged 18 and over. We do not knowingly collect personal data from persons under 18. If we become aware that a minor has provided personal data, we will delete it promptly.

12. International Data Transfers

Some of our sub-processors are located outside the UK and EEA (see Section 6). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK ICO or the European Commission, as applicable.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the "Last updated" date above. Continued use of the Service after notification constitutes acceptance of the revised policy.

14. Contact Us

For any questions, requests, or complaints relating to this Privacy Policy or your personal data:

Email: [email protected]

Web: Contact Form

Supervisory Authority (UK): Information Commissioner's Office — ico.org.uk