Privacy Policy

1. Information We Collect

• · Account information — email address, password (stored hashed), and optional two-factor (TOTP) settings.
• · Decision content — the scenarios you submit, resumes, Vent transcripts, voice recordings, and any uploads used to run the council.
• · Usage & analytics — product usage events, device/browser metadata, and error diagnostics needed to operate and improve the service.
• · Billing metadata — subscription tier and status. Card numbers are handled by Stripe, not stored by Clarity.

2. How We Use It

• · To run the AI council and return your synthesis, risk register, action plan, and conviction score.
• · To authenticate you, manage subscriptions, and process payments.
• · To maintain security, prevent abuse, and debug errors.
• · To improve the service. Your sensitive content is excluded from model training unless you explicitly opt in, and you may opt out at any time.

3. Encryption & Security

Sensitive inputs — decision scenarios, resumes, Vent transcripts, and voice — are encrypted at rest with a per-user key, isolated per user, and never written to logs. Full architecture and compliance commitments are published in our Trust Center.

4. Third Parties / Subprocessors

We share data with the vetted subprocessors below only as needed to operate the service. The Trust Center holds the canonical, versioned list.

• · Anthropic (Claude API) — decision content for inference, not retained
• · Vercel — hosting + edge firewall, encrypted at rest
• · Supabase — database, RLS-enforced, encrypted at rest
• · Stripe — payment processing, no decision content
• · Upstash — Redis for app-layer rate limiting, no user content
• · Cloudflare — Turnstile widget + CDN, no Clarity user content
• · Doppler — secrets management, no user data
• · Sentry — error tracking, PII scrubbed before ingestion
• · PostHog — product analytics, privacy-mode default

5. Cookies & Analytics

We use essential cookies for authentication and session management. Product analytics run through PostHog in privacy mode, and error tracking through Sentry with PII scrubbed before ingestion. We do not sell your personal information.

6. Your Rights

Subject to GDPR and CCPA, you have the right to:

• · Access the personal data we hold about you.
• · Request correction or deletion of your data.
• · Opt out of inclusion of your content in training data.
• · Opt out of the “sale” or “sharing” of personal information (CCPA). We do not sell personal data.

Exercise these rights from your account settings or by contacting support.

7. Data Retention & Cryptographic Erasure

We retain your content for as long as your account is active or as needed to provide the service. When you delete your account, Clarity performs cryptographic erasure — destroying your per-user encryption key so the associated encrypted content becomes permanently unrecoverable, satisfying GDPR Article 17 (right to erasure). Some non-content records (e.g. billing history) may be retained where required by law.

8. Children’s Privacy

Clarity is not directed to anyone under 18 (or under 16 in the EEA) and we do not knowingly collect their personal data. If you believe a minor has provided us data, contact support and we will delete it.

9. Changes

We may update this policy from time to time. Material changes will be communicated with reasonable notice. Continued use after changes take effect constitutes acceptance of the revised policy.

10. Contact

Questions about your privacy? Contact support through your account or via the channels listed in our Trust Center.