Privacy Policy
Last updated: April 7, 2026
This Privacy Policy explains how NEXTGENWEBS, S.L. ("Clarnix", "we", "our", or "us") collects, uses, shares, and protects your personal data when you use the Clarnix service available at clarnix.app. It is provided pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and applicable Spanish data protection law.
1. Data Controller
The data controller responsible for your personal data is:
NEXTGENWEBS, S.L.
CIF: B97380067
Pol. Ind. Fuente del Jarro
Plaza Gerardo Salvador, No. 1, Offices 17–19
46988 Paterna – Valencia, Spain
Email: privacy@clarnix.app
2. Personal Data We Collect
We collect the minimum data necessary to provide the Clarnix service.
2.1 Account Information
When you create an account we collect your name, email address, and (if applicable) password hash. If you sign in via OAuth (Google, Microsoft), we receive the profile data returned by that provider.
2.2 Email Metadata — Not Email Content
Clarnix is built on a privacy-by-design principle: email body content is never stored in our systems. We process email bodies transiently in-memory to classify messages and generate digest summaries, and then discard them immediately. What we do persist is limited to:
- Sender name and email address
- Subject line
- Received and sent timestamps
- Message ID and thread ID (provider-issued identifiers)
- AI-generated classification labels and priority scores
- AI-generated digest summaries (never verbatim body content)
2.3 Connected Email Account Credentials
To connect your email provider we store OAuth access tokens and refresh tokens (or, for IMAP, encrypted credentials). These are stored encrypted at rest and used solely to access your mailbox on your behalf.
2.4 Payment Information
Payment card data is collected and stored exclusively by Stripe, our payment processor. We store only the Stripe customer ID, subscription status, and invoice history. We never see or store full card numbers.
2.5 Usage and Technical Data
We collect usage data such as features accessed, rules created, digest delivery events, and technical data such as IP address (for security rate-limiting), browser type, and error logs. This data is used to operate, secure, and improve the service.
3. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)): When you create an account you consent to us processing your data to provide the Clarnix service. You may withdraw consent at any time by deleting your account.
- Contract Performance (Art. 6(1)(b)): Processing your email metadata and account data is necessary to deliver the triage, classification, and digest features you have subscribed to.
- Legitimate Interests (Art. 6(1)(f)): We process technical and usage data to maintain service security, prevent abuse, detect errors, and improve platform reliability. Our interests are balanced against your rights and do not override them.
- Legal Obligation (Art. 6(1)(c)): Where required, we process data to comply with applicable law (e.g., retaining invoicing records under Spanish tax law).
4. How We Use Your Data
- Providing, operating, and maintaining the Clarnix service
- Classifying your incoming email and applying the rules you configure
- Generating AI-synthesised digest summaries and delivering them to your chosen channel (email, WhatsApp, Telegram, Slack, Teams)
- Processing payments and managing your subscription
- Sending transactional emails (account confirmation, receipts, digest delivery)
- Security monitoring, fraud prevention, and abuse detection
- Responding to support requests and communicating service updates
- Complying with legal obligations
We do not use your data for behavioural advertising, sell it to third parties, or use email content for any purpose other than in-memory triage processing.
5. Third-Party Data Processors
We engage the following sub-processors to operate the service. Each processes only the data strictly necessary for their role and is bound by a Data Processing Agreement.
| Processor | Purpose | Data Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU (Frankfurt, Germany) |
| OpenRouter | AI/LLM processing for classification and digest generation (transient; no data retained) | USA (SCCs in place) |
| Stripe | Payment processing and subscription management | USA/EU (SCCs in place) |
| Railway | Background worker infrastructure (email polling, triage queue) | USA (SCCs in place) |
| Vercel | Web application hosting and edge delivery | USA/EU (SCCs in place) |
| Resend | Transactional email delivery (account emails, email digests) | USA (SCCs in place) |
"SCCs" refers to the EU Standard Contractual Clauses adopted pursuant to Commission Decision (EU) 2021/914, which provide an adequate level of protection for transfers of personal data to third countries.
6. International Data Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). Where this occurs, we ensure an appropriate safeguard is in place — in all current cases, EU Standard Contractual Clauses — so that your data receives a level of protection equivalent to that guaranteed within the EEA.
7. Data Retention
- Email body content: Never stored. Processed in-memory and immediately discarded.
- Account data: Retained for the duration of your account and deleted within 30 days of account closure or subscription cancellation.
- Email metadata and digest summaries: Retained while your account is active and deleted within 30 days of account closure.
- Payment records: Retained for seven years as required by Spanish tax and commercial law (Ley General Tributaria).
- Security logs: Retained for up to 90 days for fraud detection and incident response.
During your 14-day free trial, all data is treated identically to that of a paying subscriber. If you do not convert to a paid plan, your data is deleted within 30 days of trial expiry.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., invoicing records).
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
- Right to restriction of processing (Art. 18): You may ask us to restrict processing of your data in certain circumstances.
- Right to object (Art. 21): You may object to processing based on legitimate interests. We will comply unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at privacy@clarnix.app. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish data protection authority (AEPD — Agencia Española de Protección de Datos) or the supervisory authority in your EU member state of habitual residence.
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including: encryption at rest and in transit (TLS 1.2+), Row Level Security enforced at the database layer, encrypted storage of OAuth tokens and credentials, rate-limiting on authentication endpoints, and regular security reviews. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the AEPD within 72 hours and, where required, notify affected individuals without undue delay.
10. Cookies and Similar Technologies
Clarnix uses strictly necessary cookies to manage authentication sessions. We do not use tracking, analytics, or advertising cookies. Session cookies are deleted when you close your browser; persistent authentication tokens expire after 30 days or upon logout.
11. Children's Privacy
The Clarnix service is intended for individuals aged 18 and over. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a prominent notice in the Clarnix dashboard at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact our privacy team:
NEXTGENWEBS, S.L. — Privacy
Email: privacy@clarnix.app
Pol. Ind. Fuente del Jarro, Plaza Gerardo Salvador, No. 1, Offices 17–19
46988 Paterna – Valencia, Spain