Privacy Policy
Effective: April 19, 2026 — Last updated: April 19, 2026
This Privacy Policy explains how NEXTGENWEBS, S.L. ("Clarnix", "we", "our", or "us") collects, uses, shares, and protects your personal data when you use the Clarnix service available at clarnix.app. It is provided pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and applicable Spanish data protection law (LOPDGDD). Please read it carefully before using the service.
1. Data Controller
The data controller responsible for your personal data is:
NEXTGENWEBS, S.L.
CIF: B97380067
Pol. Ind. Fuente del Jarro
Plaza Gerardo Salvador, No. 1, Offices 17–19
46988 Paterna – Valencia, Spain
Privacy contact: legal@clarnix.app
The supervisory authority for data protection in Spain is the Agencia Española de Protección de Datos (AEPD), accessible at www.aepd.es.
2. Data We Collect
We collect the minimum data necessary to provide the Clarnix service.
2.1 Account Data
When you create an account we collect your name, email address, and (if applicable) a hashed password. If you sign in via OAuth (Google or Microsoft), we receive your name, email address, and provider-issued user ID.
2.2 Email Data Accessed via OAuth — Privacy by Design
Clarnix is built on a privacy-by-design principle: email body content is never stored in our systems. We process email bodies transiently in-memory to classify messages and generate digest summaries, and then discard them immediately. The Gmail OAuth scopes we request are https://www.googleapis.com/auth/gmail.readonly (read mail) and https://www.googleapis.com/auth/gmail.modify (apply labels/archive). For Microsoft accounts we request the equivalent Microsoft Graph Mail.Read and Mail.ReadWrite permissions. The metadata we do persist is limited to:
- Sender name and email address
- Subject line
- Received timestamp (received_at)
- Message ID and thread ID (provider-issued identifiers)
- AI-generated classification labels and priority scores
- AI-generated digest summaries (never verbatim body content)
2.3 Connected Email Account Credentials
To connect your email provider we store OAuth access tokens and refresh tokens (or, for IMAP, encrypted credentials). These are stored encrypted at rest using an ENCRYPTION_MASTER_KEY and used solely to access your mailbox on your behalf.
2.4 Billing Data
Payment card data is collected and processed exclusively by Stripe. We store only your Stripe customer ID, subscription status, last-4 card digits, billing name, billing address, and VAT ID where provided. We never see or store full card numbers.
2.5 Usage Data
We collect aggregated, anonymised usage data such as features accessed, number of rules created, digest count, and delivery events. We also collect technical data such as IP address (for security rate-limiting), browser type, and error logs.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Providing, operating, and maintaining the Clarnix service
- Classifying your incoming email using AI and applying the rules you configure
- Generating AI-synthesised digest summaries and delivering them to your chosen channel (email, WhatsApp, Telegram, Slack, Teams)
- Processing payments and managing your subscription via Stripe
- Sending transactional emails (account confirmation, receipts, digest delivery)
- Aggregated and anonymised product analytics to understand feature usage and improve the service
- Security monitoring, fraud prevention, and abuse detection
- Complying with legal obligations
We do not use your data for behavioural advertising, sell it to third parties, or use email content for any purpose other than in-memory triage processing.
4. Google API Services — Limited Use Disclosure
Clarnix's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- We do not use your Google user data to train generalised AI or machine learning models.
- Human access to your Google user data is limited to: (a) with your explicit consent; (b) for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) for internal operations where the data has been aggregated and anonymised.
- We do not sell or transfer your Google user data to data brokers, advertisers, or any other third parties for purposes unrelated to providing the Clarnix service.
5. Legal Basis for Processing (GDPR Art. 6)
We rely on the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing your email metadata and account data is necessary to deliver the triage, classification, and digest features you have subscribed to.
- Legitimate Interests (Art. 6(1)(f)): We process technical and usage data to maintain service security, prevent abuse, detect errors, and improve platform reliability. Our interests are balanced against your rights and do not override them.
- Consent (Art. 6(1)(a)): For non-essential cookies and marketing communications, we rely on your consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation (Art. 6(1)(c)): Where required, we process data to comply with applicable law (e.g., retaining invoicing records under Spanish tax law).
6. Subprocessors
We engage the following sub-processors to operate the service. Each processes only the data strictly necessary for their role.
| Processor | Purpose & Data Shared | Location |
|---|---|---|
| Supabase | Database hosting, authentication, and file storage — account data, email metadata, rules, digests | EU (Frankfurt, Germany) |
| Vercel | Web application hosting and edge delivery — request logs | EU/USA (SCCs) |
| Railway | Background worker infrastructure (email polling, triage queue) — transient email content in-memory | EU/USA (SCCs) |
| Resend | Transactional email delivery — recipient address, digest summaries | USA (SCCs) |
| OpenRouter — Anthropic, Google AI | AI/LLM routing and inference for email classification and digest generation. OpenRouter forwards requests to the upstream providers we use: Anthropic (Claude Haiku) and Google AI (Gemini). Email content is processed transiently in-memory only; no data is retained by OpenRouter or by the upstream providers under their zero-data-retention configurations. | USA (SCCs) |
| Stripe | Billing and subscription management — billing name, address, card data | USA/EU (SCCs) |
| Google / Microsoft | OAuth authentication and email data source — OAuth tokens, email metadata accessed per your authorisation | USA (SCCs) |
| Meta (WhatsApp) / Telegram / Slack | Digest delivery to your configured messaging channels — digest summary content | USA (SCCs) |
"SCCs" refers to the EU Standard Contractual Clauses adopted pursuant to Commission Decision (EU) 2021/914, which provide an adequate level of protection for transfers of personal data to third countries.
7. International Data Transfers
Some of our sub-processors operate outside the European Economic Area (EEA). Where this occurs, we ensure an appropriate safeguard is in place — in all current cases, EU Standard Contractual Clauses — so that your data receives a level of protection equivalent to that guaranteed within the EEA.
8. Data Retention
- Email body content: Never stored. Processed in-memory and immediately discarded.
- Account metadata: Retained until account deletion, then removed from active systems within 30 days.
- Email metadata and digest summaries: Retained while your account is active and deleted within 30 days of account closure.
- Billing records: Retained for 6 years as required by Spanish tax law (Ley General Tributaria).
- Audit logs: Retained per your plan's audit_log_visibility_days. Server-side logs retained up to 90 days for security purposes, with user identity redacted upon deletion.
During your 14-day free trial, all data is treated identically to that of a paying subscriber. If you do not convert to a paid plan, your data is deleted within 30 days of trial expiry.
9. Account Deletion
- You can delete your account at any time from Settings → Delete Account (self-service). Account closure is permanent and cannot be reversed.
- What gets deleted within 30 days: your profile, all connected email accounts and OAuth tokens (revoked at the provider immediately upon deletion), all classification data, digests, rules, and team memberships. If you are the sole owner of a team, the team is deleted or ownership is transferred.
- What is retained: billing records (Spanish tax law, 6 years) and audit logs with your identity redacted.
- Removal from active systems is completed within 30 days, in line with Section 8. This timeframe accounts for backups, replicated storage, and batch deletion processes, and is consistent with the "reasonable timeframe for effective erasure" recognised under Article 17 GDPR.
10. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., billing records).
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
- Right to restriction of processing (Art. 18): You may ask us to restrict processing of your data in certain circumstances.
- Right to object (Art. 21): You may object to processing based on legitimate interests. We will comply unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at legal@clarnix.app. In accordance with Article 12(3) GDPR, we will respond to your request within one month of receipt. Where a request is particularly complex or where we receive a high number of requests, that period may be extended by up to two further months; we will inform you within one month of receiving the request of any such extension and the reasons for it. If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish data protection authority (AEPD — Agencia Española de Protección de Datos) or the supervisory authority in your EU member state of habitual residence.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including: TLS 1.3 encryption in transit, encryption at rest managed by Supabase, OAuth tokens encrypted with an ENCRYPTION_MASTER_KEY, Row Level Security enforced at the database layer, and access controls limiting who can access production systems. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the AEPD within 72 hours.
12. Cookies
Clarnix uses strictly necessary cookies to manage authentication sessions. We also offer optional analytics cookies subject to your consent. For full details see our Cookie Policy.
13. Children
The Clarnix service is not directed at users under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete the account promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via an in-app banner and by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please use the addresses below. Two specialised inboxes are operated by NEXTGENWEBS, S.L.: legal@clarnix.app, monitored by the Legal & Privacy team, which handles GDPR data-subject requests, contractual queries, and other legal matters; and support@clarnix.app, monitored by the Customer Support team, which handles day-to-day product, account, and billing questions. We aim to acknowledge incoming requests within two business days. Substantive responses to data-subject requests are issued within the statutory deadlines set out in Section 10 above. Personal data you share with us through these inboxes (your name, email address, and the content of your request) is processed on the legal basis of Article 6(1)(c) GDPR (compliance with a legal obligation, where we are responding to a data-subject request) or Article 6(1)(f) GDPR (our legitimate interest in answering correspondence). Records of these communications are retained for as long as necessary to evidence our response, and in any event no longer than 6 years where required by Spanish law.
NEXTGENWEBS, S.L.
Legal & privacy: legal@clarnix.app
Product & support: support@clarnix.app
Pol. Ind. Fuente del Jarro, Plaza Gerardo Salvador, No. 1, Offices 17–19
46988 Paterna – Valencia, Spain
Spanish Data Protection Agency: www.aepd.es