Privacy Policy

Last updated: April 12, 2026

1. Introduction

ClearAct ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our EU AI Act compliance platform ("Service").

We process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

ClearAct is the data controller for the personal data processed through the Service. For data protection inquiries, contact us at privacy@clearact.ai.

3. Personal Data We Collect

3.1 Information You Provide

  • Account information: Name, email address, company name, and password when you register.
  • Organization data: Company name, department names, and organizational structure.
  • AI system information: Names, descriptions, vendors, use cases, and risk classifications of your AI systems.
  • Compliance documents: Content of documents generated and edited within the Service.
  • Payment information: Billing details processed securely through Stripe. We do not store credit card numbers.

3.2 Information Collected Automatically

  • Usage data: Pages visited, features used, and interactions with the Service (via Vercel Analytics).
  • Device information: Browser type, operating system, and device identifiers.
  • Log data: IP addresses, access times, and referring URLs.

4. How We Use Your Data

We process your personal data for the following purposes:

  • Service delivery: To provide, maintain, and improve the compliance platform.
  • AI document generation: To generate compliance documents using AI (data is sent to Anthropic's Claude API for processing).
  • Account management: To manage your account, authentication, and subscription.
  • Communication: To send transactional emails (welcome, trial expiring, billing notifications).
  • Analytics: To understand usage patterns and improve the Service (anonymized, aggregated data only).
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

5. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to.
  • Legitimate interests (Art. 6(1)(f)): Analytics, security, and service improvement.
  • Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies.
  • Legal obligation (Art. 6(1)(c)): Tax and accounting requirements.

6. Data Sharing and Third-Party Processing

We share your data with the following categories of service providers:

  • Anthropic (Claude API): AI system descriptions and metadata you provide are sent to Anthropic's Claude API for compliance document generation. Anthropic processes this data in the United States. Anthropic does not use API inputs to train its models. Anthropic's data retention and processing terms apply to API interactions.
  • Supabase / AWS: Database hosting, authentication, and data storage. Data is processed and stored in the United States.
  • Vercel: Application hosting, serverless functions, and analytics. Data is processed in the United States.
  • Stripe: Payment processing. Subject to Stripe's Privacy Policy. We do not store credit card numbers.

All data processed through the Service is stored and processed in the United States via our sub-processors (Supabase, Vercel, Anthropic).

We do not sell your personal data to third parties. We do not share your data with advertisers.

7. International Data Transfers

Your data is transferred to and processed in the United States by our sub-processors (Anthropic, Supabase/AWS, Vercel). We rely on the following legal mechanisms for these transfers:

  • EU-U.S. Data Privacy Framework (DPF): Where our sub-processors are certified under the EU-U.S. Data Privacy Framework, transfers are made on the basis of that adequacy decision.
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) to ensure an adequate level of data protection.

You may request a copy of the applicable transfer safeguards by contacting us at privacy@clearact.ai.

8. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion.
  • Compliance documents: Retained for the duration of your subscription plus 30 days.
  • Payment records: Retained for 7 years as required by tax regulations.
  • Analytics data: Aggregated and anonymized; retained indefinitely.

9. Your Rights (GDPR)

You have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Request correction of inaccurate data.
  • Erasure (Art. 17 — Right to be Forgotten): Request deletion of your account and all associated data. You can exercise this right directly from your account settings ("Delete Account") or by contacting us. Upon request, we will permanently delete your account, organization, AI systems, documents, and audit logs. Deletion is irreversible.
  • Restriction (Art. 18): Request limitation of processing.
  • Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format (JSON). You can export your data directly from your account settings ("Export My Data") or by contacting us.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact us at privacy@clearact.ai. We will respond within 30 days as required by GDPR.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest (AES-256).
  • Row-level security (RLS) policies for complete tenant isolation.
  • Regular security assessments and updates.
  • Access controls and authentication mechanisms.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.

12. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication and core Service functionality. These cannot be disabled.
  • Analytics cookies (optional): Vercel Analytics cookies help us understand usage patterns and improve the Service. You can opt out of analytics cookies via the cookie consent banner or your browser settings.

For more information, see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

14. Contact and Supervisory Authority

For privacy-related inquiries: privacy@clearact.ai

You have the right to lodge a complaint with a supervisory authority. In Germany, the relevant authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).