Privacy Policy
Last updated: February 16, 2026
Clarion (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Clarion platform at getclarion.in (the “Service”).
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign up, we collect your name, email address, and password (hashed, never stored in plain text). If you use Google OAuth, we receive your name, email, and profile picture from Google.
- Organization Data: Organization name, billing details, team member information, and role assignments.
- Customer Signals: Data you import into Clarion including customer feedback, support tickets, interview transcripts, NPS responses, and analytics events. This is your data — we process it on your behalf.
- Product Specifications: PRDs, machine specs, and agent artifacts you create or generate through the platform.
- Communications: Information you provide when you contact us for support, submit a demo request, or respond to surveys.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken, timestamps, and session duration.
- Device Information: Browser type, operating system, device type, and screen resolution.
- IP Address: Used for security (login activity monitoring), approximate geolocation, and abuse prevention.
- Cookies: We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
1.3 Information from Third-Party Integrations
When you connect integrations (Zendesk, Intercom, Gong, Amplitude, GitHub, Slack), we access data from those services solely to provide Clarion’s functionality. We store OAuth tokens encrypted with AES-256-GCM and only access the minimum data scopes required. You can revoke integration access at any time from Settings.
2. How We Use Your Information
- Provide the Service: Process your customer signals, generate AI-powered insights, create specifications, and deliver platform features.
- AI Processing: Your data is sent to our AI providers (described in Section 5) for classification, theme extraction, sentiment analysis, PRD generation, and other intelligence features. Your data is never used to train AI models.
- Communication: Send transactional emails (invitations, anomaly alerts, digest reports, password resets) and respond to your inquiries.
- Security: Monitor for unauthorized access, detect abuse, and maintain platform integrity.
- Improvement: Analyze aggregate, anonymized usage patterns to improve features and performance. We never analyze your customer signal content for this purpose.
- Billing: Process payments, manage subscriptions, and apply coupon codes.
3. Data Isolation and Multi-Tenancy
Clarion is a multi-tenant platform. All data is logically isolated by organization:
- Every database query is scoped to your organization ID — no cross-tenant data access is possible.
- Customer signals, insights, opportunities, specifications, competitive intelligence, and all generated content belong exclusively to your organization.
- Organization members can only access data within their own organization based on their assigned role (Owner, Admin, Member, or Viewer).
- AI processing is performed per-organization — your data is never mixed with another organization’s data in any AI request.
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
- Encryption at Rest: Sensitive fields (API keys, integration tokens, webhook secrets) are encrypted using AES-256-GCM with unique initialization vectors.
- Password Security: Passwords are hashed using bcrypt with a cost factor of 10. We never store plain-text passwords.
- Authentication: JWT-based session management with secure, HTTP-only tokens. Support for Google OAuth 2.0.
- API Key Security: API keys are displayed once at creation, stored as SHA-256 hashes, and can be revoked instantly.
- Infrastructure: Hosted on Google Cloud Platform with automated SSL certificate management, network firewalls, and regular security updates.
- Access Control: Role-based access control (RBAC) with four permission levels. Super admin actions are logged.
5. AI Data Processing
Clarion uses AI services to power its intelligence features. Here is how your data is handled:
- AI Processing: We use industry-leading AI models for language processing and semantic embeddings. Data sent to our AI providers is processed in real time and not stored beyond the immediate request.
- No Model Training: Your data is never used to train, fine-tune, or improve any AI model — ours or any provider’s. This is guaranteed by our provider agreements.
- Data Minimization: We send only the minimum data necessary for each AI task. For example, signal classification sends the signal content and category definitions — not your entire database.
- Vector Embeddings: Semantic search embeddings are generated from your content and stored in our database. These numerical vectors cannot be reverse-engineered back into the original text.
6. Data Retention
- Active Account: Your data is retained for as long as your account is active and you maintain a subscription.
- Deleted Content: When you delete signals, insights, opportunities, or specifications, they are soft-deleted (marked with a timestamp) and permanently purged within 30 days.
- Account Deletion: If you request account deletion, we will remove all your personal data and organization data within 30 days. Some anonymized, aggregated data may be retained for analytics purposes.
- Backups: Database backups are retained for up to 7 days for disaster recovery, after which they are automatically deleted.
- Login Activity: Login records (IP address, browser, timestamp) are retained for 90 days for security auditing purposes.
7. Data Sharing and Disclosure
We do not sell your data. We share data only in these cases:
- Service Providers: We use third-party services to operate the platform: Google Cloud (hosting), Razorpay (payment processing), Resend (transactional email), and AI providers. Each provider processes data only as necessary to provide their service.
- Team Members: Data within your organization is accessible to other members of the same organization based on their role permissions.
- Legal Requirements: We may disclose data if required by law, regulation, legal process, or governmental request. We will notify you when legally permissible.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your personal data and account.
- Export: Export your data in standard formats (CSV, JSON, DOCX) using our built-in export features.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent for optional processing (e.g., digest email reports) at any time from Settings.
To exercise any of these rights, contact us at admin@getclarion.in. We will respond within 30 days.
9. Cookies
Clarion uses only essential cookies:
- Session Cookie: A secure, HTTP-only cookie that maintains your authentication state. Expires when you sign out or after 30 days of inactivity.
- CSRF Token: A cookie to prevent cross-site request forgery attacks.
We do not use advertising cookies, analytics cookies, or any third-party tracking technologies. We do not participate in cross-site tracking.
10. International Data Transfers
Clarion’s servers are located in the United States (Google Cloud Platform, us-west1 region). If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.
11. Children's Privacy
Clarion is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16, we will delete that data promptly. If you believe a child has provided us with personal data, contact us at admin@getclarion.in.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will also send an email notification to your registered email address. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: admin@getclarion.in
- Website: getclarion.in