Privacy Policy
Your data matters to us — just like a great tutorial matters to you.
Effective date: April 4, 2026
1. Data Controller
The data controller is Tomasz Sawko, a natural person based in Warsaw, Poland, operating the clarife platform. For all data protection inquiries, please contact support@clarife.app.
2. Registration Data
When you create an Account, we collect the following personal data:
- Email address (required for authentication and communication)
- Display name (optional, shown on shared tutorials)
- Password (stored as a bcrypt hash; we never store plaintext passwords)
- Profile avatar (optional, synced from OAuth provider or uploaded)
- OAuth provider identifier (if you sign in with Google, Apple, or GitHub)
3. Document Data
When you create and edit tutorials, we process:
- Document content (text blocks, headings, callouts, step descriptions, code blocks, tables)
- Screenshots and images uploaded via the web editor or clarife capture app
- Annotations added to screenshots (arrows, highlights, text labels, blur regions, numbering)
- Screenshot enhancements (device frames, backgrounds, backdrops)
4. AI Generation Data
If you use the AI video generation feature, we additionally process:
- AI-generated tutorial scenarios (derived from your document content via OpenRouter)
- Text-to-speech voiceover audio (generated via Google Cloud TTS and stored for video rendering)
- Generation metadata (token count, character count, estimated cost, render status)
5. Sharing Data
When you share a tutorial publicly or with specific recipients, we process:
- Share slug (unique URL identifier for your shared tutorial)
- Email or domain gating list (email addresses or domains of users allowed to view a gated share)
- Email verification codes (hashed OTP codes for recipient identity verification)
- View statistics (view count, unique viewer count; IP addresses are hashed and not stored in raw form)
6. Payment Data
Payment processing is handled entirely by Paddle.com Market Ltd. We do not store credit card numbers, bank account details, or any other payment instrument data. From Paddle, we receive and store: Paddle customer ID, subscription status, plan type (Free, Pro, Business), billing interval (monthly or yearly), AI credits status, and transaction identifiers. Paddle acts as the Merchant of Record and independently processes payment data under their own privacy policy.
7. API Access Data
If you use API access, we process:
- API keys (stored as a hash; shown in truncated form after generation)
- Webhook configurations (URLs, signing secrets — encrypted with AES-256-GCM)
- API usage logs (key identifier, endpoint, method, response code, timestamp)
8. Technical Data
We collect anonymized technical data via self-hosted Umami analytics (no cookies, no cross-site tracking):
- IP address (used only for geolocation, never stored in raw form)
- User agent string (browser type, operating system version)
- Pages visited and features used within the application
- Session duration and referral source
9. Error Monitoring Data
To detect and fix software errors, we use Sentry (Functional Software Inc.). Sentry collects: error stack traces (without personal data), session metadata (browser, operating system, screen resolution), user navigation paths leading to the error (breadcrumbs), and performance data (page load times, Web Vitals metrics). Sentry does not collect document content or personally identifying data. Data in Sentry is retained for 90 days.
10. Security Verification Data
The Service uses Cloudflare Turnstile to protect login and registration forms against bots. Turnstile collects a minimal set of session data necessary for verification (no tracking cookies) and the verification result (pass/fail). Turnstile does not require users to solve CAPTCHAs and is designed with privacy in mind.
11. Login Notification Data
To protect Account security, we detect logins from new devices and send email notifications. For this purpose, we process: device fingerprint (SHA-256 hash based on User Agent and IP address; we do not store raw values), login date and time, and approximate location (based on IP).
12. Technical Communications
We send transactional emails necessary for Service operation: account confirmation, password reset, share notifications, new device login notifications, payment alerts (dunning), and critical security notices. These emails are sent via Amazon SES (Dublin region, eu-west-1) and cannot be opted out of while your Account is active, as they are essential to service delivery under Art. 6(1)(b) GDPR.
13. Marketing Communications
During Account registration, the Customer may consent to receiving marketing communications (tutorials, product updates, offers). Consent is voluntary and does not affect the ability to use the Service. The Customer may withdraw consent at any time via the unsubscribe link included in every marketing message or through Account settings. The mailing list is managed via a self-hosted Mailwizz instance. Withdrawing marketing consent does not affect the receipt of transactional emails (§12), which are necessary for Service delivery.
14. Legal Basis for Processing
We process your personal data under the following legal bases as defined in Art. 6(1) GDPR:
- Art. 6(1)(b) — Contract performance: Processing of registration data, document data, payment data, API data, and technical communications is necessary to provide the Service you signed up for.
- Art. 6(1)(a) — Consent: Marketing communications are based on your explicit consent, which you may withdraw at any time.
- Art. 6(1)(f) — Legitimate interest: Collection of anonymized analytics data, error monitoring (Sentry), security logging, new device detection, and fraud prevention serve our legitimate interest in maintaining security and improving the Service. You may object to this processing at any time.
15. Data Retention Periods
We retain your personal data for the following periods:
- Account data: Retained while your Account is active. Accounts inactive for more than 12 consecutive months may be deleted after notification with 30 days' advance notice.
- Documents and media: Retained while your Account exists. Deleted documents are moved to trash for 30 days, then permanently deleted. Upon Account deletion, all data is permanently deleted within 30 days.
- AI generations: Retained while your Account exists. Video files, audio files, and scenario data are deleted together with the Account.
- API keys and webhook configurations: Deleted immediately upon revocation by the Customer or Account deletion.
- Share view statistics: IP hashes in view logs are retained for 90 days, then permanently deleted. Aggregate view counts are retained indefinitely.
- Analytics data: Anonymized Umami data is retained for 26 months.
- Error monitoring data: Data in Sentry is retained for 90 days.
- System logs: Server logs are retained for 90 days for debugging and security purposes.
- Billing data: Subscription metadata (status, plan type, interval) is retained while the Account exists and deleted with the Account. Transaction records, invoices, and payment data are managed and retained by Paddle.com in accordance with their data retention policy and applicable tax regulations.
16. Data Processors
Your data is processed with the involvement of the following third-party sub-processors. We only use providers that offer appropriate personal data protection guarantees in accordance with the GDPR, including standard data processing terms (DPA) available as part of their terms of service:
- Vercel Inc. (AWS Frankfurt eu-central-1, Paris eu-west-3, Dublin eu-west-1): Web application hosting and edge delivery. Serverless functions run exclusively in EU regions (Frankfurt, Paris, Dublin). Data remains in the EU.
- Supabase Inc. (AWS Frankfurt, eu-central-1): PostgreSQL database hosting and authentication service. Data remains in the EU.
- Backblaze Inc. (EU, eu-central-003): Object storage for screenshots and media files. Data is stored in the EU.
- Google Cloud Platform: Text-to-Speech API for AI video narration. Only document-derived text is sent; no personal identifiers. Processing is covered by Google's Data Processing Amendment with EU Standard Contractual Clauses (SCC).
- Paddle.com Market Ltd (UK): Payment processing as Merchant of Record. The UK has an EU adequacy decision (28 June 2021), ensuring equivalent data protection.
- Amazon Web Services (Dublin, eu-west-1): Simple Email Service (SES) for transactional emails, Lambda for video rendering, and S3 for storing generated video files. Data remains in the EU.
- OpenRouter (USA): AI model API for scenario generation. Only document content (no personal data) is sent. Transfers covered by EU SCC.
- Functional Software Inc. / Sentry (USA): Application error and performance monitoring. Only technical data (stack traces, performance metrics) is collected — no document content or personal data. Transfers covered by EU SCC.
- Cloudflare Inc. (USA): Turnstile — security verification for forms (bot protection). Minimal session data, no user tracking. Transfers covered by EU SCC.
- Umami (self-hosted, Hetzner Helsinki): Privacy-focused web analytics. Hosted on our own infrastructure in the EU; no data leaves our servers. No cookies, no cross-site tracking.
- Mailwizz (self-hosted, Hetzner Helsinki): Technical and marketing mailing list management. Hosted on our own infrastructure in the EU; subscriber data does not leave our servers.
We do not sell, rent, or trade your personal data to any third party. Data is shared only with the processors listed above, strictly for the purposes described in this policy.
17. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): You may request a copy of all personal data we hold about you. We will provide this within 30 days in a structured, commonly used format.
- Right to rectification (Art. 16): You may correct inaccurate or incomplete data at any time through your Account settings or by contacting us.
- Right to erasure (Art. 17): You may delete your Account and all associated data from the Settings page. Deletion is processed within 30 days, including backups.
- Right to data portability (Art. 20): You may export your documents and data in a machine-readable format (JSON) from the Settings page.
- Right to object (Art. 21): You may object to processing based on legitimate interest (e.g., analytics, error monitoring). We will cease such processing unless we demonstrate compelling legitimate grounds.
- Right to restriction (Art. 18): You may request that we limit processing of your data while a dispute is being resolved.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@clarife.app. We will respond within 30 days.
18. Data Export
You can export all your data (documents, annotations, profile information) in JSON format directly from the Settings page in the Service.
19. Automated Decision-Making
clarife does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, within the meaning of Art. 22 GDPR. The AI video generation feature creates content based on your documents but does not make any decisions about you or your access to the Service.
20. Security Measures
We implement technical and organizational measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS 1.3
- Passwords are hashed with bcrypt (cost factor 10+); we never store plaintext passwords
- API keys are stored as hashes; webhook secrets are encrypted with AES-256-GCM
- Row-Level Security (RLS) policies enforce data isolation at the database level
- Two-factor authentication (TOTP) is available for all accounts
- Regular encrypted backups with 30-day retention
- Comprehensive security audits completed (internal and independent)
21. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland. Website: uodo.gov.pl. You may also contact your local EU/EEA data protection authority.
22. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be announced via a notice on the Service website and, for registered Customers, via email at least 14 days before they take effect. The updated policy takes effect on the date indicated at the top of this page.