Privacy Policy

Effective date: February 24, 2026

1. Data Controller

The data controller is Tomasz Sawko, operating as Clarife, based in Warsaw, Poland. For all data protection inquiries, please contact privacy@clarife.app.

2. Registration Data

When you create an account, we collect the following personal data:

  • Email address (required for authentication and communication)
  • Display name (optional, shown on shared tutorials)
  • Password (stored as a bcrypt hash; we never store plaintext passwords)
  • Profile avatar (optional, synced from OAuth provider or uploaded)
  • OAuth provider identifier (if you sign in with Google, Apple, or GitHub)

3. Document Data

When you create and edit tutorials, we process:

  • Document content (text blocks, headings, callouts, step descriptions)
  • Screenshots and images uploaded from the macOS app or web editor
  • Annotations added to screenshots (arrows, highlights, text labels, blur regions)

4. AI Generation Data

If you use the AI video generation feature, we additionally process:

  • AI-generated tutorial scenarios (derived from your document content via OpenRouter)
  • Text-to-speech voiceover audio (generated via Google Cloud TTS and stored temporarily)
  • Generation cost tracking (token count, character count, estimated cost per generation)

5. Sharing Data

When you share a tutorial publicly or with specific recipients, we process:

  • Share slug (unique URL identifier for your shared tutorial)
  • Email gating list (email addresses of users allowed to view a gated share)
  • View statistics (view count, unique viewer count; IP addresses are hashed and not stored in raw form)

6. Payment Data

Payment processing is handled entirely by Paddle.com Market Ltd. We do not store credit card numbers, bank account details, or any other payment instrument data. From Paddle, we receive and store: your subscription status, plan type (Free, Pro, Business), billing interval (monthly or yearly), AI addon status, and transaction identifiers. Paddle acts as the Merchant of Record and independently processes payment data under their own privacy policy.

7. Technical Data

We collect anonymized technical data via self-hosted Umami analytics (no cookies, no cross-site tracking):

  • IP address (used only for geolocation, never stored in raw form)
  • User agent string (browser type, operating system version)
  • Pages visited and features used within the application
  • Session duration and referral source

8. Technical Communications

We send transactional emails necessary for the operation of the Service: account confirmation, password reset, share notifications, sync conflict alerts, and critical security notices. These emails are sent via Amazon SES (Frankfurt region) and cannot be opted out of while your account is active, as they are essential to service delivery under Art. 6(1)(b) GDPR.

9. Optional Newsletter

You may separately opt in to our product newsletter. Subscription uses a double opt-in process: after signing up, you must confirm via a link sent to your email. Every newsletter includes a one-click unsubscribe link. The newsletter mailing list is managed via a self-hosted Mailwizz instance. Your newsletter consent is independent of your account — unsubscribing does not affect your use of the Service.

10. Legal Basis for Processing

We process your personal data under the following legal bases as defined in Art. 6(1) GDPR:

  • Art. 6(1)(b) — Contract performance: Processing of registration data, document data, payment data, and technical communications is necessary to provide the Service you signed up for.
  • Art. 6(1)(a) — Consent: Newsletter subscription, optional AI video generation, and optional sharing features are based on your explicit consent, which you may withdraw at any time.
  • Art. 6(1)(f) — Legitimate interest: Collection of anonymized analytics data, security logging, and fraud prevention serve our legitimate interest in maintaining and improving the Service. You may object to this processing at any time.

11. Data Retention Periods

We retain your personal data for the following periods:

  • Account data: Retained while your account is active. Accounts inactive for more than 12 consecutive months may be flagged for deletion with 30 days' advance notice by email.
  • Documents and media: Retained while your account exists. Upon account deletion, all documents, screenshots, and annotations are permanently deleted within 30 days.
  • AI generations: Retained while your account exists. Video files, audio files, and scenario data are deleted together with the account.
  • Share view statistics: IP hashes in view logs are retained for 90 days, then permanently deleted. Aggregate view counts are retained indefinitely.
  • Analytics data: Anonymized Umami analytics data is retained for 26 months, then automatically purged.
  • System logs: Server logs containing request metadata are retained for 90 days for debugging and security purposes.
  • Billing data: Transaction records and invoices are retained for 5 years after the end of the subscription, as required by Polish tax law (Ordynacja podatkowa, Art. 86 § 1).

12. Data Processors

We share your data with the following processors, each bound by a Data Processing Agreement (DPA):

  • Vercel Inc. (USA): Web application hosting and edge delivery. Data transfers to the US are covered by EU Standard Contractual Clauses (SCC).
  • Supabase Inc. (AWS Frankfurt, eu-central-1): PostgreSQL database hosting, authentication service, and real-time sync. Data remains in the EU.
  • Backblaze Inc. (USA): Object storage for screenshots, media files, and exports. Data transfers covered by EU SCC.
  • Google Cloud Platform (USA): Text-to-Speech API for AI video narration. Only document-derived text is sent; no personal identifiers. Transfers covered by EU SCC.
  • Paddle.com Market Ltd (UK): Payment processing as Merchant of Record. The UK has an EU adequacy decision (28 June 2021), ensuring equivalent data protection.
  • Amazon Web Services (Frankfurt, eu-central-1): Simple Email Service (SES) for transactional emails and Lambda for video rendering. Data remains in the EU.
  • OpenRouter (USA): AI model API for scenario generation. Only document content (no personal data) is sent. Transfers covered by EU SCC.
  • Umami (self-hosted): Privacy-focused web analytics. Hosted on our own infrastructure; no data leaves our servers. No cookies, no cross-site tracking.
  • Mailwizz (self-hosted): Newsletter mailing list management. Hosted on our own infrastructure; subscriber data does not leave our servers.

We do not sell, rent, or trade your personal data to any third party. Data is shared only with the processors listed above, strictly for the purposes described in this policy.

13. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You may request a copy of all personal data we hold about you. We will provide this within 30 days in a structured, commonly used format.
  • Right to rectification (Art. 16): You may correct inaccurate or incomplete data at any time through your account settings, or by contacting us.
  • Right to erasure (Art. 17): You may delete your account and all associated data from the Settings page. Deletion is processed within 30 days, including backups.
  • Right to data portability (Art. 20): You may export your documents and data in a machine-readable format (JSON) from the Settings page.
  • Right to object (Art. 21): You may object to processing based on legitimate interest (e.g., analytics). We will cease such processing unless we demonstrate compelling legitimate grounds.
  • Right to restriction (Art. 18): You may request that we limit processing of your data while a dispute is being resolved.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., newsletter), you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@clarife.app.

14. Data Export

You can export all your data (documents, annotations, profile information) in JSON format directly from your account. Go to Settings.

15. Automated Decision-Making

Clarife does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, within the meaning of Art. 22 GDPR. The AI video generation feature creates content based on your documents but does not make any decisions about you or your access to the Service.

16. Security Measures

We implement technical and organizational measures to protect your data:

  • All data in transit is encrypted via HTTPS/TLS 1.3
  • Passwords are hashed with bcrypt (cost factor 10+); we never store plaintext passwords
  • Row-Level Security (RLS) policies enforce data isolation at the database level
  • Two-factor authentication (TOTP) is available for all accounts
  • Nightly encrypted backups with 30-day retention
  • Comprehensive security audit completed (321 issues identified and resolved)

17. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland. Website: uodo.gov.pl. You may also contact your local EU/EEA data protection authority.

18. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be announced via a notice on our website and, for registered users, via email. The updated policy takes effect on the date indicated at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
