Introduction & Scope
Welcome to ClearlyT ("we," "us," or "our"). We are committed to protecting the privacy and security of the personal data entrusted to us by our customers, users, and website visitors. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our compliance management platform, website, and related services (collectively, the "Services").
This Policy applies to all individuals who access or use the Services, including account holders, team members invited to an organisation's workspace, and visitors to our website. It does not apply to information collected by third-party services that may be linked from or integrated with our platform, which are governed by their own privacy policies.
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of an organisation, you represent that you are authorised to accept this Policy on behalf of that organisation.
Data Controller Information
For the purposes of the EU General Data Protection Regulation (GDPR) and applicable data protection laws, ClearlyT acts as the data controller for personal data collected through account registration, website usage, and platform analytics. When our customers upload compliance documentation, employee records, or other organisational data to the platform, ClearlyT acts as a data processor on behalf of the customer (the data controller).
Our processing activities are governed by Data Processing Agreements (DPAs) with our customers, which are available upon request. These agreements define the scope, nature, and purpose of processing, as well as the obligations of each party.
Information We Collect
We collect and process the following categories of information in connection with the Services:
3.1 Account Data
When you create an account, we collect your name, email address, organisation name, job title, and authentication credentials. If you sign in via a third-party identity provider (such as Google or Microsoft), we receive the profile information you authorise.
3.2 Compliance Data
Our customers upload policies, procedures, evidence artefacts, risk assessments, and other compliance-related documents to the platform. This data may include personal information about individuals within the customer's organisation. We process this data solely on behalf of and under the instructions of our customers.
3.3 Cloud Scan Results
When you connect your cloud infrastructure (AWS, GCP, or Azure) to ClearlyT for security scanning, we collect configuration metadata, security findings, and resource inventories. We do not access the content of your data stored in those cloud environments — only the configuration and security posture information necessary to assess compliance.
3.4 Usage Analytics
We automatically collect information about how you interact with the Services, including pages visited, features used, session duration, browser type, operating system, IP address, and referring URLs. This information helps us understand usage patterns and improve the platform.
3.5 Cookies and Similar Technologies
We use essential cookies to maintain your session and authentication state. For further details, please refer to Section 11 of this Policy.
How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Services: To deliver compliance assessments, generate reports, run cloud security scans, manage policies, and enable all core platform functionality.
- Improve and develop the platform: To analyse usage patterns, identify areas for improvement, develop new features, and optimise performance and reliability.
- Billing and subscription management: To process payments, manage subscriptions, send invoices, and handle billing-related communications.
- Customer support: To respond to your enquiries, resolve technical issues, and provide onboarding assistance.
- Security and fraud prevention: To monitor for suspicious activity, prevent unauthorised access, and protect the integrity of the platform and user data.
- Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Communications: To send you service-related notifications, security alerts, compliance deadline reminders, and, where you have opted in, product updates and educational content.
Legal Basis for Processing
Under Article 6 of the GDPR, we process personal data on the following legal bases:
5.1 Performance of a Contract (Article 6(1)(b))
Processing is necessary for the performance of the contract between you (or your organisation) and ClearlyT, including providing the Services, managing your account, and fulfilling our contractual obligations.
5.2 Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interests, including improving the platform, ensuring security, preventing fraud, and conducting analytics. We conduct balancing tests to ensure that our interests do not override your fundamental rights and freedoms.
5.3 Consent (Article 6(1)(a))
Where required, we obtain your explicit consent before processing your data — for example, for marketing communications or non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5.4 Legal Obligation (Article 6(1)(c))
We may process personal data where necessary to comply with a legal obligation, such as tax reporting requirements, regulatory audits, or lawful requests from public authorities.
Data Sharing & Third Parties
We do not sell, rent, or trade your personal data to third parties. We share data only in the following circumstances and with the following categories of service providers:
6.1 Authentication Provider
We use Clerk for user authentication and identity management. Clerk processes your name, email address, and authentication tokens in accordance with their privacy policy and our Data Processing Agreement.
6.2 Infrastructure and Storage
We use Supabase for database storage and backend services. Your account data, compliance documents, and platform data are stored in Supabase-managed databases with encryption at rest and in transit.
6.3 Cloud Scanning Services
When you authorise cloud security scans, we interact with Amazon Web Services (AWS) and Google Cloud Platform (GCP) APIs using read-only credentials you provide. We access only configuration and security metadata — never your stored data.
6.4 Payment Processing
We use third-party payment processors to handle billing transactions. Your payment card information is processed directly by the payment processor and is never stored on our servers. Our payment processors are PCI DSS compliant.
6.5 Legal Requirements
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, or protect the personal safety of users or the public.
All third-party service providers are bound by Data Processing Agreements and are required to implement appropriate technical and organisational measures to protect personal data.
International Data Transfers
ClearlyT may transfer and process personal data in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place to protect your data in accordance with the GDPR:
- Standard Contractual Clauses (SCCs): We enter into EU-approved Standard Contractual Clauses with our sub-processors located outside the EEA to ensure an adequate level of data protection.
- Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission.
- Supplementary Measures: We implement additional technical and organisational measures, including encryption and access controls, to supplement the safeguards provided by SCCs.
You may request a copy of the relevant Standard Contractual Clauses by contacting us at the address provided in Section 14.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law:
- Account data: Retained for the duration of your active account and for a reasonable period thereafter (up to 30 days) to allow for account recovery before permanent deletion.
- Compliance data: Retained for the duration of the customer's subscription. Upon account closure or written request, compliance data is permanently deleted within 30 days, unless regulatory obligations require longer retention.
- Cloud scan results: Retained for the duration of the customer's subscription to enable historical trend analysis and compliance reporting. Deleted within 30 days of account closure.
- Audit logs: Platform audit logs (such as user activity, access logs, and configuration changes) are retained for a minimum of 12 months and a maximum of 36 months to support security investigations and compliance audits.
- Usage analytics: Aggregated and anonymised analytics data may be retained indefinitely, as it cannot be used to identify individual users.
You may request deletion of your personal data at any time by contacting us at privacy@clearlyt.com. We will process your request in accordance with applicable data protection laws.
Your Rights
Under the GDPR and applicable data protection laws, you have the following rights in relation to your personal data:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions (such as data required for legal compliance or the exercise of legal claims).
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to Restriction (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances, such as when you contest its accuracy.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact our Data Protection Officer at the details provided in Section 14. We will respond to your request within one month (or within the timeframe required by applicable law). If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
Security Measures
We implement comprehensive technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security practices include:
- Encryption at rest and in transit: All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Database connections, API communications, and file storage are fully encrypted.
- Role-Based Access Control (RBAC): Access to data is restricted based on user roles and the principle of least privilege. Administrative access to production infrastructure requires multi-factor authentication.
- Audit logging: All access to sensitive data and administrative actions are logged and monitored. Logs are tamper-resistant and retained in accordance with our data retention policy.
- Infrastructure security: Our platform is hosted on industry-leading cloud infrastructure with SOC 2 Type II and ISO 27001 certifications. We employ network segmentation, intrusion detection, and automated vulnerability scanning.
- Incident response: We maintain a documented incident response plan. Where we act as data controller, we will notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it (GDPR Article 33) and will inform affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). Where we act as data processor, we will notify the affected customer without undue delay after becoming aware of a breach so that the customer can meet its own notification obligations.
- Vendor security assessments: All sub-processors undergo security assessments before onboarding and are subject to ongoing monitoring.
Children's Privacy
The Services are designed for business-to-business use and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as promptly as possible.
If you believe that a child under 16 has provided us with personal data, please contact us immediately at privacy@clearlyt.com so that we can take appropriate action.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify account holders via email or through an in-platform notification at least 30 days before the changes take effect.
- Where required by law, obtain your consent to material changes in data processing.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.
Contact & DPO
If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject requests (such as access or deletion requests), we will respond within one month as required by the GDPR (Article 12(3)).
If you are located in the European Economic Area and believe that your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at edpb.europa.eu.