Privacy Notice
Last updated:
1. Introduction
Clarium Limited ("Clarium", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Notice explains how we collect, use, store, and protect your personal information when you use our GDPR compliance documentation platform (the "Service").
We are a Jersey-registered company and process personal data in accordance with the Data Protection (Jersey) Law 2018, which is equivalent to the EU General Data Protection Regulation (GDPR) with Jersey-specific provisions.
Please read this Privacy Notice carefully. By using Clarium, you acknowledge that you have read and understood how we process your personal data.
2. Data Controller Information
Data Controller: Clarium Limited
Jurisdiction: Jersey, Channel Islands
Contact Email: [email protected]
Data Protection Officer: [email protected]
3. Supervisory Authority
Our supervisory authority for data protection matters is:
Jersey Office of the Information Commissioner (JOIC)
Website: https://oicjersey.org/
Email: [email protected]
Phone: +44 (0) 1534 716530
Adequacy Status: Jersey has been granted adequacy status by the European Union (January 2024) and is recognized as adequate by the UK, meaning data transfers between Jersey, the EU, and the UK do not require Standard Contractual Clauses.
If you are based in the UK or EU, you also have the right to lodge a complaint with your local data protection authority (e.g., UK Information Commissioner's Office or your EU Member State authority).
4. What Personal Data We Collect
4.1 Account Information
- Full name
- Email address
- Job title/role
- Organization name
- Profile picture (if using Google or Microsoft authentication)
Legal Basis: Contract (Article 6(1)(b)) - necessary to provide the Service
4.2 Authentication Data
- Login credentials via OAuth providers (Google Workspace, Microsoft Entra ID/Azure AD)
- OAuth tokens (temporary, not stored long-term)
- Session tokens (JWT - JSON Web Tokens)
- Login timestamps and IP addresses
Note: We do not support email/password authentication.
4.3 GDPR Compliance Documentation (Customer Content)
- Business process descriptions (Article 30 Records of Processing Activities)
- IT system names, vendors, locations
- Data flow maps and visual diagrams
- Data categories, data subjects, lawful basis selections
- System verification details and security certifications
- Uploaded documents (policies, procedures - PDF, DOCX, max 5MB)
Important: We are a data processor for this content. You (the customer organization) are the data controller and determine what personal data (if any) is included in your business process descriptions. We recommend not including individual names or contact details of data subjects in your process descriptions.
4.4 Billing & Payment Information
- Billing name and address
- Organization tax/VAT number (if applicable)
- Payment card details (last 4 digits only - full card data stored by SumUp, not by us)
- Payment history and invoice records
Third-Party Processor: SumUp (SumUp Limited, London/Dublin)
4.5 Usage & Analytics Data
- Pages visited and features used
- Time spent on platform
- Actions performed (e.g., "created process", "verified system")
- Browser type, device type, operating system
Legal Basis: Legitimate Interests (Article 6(1)(f)) - improve Service quality
4.6 Technical & Log Data
- IP addresses
- Error logs and debugging information
- API request logs (rate limiting, performance monitoring)
- Platform Admin impersonation logs (when support accesses your account)
Retention: 30 days (logs), 12 months (Platform Admin impersonation logs)
5. How We Use Your Personal Data
| Purpose | Legal Basis |
|---|---|
| Provide the Service (account access, GDPR documentation features) | Contract (Article 6(1)(b)) |
| Process payments & billing | Contract (Article 6(1)(b)) |
| Send transactional emails (invitations, notifications) | Contract (Article 6(1)(b)) |
| Customer support | Contract & Legitimate Interests |
| Improve Service quality (analytics) | Legitimate Interests (Article 6(1)(f)) |
| Security & fraud prevention | Legitimate Interests (Article 6(1)(f)) |
| Comply with legal obligations | Legal Obligation (Article 6(1)(c)) |
6. Data Storage & Location
✅ All customer personal data is stored exclusively in the European Union.
We have configured all our infrastructure providers to process your data within the European Union:
- Database & Files: Supabase (PostgreSQL database, file storage) - eu-central-1 (Frankfurt, Germany)
- Application Hosting: Vercel (Next.js application) - dub1 (Dublin, Ireland)
- Email Delivery: Resend (transactional emails) - eu-west-1 (Dublin, Ireland)
- Rate Limiting & Caching: Upstash Redis (distributed rate limiting and application caching) - eu-west-1 (Dublin, Ireland)
- Backups: Daily automated backups stored in eu-central-1 (30-day retention)
No customer data is stored in the USA or any other non-EU country.
7. Third-Party Data Processors
7.1 Infrastructure & Hosting
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | EU-West-1 (Dublin) |
| Supabase | Database, authentication, file storage | EU-Central-1 (Frankfurt) |
| Cloudflare | CDN, DDoS protection | EU edge nodes |
| Upstash | Rate limiting, application caching | EU-West-1 (Dublin) |
| Resend | Transactional email delivery | EU-West-1 (Dublin) |
7.2 Payment Processing
SumUp (SumUp Limited, London/Dublin) handles all payment processing. We do NOT store your full credit card number - we only receive and store the last 4 digits for identification.
7.3 AI Processing
Perplexity AI (current) - Used for AI extraction of GDPR fields. Data is processed temporarily (5-15 seconds) and NOT stored. No data is used for AI model training. We are evaluating EU-based AI providers (e.g., Mistral AI) for future migration.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of subscription + 30 days |
| Deleted Records (Soft Delete) | 30 days (recovery window) |
| Audit Logs | 12 months |
| Backup Data | 30 days rolling |
| Session Data | 24 hours or logout |
| Email Delivery Logs | 90 days |
| Error Logs | 30 days |
| Platform Admin Impersonation Logs | 12 months |
9. Your Data Subject Rights
Under the Data Protection (Jersey) Law 2018 and GDPR, you have the following rights:
Right of Access (Article 15)
Obtain confirmation of whether we process your personal data and access a copy.
How: Settings → Export → Download your data (UROPA JSON format)
Right to Rectification (Article 16)
Correct inaccurate personal data and complete incomplete data.
How: Edit your profile and organization settings directly in the platform
Right to Erasure (Article 17)
Request deletion of your personal data in certain circumstances.
How: Settings → Account → Delete Account
Right to Data Portability (Article 20)
Receive your data in a structured, commonly used, machine-readable format.
How: Settings → Export → Download your data
Right to Restrict Processing (Article 18)
Contact [email protected] to request an account pause (read-only mode).
Right to Object (Article 21)
Contact [email protected] with details of your objection.
Response Time: Within 28 days (Data Protection (Jersey) Law 2018)
Contact: [email protected]
10. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.
For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
11. Technical Measures
Technical Measures
- Encryption at Rest: AES-256 encryption (Supabase/AWS)
- Encryption in Transit: TLS 1.3 (HTTPS only)
- Database Security: Row-Level Security (RLS) with organization isolation
- Authentication: OAuth 2.0 via Supabase Auth, JWT tokens (7-day expiry, HTTP-only cookies)
- Access Control: Role-based permissions (5 roles: Platform Admin, Superuser, DPC, Contributor, Viewer)
Organizational Measures
- Staff access to customer data on a need-to-know basis only
- All Platform Admin access to customer accounts is logged (12-month retention)
- Breach notification within 72 hours (Jersey Law requirement)
- Daily automated backups (Supabase-managed, eu-west-1, 30-day retention)
12. Changes to This Privacy Notice
We may update this Privacy Notice from time to time.
- Material Changes: Email notification to account administrators at least 30 days before changes take effect
- Minor Changes: Updated "Last Updated" date; continued use constitutes acceptance