Privacy Policy
Effective date: March 18, 2026
This policy describes how aclearly ("we", "us", "our") collects, uses, stores, and protects information when you use our document intelligence platform at aclearly.com (the "Service").
1. Data Controller
aclearly is the data controller for personal data processed through this Service. For questions or requests, contact us at privacy@aclearly.com.
2. Information We Collect
Account Data
When you create an account we collect your email address and authentication credentials (managed by Supabase Auth). We do not store passwords directly.
Documents You Upload
When you use the extraction service, you upload PDF, PNG, or JPEG files. These documents are:
- Transmitted over TLS to our servers
- Sent to Azure OpenAI (GPT-4o) for processing — see Section 6
- Stored in Supabase Storage (encrypted at rest) tied to your account
- Never shared with other users or third parties beyond what is described here
Extracted Data
Structured JSON output from document extraction (field names, values, confidence scores) is stored in our database associated with your user account. This data is used to power your dashboard, insights, and knowledge base features.
Embeddings
We generate vector embeddings of extracted content using Azure OpenAI's embedding models. Embeddings are numerical representations used for semantic search and are not human-readable. They are stored alongside your extraction records.
Usage Data
We collect standard server logs (IP address, user agent, request timestamps) and usage metrics (extraction counts, feature usage) to operate and improve the Service.
Payment Data
Payment processing is handled by Stripe. We do not store credit card numbers. Stripe's privacy policy governs payment data: stripe.com/privacy.
3. How We Use Your Information
- Provide the Service — process documents, generate extractions, power search and insights
- Improve accuracy — analyze aggregate extraction patterns to improve our prompts and processing pipeline (we do not use your documents to train AI models)
- Billing — track usage for metered billing and subscription management
- Security — detect abuse, enforce rate limits, and protect the platform
- Communication — send transactional emails (account verification, billing receipts, security alerts)
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) |
| Billing and payments | Performance of contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
5. Data Retention
- Account data — retained while your account is active, deleted within 30 days of account deletion
- Uploaded documents — retained while your account is active; you may delete individual documents at any time
- Extracted data and embeddings — retained while your account is active
- Server logs — retained for 90 days
- Billing records — retained for 7 years as required by tax law
6. Third-Party Processors
We use the following sub-processors to deliver the Service:
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure (OpenAI Service) | Document extraction (GPT-4o), embeddings | US |
| Supabase | Authentication, database, file storage | US |
| Stripe | Payment processing | US |
| Microsoft Azure (App Service) | Application hosting | US (Central) |
| Cloudflare | DNS, DDoS protection | Global |
Documents sent to Azure OpenAI are processed under Microsoft's data processing terms. Azure OpenAI does not use customer data to train or improve models. See Microsoft's data privacy documentation.
7. Your Rights
GDPR Rights (EEA/UK/Switzerland)
You have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — restrict processing of your personal data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
To exercise these rights, email privacy@aclearly.com. We respond within 30 days.
CCPA Rights (California Residents)
California residents have the right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information
- Opt out of the sale of personal information — we do not sell personal information
- Non-discrimination for exercising privacy rights
8. International Data Transfers
Your data may be transferred to and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement where applicable.
9. Cookies
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication session | Session |
| sb-refresh-token | Authentication refresh | 7 days |
We do not use third-party advertising or analytics cookies.
10. Security
- All data transmitted over TLS 1.2+
- Documents encrypted at rest in Supabase Storage
- Database access restricted by Row Level Security (RLS) policies
- Azure Front Door WAF for application-layer protection
- Authentication via Supabase Auth with secure token handling
11. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 30 days before they take effect.
13. Contact
For privacy questions, data requests, or complaints:
Email: privacy@aclearly.com
If you are in the EEA and believe your data protection rights have not been addressed, you have the right to lodge a complaint with your local supervisory authority.