Privacy Policy
Effective date: March 10, 2026 · Last updated: March 11, 2026
1. Introduction
Clavisage ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights with respect to that information when you use our AI-powered study platform at clavisage.com.
By using Clavisage, you agree to the collection and use of information as described in this policy. This policy applies to all users of the Service regardless of location. We have written it to be compatible with applicable privacy laws including the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).
2. Information We Collect
Account Information (via Clerk)
When you create an account, we collect your email address, full name (optional), and profile image. If you sign in with Google, we also receive an OAuth token and any profile information you authorize Google to share. This data is managed by Clerk, our authentication provider.
Usage Data (via Supabase)
We store records of your study sessions including: the names of files you uploaded, the detected course type and course name, the study mode you used (flashcards, quiz, or spreadsheet), your quiz score, session duration, and the timestamp of each session. We also track your credit usage (monthly and daily counts), your subscription plan, and your Stripe customer ID.
Payment Data (via Stripe)
Subscription payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Clavisage does not store your payment card numbers, bank account information, or other sensitive payment details. We only store your Stripe customer ID and subscription status in our database.
File Content (Temporary Processing via OpenAI)
When you upload a file, we extract its text content and send a portion of that text to OpenAI's API to generate your study materials. This transmission is transactional:
- File content is not stored on Clavisage servers after your session ends
- File content is not used to train AI models (consistent with OpenAI's API data usage policies, which exclude API data from model training by default)
- Only the text portions needed for generation are transmitted — original files are not forwarded
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Provide, operate, and improve the Service
- Process subscription payments and manage billing
- Send account-related emails such as verification, password reset, and billing receipts
- Display your study history and track credit usage
- Enforce our Terms of Service and prevent abuse
- Respond to support requests
We do not sell your personal information. We do not use your information for advertising or marketing profiling.
4. Third-Party Service Providers
We share your information with the following third-party service providers only as necessary to provide the Service. Each provider has its own privacy policy governing how it handles data:
- Clerk (authentication) — clerk.com/privacy
- Supabase (database) — supabase.com/privacy
- Stripe (payments) — stripe.com/privacy
- OpenAI (AI generation) — openai.com/privacy
- Vercel (hosting) — vercel.com/legal/privacy-policy
We do not share your personal information with any other third parties without your consent, except where required by law.
5. Data Retention
We retain your account and usage data for as long as your account is active. If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance reasons (such as Stripe billing records, which are retained for up to 7 years per financial regulations).
Study session records are retained for up to 12 months. We may introduce automated data retention limits in the future and will notify you before doing so.
6. Data Security
We implement industry-standard security measures to protect your data, including HTTPS encryption for all data in transit, Supabase row-level security to ensure users can only access their own data, and Clerk-managed authentication tokens with secure session handling. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law, including within 72 hours where required by GDPR.
7. Your Privacy Rights
All Users
Regardless of your location, you have the right to access, correct, or request deletion of your personal data. To exercise these rights, email us at support@clavisage.com. We will respond to all requests within 30 days.
California Residents (CCPA)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information is collected about them and how it is used
- Request deletion of their personal information
- Opt out of the sale of personal information — Clavisage does not sell personal information
- Non-discrimination for exercising these rights
To exercise your CCPA rights, contact us at support@clavisage.com.
EU/EEA Residents (GDPR)
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restriction — request that we limit how we use your data
- Right to object — object to processing based on legitimate interests
Legal basis for processing: We process your personal data on the basis of contract performance (to provide the Service you signed up for), legitimate interests (including operating and improving the Service, detecting and preventing fraud or abuse, and ensuring platform security), and legal obligation (to comply with applicable laws).
To exercise your GDPR rights, contact us at support@clavisage.com. You also have the right to lodge a complaint with your local data protection authority. A list of EU DPAs is available at edpb.europa.eu.
As Clavisage does not have an establishment in the EU, we are evaluating our obligations under GDPR Article 27 regarding the designation of an EU representative.
8. Cookies
Clavisage uses cookies only for essential functionality — specifically, authentication session cookies managed by Clerk to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can disable cookies in your browser settings, but doing so will prevent you from staying signed in to the Service.
Because these cookies are strictly necessary for authentication, they do not require your prior consent under EU ePrivacy Directive rules. We disclose them here to keep you fully informed.
9. Children's Privacy
Clavisage is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information promptly. If you believe a child under 13 has created an account, please contact us at support@clavisage.com.
Users between 13 and 17 years of age may use the Service as described in our Terms of Service. We do not independently verify age or obtain parental consent directly; responsibility for obtaining and enforcing parental consent rests with the parent or guardian.
10. International Data Transfers
Clavisage is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. For users in the EU/EEA, this transfer occurs through our third-party sub-processors (Clerk, Supabase, Stripe, OpenAI, Vercel), each of which conducts such transfers under Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or equivalent transfer mechanisms recognized under applicable law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The updated policy will be posted at clavisage.com/privacy with a new "Last updated" date. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us at: support@clavisage.com
We are committed to working with you to resolve any concerns about your privacy in a fair and timely manner.