Privacy Policy

Introduction

Claiv ("we," "us," or "our") operates claiv.io and echo.claiv.io (collectively, the "Platform"), including CLAIV Memory, our Context as a Service API platform, and CLAIV Echo, our multi-model AI chat application. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform and services.

By using Claiv, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Platform.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

• Full name
• Email address
• Password (encrypted and hashed)
• Company or business name

API Usage Information:

• Projects created and configured
• API keys generated and managed
• Events ingested via the API
• Recall queries submitted
• Forget requests processed
• Memory blocks stored and retrieved

API Data:

• Events ingested via /v6/ingest endpoint
• Recall queries and responses
• Forget requests and deletion receipts
• Extracted facts and context data

Payment Information:

• Billing name and address
• Payment method details (processed securely by Stripe)
• Transaction history
• Subscription plan details

Communications:

• Support inquiries and correspondence
• Feedback and feature requests
• Email communication preferences

Usage Preferences:

• Project configurations
• API key preferences
• Notification settings

1.2 Information Collected Automatically

Usage Data:

• Pages visited and features used
• Time spent on the Platform
• API request usage
• API endpoint usage patterns
• Browser type and version
• Device information
• Operating system
• IP address
• Referring website addresses

Cookies and Tracking Technologies:

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See our Cookie Policy for detailed information.

2. How We Use Your Information

2.1 To Provide and Improve Our Services (Legal Basis: Performance of Contract)

• Deliver Context as a Service API functionality
• Process and store memory events
• Process and manage your subscription
• Process ingest, recall, and forget API requests
• Maintain multi-tenant data isolation
• Process payments and send transaction confirmations
• Provide customer support and respond to inquiries

2.2 For Legitimate Business Interests (Legal Basis: Legitimate Interest)

• Analyze usage patterns to improve our Platform
• Conduct research and development for new features
• Detect, prevent, and address fraud and security issues
• Monitor and analyze Platform performance
• Debug and fix technical issues
• Ensure Platform stability and security
• Improve API performance and reliability

2.3 With Your Consent (Legal Basis: Consent)

• Send marketing and promotional communications
• Display personalized content and recommendations
• Use analytics cookies and similar technologies for non-essential tracking

2.4 To Comply with Legal Obligations (Legal Basis: Legal Obligation)

• Comply with applicable laws and regulations
• Respond to legal requests and prevent harm
• Enforce our Terms of Service
• Protect our rights and property

3. How We Share Your Information

3.1 Third-Party Service Providers

We share your information with trusted third-party service providers who process data on our behalf:

Payment Processing:

• Stripe - Processes subscription payments and manages billing information. Stripe is PCI-DSS compliant. Stripe Privacy Policy

Database and Hosting:

• Neon - Provides PostgreSQL database hosting for storing account and API data. Neon Privacy Policy
• Replit - Hosts our application infrastructure. Replit Privacy Policy

Analytics:

• Google Analytics - Tracks Platform usage and performance metrics using cookies. Google Privacy Policy

Marketing and Advertising:

• Meta (Facebook/Instagram) - For social media advertising and analytics. Meta Privacy Policy
• TikTok - For social media advertising and analytics. TikTok Privacy Policy
• LinkedIn - For social media advertising and analytics. LinkedIn Privacy Policy
• Twitter/X - For social media advertising and analytics. X Privacy Policy

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify. We have data processing agreements in place with all processors handling EU/UK personal data.

3.2 Business Transfers

In connection with any merger, sale of company assets, financing, acquisition, or similar transaction, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Platform of any such change in ownership or control of your personal information.

3.3 Legal Requirements

We may disclose your information when required by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Government or regulatory requests
• Protection of our rights, privacy, safety, or property
• Prevention of fraud or illegal activities
• Enforcement of our Terms of Service

3.4 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, and Platform improvement purposes.

4. International Data Transfers

Claiv is based in the United Kingdom. However, some of our service providers (including Stripe, Google, and Replit) are based in the United States and other countries outside the UK and European Economic Area (EEA).

When we transfer your personal information internationally, we ensure appropriate safeguards are in place:

For transfers to the United States:

• Standard Contractual Clauses (SCCs) - We use European Commission-approved SCCs with our US service providers
• EU-U.S. Data Privacy Framework - Some providers (including Google) are certified under the Data Privacy Framework
• Contractual protections - All providers must maintain equivalent data protection standards

Your Rights: These transfers do not affect your data protection rights under UK GDPR or EU GDPR.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

Technical Measures:

• Encryption in transit (TLS/SSL)
• Encryption at rest for databases
• Secure password hashing (bcrypt/Argon2)
• Regular security audits and vulnerability assessments
• Intrusion detection and prevention systems
• Secure API authentication and authorization

Organizational Measures:

• Access controls and role-based permissions
• Employee confidentiality agreements
• Regular security training
• Incident response procedures
• Data minimization practices

Note: While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

Active Accounts:

We retain your personal information for as long as your account is active and as needed to provide our services.

Account Deletion:

• When you delete your account, we delete your personal information within 30 days unless we're required to retain it for legal, regulatory, or legitimate business purposes.
• API data and memory blocks are permanently deleted within 30 days of account deletion.
• Billing records may be retained for up to 7 years for tax and accounting purposes as required by law.

Backup Systems:

Deleted data may persist in backup systems for up to 90 days before being permanently purged.

Aggregated Data:

We may retain aggregated or anonymized data indefinitely for analytics and research purposes.

7. Your Privacy Rights

Your rights vary depending on your location. We respect and facilitate the exercise of all applicable rights.

7.1 Rights for UK and EU Users (GDPR)

You have the right to:

• Right to Access: Obtain confirmation of whether we process your personal data and request a copy of your data.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data when no longer necessary, you withdraw consent, you object to processing, or data was unlawfully processed.
• Right to Restriction of Processing: Request limitation of processing when you contest data accuracy, processing is unlawful, or you've objected to processing.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw consent at any time where consent is the legal basis.
• Right to Lodge a Complaint: File a complaint with your local data protection authority (UK: ICO).

7.2 Rights for California Users (CCPA/CPRA)

California residents have the right to:

• Right to Know: Request disclosure of categories and specific pieces of personal information collected.
• Right to Delete: Request deletion of personal information (subject to certain exceptions).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: Opt-out of the "sale" or "sharing" of personal information. Note: We do not sell or share your personal information.
• Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment.

7.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: [email protected]
• Subject Line: "Privacy Rights Request"

We will respond to your request within 30 days (or as required by applicable law).

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our Platform. For detailed information about our use of cookies, please see our Cookie Policy.

Types of Cookies We Use:

• Strictly Necessary Cookies: Essential for Platform functionality
• Analytics Cookies: Help us understand how you use the Platform (Google Analytics)
• Functional Cookies: Remember your preferences and settings
• Advertising Cookies: Deliver relevant advertisements (with your consent)

Your Choices:

• You can control cookies through our cookie consent banner
• You can manage cookie preferences in your browser settings
• You can opt-out of Google Analytics using the Google Analytics Opt-out Browser Add-on

9. Children's Privacy

CLAIV Memory is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected]. We will delete such information from our systems within 30 days.

10. API and Data Processing Privacy Considerations

10.1 CLAIV Echo Chat Data

When you use CLAIV Echo (echo.claiv.io), we process the following data to deliver the service:

• Chat messages you send and receive, including the AI model used and conversation context
• Model selection, online search mode, and other per-message settings
• Echo Token (ET) consumption per message for billing and plan enforcement
• Project workspace configurations and per-project instructions you create
• Images generated through CLAIV Echo image generation features
• Memory data stored via the CLAIV Memory API on your behalf

Important: Your chat messages are transmitted to third-party AI model providers (OpenAI, Anthropic, Google, and others) to generate responses. We do not sell your conversation data. We do not use your conversations to train AI models unless you explicitly opt-in.

10.2 Processing of Your CLAIV Memory API Data

Your API data, including ingested events, recall queries, and memory blocks, is processed by the CLAIV Memory backend. This processing occurs to:

• Process and store ingested memory events
• Respond to recall and forget API requests
• Maintain context data across your projects
• Ensure multi-tenant data isolation and security

Important: CLAIV Memory processes and stores data as provided. Always ensure that data ingested through the API does not contain sensitive information beyond what is necessary for your use case.

10.3 Data Processing and Improvement

Your Data and Platform Improvement:

• We do not use your API data to train third-party AI models unless you explicitly opt-in.
• Your data is stored with strict multi-tenant isolation to prevent cross-project or cross-account access.
• We may use aggregated, anonymized usage patterns to improve our API platform and infrastructure.

10.4 Human Review

We may review a limited sample of API interactions for:

• Quality assurance and Platform improvement
• Customer support resolution
• Safety and abuse prevention
• Debugging technical issues

When human review occurs, we minimize access to personal information and maintain strict confidentiality.

11. Third-Party Links and Services

Our Platform may contain links to third-party websites, services, or resources not operated by Claiv. We are not responsible for the privacy practices of these third parties.

Recommendation: Review the privacy policies of any third-party services before providing your personal information.

12. Marketing Communications

12.1 Types of Communications

With your consent, we may send you:

• Product updates and new feature announcements
• Tips for using CLAIV Memory effectively
• Memory blocks and context data best practices
• Special offers and promotions
• Newsletters and blog updates

12.2 Opting Out

You can opt-out of marketing communications at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your email preferences in your account settings
• Contacting us at [email protected]

Note: You cannot opt-out of transactional or service-related emails (account notifications, billing confirmations, security alerts, etc.).

13. Do Not Track Signals

Some web browsers have a "Do Not Track" (DNT) feature. Currently, there is no industry standard for how to respond to DNT signals. We do not currently respond to DNT browser signals.

We do, however, honor opt-out preferences set through our cookie consent banner and respect Global Privacy Control (GPC) signals where legally required.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Legal, regulatory, or operational requirements
• New features or services

Notification of Changes:

• Material Changes: We will notify you via email or prominent notice on the Platform at least 30 days before changes take effect.
• Non-Material Changes: We will update the "Last Updated" date at the top of this policy.

Your Rights: Continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy. If you disagree with changes, you may delete your account.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

• Email: [email protected]
• Subject Line: "Privacy Inquiry"

Data Protection Inquiries: For specific data protection questions, please use the subject line "Data Protection Request."

Response Time: We aim to respond to all privacy inquiries within 5 business days.

16. Supervisory Authority Contact Information

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

United Kingdom:

• Organization: Information Commissioner's Office (ICO)
• Website: https://ico.org.uk/
• Phone: 0303 123 1113

European Union:

Find your local supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

California (USA):

• Organization: California Attorney General's Office
• Website: https://oag.ca.gov/privacy