Privacy Policy

Last updated on September 10, 2025

1. Introduction: Our Commitment to Your Privacy

Welcome to Clareo App. This Privacy Policy explains how Clareo App (“we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use our decision-tracking web application (the “Service”). Our mission is to provide you with a powerful tool to understand and improve your decision-making process. The nature of this service means you will be entrusting us with information that is deeply personal, and we take that responsibility with the utmost seriousness.

This policy is designed to be a comprehensive guide to our data practices, written in clear and plain language to ensure you are fully informed and empowered. We are committed to upholding the highest standards of data protection, in full compliance with the European Union’s General Data Protection Regulation (GDPR), regardless of where you are located.

We believe that privacy is not just a legal requirement but a fundamental right and a core feature of our Service. You are in control of your data. This policy will detail what data we collect, why we need it, how we use it, and, most importantly, the rights and tools you have to manage it. We encourage you to read this document carefully to understand our commitment to protecting your privacy and how you can exercise your rights.

2. Who We Are and How to Contact Us (The Data Controller)

Under the GDPR, the “Data Controller” is the entity responsible for your personal data — the one that determines the purposes and means of processing that data. For the Service provided by Clareo App, the Data Controller is an individual developer based in Dublin, Ireland (operating as a sole proprietor and not a registered company). You can contact this person (the Data Controller) at clareoapp@gmail.com for any privacy-related matters.

As we are established in Ireland, our lead supervisory authority for data protection is the Irish Data Protection Commission (DPC). You have the right to lodge a complaint with them at any time.

3. The Personal Data We Collect

To provide and improve our Service, we collect certain personal data. We are committed to the principle of data minimization, meaning we only collect data that is adequate, relevant, and strictly necessary for the purposes outlined in this policy. The data we collect can be categorized as follows:

A. Information You Provide Directly to Us

This is data that you actively and voluntarily submit when using our Service:

  • Account Registration Data: When you create an account, we collect information to identify you and secure your access.
    • Email and Password Registration: If you sign up directly, we collect your email address. We do not store your password in a readable format; instead, we store a secure, cryptographically salted and hashed version of it.
    • Google Sign-In: If you choose to register or log in using your Google account, we receive a limited set of data from Google, which you authorize during the sign-in process. This data is strictly limited to your name, email address, and profile picture. We do not receive your Google account password or any other information from your Google account.
  • Decision Log Data: This is the core data you create within the application. It includes all the text, answers to questions, and any other information you enter into the decision-logging modals. This data is personal to you and may, depending on what you choose to write, include special categories of personal data (e.g., information about health, beliefs, etc.) as defined by the GDPR. We treat all Decision Log Data with the highest level of security and confidentiality.
  • User-Generated Content: This includes the content of any custom decision templates you create and save within the application. This content is visible only to you.
  • Communications Data: When you contact us for customer support, provide feedback, or make any other inquiry, we collect the content of those communications, along with your name and email address, to respond to you effectively.
  • Payment Information (Subscriptions): If you choose to purchase a subscription or other paid service (in the future when available), you may provide payment details such as your name, billing address, and payment information. This data is collected to process your transaction. Please note that we do not store full payment card details on our servers; any payment information will be processed securely by our third-party payment processor (e.g., Stripe) on our behalf.

B. Information We Collect Automatically

This is technical data generated automatically as you interact with our Service:

  • Technical and Usage Data: To ensure the security, stability, and proper functioning of our Service, we automatically collect certain technical information. This includes your Internet Protocol (IP) address, browser type and version, operating system, device information, and basic aggregated usage analytics (such as login frequency and features used). This data is essential for diagnosing technical issues, preventing fraudulent activity, and ensuring the integrity of our platform.
  • Analytics and Marketing Data: We use third-party analytics and marketing tools (such as Google Analytics and related services) to collect information about how you navigate and use our Service. This includes metrics like pages visited, features used, time spent on the site, and interactions with content. These tools may set cookies or similar technologies on your device. With your consent, this information may also be combined with data from other sites and services you visit in order to build a profile of your interests and deliver relevant advertising (sometimes called “cross-site tracking”).

4. How and Why We Use Your Data (Our Purposes and Lawful Bases)

Under the GDPR, every data processing activity must be justified by a specific purpose and a corresponding lawful basis. We are transparent about why we process your data and our legal grounds for doing so. The principles of Purpose Limitation and Lawfulness, Fairness, and Transparency are fundamental to our operations.

The table below provides a clear overview of our data processing activities, the types of data involved, and the lawful basis under Article 6 of the GDPR that we rely upon for each activity. This structured approach ensures you can easily understand how your data is used in a concise and intelligible format, as required by law.

Overview of Processing Activities

Purpose of ProcessingTypes of Data UsedLawful Basis under GDPR
To create and manage your account and provide the core decision-tracking serviceAccount Registration Data, Decision Log Data, User-Generated ContentArt. 6(1)(b) GDPR – Performance of a contract: We need this data to provide the Service you signed up for.
To suggest relevant tags for your decisions using our AI featureThe text content from your Decision Log Data fields that you choose to analyze.Art. 6(1)(a) GDPR – Consent: We will ask for your explicit, separate consent before sending any of your data to our AI service provider for this purpose. This is an optional feature.
To allow you to sign in using your Google AccountYour name, email address, and profile picture from your Google AccountArt. 6(1)(a) GDPR – Consent: You provide this consent directly to Google when you choose to use this sign-in method.
To maintain the security of our application, prevent fraud, and troubleshoot technical issuesTechnical and Usage Data, Account Registration DataArt. 6(1)(f) GDPR – Legitimate Interest: We have a legitimate interest in protecting our Service and our users from security threats and ensuring the application functions correctly.
To respond to your support requests and other communicationsAccount Registration Data, Communications DataArt. 6(1)(b) GDPR – Performance of a contract: Responding to your requests is part of providing our Service to you.
To send you product updates and marketing communications (optional)Email address (used for account)Art. 6(1)(f) GDPR – Legitimate Interests: We have a legitimate interest in informing our users about new features or offers related to the Service. You can opt out of these communications at any time, and we will only send such emails where permitted by applicable law or with your consent (Art. 6(1)(a)).
To analyze usage of our Service and improve performance (Analytics)Technical and Usage Data (Analytics Data, cookies)Art. 6(1)(a) GDPR – Consent: We only collect and use analytics data with your consent (e.g., via our cookie consent). This helps us understand how the Service is used and improve it.
To process payments and subscriptions (when you opt for a paid plan)Account Registration Data, Payment InformationArt. 6(1)(b) GDPR – Performance of a contract: This data is necessary to process your payments and provide the paid service. We also rely on Art. 6(1)(c) GDPR – Legal Obligation to retain transaction records as required by financial regulations.

5. A Deeper Look: AI Tag Suggestions and Automated Processing

One of the innovative features of Clareo App is the ability to receive AI-generated suggestions for tags to help you categorize and analyze your decisions. We are committed to being fully transparent about how this feature works and how your data is handled in the process. This constitutes a form of automated processing, and under Articles 13 and 22 of the GDPR, you have the right to receive meaningful information about the logic involved, its significance, and its consequences.

  • What This Feature Is: This is an entirely optional tool designed to enhance your experience. It analyzes the text of your decision log and suggests relevant keywords or “tags” that you might find useful for organization.
  • How It Works: When you explicitly choose to use this feature for a specific decision, the text you have written in the relevant input fields is securely transmitted via an encrypted API call to our third-party AI service provider. Their Large Language Model (LLM) processes this text solely to identify and generate relevant tags, which are then sent back to our application and presented to you as suggestions.
  • Data Minimization in Practice: We are fundamentally committed to the principle of data minimization. In line with this, we only send the minimum amount of text necessary from your decision log to the LLM to generate useful tags. We do not send your account information, IP address, or any other identifying metadata along with this request. We also take steps to anonymize or pseudonymize personally identifiable information (PII) before transmission where feasible, further reducing privacy risks.
  • Your Data Is Not Used for AI Model Training: A primary concern with AI services is the potential for user data to be used to train the underlying models. We have a robust Data Processing Agreement (DPA) with our AI service provider that contractually prohibits them from using any data sent from our Service to train, retrain, or improve their AI models. Your data is processed only to fulfill the immediate request and is not retained by the provider for any other purpose beyond a short, contractually defined period for abuse monitoring.
  • Significance and Consequences for You: The processing is automated, but its output is purely a suggestion. You retain full human control at all times. You can review, accept, edit, or completely reject the tags suggested by the AI. This process does not result in any decisions that produce legal effects concerning you or similarly significantly affect you. Its sole purpose is to serve as a helpful organizational assistant, and it has no binding impact. This ensures that our use of this technology aligns with the safeguards outlined in Article 22 of the GDPR concerning automated individual decision-making.

6. Who We Share Your Data With (Third-Party Recipients)

We do not sell your personal data. However, to provide our Service, we rely on a small number of trusted third-party service providers who process data on our behalf. We only share the minimum data necessary and have legally binding agreements (Data Processing Agreements) in place with each provider to ensure they protect your data to the same high standards we do. The categories of these recipients are:

  • Authentication Provider: For users who choose to log in with Google, we share data with Google LLC. As described previously, this is limited to confirming your identity and receiving your name, email, and profile picture upon your authorization. Our use of this service is governed by Google’s Privacy Policy and our strict adherence to their API Services User Data Policy, which requires transparency and data minimization.
  • AI Service Provider: To provide the optional AI Tag Suggestion feature, we share the anonymized or pseudonymized text from your decision logs with Google LLC. As detailed in Section 5, this sharing is subject to your explicit consent and is governed by a strict DPA that protects the confidentiality and security of your data and prohibits its use for model training.
  • Analytics and Marketing Services: We use Google Analytics and related Google services (provided by Google LLC) to collect usage statistics, understand user behavior, and support marketing activities (such as measuring the effectiveness of campaigns and delivering more relevant ads). This means that some data (such as your IP address, device identifiers, and usage information) may be shared with Google when analytics or marketing cookies are enabled.
    • This data is collected and shared only with your consent (see Section 11 on Cookies). You can withdraw your consent at any time through our cookie banner, browser settings, or Google’s own opt-out tools (such as the Google Analytics opt-out browser add-on or Google Ads settings).
    • While Google provides us with aggregated reports, Google may also use this data in accordance with its own Privacy Policy, including for advertising and cross-site tracking purposes.
  • Infrastructure and Hosting Providers: Our application, including its databases, is hosted on secure cloud infrastructure provided by Google LLC and MongoDB. These providers are responsible for the physical and network security of the servers that store your data. All data is stored in an encrypted format, and the provider does not have access to the plaintext content.
  • Payment Processor: If you make a purchase or subscribe to a paid plan, payments are processed through Stripe, Inc. We do not store or process your credit card details on our servers; these are handled directly by Stripe via their secure payment system. We share only the necessary information with Stripe (such as your email address or a transaction ID to link the payment to your account). Stripe is a PCI-DSS compliant service provider, and we have an agreement in place to ensure your payment data is handled safely and in accordance with privacy laws. Any personal data processed by Stripe is subject to their privacy policy and applicable data protection laws.
  • Legal and Regulatory Obligations: In rare circumstances, we may be required to disclose your personal data if compelled to do so by law, a court order, or a valid and binding request from a law enforcement or public authority. We will only do so after carefully reviewing the legality of the request and will only disclose the minimum data necessary to comply.

7. International Data Transfers

Our Service is available globally, and to provide it, we use service providers who may be located in countries outside of the European Economic Area (EEA), such as the United States (where some of our service providers like Google and Stripe are based). Consequently, when you use our Service, your personal data may be transferred to, stored, and processed in these countries, which may have different data protection laws than those in your country of residence.

The GDPR places strict rules on the transfer of personal data outside the EEA to ensure that the high level of protection it affords is not undermined. We take all necessary steps to ensure that any international data transfer is lawful and that your data remains protected to the standards required within the EEA.

The primary legal mechanism we rely on to safeguard these transfers is the use of Standard Contractual Clauses (SCCs). These are model data protection clauses approved by the European Commission and incorporated into our contracts with our third-party service providers. By signing these clauses, the data importer (e.g., our U.S.-based providers) makes a binding commitment to protect your personal data in accordance with EU data protection standards. This ensures that your data receives an equivalent level of protection, no matter where it is processed.

8. Data Security

We are deeply committed to the GDPR principle of “Integrity and Confidentiality”. We have implemented appropriate technical and organizational security measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our approach is grounded in the principles of Security by Design and by Default, meaning we build security and privacy considerations into our systems from the outset. Our security measures include:

  • Encryption: We use industry-standard Transport Layer Security (TLS/SSL) to encrypt all data in transit between your device and our servers, protecting it from interception. All of your data, including Decision Log Data and User-Generated Content, is also stored in an encrypted format at rest on our servers, rendering it unreadable without the appropriate cryptographic keys.
  • Access Controls: We enforce strict access control policies within our organization. Access to your personal data is limited to a small number of authorized personnel who have a legitimate business need to access it, such as for providing technical support or maintaining the system. All such access is logged and monitored.
  • Secure Development Practices: We follow a secure software development lifecycle, which includes regular code reviews, vulnerability scanning, and timely application of security patches to our systems and their dependencies to protect against known threats.
  • Password Security: As stated earlier, we never store your password in a readable format. We use strong, industry-standard one-way hashing and salting algorithms to protect your account credentials.
  • Data Breach Response Plan: We have a formal incident response plan in place to promptly detect, investigate, and respond to any potential data breaches. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority (the Irish DPC) without undue delay, as required by Articles 33 and 34 of the GDPR.

9. Data Retention and Deletion

In line with the GDPR’s Storage Limitation principle, we are committed to not keeping your personal data for longer than is necessary for the purposes for which it was collected. Our retention policy is simple and user-centric:

  • General Retention Period: We retain your personal data for as long as you maintain an active account with our Service. We hold your data to provide you with the Service you have requested, and this purpose remains valid as long as your account exists.
  • User-Controlled Deletion: You have complete and granular control over your data.
    • Individual Item Deletion: You can delete individual decision logs or custom templates at any time through the application interface. This action is immediate and irreversible on our live systems.
    • Full Account Deletion: You can delete your entire account at any time from your account settings. This action is also immediate and irreversible. It will permanently erase all your Account Registration Data, all Decision Log Data, and all User-Generated Content from our live systems. (There is no recovery process.)
  • Data in Secure Backups: For security and business continuity, we maintain secure, isolated backups of our systems to protect against catastrophic data loss. While deletion from our live systems is immediate, residual copies of your data may remain in these encrypted backup archives for a limited period (up to 30 days) before they are automatically erased as part of our standard backup rotation. These backups are strictly for disaster recovery purposes and are not used for any other processing. The data within them is considered “beyond use” and will not be restored to live systems except in a disaster recovery scenario. This approach balances your right to erasure with technical realities and the legitimate need for robust backups.
  • Inactive Accounts: To ensure we do not hold data indefinitely, we have a policy for inactive accounts. If an account has no recorded activity for a continuous period of 24 months, we will send a notification to the registered email address. If there is no response or activity within 30 days of the notification, we will consider the account abandoned and will permanently delete the account and all associated personal data.

10. Your Data Protection Rights

Under the GDPR, you have a comprehensive set of rights over your personal data. We are fully committed to enabling you to exercise these rights easily and effectively. Your rights include:

  • The Right to be Informed (Articles 13 & 14 GDPR): You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and about your rights. This Privacy Policy is the primary means by which we fulfill this obligation.
  • The Right of Access (Article 15 GDPR): You have the right to obtain access to your personal data (if we are processing it) and to certain other information (similar to that provided in this Privacy Policy). This is so you are aware of and can verify that we are using your information in accordance with data protection law. You can request a copy of your data by contacting us at clareoapp@gmail.com.
  • The Right to Rectification (Article 16 GDPR): You are entitled to have your personal data corrected if it is inaccurate or incomplete. You can update your core Account Registration Data (such as your email) directly within your account settings. For any other corrections, please contact us.
  • The Right to Erasure (Article 17 GDPR): Also known as the “right to be forgotten,” this enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. As detailed in Section 9, you can exercise this right at any time by deleting individual items or your entire account through the Service interface. This is a fundamental right (not a conditional one) for the data you have entrusted to us.
  • The Right to Restrict Processing (Article 18 GDPR): You have the right to “block” or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your data but not use it further. This might apply, for example, while we verify the accuracy of data you have contested.
  • The Right to Data Portability (Article 20 GDPR): You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy, or transfer your personal data easily from our IT environment to another in a safe and secure way, without affecting usability. This right applies to data you have provided to us where the processing is based on your consent or on the performance of a contract, and when processing is carried out by automated means.
  • The Right to Object (Article 21 GDPR): You have the right to object to certain types of processing, specifically processing based on our legitimate interests (such as for security monitoring or analytics). This includes the absolute right to object to the use of your personal data for direct marketing purposes; if you object to direct marketing, we will stop using your data for that purpose immediately. If you object, we must stop processing the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
  • Rights in Relation to Automated Decision-Making and Profiling (Article 22 GDPR): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on you. As explained in Section 5, our use of AI for tag suggestions does not fall into this category, as it is a non-binding, optional tool that you fully control.
  • The Right to Withdraw Consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time (per Article 7(3) GDPR). Withdrawing consent will not affect the lawfulness of processing that occurred before your withdrawal. For example, you can withdraw your consent for receiving marketing emails or for optional features like analytics cookies or AI tag suggestions by contacting us or using the provided opt-out mechanisms.

How to Exercise Your Rights: For actions like rectification of account details and erasure of your data (or your entire account), we provide self-service tools in your account settings for immediate effect. For other requests, such as data access or portability, please contact us at clareoapp@gmail.com. We will respond without undue delay and at the latest within one month of receiving your request, as required by law.

Right to Lodge a Complaint: If you have concerns about how we handle your personal data, you have the right to lodge a complaint with your national data protection authority. As we are based in Ireland, our lead supervisory authority is the Irish Data Protection Commission (DPC). You can find their contact details on their official website.

Cookies are small text files stored on your device when you visit a website. We use cookies to ensure our Service functions properly and to help us improve it through analytics (with your consent).

  • Types of Cookies We Use:
    • Strictly Necessary Cookies: These cookies are essential for the operation of our Service. For example, we use session cookies to keep you logged in as you navigate, and security cookies to protect your account and maintain the integrity of our platform. These cookies may be temporary or persistent as required, and without them the Service may not function correctly.
    • Analytics Cookies: We use analytics cookies (for example, through Google Analytics) to understand how users interact with our Service — such as which pages are visited, how often, and how long users stay. This helps us improve the Service. Analytics cookies are only set with your consent.
    • Marketing/Advertising Cookies: We use marketing cookies to deliver more relevant content and measure the effectiveness of our marketing campaigns. For example, these cookies may allow us (or our service providers, like Google) to show you relevant ads on other websites or platforms. Marketing cookies are only set with your consent.

When you first visit our Service, you will be presented with a cookie banner that allows you to accept or decline non-essential cookies (analytics and marketing). You can change your preferences at any time by revisiting the cookie settings on our site or adjusting your browser settings to block or delete cookies.

If you disable non-essential cookies, you can continue to use the core functionality of our Service, but some features (like personalized content or marketing) may not work as intended.

12. Children’s Privacy

Our Service is not intended for or directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. Additionally, in compliance with the United States Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from anyone under 13 years of age. If we become aware that a child under 16 has provided us with personal data without verifiable parental consent, we will take steps to delete such information from our files immediately. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us at clareoapp@gmail.com so we can investigate and take prompt action.

13. Changes to This Privacy Policy

The world of data protection is constantly evolving. We may need to update this Privacy Policy from time to time to reflect changes in our Service, our data processing activities, or applicable law.

The “Last updated” date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically for any updates. If we make material changes that significantly affect how we handle your personal data, we will provide you with prominent notice (for example, by sending an email to the address associated with your account or by placing a notice within the Service). Where required by law, we will obtain your consent before applying material changes to how we process your personal data.