1. Introduction
Claro ("we," "us," or "our") operates an AI-powered customer support platform for e-commerce businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, website, and related services (collectively, the "Service").
In this policy, "merchant" refers to businesses that use Claro to manage customer support, and "end-customer" refers to the customers of those merchants whose communications are processed through Claro.
We recommend that you read this policy in full. If you have questions, contact us at hello@useclaro.io.
2. Data We Collect from Merchants
When you create an account and use Claro, we collect the following categories of information:
Account Information
- Email address, full name, and password (hashed and managed by Supabase Auth; we never store plaintext passwords)
- Organization details: company name, domain, website URL, industry, and team size
- Team member information: email, name, and role for users you invite to your organization
Billing Data
- Billing is managed through Stripe. We store a Stripe customer identifier to link your account; we do not store credit card numbers, CVVs, or full payment details on our servers
Cookies and Session Data
- Supabase authentication cookies (essential for maintaining your login session)
- Organization context cookie (claro_org_context) used to persist your selected workspace
- We do not use analytics, advertising, or tracking cookies
Audit Logs
- Records of actions taken within the platform (who, what, when), which may include IP addresses
3. Data We Process on Behalf of Merchants
When merchants connect their support channels and commerce platforms to Claro, we process the following end-customer data as a data processor acting on the merchant's instructions:
End-Customer Personal Information
- Name, email address, phone number, and avatar/profile image
Conversations and Messages
- Full message content, including HTML formatting, email headers, and file attachments
- Images attached to support tickets may be analyzed by AI for purposes such as product damage assessment
Commerce Data
- Order information, fulfillment details, and tracking data synced from connected e-commerce platforms (e.g., Shopify)
AI-Generated Data
- Intent classifications and confidence scores
- Draft responses generated by AI and any corrections made by human agents
- Customer abuse scores and behavioral memory summaries
- Shadow mode logs, learning events, and action audit trails
4. Data Collected from Merchant Websites
At the merchant's direction, Claro may scrape publicly available pages from the merchant's own website (such as return policies, FAQ pages, and shipping information) for knowledge base ingestion. This data is used solely to train the AI to respond accurately on behalf of that merchant and is not shared with other merchants.
5. AI Processing and Automated Decision-Making
Claro uses artificial intelligence to process customer communications. This is central to our service and includes:
- Intent classification: automatically categorizing incoming messages to determine customer needs
- Response generation: drafting replies based on merchant policies, knowledge base content, and conversation history
- Image analysis: customer-attached images may be sent to our AI provider (Google Gemini) for automated assessment, such as evaluating product damage claims
- Abuse detection: scoring customer interactions to identify patterns of abuse or fraud, helping merchants protect their businesses
- Cross-conversation memory: Claro maintains contextual memory about customers across conversations to provide consistent, informed support
Under GDPR Article 22, these processes may constitute automated decision-making. Merchants are responsible for providing appropriate notice to their end-customers and ensuring a lawful basis for this processing. Claro provides configurable guardrails, shadow mode, and human review features to support merchant compliance.
6. Sub-Processors
We use the following third-party sub-processors to deliver the Service:
- Supabase: authentication and database hosting (PostgreSQL)
- Google Cloud / Gemini: AI model provider for intent classification, response generation, and image analysis
- Vercel: application hosting and edge network
- Stripe: billing and payment processing
- Resend: transactional email delivery
- Inngest: background job processing
- Typesense: search indexing
- Upstash: rate limiting (Redis)
Additionally, merchants may connect their own third-party integrations (such as Shopify, Gmail, Outlook, Slack, Meta, HubSpot, Salesforce, Klaviyo, Zendesk, and others). Data flows through these integrations at the merchant's direction; Claro acts as a processor for this data.
7. Data Security
We implement the following security measures to protect your data:
- Encryption at rest: all integration credentials (OAuth tokens, API keys) are encrypted using AES-256-GCM with scrypt-based key derivation
- Encryption in transit: all data transmitted between your browser and our servers is protected by TLS encryption
- Multi-tenant isolation: all data queries are scoped by organization at the application layer, with tenant identifiers derived from authenticated sessions
- Credential management: OAuth tokens are encrypted at rest, decrypted only in memory at time of use, and automatically refreshed
- Rate limiting: per-tenant sliding window rate limiting to prevent abuse
For more details on our security posture, visit our Security page.
8. Data Retention
- Conversation data: retained while your account is active and for a reasonable period thereafter to fulfill our obligations
- Audit logs: retained for a minimum of 12 months
- Account data: retained while your account is active
Upon account termination, you will have a 30-day window to export your data. After this window, we will delete your data from our active systems within a commercially reasonable timeframe. Copies may persist in encrypted backups for a limited period before automatic expiry.
9. International Data Transfers
Our sub-processors are primarily based in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States.
We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers, ensuring that your data receives an adequate level of protection regardless of where it is processed.
10. Children's Privacy
Claro's Service is not directed at children under the age of 13 and we do not knowingly collect personal information from children under 13. Merchants are responsible for ensuring their own compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent regulations with respect to their end-customers. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at hello@useclaro.io.
11. Your Rights Under GDPR
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your personal data, subject to legal retention obligations
- Right to data portability: receive your data in a structured, commonly used, machine-readable format
- Right to object: object to processing based on legitimate interests, including automated decision-making
- Right to restriction: request that we limit processing of your data in certain circumstances
For end-customer data processed on behalf of merchants, the merchant is the data controller and should be contacted directly. We will assist merchants in fulfilling such requests.
To exercise your rights, contact us at hello@useclaro.io.
12. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act provides you with the following rights:
- Right to know: request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete: request deletion of personal information we have collected
- Right to opt-out of sale: Claro does not sell personal information to third parties
We will not discriminate against you for exercising any of your CCPA rights. To submit a request, contact us at hello@useclaro.io.
13. No Sale of Personal Data
Claro does not sell, rent, or trade personal information to third parties. We do not use merchant or end-customer data for advertising purposes. Data is processed solely to provide and improve the Service as directed by merchants.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.
16. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@useclaro.io
This policy is provided for informational purposes. We recommend that merchants consult their own legal counsel to ensure compliance with applicable data protection laws.