Privacy & security
What we do with your data, and what we don't.
The short version: your data is yours, encrypted in transit, never sold, deletable on request. The longer version is below — and the DPA is the contract version.
Where data lives
Clearly runs on Cloudflare Workers + Durable Objects. Each workspace is a single Durable Object backed by SQLite. Files live in Cloudflare R2. Auth + identity live in Firebase. AI inference runs on Vertex AI (Google) and OpenRouter — but transcripts are not retained by them.
Encryption
TLS 1.2+ in transit. Encryption at rest on every backend (Cloudflare R2, Firebase, Cloudflare DO storage). Sensitive secrets live in Cloudflare Secrets — not in code, not in logs.
Retention
Workspace data is retained as long as your account is active. On account deletion: a 30-day soft-delete grace period, then a permanent purge across all sub-processors. Cancel the deletion within 30 days to restore your account.
Sub-processors
Cloudflare (hosting + storage), Google (auth + Vertex AI), Stripe (billing), Mailgun (email), OpenRouter (secondary AI). The full list, with a 30-day notice rule for changes, is in the DPA.
GDPR rights
Self-serve export and deletion are available from Settings → Account. Larger exports or assisted deletions: email privacy@clearly.sh.
Reporting a vulnerability
Email security@clearly.sh. We acknowledge within 24 hours and respect responsible disclosure.