Privacy & security
What we do with your data, and what we don't.
The short version: your data is yours, encrypted in transit, never sold, deletable on request. The longer version is below — and the DPA is the contract version.
Where data lives
Clearly runs on a global edge cloud. Each workspace is an isolated instance backed by SQLite. Files live in encrypted object storage. Auth + identity live in Firebase. AI inference runs on Vertex AI (Google) and OpenRouter — but transcripts are not retained by them.
Encryption
TLS 1.2+ in transit. Encryption at rest on every backend (object storage, Firebase, workspace storage). Sensitive secrets live in a dedicated secrets manager — not in code, not in logs.
Retention
Workspace data is retained as long as your account is active. On account deletion: a 30-day soft-delete grace, then a permanent purge across all sub-processors. Cancel within 30 days to restore.
Sub-processors
Our cloud infrastructure provider (hosting + storage), Google (auth + Vertex AI), Stripe (billing), Resend (email, Mailgun fallback), OpenRouter (secondary AI). Full list with a 30-day notice rule for changes is in the DPA.
GDPR rights
Self-serve export and deletion are available from Settings → Account. Larger exports or assisted deletions: email privacy@clearly.sh.
Reporting a vulnerability
Email security@clearly.sh. We acknowledge within 24 hours and respect responsible disclosure.