Privacy Policy
Last reviewed: 2026-04-23
This Privacy Policy explains how AL-IT Services (“we”, “us”, “Clariflow”) processes your personal data when you use https://clariflow.ai (the “Service”). It is written to comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data controller
AL-IT Services TBD
TBD TBD, Belgium
KBO/BCE: TBD · VAT: TBD
privacy@clariflow.app
We have not appointed a Data Protection Officer because we are not required to under GDPR Art. 37. For any privacy question, contact privacy@clariflow.app.
2. What we collect and why
2.1 Account & authentication
When you create an account, we store your email address, a hashed password (or OAuth identifier when you use Google/Microsoft sign-in), your locale, and your role. This is necessary to provide the Service (GDPR Art. 6(1)(b)).
2.2 Intake answers and generated reports
Your answers to the intake questionnaire (industry, team size, current tools, budget, regions, language preferences, and free-text descriptions) and the AI-generated reports derived from them are stored under your account. Legal basis: contract performance (Art. 6(1)(b)).
2.3 Operational logs and security data
We log IP address, user-agent, and request metadata for the duration needed to operate and secure the Service. Legal basis: legitimate interest in fraud prevention and platform integrity (Art. 6(1)(f)).
2.4 Analytics (with your consent)
If you accept analytics cookies, we load Google Analytics 4 with IP anonymisation enabled. Without your consent, no analytics scripts are loaded. Legal basis: consent (Art. 6(1)(a)).
2.5 Vercel Analytics (no personal data)
Vercel Analytics collects aggregated, cookieless page-view counts and Core Web Vitals. It does not set cookies, does not use cross-site identifiers, and IP addresses are hashed in-flight by Vercel; we therefore consider it as not processing personal data and rely on legitimate interest (Art. 6(1)(f)).
3. AI processing
The Service uses Large Language Models (“LLMs”) to extract structured data from your intake answers and to generate recommendation reports. The following providers may process your prompts depending on the model selected:
- Anthropic (Claude) — US, EU data residency available.
- OpenAI — US.
- Google (Gemini) — US/Global.
- Mistral — EU.
- Moonshot AI (Kimi) — China.
- DeepSeek — China.
You can opt out of any provider at any time in your account settings via the “excluded providers” preference; we will not send your prompts to a provider you have excluded. We do not allow our LLM providers to use your prompts to train their models. Where transfers to third countries occur (notably to the US and China), they rely on the EU Commission's adequacy decisions where applicable, on Standard Contractual Clauses (SCCs), and on supplementary technical measures. The use of Chinese providers carries elevated transfer risk; you can disable them in your settings.
4. Sub-processors
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase, Inc. | database | EU | link |
| Supabase Auth | auth | EU | link |
| Anthropic, PBC | llm | US | link |
| OpenAI, LLC | llm | US | link |
| Google LLC (Gemini) | llm | US | link |
| Mistral AI | llm | EU | link |
| Moonshot AI (Kimi) | llm | CN | link |
| DeepSeek | llm | CN | link |
| Resend | | US | link |
| Vercel, Inc. | hosting | Global | link |
| Google Analytics 4 (Google Ireland Ltd.) | analytics | EU | link |
| Vercel Analytics | analytics | Global | link |
5. International transfers
Personal data may be transferred outside the European Economic Area to the providers listed above. We rely on (i) European Commission adequacy decisions where available (e.g. EU-US Data Privacy Framework for participating US providers), and (ii) Standard Contractual Clauses, supplemented by technical measures such as transport encryption.
6. Retention
- Account data: until you delete your account, plus 30 days backup retention.
- Intake answers and reports: until you delete them or your account.
- Security/operational logs: up to 12 months.
- Analytics events: up to 14 months.
- Billing records: 7 years (Belgian accounting obligation).
7. Your rights
Under GDPR Art. 15 to 22 you have the right to access, rectify, erase, restrict and port your data, and to object to processing based on legitimate interest. You may withdraw consent at any time without affecting the lawfulness of prior processing. Email us at privacy@clariflow.app to exercise any right; we respond within 30 days.
You also have the right to lodge a complaint with the supervisory authority of your Member State. In Belgium this is the Gegevensbeschermingsautoriteit (Belgian Data Protection Authority).
8. Security
Data is stored at Supabase in the EU region with encryption at rest and in transit. Passwords are hashed using bcrypt. Access to production data is restricted to the founder and is logged.
9. Children
The Service is not directed to children under 16 and we do not knowingly collect their personal data.
10. Changes
We will notify you of substantive changes by email or in-app message at least 30 days in advance. The current version is dated above.