Privacy Policy
Last updated: May 19, 2026
1. Who we are
Clariantix is operated by Clariantix Inc. ("Clariantix," "we," "our," or "us"), the data controller responsible for the Clariantix enterprise AI governance, security, and compliance platform. This Privacy Policy explains what data we collect, why we collect it, and the rights you have over it.
This policy is written to be consistent with the GDPR (EU), the UK GDPR, PIPEDA (Canada), and equivalent regional privacy frameworks. Where local law grants you stronger rights, those rights apply.
2. Data we collect
Account and business contact data
Name, work email, company, role, and phone number when you create an account, request a demo, or contact us.
Platform telemetry
When Clariantix is deployed inside your environment, the platform processes metadata about AI interactions (timestamps, user IDs as provided by your identity provider, AI tool, classification of detected content categories, and policy outcomes). Customers configure what content, if any, is retained.
Usage and device data
Browser type, operating system, IP address, pages visited, referring URLs, and interactions with our website and product. Used for security, fraud prevention, and product improvement.
Cookies and similar technologies
We use a small number of strictly necessary cookies to run authenticated sessions, plus optional analytics cookies that you can accept or reject from the cookie banner.
3. How we use AI
Clariantix uses machine learning and large language models to classify prompts, detect sensitive content (such as PII, source code, or financial data), score risk, and generate compliance summaries. We:
- Do not use customer prompt content to train foundation models.
- Process AI classification inferences inside our trust boundary, not on public AI APIs, unless a customer explicitly enables a third-party model integration.
- Retain only the minimum metadata required to deliver governance, security, and audit functionality.
4. Why we process your data
- To deliver and operate the Clariantix platform under our customer contracts.
- To prevent abuse, fraud, and security incidents.
- To meet legal, regulatory, and audit obligations.
- To improve product quality and develop new governance capabilities.
- To communicate with you about your account, security notices, and service changes.
Legal bases under GDPR include performance of a contract, legitimate interests, consent (for optional cookies and marketing), and legal obligation.
5. Sharing and sub-processors
We share data only with vetted sub-processors who help us run the platform. Current sub-processors include:
- Paddle.com Market Limited ("Paddle") — Our Merchant of Record. Paddle processes all payments, subscription billing, invoicing, sales tax, and refunds on our behalf. When you purchase a Clariantix subscription, Paddle collects and processes your billing name, billing address, email, payment method details, and transaction history. Paddle acts as an independent data controller for payment data under its own Privacy Notice and Checkout Buyer Terms.
- Cloud infrastructure and hosting providers (compute, storage, CDN).
- Observability, logging, and error-monitoring providers.
- Customer support and communications tooling.
All sub-processors are bound by data processing agreements and confidentiality obligations. A current sub-processor list is available on request from your customer success contact.
We never sell personal data. We do not share customer telemetry with third parties for advertising.
6. Data retention
Account data is retained for the life of the contract and for a reasonable period after termination to meet legal and audit requirements. Platform telemetry retention windows are configurable per customer, typically between 30 and 365 days. Aggregated, anonymized analytics may be retained longer for product improvement.
7. Security
Clariantix maintains a security program aligned with SOC 2 Type II and ISO/IEC 27001 controls, including encryption in transit and at rest, role-based access controls, least-privilege production access, continuous monitoring, vulnerability management, and incident response procedures. Security questionnaires and audit summaries are available to enterprise customers under NDA.
8. International transfers
Clariantix operates a globally distributed infrastructure. Where personal data is transferred across borders, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards.
9. Your rights
Depending on your jurisdiction, you may have the right to access, correct, port, restrict, or delete your personal data, withdraw consent, and lodge a complaint with a supervisory authority. To exercise any of these rights, contact us at the address below and we will respond within the timeframe required by applicable law.
10. Children
Clariantix is an enterprise platform and is not directed to anyone under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify customers through the platform or by email. The "Last updated" date at the top of this page always reflects the current version.
12. Contact us
Privacy questions and data subject requests: privacy@clariantix.com
Clariantix Inc. — Calgary, Alberta, Canada
