Privacy Policy & Cookie Policy

1. Data Controller

The data controller for personal data processed through the ClariCard website and platform is:

If you are located in the European Economic Area (EEA) or the United Kingdom, this policy also constitutes our record of processing activities under GDPR Article 30 and applies in full.

2. Data We Collect

2.1 Account Data

• Email address (required for account creation)
• Full name (optional, for personalization)
• Profile avatar (optional)
• Authentication provider data (if you sign in with Google)

2.2 Usage Data

• URLs and domain names you submit for analysis
• AI Score results and dimension breakdowns
• FAQ content you generate via the platform
• Credit usage logs and action history
• Feature usage events for product improvement

2.3 Payment Data

Payment information (card number, billing address) is collected and processed entirely by Lemon Squeezy, LLC as Merchant of Record. We never store raw card data. We receive only subscription status, plan type, and transaction IDs.

2.4 Technical & Analytics Data

• IP address and approximate location (country / city)
• Browser type and operating system
• Referral URL and UTM parameters
• Page views and session duration (Vercel Analytics — cookieless)
• Session recordings and heatmaps (Microsoft Clarity — requires consent)

2.5 Support & Chat Data

When you use our live chat (Crisp), we collect your messages, email if provided, and IP address. This data is stored by Crisp and subject to their privacy policy.

2.6 Waitlist Data

If you join the waitlist, we collect your email, referring URL, and browser user-agent for fraud prevention. Waitlist data is used solely for launch communication.

3. Legal Basis for Processing (GDPR)

4. How We Use Your Data

• Provide, operate, and maintain the Service
• Process payments and manage subscriptions
• Send transactional emails (receipts, password resets, service notices)
• Send marketing emails — only with your explicit consent
• Analyze and improve platform features
• Detect and prevent fraud or abuse
• Comply with legal obligations

5. Sub-processors & Third Parties

We do not sell your personal data. We share data only with the following sub-processors under Data Processing Agreements (DPA):

6. International Data Transfers

Your data may be transferred to and processed in countries outside the EEA, including the United States. We ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) with US-based sub-processors where required
• EU–US Data Privacy Framework participation (Vercel, Google, Microsoft)
• Sub-processor DPAs that include SCCs by reference

7. Data Retention

• Account data: retained while active; deleted within 30 days of account deletion request.
• AI Score history: retained for 12 months, then automatically purged.
• Payment records: retained for 7 years (legal obligation).
• Waitlist data: deleted 90 days after product launch or upon request.
• Chat logs (Crisp): deleted after 12 months per Crisp's retention policy.
• Clarity session recordings: retained for 30 days per Microsoft's default policy.

8. Cookie Policy

This section explains what cookies and similar technologies we use, why, and how you can control them.

8.1 What Are Cookies?

Cookies are small text files placed on your device. We also use similar technologies such as local storage and session identifiers. References to "cookies" below include these technologies.

8.2 Cookies We Use

8.3 Managing Your Cookie Preferences

You can control cookies in the following ways:

• Cookie banner: When you first visit the site, a consent banner lets you accept or decline non-essential cookies.
• Browser settings: You can delete or block cookies at any time via your browser settings. Note that blocking strictly necessary cookies will affect login functionality.
• Opt-out links:
  • Microsoft Clarity: clarity.microsoft.com/optout
  • Crisp: close and clear chat widget via browser storage settings

Note for EU/EEA visitors: Under ePrivacy Directive (EU Cookie Law) and GDPR, we require your prior consent before setting any non-essential cookies. Strictly necessary cookies are exempt from this requirement under Recital 47 of GDPR.

9. Your Rights (GDPR & CCPA)

Depending on your location, you have the following rights:

To exercise any right, email contact@easyspark.io with subject "Data Request — [Right Type]". We respond within 30 days (extendable to 90 days for complex requests with notice).

10. Marketing Communications

We send marketing emails only to users who have explicitly opted in. You can withdraw consent at any time by:

• Clicking "Unsubscribe" in any marketing email
• Visiting your Marketing Consent settings page
• Emailing us at contact@easyspark.io

Transactional emails (receipts, password resets) are exempt from opt-out as they are essential to the Service.

11. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If we become aware of such collection, we will delete the data promptly and notify the guardian.

12. Security Measures

• All data in transit encrypted via TLS 1.2+
• Database encrypted at rest (AES-256) via Supabase / AWS
• Row Level Security (RLS) enforced on all user-scoped tables
• Access tokens rotated; no long-lived API keys in client code
• Data breach notification within 72 hours to affected users and relevant supervisory authority (GDPR Art. 33–34)

13. Changes to This Policy

We may update this policy periodically. We will notify you of material changes via email at least 14 days before they take effect. The current effective date is always shown at the top of this page. Continued use after the effective date constitutes acceptance.

14. Contact & Data Protection Inquiries