Clarvia AS — Privacy Policy
Last updated: April 30, 2026
1. Data Controller
Clarvia AS (org. nr. 936201520) ("Clarvia", "we", "us", "our") is the data controller responsible for the processing of your personal data. We operate the Clarvia AI Visibility Score platform at clarvia.io.
Contact details:
Clarvia AS
Org. nr. 936201520
Kråketorpveien 8A
1626 Manstad, Norway
Email: [email protected]
For questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, contact us at the email address above.
2. Data We Collect
We collect and process the following categories of personal data in connection with your use of the Clarvia platform:
- Account information — your name, email address, and company name, as provided during registration or onboarding.
- Page URLs submitted for analysis — the web page addresses you submit to Clarvia for AI-powered analysis. By submitting a URL, you represent that you have the right to authorize analysis of the content at that address.
- AI-generated analysis results — scores, suggestions, reports, and other outputs produced by our AI analysis of your submitted URLs.
- Usage data — credit consumption, feature usage, actions performed within the platform, and session metadata used for service delivery and abuse prevention.
- Technical metadata — IP address, country derived from IP (geolocation), browser user-agent string, page referrer, and UTM campaign parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content). Collected automatically when you visit or use Clarvia. Used for security and abuse prevention, locale and language detection, aggregate marketing analytics, and to debug failed requests. Retained for 90 days, then purged automatically.
- Payment information — all payment processing is handled by Stripe. Clarvia never stores, processes, or has access to your full payment card details. Stripe operates as an independent data controller for payment data under their own privacy policy.
3. Legal Basis for Processing
Under GDPR Article 6 and the Norwegian Personal Data Act (Personopplysningsloven), we process your personal data based on the following legal grounds:
- Performance of a contract (Art. 6(1)(b)) — processing your account information, submitted URLs, and AI analysis results is necessary for performing our contract with you (i.e., delivering the Clarvia service you have subscribed to).
- Legitimate interest (Art. 6(1)(f)) — processing usage data for platform improvement, security monitoring, fraud prevention, and anonymized analytics. Our legitimate interest in improving and securing the service does not override your fundamental rights and freedoms.
- Consent (Art. 6(1)(a)) — optional analytics cookies are only activated with your consent. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Legal obligation (Art. 6(1)(c)) — retaining certain financial and transactional records where required by Norwegian accounting law (Bokføringsloven) or tax regulations.
4. How We Use Your Data
We use the data we collect strictly for the following purposes:
- Service delivery — to scrape, analyze, and score web pages you submit, and to generate reports and suggestions.
- AI analysis — to process page content through our AI pipeline and produce actionable insights.
- Transactional communications — to send you emails related to your account, analyses, subscription status, and service updates.
- Platform improvement — to analyze anonymized, aggregated usage patterns to improve our product, fix bugs, and develop new features.
- Legal compliance and security — to detect and prevent fraud, abuse, and unauthorized access, and to comply with applicable legal obligations.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising or profiling purposes unrelated to service delivery.
5. AI Processing and Automated Decision-Making
When you submit a URL for analysis, we scrape the publicly accessible content of that page and transmit a processed version to a third-party AI inference provider for analysis. This processing is necessary for the performance of our contract with you (Art. 6(1)(b) GDPR). The following safeguards apply:
- Our AI inference providers do not store or retain your data after processing is complete. Content is processed in transit only.
- Our AI inference providers do not use API inputs to train or improve their AI models.
- We transmit only page content relevant to analysis. Your personal account information (name, email, payment details) is never sent to the AI provider.
Automated decision-making (Art. 22 GDPR). Clarvia uses AI to generate visibility scores, content suggestions, and optimization recommendations for web pages you submit. These scores are produced through automated processing. However, they are informational and advisory in nature — they do not produce legal effects or similarly significant effects on you. The scores are intended to assist your content optimization decisions, not to replace human judgment. You are free to accept, modify, or disregard any AI-generated suggestion.
If you have questions about the logic involved in the scoring, or wish to contest a particular result, you may contact us at [email protected].
6. Third-Party Services and Sub-Processors
We rely on a small set of carefully vetted third-party services to operate Clarvia. We have entered into Data Processing Agreements (DPAs) with each processor in accordance with GDPR Article 28. The named sub-processors we use are:
- Supabase (Supabase Inc., USA — EU infrastructure region) — managed Postgres database and authentication. Primary storage of account, project and analysis data. Data location: EU (Frankfurt, Germany). Transfer safeguard: Standard Contractual Clauses.
- Anthropic (Anthropic PBC, USA) — AI inference for content scoring and Canvas rewrite suggestions. Inputs processed in transit; not retained or used for model training under our zero-retention API terms. Transfer safeguard: EU-US Data Privacy Framework certification + Standard Contractual Clauses.
- OpenAI (OpenAI OpCo LLC, USA) — secondary AI inference for Citation Simulation (ChatGPT engine). Zero-retention API terms, no training on customer data. Transfer safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.
- Google (Google Cloud / Generative AI APIs, Google Ireland Ltd.) — Gemini inference for Citation Simulation. Transfer safeguard: EU-US Data Privacy Framework + Standard Contractual Clauses.
- Stripe (Stripe Inc., USA — Stripe Payments Europe Ltd. for EU customers) — subscription management and payment processing. Stripe acts as an independent data controller for payment data under their own privacy policy. Transfer safeguard: EU-US Data Privacy Framework.
- Resend (Resend Inc., USA) — transactional email delivery (account, magic-link sign-in, drip sequences, scoring notifications). Transfer safeguard: Standard Contractual Clauses.
- PostHog (PostHog EU Cloud, Frankfurt, Germany) — anonymised product analytics. Active only after explicit cookie-banner consent. Data location: EU.
- Sentry (Functional Software Inc. dba Sentry, USA) — error monitoring and crash diagnostics. Form inputs are masked; passwords and payment data are never captured. Transfer safeguard: Standard Contractual Clauses.
- Cloudflare (Cloudflare Inc., USA — global edge) — CDN, DDoS protection, secure tunnel to backend. Transfer safeguard: EU-US Data Privacy Framework.
To subscribe to notifications of changes to this sub-processor register, email [email protected] with the subject line "Sub-processor updates".
7. International Data Transfers
Your primary account data is stored within the European Union (Frankfurt, Germany). However, certain processing activities require transferring data to service providers located outside the EU/EEA, primarily in the United States.
For all transfers of personal data outside the EU/EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:
- EU-US Data Privacy Framework — where the receiving organization is certified under the EU-US Data Privacy Framework (adequacy decision by the European Commission, July 2023).
- Standard Contractual Clauses (SCCs) — where the Data Privacy Framework does not apply, we rely on the European Commission's Standard Contractual Clauses as the legal mechanism for the transfer.
You may request a copy of the relevant transfer safeguards by contacting us at [email protected].
8. Data Retention
We retain your data according to the following schedule:
- Active accounts — your data is retained for as long as your subscription is active and your account is in good standing.
- Cancelled accounts — personal data is retained for 30 days following cancellation to allow for reactivation, after which it is permanently and irreversibly deleted.
- Analysis HTML content — raw HTML is archived after 6 months to manage storage. Scores, suggestions, and report data are retained for the lifetime of your account.
- Financial records — transaction and billing records may be retained for up to 5 years after the end of the financial year in which the transaction occurred, as required by Norwegian accounting law (Bokføringsloven § 13).
- Data deletion requests — you may request full deletion of your data at any time by contacting [email protected]. We will process your request within 30 days, except where retention is required by law.
Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for statistical and product improvement purposes.
9. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven), you have the following rights regarding your personal data:
- Right to access (Art. 15) — request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — request deletion of your personal data, subject to legal retention requirements.
- Right to restriction of processing (Art. 18) — request that we restrict the processing of your data in certain circumstances, such as when you contest the accuracy of your data or object to our processing.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller.
- Right to object (Art. 21) — object to our processing of your personal data where we rely on legitimate interest, including for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
- Right not to be subject to automated decisions (Art. 22) — you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects on you. See Section 5 for details on how Clarvia uses automated processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days in accordance with GDPR Article 12. We may request verification of your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.
10. Right to Lodge a Complaint
If you believe that our processing of your personal data violates your rights under the GDPR or Norwegian data protection law, you have the right to lodge a complaint with the supervisory authority. In Norway, the competent authority is:
Datatilsynet (Norwegian Data Protection Authority)
Postboks 458 Sentrum
0105 Oslo, Norway
Phone: +47 22 39 69 00
Website: datatilsynet.no
You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence or place of work.
11. Data Security
We implement appropriate technical and organizational measures to protect your data, including but not limited to:
- Encryption in transit — all data is transmitted over HTTPS/TLS.
- Database security — Row Level Security (RLS) policies ensure users can only access their own data.
- Credential encryption — CMS API credentials and sensitive integration keys are encrypted at rest using Fernet symmetric encryption.
- EU-hosted infrastructure — primary data storage is in the EU (Frankfurt, Germany).
- Access controls — role-based access controls for administrative functions.
While we take commercially reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. Clarvia cannot guarantee absolute security and shall not be held liable for unauthorized access resulting from circumstances beyond our reasonable control, including but not limited to user negligence, compromised credentials, or force majeure events.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with GDPR Article 34, describing the nature of the breach, likely consequences, and measures taken or proposed to address it.
13. Cookies
We use the following categories of cookies:
- Essential cookies — required for authentication sessions and locale preferences. These cannot be disabled as they are necessary for the platform to function. No consent is required for essential cookies.
- Analytics cookies (optional) — anonymized analytics cookies are used to understand usage patterns and improve the product. These cookies are only placed with your prior consent. You may withdraw consent or opt out at any time via the cookie consent banner or your browser privacy settings.
For a complete list of cookies used on our platform, see our Cookie Policy.
14. Children
Clarvia is not intended for use by individuals under the age of 16. We do not knowingly collect, solicit, or process personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us immediately at [email protected].
15. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. If we make material changes that affect how we collect, use, or share your personal data, we will notify you by email at the address associated with your account at least 14 days before the changes take effect. Your continued use of Clarvia after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with the updated policy, you must discontinue use of the platform and may request deletion of your data.
16. Contact
For any questions, concerns, or requests related to this Privacy Policy or our data practices, contact us at:
Clarvia AS
Org. nr. 936201520
Kråketorpveien 8A
1626 Manstad, Norway
[email protected]
This privacy policy was last reviewed for legal compliance on April 8, 2026. This document does not constitute legal advice. Clarvia AS recommends consulting with a qualified legal professional for formal compliance assessment.