Privacy Policy
Last updated: 23 April 2026
1. Data Controller
The data controller for this website is:
Sotekna
Box 86058 Rpo Upper Oakville, 4-1011 Upper Middle Rd E, Oakville, Ontario, L6H 5V6, Canada
For privacy-related enquiries, please use our contact form or refer to our Legal Notice for additional contact details.
ClarAudit does not process personal data on a scale that requires the appointment of a Data Protection Officer under Article 37 of the GDPR.
2. Overview
ClarAudit is designed with privacy at its core. It does not store your data. Your audit responses, risk classifications, and generated documents exist only during your active browser session. When your session ends, everything is deleted. There is no user account system, no database of customer information, and no way for us to retrieve your data after your session expires.
3. What Data We Process, Why, and on What Legal Basis
3.1 Audit Session Data
Data processed: Your responses to audit questions about your business and its use of AI systems. This may include the names of AI tools you use, how you use them, and the types of data they process. Also includes the resulting risk classifications and generated compliance documents.
Purpose: To perform the risk classification and generate your compliance documentation pack.
Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract between you and Sotekna (provision of the ClarAudit service).
Retention: Your assessment inputs (your answers to the risk-classification questions) are not retained beyond document generation. Once your compliance pack has been built, the inputs are discarded.
Your generated documents are temporarily stored for up to 48 hours after purchase to enable email-backup retrieval, then permanently deleted by an automated cleanup process (typically within one hour of the 48-hour window closing). The 48-hour link is delivered to the email address Stripe provides at checkout.
3.1a Data we hold
For each completed purchase, the data ClarAudit holds — and the windows it is held for — are:
- Order number (e.g. CA-2026-XXXXX) — derived from the Stripe session ID; logged for support correlation, no separate database.
- Email address (the address Stripe collects at checkout) — used to send the backup-link email and to handle replies to support correspondence.
- Generated ZIP archive — held in Vercel Blob for up to 48 hours, then permanently deleted.
- Stripe transaction record — held by Stripe per its retention policy, not by ClarAudit.
3.2 Payment Data
Data processed: We do not process your payment card details. Payment is handled entirely by Stripe, Inc. Your card information is entered directly on Stripe's hosted checkout page and is never transmitted to or stored on ClarAudit's servers.
We receive from Stripe only: confirmation of successful payment, the transaction reference, and (if you provided one) your EU VAT identification number.
Purpose: To confirm payment and deliver your compliance documentation pack. VAT identification numbers are used for tax compliance (reverse charge mechanism).
Legal basis: Article 6(1)(b) GDPR — necessary for the performance of the contract (payment and delivery). For VAT processing: Article 6(1)(c) GDPR — necessary for compliance with a legal obligation (EU VAT regulations).
Retention: Stripe retains transaction records in accordance with its own privacy policy and applicable financial regulations. ClarAudit does not maintain a separate record of individual transactions beyond the active session. VAT-related records (transaction amounts and VAT IDs) are retained as required by EU tax law (minimum 10 years).
3.3 Analytics Data
Data processed: Aggregate, non-personal website usage statistics — page views, referral sources, and country-level geography. No individual visitors are identified or tracked.
Purpose: To understand how the website is used and improve the service.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in understanding website usage patterns. This processing involves no personal data and no cookies.
Processor: Plausible Analytics (Plausible Insights OÜ, Estonia, EU). Plausible does not use cookies, does not collect personal data, and does not track individual visitors. All data is processed within the European Union. See Plausible's data policy.
3.4 Contact Form Submissions
Data processed: Your name (if provided), email address, message content, and selected enquiry category.
Purpose: To respond to your enquiry.
Legal basis: Article 6(1)(b) GDPR — necessary to take steps at your request prior to entering into a contract, or Article 6(1)(f) GDPR — legitimate interest in responding to customer enquiries.
Processor: Formspree, Inc. (United States). Submissions are forwarded to our support email. See Formspree's privacy policy.
Retention: Contact form submissions are retained only as long as necessary to resolve your enquiry, after which they are deleted.
3.5 AI Document Generation
Data processed: Your audit responses are sent to the AI provider's API to generate your compliance documents.
Purpose: To produce the compliance documentation pack.
Legal basis: Article 6(1)(b) GDPR — necessary for the performance of the contract.
Processor: Anthropic, PBC (United States). Under Anthropic's API terms, inputs sent via the API are not used to train AI models and are not retained after processing. See Anthropic's privacy policy.
Retention: Transient only. Data is processed and discarded by the API provider after the response is returned.
4. What Data We Do Not Collect
ClarAudit does not collect or process:
- User accounts, passwords, or login credentials
- Cookies for tracking, advertising, or profiling purposes
- Browsing history or behavioural data
- Device fingerprints or persistent identifiers
- Special category data (Article 9 GDPR) — we do not request or process data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or other sensitive categories
5. Cookies
ClarAudit does not set any first-party cookies for tracking or analytics. Plausible Analytics operates without cookies.
If you proceed to payment, Stripe may set cookies necessary for the secure processing of your transaction. These are strictly necessary cookies that do not require consent under the ePrivacy Directive. For details, see Stripe's cookie policy.
6. International Data Transfers
ClarAudit is operated from Canada. The European Commission has issued an adequacy decision for Canada (for organisations subject to PIPEDA), recognising it as providing an adequate level of data protection.
Some of our data processors are based in the United States:
- Stripe — certified under the EU-U.S. Data Privacy Framework.
- Anthropic — data processing is transient (no retention after API response). Appropriate safeguards are maintained through the processor's standard contractual commitments.
- Formspree — processes contact form submissions only. Appropriate safeguards are maintained through their privacy commitments.
All audit session data is transient and is not stored in any jurisdiction after your session ends.
7. Automated Decision-Making
ClarAudit's risk classification engine is a deterministic, rules-based system — not an AI model. It applies the published text of Regulation (EU) 2024/1689 to your inputs. While the classification process is automated, it does not constitute automated individual decision-making with legal or similarly significant effects within the meaning of Article 22 of the GDPR. The classifications are informational and do not create legal obligations; they are tools to assist your own compliance assessment.
8. Your Rights Under the GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of access (Article 15) — the right to know what personal data we hold about you.
- Right to rectification (Article 16) — the right to correct inaccurate personal data.
- Right to erasure (Article 17) — the right to request deletion of your personal data.
- Right to restriction of processing (Article 18) — the right to limit how we use your data.
- Right to data portability (Article 20) — the right to receive your data in a structured, commonly used format.
- Right to object (Article 21) — the right to object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Because ClarAudit does not retain personal data beyond your active session, there is in most cases no stored data to access, correct, or delete. If you have submitted a contact form enquiry and wish to exercise any of these rights regarding that data, please contact us through the contact form.
9. Right to Complain
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
10. Children
ClarAudit is a business tool designed for professional use. It is not intended for use by anyone under the age of 16. We do not knowingly process personal data of children.
11. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page indicates the most recent revision. If we make material changes, we will note this prominently on the website.
12. Contact
If you have questions about this privacy policy or wish to exercise your data protection rights, please reach out through our contact form or refer to our Legal Notice for additional contact details.