Privacy Policy
Effective date: 2026-06-02 · Version privacy-en-v1
Controller: Andreas Hirzinger (Einzelunternehmen), Vomp, Tyrol, Austria — see the Impressum for full details. Contact: privacy@cleanscope.app.
We apply GDPR-level protections to all users worldwide, because GDPR is the strictest common denominator and over-satisfies most other regimes. Region-specific rights are added in §8.
1. Our role
For all personal data processed in the current version of CleanScope — your account, login, billing, support, marketing analytics, the audio you record, and the proposals generated from it — CleanScope is the data controller.
CleanScope acts as a processor only where you enable a feature under which we process data on your behalf (such as worker proof-of-clean records). That feature is not active in the current version, so no such processing takes place today. If it is enabled, the Data Processing Agreement governs it and you are the controller for that data.
2. What we collect and why
| Category | Examples | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Account | name, email, company, password hash | 6(1)(b) contract | life of account + legal periods |
| Audio walkthroughs | voice recordings you make | 6(1)(b) contract | until you delete; transient at AI step |
| Proposals | rooms, tasks, prices | 6(1)(b) contract | until you delete |
| Billing | Stripe customer/subscription IDs, invoices | 6(1)(b) + 6(1)(c) tax law | statutory retention (≈7–10 yrs) |
| Product analytics | events (PostHog) | 6(1)(a) consent (cookie banner) | per analytics config |
| Marketing-site analytics | aggregate, cookieless (Plausible) | 6(1)(f) legitimate interest | aggregate only |
3. AI processing (transparency)
Your audio is sent to Google Cloud Vertex AI in the EU region (europe-west4, Netherlands) to transcribe and structure it. We use enterprise terms under which your data is not used to train AI models. AI is used only for transcription and structuring; all pricing is computed by a deterministic engine, not by AI.
4. Sub-processors and international transfers
We use the following sub-processors. Some are US-based; transfers rely on EU Standard Contractual Clauses (SCCs) and, for UK data, the UK International Data Transfer Addendum (IDTA), plus the EU-US Data Privacy Framework where the recipient is certified.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase | database, auth, file storage | USA | SCCs / IDTA |
| Stripe | payments & billing | USA / Ireland | SCCs / DPF |
| Resend | transactional email | USA | SCCs |
| Loops | lifecycle email (if used) | USA | SCCs |
| Vercel | hosting / CDN | USA (edge global) | SCCs / DPF |
| PostHog | product analytics | USA | SCCs |
| Upstash (Redis) | rate limiting (stores IP addresses) | USA (us-east-2) | SCCs |
| Google Cloud (Vertex AI) | AI transcription | EU (europe-west4) | EU region — no third-country transfer |
Residency note: primary application data currently rests on Supabase US (Ohio), while AI runs in the EU. For EU/UK customers this asymmetry is covered by SCCs/IDTA; an EU (Frankfurt) Supabase region is planned before a material EU customer base.
5. Cookies & consent
Strictly-necessary cookies run by default. Analytics (PostHog) loads only after you accept via the cookie banner; declining keeps it off. The marketing site uses cookieless Plausible. A standalone cookie policy is not maintained — this section and the banner satisfy the requirement.
6. Security
Encryption in transit (TLS) and at rest; row-level security so each account sees only its own data; least-privilege service keys; private storage with signed URLs; and rate limiting on AI and write endpoints. Full technical and organizational measures are set out in the DPA.
7. Your rights (everyone)
Access, rectification, erasure, restriction, portability (machine-readable export), and objection. Contact privacy@cleanscope.app. You may also complain to a supervisory authority — for EU/Austria, the Datenschutzbehörde (DSB), Vienna.
8. Region-specific rights (what differs from the GDPR baseline)
- UK: UK GDPR applies; transfers use the IDTA/Addendum; complaints to the ICO.
- California (CCPA/CPRA):rights to know, delete, correct, and opt out of “sale”/“sharing” (we do not sell personal information). We act as a service provider for customer data. CCPA's business thresholds likely exempt CleanScope today, but service-provider contract terms still apply.
- Canada (PIPEDA + Québec Law 25): consent and access rights; Law 25 adds stricter consent, breach reporting to the CAI, and a privacy officer; complaints to the OPC.
- Australia (Privacy Act 1988 / APPs): access and correction rights.
- Brazil (LGPD) and India (DPDP Act 2023): equivalent access/deletion/consent rights; contact us to exercise them.
9. Changes
We post the new version with a new effective date and, for material changes, notify you by email or in-app.