Privacy Policy

What we collect

When a visitor loads a page on a site that uses Clarvivo, our tracker sends us a small event containing: the page URL, the HTTP referrer, a hashed visitor ID (derived from the request context — no cookie stored), the user agent, screen resolution, and language. We never collect IP addresses in a retrievable form — they are only used briefly at ingestion to infer country/region and then discarded.

If the website owner enables e-commerce tracking, we also receive aggregated order and revenue data (order ID, value, currency, product SKUs) to compute revenue attribution. We do not receive payment card details, customer names, email addresses, or any other personally identifiable information.

For users of the Clarvivo dashboard (website owners, not end visitors), we store account information including email, name, company, and authentication tokens from Google OAuth. This is standard account data required to operate the service.

How we use it

Analytics data is used exclusively to render dashboards, compute aggregates, and power the AI features you explicitly request (insights, chat, forecasts). We never repurpose analytics data for cross-site tracking, behavioural advertising, or data sales.

Account data is used to authenticate you, bill your subscription (via Polar.sh — a separate processor), and deliver product emails such as weekly reports. You can opt out of product emails in Settings.

Cookies

Clarvivo's tracker does not set any cookies on your visitors' browsers. This is what makes it GDPR-friendly without a consent banner in most jurisdictions.

The Clarvivo dashboard itself (app.clarvivo.com) uses a first-party session cookie to keep you logged in. This cookie is HttpOnly, Secure, and SameSite=Lax. It is never used for tracking.

GDPR + CCPA

Clarvivo is designed to be GDPR-compliant by default. Because we do not collect personally identifiable information from end visitors and do not set tracking cookies, most sites using Clarvivo do not need a cookie consent banner specifically for us. We still recommend consulting your legal counsel for your specific jurisdiction.

For CCPA requests (access, deletion, portability), website owners can request data export or deletion for their projects by emailing us at the address below. Requests are fulfilled within 30 days.

Data storage + security

Analytics data is stored in PostgreSQL databases hosted on Supabase. Application infrastructure runs on Vercel's global edge network. Both providers maintain SOC 2 Type II certifications.

Data in transit is always encrypted via TLS 1.2+. Data at rest is encrypted at the database layer. We retain aggregated analytics for the lifetime of your account, or 90 days for projects on the free tier.

Third parties we share data with

We share data only with the infrastructure providers required to run the service: Supabase (database), Vercel (hosting), Polar.sh (billing), Resend (transactional email), and Groq (AI inference). None of these providers are authorised to use your data for their own purposes.

We do not share data with advertising networks, analytics resellers, or data brokers.

Your rights

You have the right to request a copy of the data we hold about you, to request correction or deletion, and to export your account data in a portable format. Email us to exercise any of these rights.

If you believe we have mishandled your data, you have the right to lodge a complaint with your local data protection authority.

Changes to this policy

If we make material changes to this policy, we will notify active account holders by email at least 30 days before the changes take effect. The effective date at the top of this page will always reflect the current version.