Privacy Policy
Last updated: 19 April 2026
This policy explains what personal data Clive collects, why we collect it, how we use it, and your rights under UK GDPR.
1. Who we are
Clive ("we", "us", "our") is operated by [Company name, registered number, registered address]. For privacy questions, email [email protected]. We act as a data controller for the personal data described below.
2. What we collect
From website visitors
- Email address - when you test Clive live or start a trial.
- Technical data - IP address, browser type, referring URL, pages visited. Used for security and aggregate analytics.
From customers
- Account details - name, work email, company name, role.
- Accounting data - invoices, customer names and email addresses, payment status, aging. Pulled from your accounting system (Xero) with your authorisation via OAuth.
- Communications data - emails sent via Clive, replies received, threads tracked against invoices. Accessed via Gmail or Outlook OAuth when you authorise the integration.
- Usage data - which features you use, toggles set, drafts approved, to improve the product.
3. Why we process your data (lawful basis)
- Contract - to provide the Clive service you signed up for.
- Legitimate interests - to secure the service, prevent fraud, improve the product, and contact you about service changes.
- Consent - for marketing emails (if any). You can withdraw consent at any time.
- Legal obligation - tax records, anti-money-laundering, responding to lawful requests.
4. Who we share data with
We do not sell your data. We share it only with these categories of processors, under contract:
- Accounting integrations - Xero (to read invoice and customer data you authorise).
- Email integrations - Google (Gmail) and Microsoft (Outlook), to send and receive email on your behalf when you authorise.
- Cloud hosting - our infrastructure providers ([e.g. AWS / Fly.io / Railway]), based in [region].
- AI providers - we use [Anthropic / OpenAI] to generate chaser drafts. Invoice and customer data needed to draft a response is sent to the provider under their API terms and is not used to train public models.
- Payments - Stripe processes subscription payments.
- Professional advisers - lawyers, auditors, accountants, bound by confidentiality.
5. International transfers
Some processors are outside the UK/EEA (notably US-based cloud and AI providers). Where they are, transfers are covered by UK International Data Transfer Agreements or the UK Extension to the EU-US Data Privacy Framework, as applicable.
6. How long we keep data
- Test/demo submissions - email and sandbox data deleted within 30 days.
- Customer data - kept while you have an account, and for up to 6 years after account closure for tax and legal reasons.
- Backups - rolling 30-day encrypted backups.
7. Security
We encrypt data in transit (TLS 1.2+) and at rest. Access to customer data is restricted to staff who need it, logged, and revoked on role change. OAuth tokens are stored encrypted. We review security practices regularly.
8. Your rights
Under UK GDPR you can:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Ask us to delete data ("right to erasure"), subject to legal retention.
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent where we rely on it.
To exercise any right, email [email protected]. We respond within 30 days.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK data protection regulator.
9. Cookies and analytics
We use strictly necessary cookies for the site to function (session, security). We do not use tracking cookies or third-party analytics on our marketing site. If we add analytics in future, we'll update this policy and, where required, ask for your consent.
10. Changes to this policy
If we make material changes we'll update the "last updated" date above and, for existing customers, notify you by email.