# GDPR Status
Last updated: May 14, 2026
This page describes how Clustova complies with the EU General Data Protection Regulation (GDPR) and how it affects users in the European Union and European Economic Area (EEA). Read this alongside our Privacy Policy.
## 1. Data Controller
Clustova acts as the data controller for the personal data of its users. As data controller we determine the purposes and means of processing your personal data.
For GDPR enquiries, contact our Data Protection Officer at: info@clustova.com
## 2. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights under Articles 15–22 GDPR:
| Right | How to Exercise It |
|---|---|
| Access (Art. 15) — obtain a copy of your data | Email info@clustova.com |
| Rectification (Art. 16) — correct inaccurate data | Update via Settings, or email us |
| Erasure (Art. 17) — "right to be forgotten" | Settings → Delete Account, or email us |
| Portability (Art. 20) — receive your data in structured format | Email info@clustova.com |
| Restriction (Art. 18) — pause processing of your data | Email info@clustova.com |
| Object (Art. 21) — object to processing based on legitimate interests | Email info@clustova.com |
| Withdraw Consent — opt out of analytics cookies | Cookie consent banner or browser settings |
We will respond to all verified requests within 90 days.
## 3. Lawful Basis for Processing
GDPR requires us to have a lawful basis for each processing activity. Our bases are:
| Processing Activity | Lawful Basis |
|---|---|
| Account registration and login | Contract (Art. 6(1)(b)) |
| Content generation and delivery of the service | Contract (Art. 6(1)(b)) |
| Payment processing and billing history | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) |
| Sending transactional emails (billing, security) | Contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Analytics (Google Analytics) | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
## 4. Sub-Processors
As data controller, we engage the following sub-processors who may process personal data on our behalf. All sub-processors are bound by data processing agreements that comply with GDPR Article 28.
| Category | Purpose | Transfer Safeguard |
|---|---|---|
| Database hosting provider | Secure storage of account, content, and usage data | SCCs / EU region option |
| Payment processor | Subscription billing and payment management | SCCs + Adequacy |
| Authentication & analytics provider | Social sign-in (OAuth) and anonymised website analytics | SCCs + DPA |
| AI content generation providers | Processing content jobs — SERP analysis, article writing, and humanization | SCCs |
## 5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (name, email) | Until account deletion + 30 days |
| Generated content and pipeline jobs | 6 months, or until account deletion |
| Billing records and invoices | 7 years (legal / tax obligation) |
| Security / activity logs | 90 days |
| API keys (hashed) | Until revoked |
## 6. Data Protection Measures
- AES-256-GCM encryption of sensitive credentials at rest
- TLS 1.2+ encryption for all data in transit
- Passwords stored as one-way bcrypt hashes
- API keys stored as SHA-256 hashes
- Row-Level Security (RLS) enforced at the database layer
- Strict access controls: separate admin and user authentication with independent JWT secrets
- Rate limiting and brute-force protection on all authentication endpoints
- Principle of data minimisation: we only collect what is necessary to provide the service
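The list above says API keys are stored as SHA-256 hashes and kept until revoked. The snippet below is an added illustration of that pattern, not Clustova's own code: the key is issued once as `<key_id>.<secret>`, only the SHA-256 digest of the secret is persisted, verification uses a constant-time comparison, and revocation removes the record. The class and field names are assumptions for the example. A plain SHA-256 is acceptable here only because the secret is a random value with roughly 256 bits of entropy; user-chosen passwords need a slow, salted hash such as the bcrypt named above, which is why the two measures are listed separately.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ApiKeyRecord:
    """One stored key: the public id and the hex SHA-256 of the secret part (hypothetical schema)."""
    key_id: str
    key_hash: str  # digest only; the secret itself is never stored


class ApiKeyStore:
    """In-memory stand-in for the database table of hashed API keys (constructed for this example)."""

    def __init__(self) -> None:
        self._records: dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self) -> str:
        """Mint a key of the form <key_id>.<secret>; the secret is shown once and only its hash is kept."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # ~256 bits of entropy, so an unsalted fast hash suffices
        self._records[key_id] = ApiKeyRecord(key_id, self._digest(secret))
        return f"{key_id}.{secret}"

    def verify(self, presented: str) -> bool:
        """Return True only for an issued, unrevoked key whose secret hashes to the stored digest."""
        key_id, sep, secret = presented.partition(".")
        record = self._records.get(key_id)
        if not sep or record is None:
            # Hash and compare anyway so an unknown id costs about the same time as a known one
            hmac.compare_digest(self._digest(secret), "0" * 64)
            return False
        return hmac.compare_digest(self._digest(secret), record.key_hash)

    def revoke(self, key_id: str) -> bool:
        """Delete the hashed record; matches the 'until revoked' retention rule for API keys."""
        return self._records.pop(key_id, None) is not None

    def count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue()
    print("issued:", key)
    print("verify genuine:", store.verify(key))
    print("verify tampered:", store.verify(key[:-1] + ("x" if key[-1] != "x" else "y")))
    store.revoke(key.split(".")[0])
    print("verify after revoke:", store.verify(key))
```

Because only digests are stored, a leaked database table does not yield usable keys, and the `verify` path is written so that a lookup of an unknown `key_id` still performs a hash and compare rather than returning early.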
## 7. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
- Notify affected users without undue delay where the breach is likely to result in high risk to their rights (GDPR Art. 34)
- Document all breaches in our internal breach register
To report a suspected security issue: security@clustova.com
## 8. International Transfers
Some of our sub-processors are located outside the EU/EEA (primarily the United States and China for AI processing). When transferring data internationally we rely on:
- Standard Contractual Clauses (SCCs) — approved by the European Commission under GDPR Art. 46(2)(c)
- Adequacy decisions — where the European Commission has determined the receiving country offers adequate protection
## 9. Contact the DPO
For all GDPR-related requests, exercise of data subject rights, or questions about our data processing:
- Email: info@clustova.com
We aim to respond within 90 days of receiving a verifiable request.