Privacy Policy

1. Information We Collect

1.1 Account Information

When you register, we collect:

• Full name and email address
• Password (stored as a one-way bcrypt hash — we never store your plaintext password)
• Google OAuth profile data (name, email) if you sign in with Google

1.2 Content & Usage Data

While you use the platform, we collect:

• Topics and instructions you submit for content generation
• Generated content (SERP analysis results, AI-written articles, humanized output)
• Word counts, credit usage, and job history
• Connected site URLs and site API keys (keys are stored as SHA-256 hashes; only a short prefix is shown)
• Keyword research queries and results

1.3 Payment Information

Payments are processed by Stripe. We store your Stripe customer ID and subscription status, but your card number, CVV, and billing address are never transmitted to or stored on our servers. Please review Stripe's privacy policy at stripe.com/privacy.

1.4 Technical & Log Data

We automatically collect:

• IP addresses (retained in admin activity logs)
• Browser type and device information
• Pages visited, features used, and timestamps
• API request and response metadata (not full response bodies)
• Error reports and diagnostic data

1.5 Cookies & Analytics

We use cookies for authentication and session management, and a third-party web analytics service to understand how visitors use our website. See our Cookie Policy for full details.

2. How We Use Your Information

We use your data to:

• Provide, maintain, and improve the Clustova platform
• Process content generation jobs and return results to you
• Manage your subscription, process payments, and send billing receipts
• Authenticate you and secure your account
• Send transactional emails (password resets, billing notices, service updates)
• Respond to support requests and enquiries
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Analyse aggregated, anonymised usage trends to improve our models and prompts

We do not sell your personal data to third parties. We do not use your generated content to train or fine-tune any AI model without your explicit consent.

3. Third-Party Service Providers

We share data with trusted third-party processors only to the extent necessary to deliver our services. All processors are bound by data processing agreements.

When you generate content, your submitted topic and configuration parameters are transmitted to our AI processing providers. We recommend avoiding submission of personally identifiable or sensitive information as content generation topics.

4. Data Retention

• Account data: Retained for the lifetime of your account. Deleted within 30 days of account deletion.
• Generated content & jobs: Retained for 6 months after generation, or until you delete your account.
• Billing records: Retained for 7 years to satisfy legal and accounting obligations.
• Activity logs: Retained for 90 days.
• API keys: Deleted immediately upon revocation.

5. Data Security

We implement layered security controls:

• AES-256-GCM encryption for sensitive credentials at rest
• TLS/HTTPS encryption for all data in transit
• Passwords stored as bcrypt hashes (never in plaintext)
• API keys stored as SHA-256 hashes (only a short prefix is ever displayed)
• Row-Level Security (RLS) on the database — every table denies public access by default
• HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy)
• Rate limiting on all authentication endpoints

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to info@clustova.com.

6. Your Rights

You have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate data from your account settings
• Erasure: Delete your account (and associated data) at any time from Settings → Delete Account
• Portability: Export your generated content and job history in JSON format on request
• Object / Restrict: Object to or restrict certain processing activities
• Withdraw Consent: Opt out of analytics cookies at any time via our cookie consent banner

EU/EEA residents may also lodge a complaint with their local supervisory authority. To exercise any right, contact info@clustova.com.

7. International Data Transfers

Our servers and some sub-processors are located in the United States and other countries outside the EU/EEA. When we transfer personal data internationally, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on an adequacy decision by the European Commission, to ensure an appropriate level of protection.

8. Children's Privacy

Clustova is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where required by law, notify you by email or via an in-app notice. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related enquiries or to exercise your rights:

• Email: info@clustova.com
• GDPR / Data Protection Officer: info@clustova.com

We aim to respond to all requests within 30 days.