Skip to content

Effective date: March 23, 2026

Privacy Policy

This Privacy Policy explains how Clairvio ("we", "us", or "our") collects, uses, and protects information when you use the Clairvio platform and services ("Service"). By using the Service, you agree to the practices described here.

1. Information We Collect

Account information: When you register, we collect your name, email address, organisation name, and password (stored as a hash).

Session data: Session data is only captured when a diagnostic session is explicitly triggered via a magic link sent by one of our customers. When an end user opens a magic link, they are presented with a consent notice before any recording begins — if they decline, no data is captured. When a session is active, we capture DOM snapshots, user interactions, network requests, console errors, and other diagnostic events. Password fields and elements marked with the data masking attribute are never captured. Session data is stored on Amazon Web Services S3 in the us-east-1 region (US East, N. Virginia) and is associated with the relevant customer workspace.

Billing information: Payment details are processed directly by Stripe and are never stored on our servers. We store only your Stripe customer ID and subscription ID.

Usage data: We collect basic usage metrics such as session counts and API request logs to operate and improve the Service.

2. How We Use Your Information

  • To provide, operate, and maintain the Service.
  • To process payments and manage subscriptions.
  • To send transactional emails (account verification, invitations) via Mailgun.
  • To enforce plan limits and detect abuse.
  • To improve the Service through aggregate, anonymised analytics.

We do not sell your data or use it for advertising.

3. Session Data and Your End Users

Clairvio acts as a data processor; the customer who generates the diagnostic link is the data controller for session data captured from their end users. The SDK presents an explicit consent notice to end users before any recording begins — if the end user declines, no data is captured. Customers should include an identifying reference (such as a customer email address or support ticket ID) when generating magic links so that individual end user deletion requests can be fulfilled. End users who wish to have their session data deleted should contact the organisation that sent them the diagnostic link, as that organisation is the data controller for their session.

Password fields and elements marked with the SDK masking attribute are never transmitted or stored. Customers are responsible for configuring additional masking for any other sensitive fields in their application.

4. Data Retention

Session data is retained for the period defined by your subscription plan:

  • Free: 7 days
  • Starter: 30 days
  • Growth: 90 days
  • Scale: 1 year

Data beyond your retention window is automatically and permanently deleted. Account data is deleted within 30 days of account termination. Customers may manually delete individual sessions at any time from the dashboard regardless of the retention period. On account termination, all session data is permanently deleted within 30 days.

5. Third-Party Services

We use the following third-party services to operate the Service:

  • Stripe — payment processing. Stripe Privacy Policy.
  • Mailgun — transactional email delivery.
  • Amazon Web Services (S3) — encrypted storage of session replay data. Session data is stored in the us-east-1 region (US East, N. Virginia). AWS Privacy Policy.
  • Umami — cookie-free, privacy-focused analytics used on the marketing website and the agent dashboard. Umami does not use cookies or store personally identifiable information; visitor data is anonymised via server-side hashing. Umami Privacy Policy.

Each provider is bound by its own privacy policy and applicable data protection agreements.

6. Data Security

We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and access controls. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export personal data we hold about you as a Clairvio account holder. To exercise these rights, contact us at privacy@clairvio.dev. We will respond within 30 days.

If you are an end user whose session was recorded via a Clairvio diagnostic link, you are a data subject of the organisation that sent you that link, not of Clairvio directly. To exercise your rights regarding that session data — including access, correction, or deletion — please contact the organisation that sent you the diagnostic link. If you are unable to reach that organisation and believe your data is held by Clairvio, contact us at the address below and we will make reasonable efforts to assist.

8. International Data Transfers

Clairvio stores all data on Amazon Web Services infrastructure located in the United States (us-east-1). If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses as the legal mechanism for such transfers where required. A Data Processing Agreement (DPA) is available on request for customers who require one — contact privacy@clairvio.dev.

9. Cookies

The Service uses session cookies to maintain authentication state. We do not use tracking or advertising cookies. The Clairvio SDK does not set cookies on your end users' browsers.

10. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service. Continued use after the updated effective date constitutes acceptance.

12. Contact

Questions, data requests, or DPA inquiries? Email us at privacy@clairvio.dev. For Data Processing Agreement requests, include 'DPA Request' in the subject line. We will respond within 30 days.