Legal Document

Privacy Policy

Effective Date: April 13, 2026•Last Reviewed: April 13, 2026•Version 2.0

This Privacy Policy governs the collection, use, storage, and disclosure of personal data by Clause AI ("Company", "we", "our", "us"). It applies to all users ("Data Principal", "you", "your") accessing our services through www.clauseai.in. By using our platform, you consent to the practices described herein.

This Privacy Policy has been formulated in compliance with:

Digital Personal Data Protection Act (DPDP), 2023 — Government of India
Information Technology Act, 2000, and the IT (Amendment) Act, 2008
IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
General Data Protection Regulation (GDPR) — European Union (Regulation 2016/679)
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), 2020
United Nations Convention on the Rights of the Child (UNCRC), 1989 — for provisions relating to minors

1. Information We Collect

Clause AI collects personal data strictly to the extent necessary for providing its AI-powered interview assistance services. The categories of data we collect are set out below.

1.1 Personal Identification Information

Full name, as provided during account registration
Email address, used for account creation, authentication, and service communications
Account credentials (encrypted), including passwords and authentication tokens

1.2 Audio Data

During active interview sessions facilitated through our platform, we may collect audio input data transmitted via your device's microphone. Such audio data is processed exclusively for the purpose of real-time AI-assisted interview support. Audio data is not stored beyond the duration of the session unless explicitly required for service delivery and subject to your prior informed consent.

1.3 Technical & Device Data

Browser type, version, and operating system
Internet Protocol (IP) address and approximate geolocation
Session duration, timestamps, and clickstream data
Device identifiers and screen resolution

1.4 Cookie & Tracking Data

We use browser cookies and similar tracking technologies. Please refer to Section 1A (Cookie Policy) for a full and detailed account of how cookies are used and how you may exercise your opt-out rights.

1.5 Data We Do Not Collect

Clause AI does not collect sensitive personal data as defined under the DPDP Act 2023 and SPDI Rules, 2011, including but not limited to financial information, biometric data (beyond audio as described above), medical records, racial or ethnic origin, or political opinions, unless mandated by law or with explicit, informed consent.

1A. Cookie Policy

This section constitutes Clause AI's full Cookie Policy as required under applicable data protection legislation, including the DPDP Act, 2023, GDPR (specifically Recital 30 and Article 6), and the ePrivacy Directive (2002/58/EC as amended). It explains what cookies are, which cookies we use, and how you can control them.

1A.1 What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, or mobile) by websites you visit. They are widely used to make websites function efficiently, improve user experience, and provide analytical information to site operators. Cookies may be set either by the website you are visiting ('first-party cookies') or by third-party services operating on that site ('third-party cookies').
Similar technologies include web beacons, pixel tags, local storage objects (LSOs), and session storage — all of which may operate analogously to cookies for data collection purposes. References to 'cookies' in this policy include all such similar technologies unless otherwise stated.

1A.2 Categories of Cookies We Use

The table below provides a detailed breakdown of cookies used on www.clauseai.in:

Cookie Category	Purpose	Legal Basis	Retention	Can Opt-Out?
Essential / Strictly Necessary	Authentication, session management, security tokens, CSRF protection	Contractual Necessity	Session / up to 30 days	No — required for platform operation
Analytical / Performance	Aggregate usage metrics, error tracking, page load performance	Legitimate Interest / Consent	Up to 12 months	Yes — via Cookie Preferences
Functional / Preference	Language, theme, UI settings, remembered preferences	Consent	Up to 6 months	Yes — via browser settings
Marketing / Targeting	Not currently used. If introduced, will require explicit opt-in consent.	Consent (opt-in)	N/A	Yes — explicit opt-in required

1A.3 Detailed Cookie Descriptions

A. Essential Cookies

Legal Basis (GDPR): Contractual necessity (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)).

These cookies are strictly necessary to deliver the core functionality of our platform. They enable user authentication, session continuity, and security safeguards. Without these cookies, the platform cannot function correctly.

clauseai_session — Maintains your authenticated session across page loads. Duration: Session.
csrf_token — Cross-Site Request Forgery protection token. Duration: Session.
auth_token — Encrypted bearer token for secure API requests. Duration: Up to 30 days.
locale_pref — Stores your language preference. Duration: 6 months.

B. Analytical / Performance Cookies

Legal Basis (GDPR): Legitimate interest (Article 6(1)(f)) or consent (Article 6(1)(a)).

These cookies help us understand how users interact with our platform by collecting aggregated, anonymised data. This enables us to improve performance, identify errors, and optimise the user journey.

_ca_analytics — Tracks session duration, page views, and navigation paths. Duration: 12 months.
_ca_error_log — Records anonymised error events for debugging. Duration: 30 days.
_ca_perf — Measures page load times and API response latency. Duration: 90 days.

C. Functional / Preference Cookies

Legal Basis (GDPR): Consent (Article 6(1)(a)).

These cookies allow the website to remember choices you have made and to provide enhanced, personalised features. They may be set by us or by third-party providers whose services we have added to our pages.

ui_theme — Remembers your dark/light mode preference. Duration: 6 months.
onboarding_state — Tracks tutorial completion status. Duration: 90 days.

D. Marketing / Targeting Cookies

Clause AI does NOT currently use marketing or targeting cookies. We do not serve advertisements or track users across third-party websites for commercial profiling purposes. Should this change in the future, we will update this policy, seek fresh opt-in consent, and provide a clear mechanism to opt out before any such cookies are deployed.

1A.4 How to Manage & Opt-Out of Cookies

You have the right to withdraw consent for non-essential cookies at any time. We provide the following mechanisms:

Option 1: Cookie Preferences Centre (Recommended)

Upon your first visit to www.clauseai.in, a Cookie Consent Banner will appear, allowing you to accept or decline each cookie category individually. You may revisit and update these preferences at any time by clicking the 'Cookie Preferences' link available in the footer of every page on our website.

Option 2: Browser-Level Controls

All major browsers allow you to manage cookies through their settings menus. The following links provide guidance for commonly used browsers:

Google Chrome: Settings > Privacy and Security > Cookies and other site data
Mozilla Firefox: Options > Privacy & Security > Cookies and Site Data
Apple Safari: Preferences > Privacy > Manage Website Data
Microsoft Edge: Settings > Cookies and site permissions

Please note that disabling essential cookies through browser settings may result in degraded platform functionality or inability to access core features.

Option 3: Third-Party Opt-Out Tools

For analytics tools that may operate across websites, you may use the following opt-out mechanisms:

Network Advertising Initiative (NAI) opt-out: optout.networkadvertising.org
Digital Advertising Alliance (DAA) opt-out: optout.aboutads.info
Your Online Choices (EEA users): youronlinechoices.eu

1A.5 Do Not Track (DNT) Signals

Some browsers transmit 'Do Not Track' (DNT) signals to websites. At present, there is no universally accepted standard for how websites should respond to DNT signals. Clause AI acknowledges DNT signals and, where technically feasible, will honour them by disabling non-essential tracking. We will continue to monitor industry developments on this matter.

1A.6 Cookie Consent for Minors

Where a user is identified as, or is reasonably suspected to be, a minor (under 18 years of age), Clause AI will deploy only essential cookies and will not activate analytical, functional, or marketing cookies without verifiable parental or guardian consent, in accordance with Section 9 of the DPDP Act, 2023 and Article 8 of GDPR. Please refer to Section 5A of this Policy for our full provisions relating to minors.

2. Local Processing & Data Privacy

Clause AI has implemented a privacy-first architecture. Where technically feasible, data processing operations are performed locally on the user's device to minimise unnecessary data transmission to external servers.

Audio data captured during interview sessions is processed in real-time and, where applicable, within the user's browser environment or on-device, reducing the exposure of sensitive voice data to third-party infrastructure.
Temporary session data (e.g., in-session transcripts or AI suggestions) is stored ephemerally within the active browser session and is not persisted to our servers unless required for an explicitly requested feature.
We employ end-to-end encryption for all data transmitted between the user's device and our servers, using industry-standard Transport Layer Security (TLS 1.2 or higher).
Our AI processing pipeline is designed to operate on anonymised or pseudonymised data wherever possible, ensuring that individual identities cannot be readily inferred from processed data records.

Clause AI does not engage in persistent profiling of users based on audio content or interview responses for purposes other than direct service delivery.

3. How We Use Your Information

Clause AI processes personal data only for specified, lawful, and legitimate purposes. The legal bases for processing, as applicable under DPDP 2023 and GDPR, are indicated alongside each purpose.

3.1 Service Delivery

To authenticate users and maintain secure account sessions [Basis: Contractual necessity]
To provide real-time AI interview assistance and generate response suggestions during active sessions [Basis: Contractual necessity / Legitimate interest]
To process audio data for in-session transcription and AI analysis [Basis: Consent]

3.2 Platform Improvement

To analyse anonymised usage patterns for product enhancement and feature development [Basis: Legitimate interest]
To diagnose and resolve technical errors and platform stability issues [Basis: Legitimate interest]

3.3 Communication & Support

To send service-related notifications, security alerts, and account updates [Basis: Contractual necessity]
To respond to user queries, complaints, and support requests [Basis: Legitimate interest]
To send promotional communications or product updates, only with your prior consent, and subject to your right to withdraw consent at any time [Basis: Consent]

3.4 Legal & Regulatory Compliance

To comply with applicable laws, court orders, regulatory directives, or lawful requests from competent governmental authorities [Basis: Legal obligation]
To enforce our Terms of Service and protect the legal rights, property, or safety of Clause AI, its users, and the public [Basis: Legitimate interest / Legal obligation]

We do not use personal data for automated decision-making that produces legal or similarly significant effects without your explicit consent and the right to request human review.

4. Third-Party Services

Clause AI engages select third-party service providers ('Data Processors') who assist in delivering and maintaining our platform infrastructure. All such processors are bound by contractual obligations of confidentiality and data protection commensurate with applicable law.

4.1 Infrastructure & Cloud Storage

We use Supabase (a PostgreSQL-based cloud database and backend service) for secure data storage, user authentication, and real-time database operations. Supabase processes data on our behalf and is contractually prohibited from using your data for any independent purpose. Data stored via Supabase is encrypted at rest and in transit.

4.2 Analytics Services

We may use privacy-respecting analytics tools to understand platform performance. These tools are configured to anonymise user identifiers and do not permit cross-site tracking or individual-level profiling.

4.3 Non-Disclosure of Data

Clause AI does not sell, lease, barter, or otherwise commercially transfer your personal data to any third party for marketing or commercial purposes. Data may be disclosed to third parties only in the following circumstances:

When required by a court order, government directive, or applicable law
To protect the rights, property, or safety of Clause AI, its users, or the public
In connection with a merger, acquisition, or sale of assets, subject to equivalent data protection obligations being imposed on the acquiring entity and prior notice to you
With your explicit prior consent

4.4 International Data Transfers

Where personal data is transferred to or processed in jurisdictions outside India, Clause AI ensures such transfers are effected in compliance with Section 16 of the DPDP Act, 2023 and applicable GDPR Chapter V provisions, including the use of Standard Contractual Clauses or equivalent transfer mechanisms where required.

5. Data Security

Clause AI implements a comprehensive information security programme designed to protect personal data from unauthorised access, disclosure, alteration, and destruction.

5.1 Technical Safeguards

All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted using AES-256 encryption standards
Access to personal data is restricted to authorised personnel on a strict need-to-know basis, enforced through role-based access controls (RBAC)
Multi-factor authentication (MFA) is enforced for all internal administrative access to production systems
Regular automated vulnerability assessments and penetration testing are conducted

5.2 Organisational Safeguards

All employees and contractors with access to personal data are bound by confidentiality obligations
Internal data handling policies and security awareness training are provided to relevant personnel
A documented incident response plan is maintained and tested periodically

5.3 Data Retention & Deletion

Account information: Retained for the duration of the active account and up to 90 days following account deletion
Audio data: Deleted at the conclusion of each session, unless subject to extended retention with explicit consent
Usage and log data: Retained for a maximum of 12 months for security and operational purposes

5.4 Breach Notification

In the event of a personal data breach that is likely to result in harm to Data Principals, Clause AI will notify the affected individuals and the Data Protection Board of India within the timelines prescribed under the DPDP Act, 2023. Such notification will include the nature of the breach, data categories affected, and remedial measures undertaken.

5A. Policy on Minors

IMPORTANT NOTICE

Clause AI's services are intended for users who are 18 years of age or older. If you are under 18, please read this section carefully and ensure a parent or guardian has reviewed this Policy before you use our platform.

5A.1 Age Restriction & Eligibility

Clause AI's AI-powered interview assistant platform is designed for adult users and is not directed at, or intended for use by, children or minors under the age of 18 years ('Minor'). By registering for or using our services, you represent and warrant that you are at least 18 years of age.
Where applicable local law prescribes a different age of digital consent (e.g., 13 in some U.S. states under COPPA, 16 in certain EU member states under GDPR), the higher age threshold shall apply.

5A.2 Legal Framework for Minors' Data

Clause AI's approach to minors' data is governed by the following international and domestic legal instruments:

Section 9, DPDP Act, 2023 (India): Prohibits processing of personal data of children without verifiable parental consent and prohibits behavioural tracking, targeted advertising, or any processing detrimental to the well-being of a child.
Article 8, GDPR (EU): Requires that where an online information society service is offered to a child, the child must be at least 16 years old to provide consent. Below this age, consent must be obtained from the holder of parental responsibility.
Children's Online Privacy Protection Act (COPPA), USA: Prohibits the collection of personal information from children under 13 without verifiable parental consent.
United Nations Convention on the Rights of the Child (UNCRC), Article 16: Recognises children's right to privacy and protection from interference with their privacy, family, home, or correspondence.

5A.3 Consent Requirements for Minors

Notwithstanding the general age restriction, should a Minor access our platform (whether through misrepresentation of age or otherwise), the following safeguards apply:

No personal data of a Minor will be processed without verifiable consent from a parent or legal guardian, in accordance with Section 9 of the DPDP Act, 2023.
Clause AI will not conduct behavioural monitoring, profiling, or targeted advertising directed at Minors under any circumstances.
Audio data of a Minor will not be retained beyond the active session under any circumstances, even where the Minor or their guardian has consented to extended retention for adult users.
Consent for Minors must be obtained through a verifiable parental consent mechanism, the details of which will be presented at the point of registration if a Minor is detected.

5A.4 Detection & Enforcement

While Clause AI does not proactively collect age information beyond the age verification declaration at registration, we implement the following measures to identify and protect Minors:

Age verification checkbox and declaration at the point of account creation
Automated signal review to detect age-inconsistent usage patterns, to the extent technically feasible
Prompt account suspension and data deletion upon receipt of credible notification that a Minor is using the platform without parental consent

5A.5 Parental Rights & Reporting

If you are a parent or legal guardian and believe that your child has provided personal data to Clause AI without your consent, you are entitled to:

Request immediate deletion of your child's personal data
Request a full disclosure of what personal data (if any) has been collected
Withdraw any consent previously given on your child's behalf

To exercise these rights, please contact our Data Protection Officer at dpo@clauseai.in with the subject line: MINOR DATA REQUEST. We will respond within 48 hours and take remedial action within 7 business days of verifying the request.

5A.6 Data Deletion Upon Discovery

Upon discovery or credible notification that personal data belonging to a Minor has been collected without valid parental consent, Clause AI will:

Immediately suspend the relevant account
Permanently and irrecoverably delete all personal data associated with that account within 7 business days
Notify the parent or guardian of the actions taken
Where required by law, notify the relevant regulatory authority

6. Your Rights

Clause AI recognises and upholds the rights of Data Principals as mandated under applicable data protection legislation. These rights are set out below.

6.0 DPDP Act 2023 — Compliance Verification

The following compliance check confirms how this Privacy Policy addresses specific rights under the Digital Personal Data Protection Act, 2023:

✓ Compliant

Right to Correction (Section 12(a), DPDP 2023) — Explicitly covered in Section 6.1 below. Users may request correction of inaccurate or misleading personal data at any time via dpo@clauseai.in. Acknowledged within 72 hours, resolved within 30 days.

✓ Compliant

Right to Erasure (Section 12(b), DPDP 2023) — Explicitly covered in Section 6.1 below. Users may request erasure of personal data no longer necessary for the collected purpose. Exceptions apply for legal retention obligations. Deletion completed within 30 days.

✓ Compliant

Right to Grievance Redressal (Section 13, DPDP 2023) — A Grievance Officer is designated (Section 8). All grievances acknowledged within 48 hours and resolved within 30 days.

✓ Compliant

Right to Nominate (Section 14, DPDP 2023) — Covered in Section 6.1. Users may nominate an individual to exercise their DPDP rights in the event of death or incapacity.

✓ Compliant

Children's Data Protection (Section 9, DPDP 2023) — A dedicated Minors Policy is included in Section 5A of this document, covering verifiable parental consent, prohibition on behavioural tracking, and data deletion obligations.

6.1 Rights Under the DPDP Act, 2023 (India) — Detailed

As a Data Principal under the DPDP Act, 2023, you are entitled to the following rights, each of which is specifically implemented in this Policy:

Right to Access Information — Section 11

You have the right to obtain: (a) a summary of the personal data processed about you; (b) the purposes for which your data has been or is being processed; and (c) the identities of all Data Fiduciaries and Data Processors with whom your data has been shared. To exercise this right, submit a written request to privacy@clauseai.in with the subject: RIGHT TO ACCESS — DPDP 2023.

Right to Correction — Section 12(a) [DPDP COMPLIANCE CONFIRMED]

You have the right to request correction of inaccurate or misleading personal data. Clause AI will:

Correct any inaccurate personal data in our systems upon verification of the request
Complete any personal data that is incomplete, where relevant to the purpose of processing
Update personal data that has become outdated since its original collection

Process: Submit a correction request to privacy@clauseai.in with the subject: RIGHT TO CORRECTION — DPDP 2023, clearly identifying the data to be corrected and the accurate information. We will acknowledge within 72 hours and complete the correction within 30 days.

Right to Erasure — Section 12(b) [DPDP COMPLIANCE CONFIRMED]

You have the right to request erasure of personal data that:

Is no longer necessary for the purpose for which it was collected or processed
Was collected on the basis of consent that you have subsequently withdrawn
Has been unlawfully processed
Must be erased to comply with a legal obligation

Clause AI will honour erasure requests within 30 days of verification, subject to the following exceptions: (i) data required to be retained under applicable law or court orders; (ii) data necessary for the establishment, exercise, or defence of legal claims; and (iii) data retained for public interest, archiving, or scientific purposes as permitted by law.

Process: Submit an erasure request to privacy@clauseai.in with the subject: RIGHT TO ERASURE — DPDP 2023. We will confirm receipt within 72 hours, verify your identity, and complete erasure (or provide a reasoned exception) within 30 days.

Right to Grievance Redressal — Section 13

You have the right to have your grievances addressed by Clause AI's designated Grievance Officer within 30 days. If your grievance is not resolved to your satisfaction, you may escalate to the Data Protection Board of India upon its formal constitution.

Right to Nominate — Section 14

You have the right to nominate any individual to exercise your rights under the DPDP Act on your behalf in the event of your death or incapacity. Nomination requests should be submitted in writing to dpo@clauseai.in.

Right to Withdraw Consent — Section 7

Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal. Withdrawal requests should be sent to privacy@clauseai.in. Upon withdrawal, we will cease all consent-based processing within 14 days.

6.2 Rights Under GDPR (EEA Residents)

Right of Access (Article 15): To obtain confirmation of whether and what personal data is processed about you.
Right to Rectification (Article 16): To have inaccurate personal data corrected without undue delay.
Right to Erasure / Right to be Forgotten (Article 17): To request deletion of personal data in specified circumstances.
Right to Restriction of Processing (Article 18): To restrict processing of your personal data in specified circumstances.
Right to Data Portability (Article 20): To receive your personal data in a structured, machine-readable format.
Right to Object (Article 21): To object to processing based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making (Article 22): To not be subject to solely automated decisions with significant effects, without human review.

6.3 Rights Under CCPA / CPRA (California Residents)

Right to Know: To request disclosure of categories and specific pieces of personal information collected, purposes of collection, and third parties with whom information is shared.
Right to Delete: To request deletion of personal information, subject to applicable exceptions.
Right to Opt-Out of Sale or Sharing: Clause AI does not sell or share personal information. You may opt out if this practice commences in the future.
Right to Correct: To request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information: To limit use and disclosure of sensitive personal information to lawfully authorised purposes.
Right of Non-Discrimination: You shall not be discriminated against for exercising any of your CCPA/CPRA rights.

7. Changes to This Policy

Clause AI reserves the right to modify this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or service offerings. Any material amendments will be communicated through:

A prominent notice on www.clauseai.in at least 14 days prior to the effective date of the revised Policy
An email notification to your registered email address, where required by applicable law
An in-platform notification upon your next login, prompting review and, where required, renewed consent

Your continued use of our services following the effective date of a revised Policy constitutes your acknowledgment of the amended terms. Historical versions of this Privacy Policy are archived and available upon request from our Data Protection Officer.

8. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy, the exercise of your data protection rights, or our data handling practices, please contact us through any of the following channels:

Clause AI — Data Privacy Team

Email (General Inquiries): support@clauseai.in
Website: www.clauseai.in
Response Timeline: Acknowledged within 48 hours, resolved within 30 days.

Minor Data Requests: support@clauseai.in | Subject: MINOR DATA REQUEST
Response: Acknowledged within 48 hours, resolved within 7 business days.

Cookie Opt-Out / Preferences: support@clauseai.in | Subject: COOKIE OPT-OUT

Clause AI — Commitment to Privacy

This Privacy Policy has been prepared in good faith and reflects Clause AI's ongoing commitment to the protection of personal data, transparency in data handling, and accountability to all Data Principals — including the most vulnerable, such as minors. We remain dedicated to evolving our privacy practices in line with applicable legal developments and user expectations.