clivio

Privacy Policy

Effective Date: September 14, 2025

Clivio (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use and safeguard it, and your rights. We comply with applicable data protection laws in Europe (GDPR) and the United States.

1. Information We Collect

Account Information: When you create an account, we collect personal details such as your name and email address. Payment information (e.g. credit card token) is handled by our payment processor (Stripe) and not stored on our servers.

Content: We collect and store the documents, files, or other content you upload to Clivio. This may include text, images, and other data you choose to store or process using our service.

Usage Data: We automatically collect data about how you use Clivio, including log files, pages/features accessed, dates/times of access, device identifiers, browser type, and cookies. We also gather analytics data (via Google Analytics 4) to understand service usage.

AI Interactions: If you use our AI-powered features, we may process the text or content you input and the AI-generated outputs. This information is used to provide the AI functionality and improve our algorithms, and may be temporarily logged for quality assurance.

2. How We Use Your Information

We use the collected information for the following purposes:

  • Provide and Improve Services: To operate Clivio’s cloud-based document storage, search functionality, and productivity tools; to maintain and improve service performance (e.g. faster search results, relevant reminders) and develop new features.
  • Payments and Subscription Management: To process your subscription payments, manage billing cycles, and handle upgrades or downgrades of plans (monthly or annual) via Stripe.
  • Security and Abuse Prevention: To monitor, investigate, and prevent any fraudulent, unauthorized, or illegal activities on Clivio. We use data (including automated AI monitoring) to ensure account security, integrity of stored content, and to enforce our Terms of Service.
  • Legal Compliance: To fulfill our legal obligations, such as responding to valid law enforcement requests or court orders, and to comply with applicable laws and regulations (e.g. maintaining transaction records for accounting/tax).

3. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA) or United Kingdom, we process personal data only when we have a valid legal basis:

  • Contractual Necessity: Most data we collect (e.g. account and content data) is processed to provide you with the Clivio service you requested – this is necessary for the performance of our contract with you.
  • Legitimate Interests: We may process certain data for our legitimate business interests, such as improving and securing our services, fraud prevention, or analytics, provided those interests are not overridden by your privacy rights. For example, analyzing usage data helps us enhance user experience without unduly impacting your rights.
  • Consent: For non-essential cookies or certain analytics/tracking tools, we rely on your consent where required by law. For instance, we obtain your consent before using Google Analytics for analytics cookies in jurisdictions that mandate it. You can withdraw consent at any time (e.g. by adjusting cookie settings or via browser controls).
  • Legal Obligation: In some cases, we must process data to comply with laws (e.g. retaining transaction records for tax purposes or responding to government information requests). In such cases, the legal obligation forms the basis of processing.

4. Storage and Data Location

All personal data and content you provide is stored on secure infrastructure provided by Google Cloud (Firebase). Our primary servers are located in the European Union (Belgium) for both EU and international customers, ensuring that EU customer data remains within Europe. We do not physically store your data outside of the EU. If we transfer or access data from outside your country (for example, using a service provider or for technical support), we will implement appropriate safeguards in accordance with GDPR Article 46 (such as Standard Contractual Clauses).

Data Transfers: Some of our service providers are based outside the EU (for example, OpenAI in the U.S. for AI features, or Stripe which may process payments globally). When we transfer personal data to these providers, we rely on legally recognized transfer mechanisms (e.g. EU Standard Contractual Clauses or the EU-US Data Privacy Framework) to protect your information. We ensure that any non-EU data processors handle your data with a level of protection equivalent to EU standards.

5. Sharing of Data

We do not sell or rent your personal information to third parties. We only share data in the following circumstances:

  • Service Providers: We share necessary information with trusted third-party service providers who help us operate Clivio. This includes cloud hosting (Google Cloud), AI processing (OpenAI), payment processing (Stripe), and analytics (Google Analytics). These providers process data on our behalf and are contractually obligated to safeguard your information and only use it for the services they provide to us.
  • Legal Requirements: We may disclose your information to government authorities or other third parties if required to do so by law or subpoena, or if we believe in good faith that such action is necessary to (i) comply with a legal obligation, (ii) protect our rights or property, (iii) prevent fraud or abuse of Clivio or our users, or (iv) protect the personal safety of individuals.
  • Business Transfers: If Clivio (or substantially all of its assets) is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of assets, your information may be transferred to a successor or affiliate as part of that transaction. In such case, we will ensure the new owner is bound by terms similar to this Privacy Policy or we will notify you and seek your consent if required by law.

Importantly, we do not share or disclose your documents or uploaded content except as needed to provide the service (e.g. transferring data to and from our AI provider when you use AI features) or if required by law. Clivio employees and contractors do not access your stored documents unless absolutely necessary for support or legal compliance and, even then, only with strict controls and confidentiality agreements.

6. Your Rights

You have various rights regarding your personal data, which may vary depending on your location. We honor all user rights under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among other laws. These rights include:

  • Access and Portability: You can request a copy of the personal data we hold about you, and information about how it’s used. For EU users, this is called a Subject Access Request. We will provide your data in a commonly used electronic format.
  • Rectification: If any of your information is inaccurate or incomplete, you have the right to ask us to correct it. You can also update most of your basic account information directly in your account settings.
  • Erasure: You may request that we delete your personal data. We will honor such requests to the extent required by law. For example, if you cancel your Clivio account, you can ask us to remove personal data associated with your account. Note that we might retain certain data if necessary for our legitimate business interests or legal obligations (e.g. records of transactions for accounting).
  • Restriction of Processing: You can ask us to restrict or suspend processing of your personal data in certain circumstances – for instance, if you contest the accuracy of data or object to our processing. We will still store your data but not use it until the issue is resolved.
  • Data Export: You have the right to obtain your data from us and reuse it elsewhere. Within Clivio, you can export your documents and information at any time (e.g. download your stored files).
  • Objection to Processing: In certain cases, you may object to our processing of your data, such as for direct marketing or when we process based on legitimate interests. If you object, we will stop processing your data for that purpose unless we have compelling legitimate grounds to continue or the processing is required by law.
  • Opt-Out of “Sale” (CCPA): Although we do not sell personal data, California residents have the right to direct businesses not to sell their personal information. We confirm that we do not sell your data; if that ever changes, we will provide a “Do Not Sell” link as required.
  • Non-Discrimination: If you exercise any of your rights under privacy laws (such as CCPA), we will not discriminate against you for doing so. You will continue to receive equal service and pricing from Clivio.
  • Complaint: If you believe your data rights have been violated, you have the right to lodge a complaint with a supervisory authority. For EU users, this could be the data protection authority in your country of residence (for example, the CNIL in France). For UK users, this is the ICO. For California residents, you can contact the California Attorney General’s office. We would, however, appreciate the chance to address your concerns first – feel free to contact us directly to resolve any issue.

How to Exercise Your Rights: You can exercise most of your rights by contacting us at our support email. For certain requests (access, deletion, etc.), we may need to verify your identity to protect your security. We will respond to requests within the timeframes required by law (generally within 30 days for GDPR requests, and 45 days for CCPA requests, with extensions if necessary). Note that these rights are subject to certain exemptions and limitations by law.

7. Cookies and Tracking Technologies

Clivio uses cookies and similar technologies to provide and improve our services:

  • Essential Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. For example, authentication cookies that keep you logged in, or preferences cookies that remember your settings. You can set your browser to block these cookies, but some parts of the site may not work.
  • Analytics Cookies: We use Google Analytics 4 (GA4) to collect information about how users interact with our site (e.g., pages visited, features used, time spent). This helps us understand user behavior and improve our service. Google Analytics 4 by default does not store users’ IP addresses and drops or anonymizes IP data for EU users before storage, which enhances privacy. The analytics cookies may collect information such as your device type, browser, and general location (country/city, derived from IP which is then anonymized).
  • Consent Management: In jurisdictions where it’s required (such as EU countries), we obtain your consent before setting non-essential cookies like analytics cookies. You will see a cookie banner or notice on your first visit which allows you to accept or reject analytics cookies. Even after consenting, you can always opt-out or withdraw consent: for example, by using our cookie settings tool (if provided) or through your browser settings. Google also provides a Google Analytics Opt-Out Browser Add-on if you wish to prevent your data from being used by Google Analytics on any website.
  • Third-Party Services: Besides Google Analytics, if we integrate any third-party services that use cookies or tracking (for example, an embedded video player or social media share button), we will inform you and obtain consent if required. Our site does not use any third-party advertising cookies at this time (we do not show ads), and we do not engage in behavioral advertising.

For more detailed information, please see our Cookie Policy (if provided separately) or reach out to us with any questions about our use of cookies.

8. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it. This includes:

  • Encryption: All data in transit between your device and our servers is encrypted using HTTPS/TLS. This means any data you send to Clivio (or that Clivio sends back to you) is encrypted to prevent eavesdropping. Additionally, we encrypt data at rest on our servers and databases whenever feasible.
  • Access Controls: Our team accesses user data only on a need-to-know basis. Administrative access to systems storing personal data is limited to authorized personnel who require it for their job (for example, technical support or system maintenance), and these personnel are bound by strict confidentiality obligations. We also employ two-factor authentication and other best practices to prevent unauthorized access to systems.
  • Monitoring and Testing: We regularly monitor our systems for possible vulnerabilities and attacks. We use firewalls and intrusion detection systems. We also periodically review our security procedures and may employ third-party experts to perform penetration tests.
  • Incident Response: In the event of a data breach or security incident affecting your personal data, we will notify you and relevant authorities as required by law. We have a breach response plan in place to quickly mitigate and address any security incidents.

Please note that no system can be 100% secure. While we strive to protect your information with strong measures, we cannot guarantee absolute security of data. It is important that you also take precautions – for instance, choose a strong, unique password for your Clivio account and keep your login credentials confidential. If you have any reason to believe that your interaction with us is no longer secure (for example, if you suspect your account has been compromised), please contact us immediately.

9. Children’s Privacy

Clivio is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16 years old. If you are under 16, you are not permitted to use Clivio or provide any personal data to us.
If we learn that we have inadvertently collected personal information from a child under 16, we will take steps to delete that information promptly. Parents or legal guardians who believe that their child under 16 may have provided us personal data can contact us and request deletion of such data.
Note: The age restriction is set to comply with international data protection laws. In certain jurisdictions, the age of digital consent may be lower (for example, 13 under U.S. COPPA for some services, or 15 under French data protection law). However, out of an abundance of caution and to simplify compliance across regions, we require all users to be at least 16. If you are 16 or 17 years old, you should use Clivio only with the permission and supervision of a parent or guardian. By using Clivio, you represent that you meet the minimum age requirement.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at contact@clivio.app. You can also reach us by mail at: Félix Boittin, Clivio – 10 rue des aqueducs, 94250 gentilly, france (see the Legal Notice below for full details). We will be happy to assist you and address any issues.