Privacy Policy
How ClauseClear collects, uses, and protects personal data, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated:
1. Who we are
ClauseClear is a trading brand of PJ Consulting Group Ltd, a company registered in England & Wales under company number 13298258. Our registered office is on file at Companies House and is available on request to hello@clauseclear.co.uk. For the purposes of UK GDPR and the Data Protection Act 2018, PJ Consulting Group Ltd is the data controller for personal data processed through ClauseClear.
We are registered with the Information Commissioner’s Office (ICO) under registration number 00014050667.
We have not appointed a Data Protection Officer because we are not required to under UK GDPR Article 37. Data-protection enquiries are handled by the company directors at hello@clauseclear.co.uk.
2. What this policy covers
ClauseClear operates four data-handling surfaces, each governed by this policy:
- The merchant dashboard — where UK businesses sign up via Single Sign-On (SSO), submit their Terms & Conditions for audit, and approve a simpler-terms summary for publication. This handles personal data of the merchant’s nominated user(s).
- The free shopper check tool at /check — where any visitor can paste a UK shop’s T&Cs URL or text and receive a simpler-terms summary. Rate-limited; no sign-up required.
- The pre-launch waitlist at /coming-soon — where prospective customers can register their email address to be notified at public launch.
- The transactional and operational emails we send to merchants (account confirmation, audit-result notifications, change-detected alerts).
Public ClauseClear Verified pages (/verify/[slug] and /verify/[slug]/report) and the embed script merchants install on their own sites do not collect personal data from visitors.
3. What personal data we process, and why
3.1 Merchant account holders (via SSO)
When a merchant authenticates via Google or Microsoft Single Sign-On, the SSO provider passes us:
- email address (used as the account identifier and for transactional notifications);
- display name (if provided by the SSO provider);
- a unique SSO subject identifier (used to recognise returning users).
During onboarding the merchant provides their business name, sector, and optionally a solicitor contact email. They may subsequently submit Terms & Conditions text or URLs for audit. We also store the date and time the merchant clicked through our Terms of Service and Privacy Policy (clickwrap consent), the version of those documents they agreed to, and a salted, non-reversible hash of their source IP address at the moment of acceptance — this is a non-personal audit trail used to evidence consent if challenged.
Lawful basis: performance of the contract between the merchant and ClauseClear (UK GDPR Article 6(1)(b)) for account operation; our legitimate interest in maintaining an evidential audit trail of consent (Article 6(1)(f)) for the consent-timestamp record.
3.2 Visitors using the free /check tool
When a visitor submits a URL or text to /check, we record:
- the URL submitted or the textual content of what was pasted;
- a daily-salted SHA-256 hash of the visitor’s IP address (used solely for rate-limiting and abuse prevention);
- the timestamp and outcome (whether the audit completed, or failed at the scrape / paste-validation stage).
We do not record the raw IP address, browser fingerprint, browsing history, or any other identifying data. The salted hash is one-way and the salt is rotated daily, so the same visitor on different days produces different hashes.
Lawful basis: our legitimate interest in preventing abuse of the public service (UK GDPR Article 6(1)(f)). The processing is minimal and not directly identifying.
3.3 Waitlist signups at /coming-soon
When a visitor submits their email to the waitlist we record:
- email address;
- sign-up timestamp;
- source page (e.g.
/coming-soon); - a daily-salted SHA-256 hash of the visitor’s IP address (abuse prevention only).
Lawful basis: the visitor’s explicit consent (UK GDPR Article 6(1)(a)) given by submitting the form. You can withdraw consent at any time by emailing us; we will delete your record within 14 days.
We use waitlist emails only to notify you when ClauseClear opens to public signups. We do not pass them to any third party.
3.4 Solicitor referral emails
A merchant may optionally nominate a solicitor email address during onboarding so that compliance reports can be copied to that solicitor. The nominated solicitor is a third-party data subject and we process only their professional contact email.
Lawful basis: the legitimate interest of the merchant (and ClauseClear, as their data processor for that purpose) in routing compliance information to nominated advisors (Article 6(1)(f)). The merchant warrants they have the necessary basis to share that contact with us.
3.5 Domain-level demand signals (not personal data)
When a visitor uses /check, we also keep a domain-level record (e.g. example.co.uk) with a count of how many times that domain has been scanned and how many visitors have indicated they would like the merchant to become verified. This is not personal data — it relates to the merchant domain, not the visitor — but we mention it for transparency.
3.6 Cookies and session storage
We use a small number of strictly-necessary cookies and tokens. We do not use any third-party analytics, advertising, or tracking cookies.
Full detail on each cookie is in our Cookies Policy. In summary:
- Supabase session cookie — signed-in merchants only; expires on sign-out or at the configured session lifetime.
- Soft-launch preview cookie (
cc_preview) — used during the pre-launch period to remember authorised previewers; 7-day lifetime; not used after public launch.
3.7 What we do not collect
- We do not use third-party analytics, advertising, or tracking cookies.
- We do not sell personal data to anyone, ever.
- We do not profile visitors for marketing purposes.
- The embed script that merchants install on their sites does not collect data about their shoppers; it fetches a static, cached summary keyed by the merchant slug.
- We do not knowingly collect data on children under 18. ClauseClear is a business-to-business service intended for UK commercial use only.
4. How long we keep data
- Merchant account data and audits: kept while the merchant has an active account. On account closure, we delete or anonymise within 90 days, except where retention is required by law (e.g. tax records under HMRC retention rules, which mandate 6 years).
- Salted IP hashes from /check and waitlist: retained for up to 90 days, then deleted. The daily salt rotation effectively limits identifiability to that day’s window.
- Domain-level scan counters: retained indefinitely as non-personal aggregate data.
- Waitlist signups: retained until ClauseClear opens to public signups, at which point we send a single launch notification email and delete the waitlist entry within 30 days unless the recipient has converted to a merchant account.
- Authentication tokens: session-bound and managed by Supabase Auth; expire on sign-out or after the configured session lifetime.
- Off-site backups: retained for up to 90 days then rotated. Backups are encrypted at rest and not accessed except for recovery purposes.
5. Who we share data with (processors)
We use a small number of carefully-chosen processors. Each is contractually bound (by their published Data Processing Addendum or our signed agreement) to act only on our instructions and to protect personal data to the standards required by UK GDPR.
The complete and current list is at /subprocessors. In summary:
- Supabase Inc. — database, authentication, storage. Hosted in the European Union (Frankfurt). Our primary processor.
- Vercel Inc. — hosting and CDN. Edge servers globally; primary region in the EU.
- Anthropic PBC — provides the Claude Haiku model used to translate Terms & Conditions into simpler-terms summaries. Processing occurs on Anthropic’s US infrastructure under the UK International Data Transfer Agreement and Anthropic’s commercial terms.
- Resend Inc. — transactional email delivery. Processing region: European Union (Ireland). Used only for transactional and operational emails, never marketing without consent.
- Google Ireland Ltd and Microsoft Ireland Operations Ltd — Single Sign-On providers. They process the authentication event and confirm the user’s identity. Their own privacy policies cover that processing.
We do not disclose personal data to anyone else except where required by law, court order, or to defend our legal rights.
6. International transfers
Most of our processing happens within the United Kingdom or European Economic Area (EEA). The principal exception is the Claude Haiku translation step, which processes the merchant’s submitted Terms & Conditions text on Anthropic’s US infrastructure. The text typically does not contain personal data of any individual, but the processing nonetheless constitutes an international data transfer.
We rely on the UK International Data Transfer Agreement (IDTA) (or the UK Addendum to the EU Standard Contractual Clauses, where Anthropic uses that framework instead) to safeguard those transfers.
Where SSO providers (Google, Microsoft) operate global infrastructure, we rely on the UK adequacy decision for the EEA and on each provider’s published international-transfer safeguards (typically Standard Contractual Clauses).
7. Your rights under UK GDPR
You have the following rights:
- Right of access — request a copy of the personal data we hold about you;
- Right to rectification — ask us to correct inaccurate or incomplete data;
- Right to erasure (“right to be forgotten”) — ask us to delete personal data, subject to legal retention requirements;
- Right to restrict processing in certain circumstances;
- Right to data portability — receive your data in a structured, machine-readable format;
- Right to object to processing based on legitimate interests;
- Right to withdraw consent at any time where processing is based on consent (this does not affect lawful processing carried out before withdrawal);
- Right to lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.
To exercise any of these rights, email hello@clauseclear.co.uk with the subject line “Subject access request” (or describe the right you want to exercise). We will respond within one calendar month of receiving the request, as required by UK GDPR Article 12(3). If we need to extend that period (which is rare), we will tell you within the first month and explain why.
To verify your identity before fulfilling a request, we may ask you to confirm details associated with your account or to provide proof of identity.
8. Automated processing and AI
ClauseClear uses automated processing to:
- run our deterministic rules engine over a merchant’s published Terms & Conditions and produce red, amber, or green findings;
- generate a simpler-terms summary of the same Terms & Conditions using a large language model (Claude Haiku, from Anthropic).
We do not make automated decisions that produce legal effects concerning individuals, or which significantly affect individuals within the meaning of UK GDPR Article 22. Our outputs are advisory: they inform the merchant’s own decision-making about their Terms & Conditions; they do not determine any individual’s rights, benefits, or treatment.
ClauseClear’s outputs are not legal advice, and the “Verified” badge does not constitute a regulatory endorsement. Our public Terms of Service explain the scope and limits of what the product produces.
9. Marketing communications
We send transactional and operational emails to merchants (welcome email, audit results, change-detected alerts, billing notifications). These are necessary to operate the contract between us and are not marketing.
We do not send marketing emails by default. If we introduce a product newsletter in future, we will do so on an opt-in basis only, and every newsletter email will include a one-click unsubscribe link (compliant with the Privacy and Electronic Communications Regulations 2003).
10. Children’s data
ClauseClear is a business-to-business service intended for UK commercial use only. We do not knowingly collect or process personal data of individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact us at hello@clauseclear.co.uk and we will delete it immediately.
11. Security
All data is transmitted over HTTPS (TLS 1.2 or higher) and encrypted at rest by Supabase. Merchant data is isolated at row level using PostgreSQL Row-Level Security policies, such that one merchant cannot read another merchant’s data and only the service-role server backend can read public-verify projections.
Authentication is handled by Supabase Auth using industry-standard OAuth 2.0 flows. Server-side secrets are stored in Vercel encrypted environment variables. Source code is held in a private GitHub repository.
Full details of our security posture, certifications, and operational controls are at /security.
No internet service is perfectly secure. If a personal-data breach occurs that is likely to result in a risk to the rights and freedoms of any individual, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in high risk to rights and freedoms, we will also notify affected individuals without undue delay, as required by Article 34.
12. Data Processing Agreement for Enterprise customers
Enterprise customers who need a signed Data Processing Agreement under UK GDPR Article 28 can review our standard DPA at /dpa and request a counter-signed copy by emailing hello@clauseclear.co.uk.
13. Changes to this policy
We will update this policy when our practices change, or when required by law. Material changes affecting how we process personal data will be notified by email to active merchant accounts. The “Last updated” date at the top of this page indicates the most recent revision.
Previous versions of this policy are available on request to hello@clauseclear.co.uk.
14. How to contact us
For any privacy or data-protection matter:
- Email: hello@clauseclear.co.uk
- Post: PJ Consulting Group Ltd, c/o ClauseClear — registered office address available on request to hello@clauseclear.co.uk (also on file at Companies House under company number 13298258)
- Phone: 0161 850 5277 (Monday-Friday, UK business hours)
If you are not satisfied with our response, you have the right to escalate to the ICO at ico.org.uk/make-a-complaint or by phone on 0303 123 1113.