Legal

Privacy Policy

How Clerk collects, uses, and protects personal data — and the rights available to you under the General Data Protection Regulation.

Last updated:

1. Who we are

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Luxembourg Law of 1 August 2018 on the organisation of the National Data Protection Commission (CNPD), the data controller is:

Clerk, a company organised under the laws of the Grand Duchy of Luxembourg, with its registered office in Luxembourg City (registration number to be inserted, VAT number to be inserted), acting through its authorised representatives.

You can contact our data-protection team at privacy@clerk.lu for any question relating to this policy or to the processing of your personal data.

2. What this policy covers

This policy applies to personal data processed by Clerk in connection with the Clerk web application (the "Service"), our public website at clerk.lu, and our communications with prospects, users and contacts.

3. Information we collect

3.1 Account data

When you create an account, we collect your name, professional email address, and a password (stored as a salted hash). If you sign in via an identity provider, we collect the data fields disclosed by that provider.

3.2 Usage data

We collect technical information about how you use the Service: pages viewed, features used, requests made, error events, and approximate location derived from IP address. This is used for security, abuse prevention, and product improvement.

3.3 Documents you upload or paste

You may upload or paste legal documents into the Service for analysis. Before any document content is sent to a third-party language model, Clerk performs an anonymisation step that replaces names, organisations, addresses and other identifying data with neutral placeholders. You see and confirm every replacement before processing begins.

We retain the anonymised text of analyses you have explicitly saved. We do not retain the original (unredacted) document text unless you have explicitly saved it to your Vault.

3.4 Cookies and similar technologies

We use a small number of strictly necessary cookies for authentication and session management. We do not use third-party advertising or cross-site tracking cookies. See the Cookies section below for details.

4. Why we process your data (lawful bases)

Under Article 6 of the GDPR, we rely on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service to account holders and respond to support requests.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, improve our product, and communicate with prospects who have expressed interest.
  • Consent (Art. 6(1)(a)) — for optional marketing communications, where applicable.
  • Legal obligation (Art. 6(1)(c)) — to comply with bookkeeping, tax, and regulatory obligations.

5. Anonymisation of legal documents

Clerk is designed around the principle that identifiable client data should not reach a third-party language model. Our anonymisation step runs before any content is transmitted to a language-model provider, and the redaction map is presented to you for review.

We treat the original (unredacted) document text as belonging to you. We do not use it to train models — ours or anyone else's — and we do not retain it beyond what is required to complete the requested analysis, unless you save it to your Vault.

6. Sharing your data

We do not sell personal data. We share data only with the categories of recipients listed below, in each case under written agreements that include the contractual safeguards required by the GDPR:

  • Authentication and database provider for account management and storage.
  • Cloud-hosting provider for serving the Service and storing operational data within the European Union.
  • Language-model provider for processing the anonymised content of your queries. Our agreements include zero-data-retention terms.
  • Email and customer-support tooling for transactional communications and support tickets.
  • Professional advisers, auditors and authorities where required by law or to defend our legal interests.

A current list of subprocessors is available on request from privacy@clerk.lu.

7. International transfers

We process personal data within the European Union. Where a subprocessor is established outside the EU/EEA, transfers are governed by the European Commission's Standard Contractual Clauses, supplementary measures where required, and any applicable adequacy decision.

8. Data retention

We retain account data for as long as your account is active and for a limited period afterwards to allow account recovery, comply with legal obligations and resolve disputes. Operational logs are retained for up to 12 months. Anonymised analyses and saved documents are retained until you delete them.

9. Your rights under the GDPR

You have the following rights in relation to personal data we hold about you (Articles 15–22 GDPR):

  • The right to access your personal data.
  • The right to rectification of inaccurate data.
  • The right to erasure ("the right to be forgotten").
  • The right to restriction of processing.
  • The right to data portability.
  • The right to object to processing based on legitimate interests.
  • The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
  • The right to withdraw consent, where consent is the lawful basis.

To exercise any of these rights, contact us at privacy@clerk.lu. You also have the right to lodge a complaint with the Luxembourg supervisory authority, the Commission nationale pour la protection des données (CNPD), or with the data-protection authority in your member state of residence.

10. Cookies

We use only strictly necessary cookies, namely:

  • Authentication cookies set by our authentication provider to keep you signed in.
  • Session cookies for security (CSRF protection, session integrity).

We do not use analytics, advertising or cross-site tracking cookies, and accordingly do not display a consent banner for optional cookies.

11. Children

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can delete it.

12. Changes to this policy

We may update this policy from time to time. The date at the top of this page reflects the most recent update. For material changes, we will give account holders advance notice by email.

13. How to contact us

For any question, request or complaint relating to this policy, please write to privacy@clerk.lu.