Privacy Policy

Effective Date: April 19, 2026
Last Updated: April 19, 2026

Clarus ("we," "our," or "us") is operated by Sumo Creations, LLC, located in Clackamas County, Oregon, United States. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, applications, and services (collectively, the "Service"). It covers both the marketing site at clarus.page and the signed-in application.

We believe privacy policies should be clear and honest. This document tells you exactly what data we collect, why, and what control you have over it.


1. Data We Collect

Information You Provide

  • Account information: Name, email address, and profile picture when you register.
  • Payment information: Billing details are processed through Polar.sh. We do not directly store your credit card or bank account numbers.
  • User content: Documents, memos, AI-generated output, and associated metadata that you create or upload through the Service.
  • Communications: Information you provide when contacting support, reporting bugs, or submitting feedback.

Information Collected Automatically

When you visit the marketing site or use the signed-in application, our hosting provider and application server receive standard request data such as:

  • IP address and approximate geographic location derived from your IP address
  • Browser and device information (device type, operating system, browser type and version)
  • Date and time of the request
  • Requested page and response status

We also use Plausible Analytics to measure pageviews and conversion events across both the marketing site and the signed-in application. Plausible is configured without cookies or persistent browser storage.

Marketing Attribution Data

If you arrive through a campaign link and click a tracked call to action such as "Get Started Free", we may record:

  • The landing path on our site
  • Standard campaign parameters in the URL, including utm_source, utm_medium, utm_campaign, and, when present, utm_content, utm_term, and utm_id
  • A high-level referrer URL
  • The call to action that was clicked
  • The time of the conversion event

We record this attribution on the server when the conversion happens.

What We Do Not Use Today

  • No Google Analytics
  • No advertising, remarketing, or retargeting pixels
  • No session replay or heatmap tools
  • No attribution cookies
  • No localStorage or similar browser storage for campaign tracking

If we later add any of these technologies, we will update this policy with at least 30 days' notice before enabling them, per Section 11.


2. How We Use Your Data

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process AI features by sending your content to third-party AI providers (see Section 3)
  • Process payments and manage your subscription through Polar.sh
  • Respond to support requests and communications
  • Understand which campaigns and landing pages lead to signups or inquiries
  • Monitor and improve Service performance, stability, and security
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

What We Do Not Do

  • We do not sell your personal data.
  • We do not share your data with third parties for their own marketing purposes.
  • We do not use your content to train AI models. Your documents, memos, and AI interactions are yours — not training data.
  • We do not serve targeted advertisements.

3. AI Features and Third-Party AI Providers

Clarus uses third-party AI providers to power its writing and analysis features. When you use an AI-powered feature, relevant content from your request is sent to these providers for processing.

What We Send to AI Providers

Only the content necessary to fulfill your specific request is transmitted. We do not send your entire account history, unrelated documents, or personal profile information.

Our Commitments

  • No model training: We do not use your content to train, fine-tune, or improve any AI models — ours or anyone else's.
  • AI interaction logs: We retain logs of AI interactions (prompts sent and responses received) for up to 90 days. These logs are used for debugging, abuse prevention, and service reliability. After 90 days, they are automatically deleted.
  • Provider selection: We select AI providers that commit, through their published API terms, to not training on customer data submitted through their APIs.

Current AI Providers

Clarus is currently on each provider's default commercial API tier. We have not yet upgraded to enterprise or zero-data-retention tiers. Below is what each provider contractually commits to on the tier we actually use today.

Anthropic (Claude models). Per Anthropic's commercial terms of service, content submitted through the API is not used to train Anthropic's models. Anthropic retains API inputs and outputs for up to 30 days for abuse monitoring, after which they are deleted. See the "Use of Customer Materials" section at anthropic.com/legal/commercial-terms.

Google (Gemini models). Per Google's Gemini API Additional Terms of Service, content submitted through the paid API tier is not used to train Google's models and is retained only for service operation and abuse monitoring. See ai.google.dev/gemini-api/terms.

Future Upgrade Path

When funded, Clarus intends to upgrade to Anthropic's Zero Data Retention tier (requires an approved Enterprise agreement) and Google's equivalent enterprise data-governance terms. Until that happens, the default-tier protections above apply. This policy will be updated before any such upgrade takes effect.

Providers Not Currently In Use

This policy previously listed OpenAI and Fireworks AI as potential providers. As of the current version, no user content is routed to OpenAI or Fireworks AI. If that changes, this policy will be updated at least 30 days before we route content to a new provider, per Section 11.

Important Limitation

Once your content is transmitted to a third-party AI provider, it is subject to that provider's own terms and data handling practices. We encourage you to review their policies. While we rely on contractual terms requiring our providers to handle your data responsibly, we cannot control their internal practices beyond those agreements.


4. Data Sharing

We share your information only in the following circumstances:

Recipient | What We Share | Why
Third-party AI providers (Anthropic, Google) | Content from AI feature requests | To process AI-powered features
Polar.sh | Billing and subscription details | Payment processing and metered AI credit usage
Plausible Analytics | Aggregated, cookieless pageview and conversion events | Site and product analytics
Resend | Email address and sign-in link | Transactional email delivery (sign-in, account notifications)
Cloud infrastructure providers | All hosted data (encrypted) | Service hosting and delivery

A detailed list of every sub-processor — including jurisdiction, the category of data we send, and a link to each vendor's data processing agreement — is maintained at Sub-processors.

We may also disclose information when required by law, court order, or governmental authority, or when necessary to protect the rights, safety, or property of Clarus, our users, or the public.

Corporate Transactions

If Clarus is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and prominent notice on the Service at least 30 days before any such transfer, and you will have the option to delete your account and data before the transfer takes effect.


5. Data Retention

We retain your data for specific, defined periods:

Data Type | Retention Period
Account information | While your account is active, plus 30 days after a deletion request
User content (documents, memos) | While your account is active; deleted within 30 days of account deletion
AI interaction logs | 90 days, then automatically deleted
Payment records | As required by tax and financial regulations (typically 7 years)
Analytics data (Plausible) | Aggregated by default; Plausible retains event-level records per its own retention policy
Support communications | 2 years after resolution, then deleted
Server request logs | Up to 90 days, then deleted or aggregated

When you delete your account, we begin the deletion process within 30 days. Some data may be retained longer where required by law (e.g., tax records) or to resolve disputes.


6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request an export of your data in a standard, machine-readable format.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

European Economic Area, UK, and Switzerland (GDPR)

In addition to the above, you have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interests
  • Lodge a complaint with your local data protection authority

Legal bases for processing: We process your data based on: (a) performance of our contract with you (providing the Service), (b) your consent (marketing communications), (c) our legitimate interests (security, fraud prevention, service improvement), and (d) compliance with legal obligations.

California (CCPA/CPRA)

You have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information — we do not sell your personal information
  • Non-discrimination for exercising your privacy rights

Oregon

As an Oregon-based company, we comply with applicable Oregon consumer privacy laws including the Oregon Consumer Privacy Act, which provides Oregon residents with rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling.

How to Exercise Your Rights

Contact us at support@clarus.page to exercise any of these rights. We will respond within 30 days. We may ask you to verify your identity before processing your request.


7. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected such information, we will promptly delete it. If you believe a child under 13 has provided us with personal data, please contact us at support@clarus.page.


8. International Data Transfers

Your data is processed in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for your data when transferred internationally.


9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM, application-layer envelope encryption for user content)
  • Access controls and authentication requirements
  • Regular review of security configurations and policies

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify affected users and relevant authorities as required by applicable law, within 72 hours of becoming aware of the breach.


10. Algorithmic Decision-Making

We do not use algorithms or automated profiling to make decisions that significantly affect you without the opportunity for human review.


11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • Minor changes (clarifications, formatting): Updated on this page with a new "Last Updated" date.
  • Material changes (new data collection, new sharing partners, changes to your rights, enabling new analytics or error-tracking technologies): We will notify you directly via email at least 30 days before the changes take effect. You will have the opportunity to review the changes and delete your account if you disagree.

Material updates to this policy are listed in our Privacy Policy Changelog.


12. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights:

  • Email: support@clarus.page
  • Mail: Sumo Creations, LLC, 16330 SW Kimball St., Lake Oswego, OR 97035

If you are in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.