Clarium

Privacy Notice

Last updated: 3 April 2026

1. Introduction

Clarium Systems Limited ("Clarium", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Notice explains how we collect, use, store, and protect your personal information when you use our GDPR compliance documentation platform (the "Service").

We are a Jersey-registered company and process personal data in accordance with the Data Protection (Jersey) Law 2018, which is equivalent to the EU General Data Protection Regulation (GDPR) with Jersey-specific provisions.

Please read this Privacy Notice carefully. By using Clarium, you acknowledge that you have read and understood how we process your personal data.

2. Data Controller Information

Data Controller: Clarium Systems Limited

Jurisdiction: Jersey, Channel Islands

Contact Email: [email protected]

Data Protection Officer: [email protected]

3. Supervisory Authority

Our supervisory authority for data protection matters is:

Jersey Office of the Information Commissioner (JOIC)

Website: https://oicjersey.org/

Email: [email protected]

Phone: +44 (0) 1534 716530

Adequacy Status: Jersey has been granted adequacy status by the European Union (January 2024) and is recognized as adequate by the UK, meaning data transfers between Jersey, the EU, and UK do not require Standard Contractual Clauses.

If you are based in the UK or EU, you also have the right to lodge a complaint with your local data protection authority (e.g., UK Information Commissioner's Office or your EU Member State authority).

4. What Personal Data We Collect

4.1 Account Information

  • Full name
  • Email address
  • Job title/role
  • Organization name
  • Profile picture (if using Google or Microsoft authentication)

Legal Basis: Contract (Article 6(1)(b)) - necessary to provide the Service

4.2 Authentication Data

  • Login credentials via OAuth providers (Google Workspace, Microsoft Entra ID/Azure AD)
  • OAuth tokens (temporary, not stored long-term)
  • Session tokens (JWT - JSON Web Tokens)
  • Login timestamps and IP addresses

Note: We do not support email/password authentication.

4.3 GDPR Compliance Documentation (Customer Content)

  • Business process descriptions (Article 30 Records of Processing Activities)
  • IT system names, vendors, locations
  • Data flow maps and visual diagrams
  • Data categories, data subjects, lawful basis selections
  • System verification details and security certifications
  • Uploaded documents (policies, procedures - PDF, DOCX, max 5MB)

Important: We are a data processor for this content. You (the customer organization) are the data controller and determine what personal data (if any) is included in your business process descriptions. We recommend not including individual names or contact details of data subjects in your process descriptions.

4.4 Billing & Payment Information

  • Billing name and address
  • Organization tax/VAT number (if applicable)
  • Payment card details (last 4 digits only - full card data stored by SumUp, not by us)
  • Payment history and invoice records

Third-Party Processor: SumUp (SumUp Limited, London/Dublin)

4.5 Usage & Analytics Data

  • Pages visited and features used
  • Time spent on platform
  • Actions performed (e.g., "created process", "verified system")
  • Browser type, device type, operating system

Legal Basis: Legitimate Interests (Article 6(1)(f)) - improve Service quality

4.6 Technical & Log Data

  • IP addresses
  • Error logs and debugging information
  • API request logs (rate limiting, performance monitoring)
  • Platform Admin impersonation logs (when support accesses your account)

Retention: 30 days (logs), 12 months (Platform Admin impersonation logs)

5. How We Use Your Personal Data

PurposeLegal Basis
Provide the Service (account access, GDPR documentation features)Contract (Article 6(1)(b))
Process payments & billingContract (Article 6(1)(b))
Send transactional emails (invitations, notifications)Contract (Article 6(1)(b))
Customer supportContract & Legitimate Interests
Improve Service quality (analytics)Legitimate Interests (Article 6(1)(f))
Security & fraud preventionLegitimate Interests (Article 6(1)(f))
Comply with legal obligationsLegal Obligation (Article 6(1)(c))

6. Data Storage & Location

✅ All customer personal data is stored and processed exclusively within the European Union on Microsoft Azure infrastructure.

Clarium runs entirely on Microsoft Azure, with all environments configured to European Union regions:

  • Primary Environment: Azure North Europe (Dublin, Ireland) — application hosting, database, file storage, authentication
  • Disaster Recovery: Azure West Europe (Amsterdam, Netherlands) — data replication and failover
  • AI Processing: Azure AI Services, Azure Sweden Central — temporary processing only during AI extraction (seconds); no data persisted
  • CDN & DDoS Protection: Cloudflare — static assets and DNS only; no customer personal data is stored or processed at Cloudflare edge nodes
  • Cookie Consent: CookieYes — consent preference records only
  • Backups: Azure North Europe, geo-redundant to Azure West Europe — 30-day retention, AES-256 encryption at rest

No customer data is transferred to the United States or any country outside the European Economic Area.

7. Third-Party Data Processors

7.1 Infrastructure & Hosting

ProviderPurposeLocationPersonal Data
Microsoft AzureApplication hosting, database, storage, authenticationNorth Europe (Dublin, Ireland) — primary
West Europe (Amsterdam) — DR		Yes — all customer data
Azure AI ServicesAI extraction of GDPR fields from documentsSweden CentralTemporary only (seconds) — not persisted; not used for model training
CloudflareCDN, DDoS protection, DNSGlobal CDN (static assets only)No personal data persisted at edge
CookieYesCookie consent managementEUConsent preferences only

7.2 Payment Processing

SumUp (SumUp Limited, London/Dublin) handles all payment processing. We do NOT store your full credit card number - we only receive and store the last 4 digits for identification.

7.3 AI Processing

AI extraction of GDPR fields from uploaded documents uses Azure AI Services hosted in Azure Sweden Central— entirely within the EU. Document content is processed temporarily (seconds) during extraction only and is not retained by the AI service. Microsoft's Azure AI Services DPA confirms data is not used for model training.

8. Data Retention

Data TypeRetention Period
Active Account DataDuration of subscription + 30 days
Deleted Records (Soft Delete)30 days (recovery window)
Audit Logs12 months
Backup Data30 days rolling
Session Data24 hours or logout
Email Delivery Logs90 days
Error Logs30 days
Platform Admin Impersonation Logs12 months

9. Your Data Subject Rights

Under the Data Protection (Jersey) Law 2018 and GDPR, you have the following rights:

Right of Access (Article 15)

Obtain confirmation of whether we process your personal data and access a copy.

How: Settings → Export → Download your data (UROPA JSON format)

Right to Rectification (Article 16)

Correct inaccurate personal data and complete incomplete data.

How: Edit your profile and organization settings directly in the platform

Right to Erasure (Article 17)

Request deletion of your personal data in certain circumstances.

How: Settings → Account → Delete Account

Right to Data Portability (Article 20)

Receive your data in a structured, commonly used, machine-readable format.

How: Settings → Export → Download your data

Right to Restrict Processing (Article 18)

Contact [email protected] to request account pause (read-only mode).

Right to Object (Article 21)

Contact [email protected] with details of your objection.

Response Time: Within 28 days (Data Protection (Jersey) Law 2018)

Contact: [email protected]

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.

For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie Policy.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

11. Technical Measures

Technical Measures

  • Encryption at Rest: AES-256 encryption (Azure Storage Service Encryption)
  • Encryption in Transit: TLS 1.3 (HTTPS only)
  • Database Security: Row-Level Security (RLS) with organization isolation
  • Authentication: OAuth 2.0 (Google Workspace, Microsoft Entra ID), JWT tokens (7-day expiry, HTTP-only cookies)
  • Access Control: Role-based permissions (5 roles: Platform Admin, Superuser, DPC, Contributor, Viewer)

Organizational Measures

  • Staff access to customer data on need-to-know basis only
  • All Platform Admin access to customer accounts is logged (12-month retention)
  • Breach notification within 72 hours (Jersey Law requirement)
  • Daily automated backups (Azure-managed, North Europe primary / West Europe geo-redundant, 30-day retention)

12. Changes to This Privacy Notice

We may update this Privacy Notice from time to time.

  • Material Changes: Email notification to account administrators at least 30 days before changes take effect
  • Minor Changes: Updated "Last Updated" date; continued use constitutes acceptance

13. Contact Us

Privacy Inquiries: [email protected]

General Support: [email protected]

Website: https://clarium.app

Document Control

Version:
1.2
Effective Date:
13 January 2026
Last Updated:
3 April 2026
Owner:
Will Wilson (Founder & Data Protection Officer)
Next Review:
March 2027
Governing Law:
Data Protection (Jersey) Law 2018