clausifai is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains what Personal Information we collect, why we collect it, how we use and disclose it, and your rights in relation to it.
1. Who We Are
Clausifai Pty Ltd (ABN: 18696797627) operates the clausifai Platform at clausifai.com. We are the "APP entity" responsible for the Personal Information collected through the Platform.
- Privacy enquiries and complaints: support@clausifai.com
- Mailing address: Ground Floor, 10 Pulteney Street
2. What Personal Information We Collect
2.1 Account Registration Data
When you register for a clausifai account, we collect:
- Full name
- Email address
- Password (stored as a cryptographic hash via Supabase Auth - not accessible to clausifai staff)
- Business name (app)
- Australian Business Number (ABN)
2.2 Contract and Usage Data
When you use the Platform to generate, edit, upload, or sign Contracts, we collect:
- Deal descriptions and prompts you enter into the Platform ("User Input")
- AI-Generated Content produced in response to your User Input
- Contract version history and edit logs
- Contract status (draft, sent, signed, etc.)
2.3 E-Signature and Recipient Data
When you send a signing request, we collect and process:
- Recipient email address (provided by you)
- Signing event timestamps (sent, opened, signed)
- Time spent reviewing the document
- IP address of the signing device
2.4 Waitlist Data
If you join the clausifai waitlist at clausifai.com before the Platform is available, we collect your email address and the date and source of your submission. Waitlist data is not accessible to authenticated users - it is accessible only via service role.
2.5 Technical and Analytics Data
We automatically collect certain technical information when you access the Platform, including:
- IP address (subject to anonymisation - see clause 7.5)
- Browser type and version
- Pages visited and features used
- Session duration and referral source
This data is collected via PostHog analytics with IP anonymisation enabled.
3. How We Use Your Personal Information
| Purpose | Lawful Basis (APP Reference) |
|---|---|
| Creating and managing your account | APP 3 - collection for primary purpose |
| Generating AI-powered Contracts | APP 3 - collection for primary purpose |
| Verifying your ABN against the ABR | APP 3 - collection for primary purpose |
| Sending signing requests and reminder emails | APP 3 / Spam Act consent |
| Providing the Contract Vault and version history | APP 3 - collection for primary purpose |
| Sending transactional emails (receipts, alerts) | APP 3 - collection for primary purpose |
| Product analytics and platform improvement | APP 3.4 - related secondary purpose |
| Waitlist communications and product updates | Spam Act 2003 - express consent |
| Investigating security incidents or fraud | APP 6 - required or authorised by law |
| Compliance with legal obligations | APP 6.2 - required by law |
4. Disclosure of Personal Information
4.1 Third-Party Service Providers
We disclose Personal Information to the following third-party providers to operate the Platform. Each provider is bound by contractual data processing obligations:
| Provider | Data Disclosed / Purpose |
|---|---|
| Anthropic (USA) | User Input (contract prompts) - AI generation. Zero Data Retention option: enabled. |
| Supabase (USA) | All structured data - database, auth, file storage |
| Vercel (USA) | Application requests - serverless hosting |
| Resend (USA) | Recipient email addresses - transactional emails |
| Cloudflare (USA) | DNS, email routing - infrastructure |
| PostHog (USA/EU) | Anonymised analytics data |
| ABR / ATO (Australia) | ABN - live verification only |
4.2 Overseas Disclosure
⚠ Personal Information may be disclosed to overseas recipients, including Anthropic, Supabase, Vercel, Resend, Cloudflare, and PostHog, whose servers are primarily located in the United States. By using the Platform, you consent to this overseas disclosure under APP 8.1. clausifai takes reasonable steps to ensure these overseas recipients comply with privacy standards substantially similar to the APPs through Data Processing Agreements and supplier assessments.
4.3 Server Location
Supabase database and storage instances are hosted in the Oceania (Sydney) region, ap-southeast-2. Vercel edge and serverless functions may operate from multiple global regions. You should review Supabase's and Vercel's current infrastructure documentation for the most up-to-date server location information.
4.4 No Sale of Personal Information
clausifai does not sell, rent, or trade your Personal Information to third parties for their own marketing or commercial purposes.
4.5 Disclosure Required by Law
We may disclose Personal Information where required or authorised by Australian law, including in response to a valid court order, subpoena, or regulatory demand from the OAIC, ACCC, ATO, or law enforcement.
5. Sensitive Information
We do not intentionally collect sensitive information as defined under the Privacy Act 1988 (Cth) (including health information, racial or ethnic origin, political opinions, religious beliefs, or criminal records). You should not enter sensitive information about yourself or third parties into the Platform as part of a Contract unless it is strictly necessary for the purposes of that Contract and you have the lawful basis to do so.
6. Contract Content and AI Processing
6.1 Contract Content as Personal Information
Contract content may contain Personal Information about you, your counterparties, employees, or customers. This information is:
- stored in Supabase (encrypted at rest with AES-256, in transit with TLS 1.3);
- transmitted to Anthropic's Claude API for AI generation and risk analysis;
- accessible only to you via Row Level Security controls - clausifai staff cannot access your Contracts through the user-facing interface.
6.2 Anthropic Zero Data Retention
clausifai has taken steps to enable Anthropic's Zero Data Retention (ZDR) option, which means contract content submitted to the Claude API is not retained by Anthropic for model training. You should verify Anthropic's current ZDR policy at anthropic.com as policies may change.
6.3 Staff Access to Contracts
clausifai staff do not routinely access your Contract content. Access by authorised personnel may occur only for:
- security incident response;
- compliance with a legal obligation;
- technical support at your explicit request.
Such access is logged and subject to internal access controls.
7. Email Communications
7.1 Transactional Emails
We send transactional emails that are necessary to operate the Platform, including account verification, password reset, Contract signing requests, signing confirmations, and Contract reminders. These emails are sent from noreply@clausifai.com via Resend. You cannot opt out of transactional emails while you maintain an active account.
7.2 Waitlist and Marketing Emails
If you join the waitlist, you consent to receive product updates and announcements from clausifai. Every marketing or commercial electronic message we send will include a clear and functional unsubscribe mechanism in compliance with the Spam Act 2003 (Cth). You may unsubscribe at any time by:
- clicking the unsubscribe link in any marketing email; or
- emailing support@clausifai.com.
7.3 Automated Signing Reminders
The Platform may send automated reminder emails to Recipients on your behalf if a signing request has not been actioned within 48 hours. These reminders are sent via Resend. By initiating a signing request, you represent that the Recipient has consented to receive communications from clausifai in connection with the signing of the Contract.
7.4 Spam Act Compliance
All commercial electronic messages sent by clausifai comply with the Spam Act 2003 (Cth). We will not send commercial electronic messages to Recipients or waitlist contacts without consent. Every commercial message will identify clausifai as the sender and contain a functional unsubscribe facility.
7.5 Analytics and Tracking
We use PostHog to collect anonymised analytics data about Platform usage. PostHog is configured with IP anonymisation enabled. We do not use cookies for targeted advertising. You may manage cookie preferences via the cookie consent banner displayed on first access to the Platform.
8. Data Security
clausifai implements the following security measures to protect Personal Information:
| Security Control | Detail |
|---|---|
| Encryption at rest | AES-256 (Supabase Storage and database) |
| Encryption in transit | TLS 1.3 for all data transmissions |
| Access control | Row Level Security (RLS) on all database tables |
| Authentication | Supabase Auth with session token management |
| Signed document integrity | SHA-256 cryptographic hash of signed document content, generated at signing time and stored immutably for integrity verification |
| Staff access controls | Role-based access with audit logging |
Despite these measures, no internet-based system is completely secure. In the event of a data breach that is likely to result in serious harm, clausifai will comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), including notifying the OAIC and affected individuals as required.
9. Retention and Deletion
9.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | Duration of account + 30 days post-deletion |
| Contract content and versions | Duration of Subscription + 12 months, or earlier deletion on request |
| Signed PDFs | Duration of Subscription + 7 years for legal hold |
| Waitlist email addresses | Until unsubscribe or account creation, or 3 years from collection |
| E-signature audit trail | 7 years - to satisfy limitation periods under the Limitation Act 1969 (NSW) |
| Analytics data (anonymised) | 24 months |
9.2 Deletion on Request
You may request deletion of your Personal Information by contacting support@clausifai.com. We will action deletion requests within 30 days, subject to any legal hold obligations under clause 9.4.
9.3 Audit Trail
Clausifai does not guarantee that audit trails or electronic signatures will be accepted as evidence in any court.
9.4 Legal Hold
We may retain Personal Information beyond the periods above where required by law, regulation, or legal proceedings, including:
- records required under the Corporations Act 2001 (Cth);
- records relevant to actual or anticipated litigation;
- records required by a court order or regulatory demand.
10. Your Rights Under the Australian Privacy Principles
Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights:
| Right | How to Exercise |
|---|---|
| Access (APP 12) - request a copy of your Personal Information | Email support@clausifai.com - response within 30 days |
| Correction (APP 13) - request correction of inaccurate data | Email support@clausifai.com - response within 30 days |
| Deletion - request erasure of your Personal Information | Email support@clausifai.com - response within 30 days (subject to legal hold) |
| Data export - download your Contracts and data | Via account settings export function |
| Complaint - lodge a privacy complaint | See clause 11 below |
| Opt-out of marketing emails | Unsubscribe link in any marketing email, or email privacy@clausifai.com |
11. Privacy Complaints
11.1 Internal Complaint Process
If you have a complaint about our handling of your Personal Information, please contact us at support@clausifai.com with a description of the issue. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.
11.2 External Complaint - OAIC
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
12. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Information from minors. If you believe a minor has provided Personal Information to us, please contact support@clausifai.com and we will delete the information promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email at least 14 days before the updated policy takes effect. The current version of the Privacy Policy is always available at clausifai.com/privacy.
14. Contact Us
For all privacy-related enquiries, access or correction requests, and complaints:
- Email: support@clausifai.com
- Mail: Privacy Officer, clausifai Pty Ltd, 10 Pulteney Street, Adelaide 5000 (email: karisa@clausifai.com)
- Response time: 5 business days (acknowledgement), 30 days (substantive response)
This Privacy Policy was prepared to comply with the Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), Spam Act 2003 (Cth), and applicable Australian Consumer Law.