Privacy Policy
Effective Date: January 8, 2026
Last Updated: January 8, 2026
This Privacy Policy describes how Astor Ventures B.V. (“Company”, “we”, “us”, or “our”), trading as Clara, collects, uses, and protects your personal information when you use our AI-powered contract review service (“Service”).
We are committed to protecting your privacy and handling your data responsibly. As a tool built for legal professionals, we understand the importance of confidentiality and data security.
1. Data Controller
The data controller responsible for your personal data is:
Astor Ventures B.V.
KvK: 83221298
Amsterdam, Netherlands
Email: support@clara.legal
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name — Your full name
- Email address — Used for authentication and communication
- Company/Organization name — Your firm or business name
- Password — Stored securely using industry-standard hashing (never stored in plain text)
2.2 Documents & Analysis
When you use the Service, we process:
- Uploaded documents — Contracts and other files you upload for analysis, stored encrypted
- Analysis results — AI-generated summaries, risk flags, key terms, and other output
- Chat conversations — Questions you ask about your documents and the AI responses
2.3 Usage Data
We collect information about how you use the Service:
- Features accessed and actions taken
- Number of documents analyzed
- Session duration and frequency
Important: Usage data does not include the content of your documents or analyses.
2.4 Technical Data
We automatically collect certain technical information:
- IP address
- Browser type and version
- Device type and operating system
- Referring URL
2.5 Payment Information
Payment processing is handled by our Merchant of Record, Paddle.com Market Limited (“Paddle”). We do not store your credit card details or other payment credentials. Paddle collects and processes payment information in accordance with their own privacy policy.
3. How We Use Your Information
We use your information to:
- Provide the Service — Process your documents, generate analyses, and deliver the core functionality
- Manage your account — Authentication, authorization, and account settings
- Send transactional emails — Account verification, password reset, billing receipts
- Send product updates — New features, tips, and service announcements (you can opt out)
- Improve the Service — Analyze usage patterns to enhance features and user experience
- Ensure security — Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations — Respond to legal requests and fulfill regulatory requirements
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on:
| Legal Basis | Purpose |
|---|---|
| Contract Performance | Providing the Service, processing documents, managing your account |
| Legitimate Interests | Service improvement, security, fraud prevention |
| Consent | Marketing communications (you can withdraw consent at any time) |
| Legal Obligation | Tax records, compliance with law enforcement requests |
5. AI Processing
Your documents are processed using AI technology provided by Mistral AI, a French company. Key points:
- EU-hosted: All AI processing occurs on servers located in the European Union (France)
- No training on your data: Your documents are never used to train or improve AI models
- No retention by AI provider: Mistral AI does not retain your documents after processing
- Data residency maintained: Your data never leaves the EU during AI processing
6. Data Sharing
We share your information only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Mistral AI | Document analysis (AI processing) | France (EU) |
| Paddle | Payment processing, invoicing | United Kingdom |
| Brevo | Transactional email delivery | France (EU) |
| Plausible Analytics | Privacy-friendly website analytics | Estonia (EU) |
| Scaleway | Cloud infrastructure, database hosting | France (EU) |
We do not sell your personal data. We do not share your data with advertisers or marketing companies. We do not share your data for purposes unrelated to providing the Service.
7. International Data Transfers
All data processing occurs within the EU/EEA. Our infrastructure is hosted entirely in France (EU) using Scaleway, a French cloud provider.
The only exception is Paddle (UK), our payment processor. The UK benefits from an EU adequacy decision, meaning data transfers to the UK are permitted under GDPR without additional safeguards.
We do not transfer data to the United States or other third countries.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Retained while your account exists |
| Documents & analyses (canceled subscription) | Retained indefinitely (Free tier read-only access) |
| Documents & analyses (account deletion) | Deleted within 30 days from primary systems |
| Backup data (after account deletion) | Deleted within 90 days |
| Payment records | As required by law (typically 7 years) |
When you cancel your subscription, you are downgraded to our Free tier with read-only access to your existing documents. Your data is retained so you can return and upgrade at any time.
If you delete your account, all your data (documents, analyses, account information) will be permanently removed from our systems within the timeframes above.
9. Your Rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (“right to be forgotten”)
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Withdraw Consent: Withdraw consent for processing based on consent at any time
To exercise any of these rights, contact us at support@clara.legal.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
10. Cookies & Tracking
10.1 Essential Cookies
We use essential cookies that are strictly necessary for the Service to function:
- Session cookies: Maintain your authenticated session
- Preference cookies: Remember your language and theme preferences
These cookies do not require consent under EU law as they are necessary for the Service.
10.2 Analytics
We use Plausible Analytics, a privacy-friendly analytics tool that:
- Does not use cookies
- Does not collect personal data
- Does not track users across websites
- Is GDPR compliant by design
No consent is required for Plausible as it does not process personal data.
10.3 No Third-Party Tracking
We do not use advertising cookies, social media tracking pixels, or any third-party tracking technology that would share your data with advertisers or other companies.
11. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit: All data transmitted using TLS 1.2 or higher
- Encryption at rest: All stored data encrypted using AES-256
- EU data residency: All data stored and processed within the EU
- Access controls: Strict access policies and authentication requirements
For detailed information about our security practices, please see our Security page.
12. Children's Privacy
The Service is intended for business use by legal professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a notice within the Service.
The “Last Updated” date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Astor Ventures B.V.
KvK: 83221298
Amsterdam, Netherlands
Email: support@clara.legal
Data Processing Agreement (DPA): A DPA is available upon request for business customers. Contact us at support@clara.legal to request a copy.