Privacy Policy

Qito AI Ltd is the data controller for personal data collected through Clara. Contact us at hello@qito.io with any data protection queries.

Account data: When you register, we collect your name, email address, and password (stored as a secure hash).

Organisation data: Company name, sector, headcount, working model, and address — provided during onboarding and used to personalise your documents.

Employee data: Names, job titles, start dates, employment types, and other details you enter about your team members. This data is entered by you and used to generate and track HR documents.

Document data: HR documents you generate using Clara, documents you upload to the Document Vault, and AI analysis results.

Usage data: Log data including IP address, browser type, pages visited, and feature usage — collected automatically for security and service improvement.

Payment data: Billing information is processed by Stripe. We do not store your full card details. We retain records of subscription status and payment history.

We process your personal data on the following lawful bases:

• Performance of contract (Art 6(1)(b)): To provide the Clara service — generating documents, tracking your team, monitoring law changes, and managing your account.
• Legal obligation (Art 6(1)(c)): To comply with applicable law, including tax and accounting requirements.
• Legitimate interests (Art 6(1)(f)): To improve the Service, prevent fraud, ensure security, and send transactional emails relating to your account. We balance our interests against your rights before relying on this basis.
• Consent (Art 6(1)(a)): For any marketing communications — you can withdraw consent at any time.

When you enter data about your employees into Clara (names, job titles, salaries, start dates etc.), you are the data controller for that employee personal data. Clara processes it on your behalf as a data processor.

You are responsible for ensuring you have a lawful basis to share that employee data with Clara, and that your employees have been informed about it in your own privacy notice or employee handbook.

A data processing agreement (DPA) is available on request at hello@qito.io.

We never use employee data you enter to train AI models.

When you generate a document or use the chat feature, your inputs are sent to Anthropic (the provider of the Claude AI model) for processing. Anthropic's data processing policies apply to this processing.

We have configured our use of Anthropic's API so that your data is not used to train Anthropic's models.

Documents you upload to the Document Vault are processed by AI for compliance analysis. The document content is sent to Anthropic for this analysis and is not retained by Anthropic beyond the processing of your request.

We share your data only with trusted third parties necessary to provide the Service:

• Supabase — database and file storage (EU servers)
• Anthropic — AI processing for document generation and analysis
• Stripe — payment processing
• Resend — transactional email delivery
• Vercel — hosting and infrastructure

We do not sell your data to third parties. We do not share your data with advertisers.

We may disclose your data if required by law, court order, or to protect the rights and safety of Clara, our users, or third parties.

Some of our third-party providers (including Anthropic and Stripe) process data in the United States. These transfers are protected by standard contractual clauses (SCCs) approved by the European Commission, and are subject to appropriate safeguards under UK GDPR.

• Account data: For as long as your account is active, plus 30 days after closure
• Documents: For as long as your account is active. You can delete documents at any time.
• Employee data: For as long as your account is active or until you delete it
• Usage logs: Up to 12 months
• Payment records: 7 years (legal requirement)

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Rectification: Ask us to correct inaccurate data
• Erasure: Ask us to delete your data in certain circumstances
• Restriction: Ask us to restrict processing in certain circumstances
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at hello@qito.io. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use industry-standard security measures including encryption in transit (TLS), encryption at rest, and access controls. We limit access to personal data to those who need it to provide the Service.

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and you without undue delay.

We use cookies and similar technologies. See our Cookie Policy for details.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and update the "Last updated" date above. Continued use of Clara after changes take effect constitutes acceptance of the updated policy.

For any privacy-related queries, contact us at hello@qito.io.