Privacy Policy

Effective date: 23 August, 2025

Last updated: 23 August, 2025

Company (Controller): Pekkel

Contact: support@clortal.com

1. Scope

This Policy explains how we process personal data when you visit our website, create an account, use the app, or interact with client portals. It also explains our role as processor when we process Customer Content on behalf of our customers (your organization) under a Data Processing Addendum (DPA).

2. Roles

Controller (we/us): account, billing, product analytics, marketing communications.

Processor (we/us for your Org): files, images, messages, deliverables, and client information stored in your Org workspace. Your Org is the controller for that Customer Content.

3. Data We Collect (controller context)

Account data: name, email, password or SSO identifier, organization membership, roles.

Billing data: plan, invoices, VAT/tax details, payment status (card details handled by Stripe).

Usage & device data: app events, feature usage, approximate location/timezone, device/browser info, IP address (for security and fraud prevention).

Support data: messages, attachments, and records of communications.

Cookies: essential cookies for login and security; optional analytics cookies if enabled (see Cookies section).

4. Purposes & Legal Bases (GDPR)

Provide the Service & support — Contract (Art. 6(1)(b)).

Billing & compliance — Legal obligation and Contract (Art. 6(1)(c),(b)).

Security & fraud prevention — Legitimate interests (Art. 6(1)(f)).

Product analytics & improvement — Legitimate interests (Art. 6(1)(f)); opt-out available where required.

Marketing communications — Consent (Art. 6(1)(a)); you can withdraw at any time.

5. Processing as Processor (Customer Content)

When your Org uses Clortal to process personal data about your clients, we act as a processor. We process Customer Content only on documented instructions from your Org, implement appropriate security, assist with data subject requests and incident notifications, and delete or return Customer Content at the end of the contract. These obligations are set out in our DPA.

6. Sharing & Transfers

We share data with service providers under contract who act as processors, including:

Stripe, Inc. — payments and invoicing (card data stays with Stripe).

Hosting/DB/Storage provider — Supabase (Postgres/Storage).

Email & support tools — Resend for email delivery.

Some providers may process data outside your country. Where we transfer personal data outside the EEA/UK, we rely on an adequacy decision or Standard Contractual Clauses and implement additional safeguards where appropriate.

7. Data Retention

We keep personal data as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Customer Content is retained for the life of the Subscription and deleted or returned upon termination or Org request, subject to backup cycles.

8. Your Rights (GDPR/EEA)

You may have the right to request access, rectification, erasure, restriction, and portability, to object to certain processing, and to withdraw consent at any time. To exercise these rights, contact support@clortal.com. You also have the right to lodge a complaint with your local data protection authority.

9. Security

We use administrative, technical, and physical measures designed to protect personal data, including encryption in transit, access controls, least privilege, and audit logging. No method is 100% secure; you are responsible for protecting your credentials and portal tokens.

10. Children

The Service is not for children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided personal data, contact us to delete it.

11. Cookies & Similar Technologies

Strictly necessary: login/session, security, load-balancing.

Analytics: help improve features and performance. We enable them only with consent where required and provide a cookie banner with granular choices.

12. Marketing Communications

With your consent, we may send product updates or offers. You can unsubscribe at any time via the link in the email or by contacting us.

13. Data Breach

We maintain incident response procedures. Where required by law, we will notify affected customers and/or authorities without undue delay.

14. Changes to this Policy

We may update this Policy from time to time. We will post changes here and update the "Last updated" date. Material changes will be notified in-app or by email.

15. Contact

For questions or requests about privacy, contact support@clortal.com.