GDPR Compliance

Disclaimer: The information below is not legal advice, and we don't accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.


The GDPR, General Data Protection Regulation (EU) 2016/679, is a foundational piece of European Union regulation that reshaped how software companies think about the personal data of the people who use their products. When it landed, businesses scrambled to add cookie banners and consent flows to infrastructure that was never designed with privacy in mind. The banners are still there. Most of the underlying problems are too.

We built Clerion differently. Privacy compliance is a consequence of how the product is architecturally designed, rather than a layer added after the fact. There are no cookies, no persistent personal identifiers, no cross-site tracking profiles, and no IP addresses stored in plain text. The analytics model is aggregate-first from the ground up: we measure what happens on your visitors' pages, not who your visitors are.


Is Clerion AI GDPR Compliant?

We believe so. GDPR compliance is relevant from two distinct perspectives for us:

  1. As a controller: when we process personal data for our own purposes (for example, data related to our own customers, payment processing, and business operations).
  2. As a data processor: when we process personal data belonging to our customers' website visitors on our customers' behalf.

The information below focuses on the second scenario: when Clerion acts as a data processor. This is the scenario most relevant to you as a customer of our service.


What we do to ensure GDPR compliance

We focus on the intent of the GDPR. The regulation's fundamental goal is to protect the digital privacy of individuals in the EU. With every architectural and product decision, we ask whether it introduces any risk to your website visitors. If it does, we don't do it.

We are built on data minimisation by design. GDPR Article 5(1)(c) requires that personal data collected be adequate, relevant, and limited to what is necessary for the purpose. We have taken this seriously at an architectural level. We do not collect names, email addresses, precise device fingerprints, or any identifier that could be linked back to a specific individual without extraordinary effort. We collect only what is needed to understand aggregate traffic behaviour.

We pseudonymise IP addresses immediately on receipt. Visitor IP addresses are hashed using HMAC-SHA256 with a server-side secret key the moment a tracking event arrives at our servers. The raw IP address is never written to disk. What is stored is a one-way cryptographic hash that cannot be reversed without the secret, and that secret is never exposed to our database layer.

We have a lawful basis for every processing activity. We operate under legitimate interest as our lawful basis for processing aggregate analytics data. The processing is proportionate, the data is not sensitive, and the privacy impact on your visitors is minimal given our cookieless, non-identifying architecture.

We run automated data deletion aligned to GDPR's storage limitation principle. GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary. Our server runs a daily automated purge job that deletes analytics events and error logs for each account once they fall outside that account's plan-based retention window. Retention is not indefinite.

We offer a Data Processing Agreement (DPA) to all customers. As required by GDPR Article 28(3), we provide a DPA that defines the terms under which we process data on your behalf. It is available on request and becomes part of our contractual relationship when you become a customer.

We encourage our customers to consider a Legitimate Interest Assessment. Our architecture makes such an assessment straightforward. Because we collect no personal data in the traditional sense (no cookies, no fingerprinting, no raw IP storage), the risk profile of your use of Clerion AI is extremely low.


Our role as a data processor

Under the GDPR, you, as the operator of a website using Clerion, are the data controller. You determine the purposes and means of processing. Clerion is the data processor: we process data on your behalf, under your instructions, within the scope of our DPA.

As a processor, we are subject to several specific GDPR obligations:

  • Enter into binding data processing terms with you as the controller, including the right to audit our compliance (Article 28(3)).
  • Ensure all personnel with access to data are bound by confidentiality obligations (Articles 28 and 29).
  • Maintain records of all processing activities carried out on your behalf (Article 30(2)).
  • Cooperate with supervisory authorities on request (Article 31).
  • Implement appropriate technical and organisational security measures (Article 32).
  • Notify you promptly in the event of a personal data breach (Article 33).

Personal data we process (as a data processor)

When your visitors interact with a website using the Clerion tracking script, the following data is processed:

IP Address

The visitor's IP address is extracted from the incoming HTTP request to resolve approximate geography (country level). The raw IP address is immediately discarded: it is never stored. What is stored is an HMAC-SHA256 hash of the IP, keyed against a server-side secret that is held in our environment configuration and never written to the database. This hash is used only for session continuity within a short window, and is not linked to any personal identifier.

User-Agent String

The browser's User-Agent header is collected and stored in truncated form (capped at 512 characters) solely for the purpose of identifying browser type, operating system, and device category in aggregate. Individual User-Agent strings are not linked across sessions or used for fingerprinting.

Session ID

A session identifier is generated client-side and is used to group events within a single browsing session. This ID is not linked to a logged-in user identity, a cookie, or any persistent cross-visit identifier. A new session ID is created on each visit.

Page Path and Metadata

The URL path of the visited page and associated event metadata (scroll depth, referrer, performance timings, JavaScript errors) are stored in aggregate. No query string parameters that could contain personal data (such as search terms, email addresses, or tokens) are retained. These are stripped before storage.
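
The ingest-time handling described above (keyed IP hashing, User-Agent truncation, query-string stripping), as an added Node.js example that is not Clerion's own code. The function names, the `IP_HASH_SECRET` environment variable and the sample event are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');
const net = require('node:net');

// Assumption: the key lives in environment configuration; the fallback is a constructed demo value.
const IP_HASH_SECRET = process.env.IP_HASH_SECRET || 'constructed-demo-secret-do-not-use';
const MAX_UA_LENGTH = 512; // truncation cap stated on the page

// Minimal normalisation so one client maps to one hash: trim, lowercase, and unwrap
// IPv4-mapped IPv6 ("::ffff:203.0.113.7" -> "203.0.113.7"). Rejects non-IP input.
function normaliseIp(ip) {
  const trimmed = String(ip).trim().toLowerCase();
  const mapped = trimmed.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  const candidate = mapped ? mapped[1] : trimmed;
  if (net.isIP(candidate) === 0) throw new TypeError('not an IP address');
  return candidate;
}

// HMAC-SHA256 rather than plain SHA-256: the IPv4 space is small enough to enumerate,
// so an unkeyed hash can be reversed by hashing every address and comparing.
function pseudonymiseIp(ip, secret = IP_HASH_SECRET) {
  return crypto.createHmac('sha256', secret).update(normaliseIp(ip)).digest('hex');
}

// Keep only the path; search terms, emails and tokens travel in the query string or fragment.
function stripUrl(rawUrl) {
  return new URL(rawUrl, 'https://placeholder.invalid').pathname;
}

// Build the only record allowed to reach storage; the raw IP is not one of its fields.
function sanitiseEvent({ ip, userAgent, url, sessionId }, secret = IP_HASH_SECRET) {
  return {
    ipHash: pseudonymiseIp(ip, secret),
    userAgent: String(userAgent || '').slice(0, MAX_UA_LENGTH),
    path: stripUrl(url),
    sessionId,
  };
}

// Constructed sample event (documentation-range IP, made-up token).
const sampleEvent = sanitiseEvent({
  ip: '::ffff:203.0.113.7',
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64)',
  url: '/pricing?email=visitor%40example.com&token=abc123#plans',
  sessionId: 'constructed-session-1',
});
console.log(sampleEvent);
```

Because the hash is keyed, rotating or destroying the secret makes previously stored hashes unlinkable to new traffic.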

Approximate Geography

Country-level geolocation is derived from the (immediately discarded) IP address and stored as a geo record attached to the event. We do not store city-level, region-level, or any more precise location data.

Geolocation lookups are performed via IPLocate.io using their EU-dedicated API endpoint (https://eu-api.iplocate.io/api/lookup/{ip}). All requests are routed exclusively to IPLocate's EU-based data centres: no data leaves the European Union during the lookup. IPLocate operates under a signed DPA (available at iplocate.io/legal/dpa) that is pre-signed and incorporated into their Terms of Service. The IP address used for the lookup is discarded immediately after the country code is returned; it is never stored in our database.

What we do NOT collect

  • No cookies of any kind are set by our tracking script.
  • No persistent device fingerprints.
  • No cross-site tracking identifiers.
  • No raw IP addresses.
  • No names, email addresses, or any directly identifying personal information.
  • No advertising or behavioural profiles.

AI processing

Clerion uses the Anthropic Claude API to generate intelligence briefings, signal analyses, audience summaries, and diagnostic recommendations. The data sent to the Anthropic API is aggregate and statistical in nature: counts, percentages, ranked lists, error fingerprints, and behavioural summaries. No raw event data containing hashed IPs, User-Agents, or session identifiers is forwarded to the AI model.

Our AI processing exists to answer questions like "what are the top landing pages this week?" and "why is the /pricing page underperforming?", not to analyse or identify individual people.

Anthropic as a sub-processor

Because our backend sends analytics context to the Anthropic Claude API, Anthropic is acting as a sub-processor under GDPR Article 28. We have a signed Data Processing Addendum (DPA) with Anthropic in place. Anthropic's DPA:

  • Restricts Anthropic from using your data for model training.
  • Specifies data retention and deletion obligations.
  • Documents Anthropic's security commitments.
  • Covers termination and data return/deletion procedures.

Anthropic's DPA is publicly available at anthropic.com/legal/data-processing-addendum. You can review how to view and sign it at privacy.claude.com.

What is disclosed in our Privacy Policy

Our Privacy Policy explicitly states: "We use Anthropic Claude to generate analytics insights. Aggregated analytics data, including page views, geographic regions (country level only), device types, and behavioural summaries, may be sent to Anthropic for processing. No personal identifiers, raw IP addresses, or individual-level data are included in these requests."


Data retention and deletion

Data retention periods are enforced automatically by a server-side daily purge job. All analytics events and error logs older than the retention window for a given account are permanently deleted each day.

Plan      Retention Period
Free      30 days
Solo      90 days
Starter   90 days
Growth    13 months
Business  13 months
Agency    13 months

When an account is closed, all associated analytics data, website configurations, and AI usage logs are deleted from our systems.

This automated deletion schedule is our implementation of GDPR Article 5(1)(e): the storage limitation principle.


Data infrastructure and sub-processors

GDPR Article 28 requires us to maintain and publish a register of sub-processors: third parties that handle personal data on your behalf as part of delivering the Clerion service. The current register is below. We will notify customers of any material changes before they take effect.

Sub-processor register

Railway: Application hosting

Detail                    Value
Purpose                   Hosts the Clerion backend server (Node.js/Express)
Data centre jurisdiction  Netherlands, European Union
Data processed            All data in transit through the application layer
DPA / legal               Railway Privacy Policy & DPA

All server compute runs in Railway's Netherlands region. No application-layer data is routed outside the EU.

Supabase: Database

Detail                    Value
Purpose                   PostgreSQL database (stores analytics events, website configs, user accounts, AI usage logs)
Data centre jurisdiction  EU region (AWS eu-central-1, Frankfurt)
Data processed            Analytics events, hashed IPs, geo data, session IDs, User-Agent strings, AI usage counts
DPA / legal               Supabase DPA

Row-Level Security (RLS) is enforced at the database layer via Supabase policies. Each customer's data is logically isolated: no query run on behalf of one customer can access another customer's data.

IPLocate.io: Geolocation

Detail                    Value
Purpose                   Country-level geolocation lookup from visitor IP address
EU API endpoint           https://eu-api.iplocate.io/api/lookup/{ip}
Data centre jurisdiction  European Union only (all requests routed to EU servers)
Data processed            Raw visitor IP address (sent for lookup, immediately discarded after response)
DPA document              iplocate.io/legal/dpa
DPA signing method        Pre-signed and incorporated into IPLocate's Terms of Service

The IP address is sent to IPLocate solely to resolve a country code and is not stored by us or retained by IPLocate beyond the transaction.

Anthropic: AI processing

Detail                    Value
Purpose                   Generates AI intelligence briefings, signal analyses, audience summaries, diagnostic recommendations
Data centre jurisdiction  United States (Anthropic infrastructure)
Data processed            Aggregate, statistical analytics data only (no personal identifiers, no raw IPs, no session data)
DPA document              anthropic.com/legal/data-processing-addendum
Training restriction      Anthropic's DPA explicitly prohibits use of submitted data for model training

Note on Anthropic's jurisdiction: Anthropic operates from the United States. The aggregate data we send (counts, percentages, ranked page lists, device summaries) does not contain personal data as defined under GDPR. We have conducted an assessment and are satisfied that the transfer of aggregate statistical data to Anthropic does not constitute a transfer of personal data requiring Standard Contractual Clauses. Nonetheless, we maintain a signed DPA with Anthropic as a matter of best practice.


The Data Processing Agreement (DPA)

The DPA is the foundational document for all processing we perform on your behalf. It defines:

  • The subject matter, duration, and nature of the processing.
  • The type of personal data processed and the categories of data subjects.
  • Your rights and obligations as controller, and ours as processor.
  • Sub-processor disclosure and approval process.
  • Data breach notification timelines.
  • Audit rights.

Your obligations as a controller

As the controller, you are responsible for ensuring you have a valid legal basis for using Clerion on your website. Given our cookieless, aggregate-only architecture, the most appropriate basis for the majority of websites is legitimate interest: analytics performed without cookies, without fingerprinting, and without any personal data being stored in raw form is unlikely to require a cookie consent banner.

However, we are not in a position to provide legal advice for your specific situation. If you are unsure whether you need a consent mechanism, or how to document your legitimate interest, please consult your legal team.


Conclusion

We built Clerion on the premise that you should never have to choose between knowing what is happening on your website and respecting the people who visit it. GDPR compliance follows from how the product was built from the start.

In summary: there are no cookies, no personal data stored in raw form, no cross-site profiles, and no surveillance infrastructure. What remains is aggregate, privacy-respecting intelligence about your website, in plain English.

Last updated May 2026

For questions about our privacy or data practices, contact our team at hello@getclerion.com