Privacy Policy

ClaroCam ("we," "us," "our") is a visual AI application developed and operated from Canada. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the ClaroCam application and related services (collectively, the "Service").

We are committed to protecting your personal information in accordance with:

• The Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal privacy law
• The General Data Protection Regulation (GDPR) — European Union
• The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
• Applicable provincial privacy legislation (PIPA Alberta, Privacy Act Quebec)
• Australia Privacy Act 1988 and Australian Privacy Principles (APPs)

By using ClaroCam, you acknowledge that you have read and understood this Privacy Policy.

We process your personal data based on the following legal grounds:

• Consent: You provide consent when creating an account and using the Service.
• Contract Performance: Processing necessary to provide the Service you've subscribed to.
• Legitimate Interest: Improving the Service, preventing fraud, and ensuring security.
• Legal Obligation: Compliance with applicable laws and regulations.

• ✓We do NOT collect or access your GPS/geolocation data
• ✓We do NOT store photos or images after AI processing — images are analyzed in memory and immediately discarded from our servers
• ✓We do NOT sell, rent, license, or share personal information with third parties for marketing or advertising purposes
• ✓We do NOT use your images or data to train AI models (OpenAI API data exclusion policy applies)
• ✓We do NOT track you across other websites or applications
• ✓We do NOT use cookies for advertising, retargeting, or behavioral tracking
• ✓We do NOT collect biometric data, fingerprints, or facial recognition data
• ✓We do NOT collect contacts, calendar data, microphone audio, or any data from other apps on your device

• To provide and maintain the Service (processing scans, storing results)
• To manage your account and subscription
• To enforce rate limits and prevent abuse
• To communicate with you about service updates, security alerts, and support requests
• To improve the Service based on aggregate, anonymized usage patterns
• To comply with legal obligations and respond to lawful requests
• To detect, prevent, and address technical issues and security threats

Under Canada's Personal Information Protection and Electronic Documents Act, we adhere to the 10 fair information principles:

1. Accountability: We are responsible for all personal information in our possession. Our Privacy Officer oversees compliance.
2. Identifying Purposes: We identify and document the purpose for which personal information is collected before or at the time of collection.
3. Consent: We obtain your meaningful, informed consent for collection, use, and disclosure of personal information.
4. Limiting Collection: We only collect personal information that is necessary for the identified purposes.
5. Limiting Use, Disclosure, and Retention: Personal information is used only for the purposes for which it was collected and retained only as long as necessary.
6. Accuracy: We keep personal information accurate, complete, and up-to-date as necessary for the purposes for which it is used.
7. Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information.
8. Openness: We make detailed information about our policies and practices relating to personal information management readily available.
9. Individual Access: Upon request, you will be informed of the existence, use, and disclosure of your personal information and be given access to that information.
10. Challenging Compliance: You may challenge our compliance with these principles through our Privacy Officer.

For users in the European Economic Area (EEA), United Kingdom, and Switzerland:

• Data Controller: ClaroCam is the data controller for personal information collected through the Service.
• Lawful Basis: We process data based on consent, contract performance, and legitimate interest as described in Section 2.
• Data Minimization: We only collect data that is adequate, relevant, and limited to what is necessary.
• Storage Limitation: Data is retained only for as long as necessary for the purposes outlined in this policy.
• Right to be Forgotten: You may request complete erasure of all personal data at any time.
• Data Portability: You may request a copy of your data in a structured, machine-readable format.
• Right to Object: You may object to processing based on legitimate interest.
• Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

For California residents:

• Right to Know: You have the right to know what personal information we collect, use, and disclose.
• Right to Delete: You may request deletion of your personal information.
• Right to Opt-Out: We do NOT sell personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Correct: You may request correction of inaccurate personal information.
• No Sale or Sharing: We do not sell or share (as defined by CCPA/CPRA) personal information with third parties.

Categories of personal information collected in the last 12 months: identifiers (email, name), internet activity (usage data), and commercial information (subscription status).

By using ClaroCam, you consent to the collection and use of information as described in this policy.

• For individual accounts: you provide consent by creating an account and using the Service.
• For Workforce/Enterprise accounts: the company administrator provides consent on behalf of their organization in accordance with applicable employment and privacy laws.
• Withdrawing Consent: You may withdraw consent at any time by deleting your account through the Settings page. Upon withdrawal, all associated personal data will be permanently deleted within 30 days.
• Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

We implement industry-standard security measures to protect your personal information:

• • All data encrypted in transit using TLS 1.3 / HTTPS
• • All data encrypted at rest using AES-256 encryption
• • Row Level Security (RLS) ensures users can only access their own data
• • Infrastructure hosted on SOC 2 Type II compliant providers (Supabase, Vercel)
• • Regular security audits and penetration testing
• • Automated dependency vulnerability scanning
• • No plaintext storage of passwords or sensitive credentials
• • Multi-factor authentication available for all accounts
• • Rate limiting and brute-force protection on all API endpoints
• • Regular backups with encryption (retained for 30 days for disaster recovery)

In the event of a data breach, we will notify affected users within 72 hours as required by GDPR Article 33, and the Office of the Privacy Commissioner of Canada as required by PIPEDA.

When you scan an image, it is sent via encrypted HTTPS to our AI provider for analysis. Our agreements with these providers ensure:

• • Images are processed in real-time and NOT retained after analysis
• • Your data is NOT used to train AI models (API data usage policy: opted out)
• • Processing occurs on secure, SOC 2 compliant infrastructure
• • Zero data retention policy applies to all image inputs

Third-party service providers:

• • OpenAI — AI image analysis (GPT-4o Vision). Data processing agreement in place. No training on API data.
• • Supabase — Authentication and database. SOC 2 Type II certified. Data stored in US-East region.
• • Vercel — Application hosting. SOC 2 Type II certified. Edge network.
• • Stripe — Payment processing. PCI DSS Level 1 certified. We never access card details.

All third-party providers are bound by Data Processing Agreements (DPAs) that ensure GDPR and PIPEDA compliance.

For ClaroCam Workforce subscribers, additional data handling applies:

• • Safety reports are stored in the company's workspace and owned by the company
• • Company administrators can view reports from their team members
• • Individual workers cannot access other workers' data
• • Safety talk sign-off records (names and timestamps) are stored as part of compliance documentation
• • Data is retained per the company's retention policy (minimum: duration of subscription)
• • Companies can request full data export or deletion upon subscription cancellation
• • Worker consent is obtained by the employer as part of their employment relationship
• • Workers retain individual rights to access and correct their own personal data

ClaroCam uses minimal browser storage:

• • Authentication tokens — stored in secure HTTP-only cookies for session management
• • User preferences — stored in localStorage (theme, font, region selection)
• • Service Worker cache — for offline PWA functionality

We do NOT use:

• • Advertising cookies
• • Analytics tracking cookies (no Google Analytics, no Facebook Pixel)
• • Third-party marketing cookies
• • Cross-site tracking mechanisms

Under PIPEDA, GDPR, CCPA, and other applicable laws, you have the right to:

• • Access — Request and receive a copy of all personal information we hold about you, in a structured and commonly used format
• • Correction — Request correction of inaccurate or incomplete personal information
• • Deletion — Request permanent and irreversible deletion of all your personal data ("Right to be Forgotten")
• • Portability — Export your data in a machine-readable format (JSON)
• • Restriction — Request restriction of processing in certain circumstances
• • Object — Object to processing based on legitimate interest
• • Withdrawal — Withdraw consent and close your account at any time
• • Non-Discrimination — Exercise your rights without penalty or discrimination
• • Complaint — File a complaint with your relevant supervisory authority

To exercise any of these rights, contact us at wensley135@gmail.com. We will respond within 30 days (or 45 days for complex requests under CCPA).

• • Active accounts: Data retained while account is active and for 30 days after deletion request
• • Deleted accounts: All personal data permanently and irreversibly removed within 30 days
• • Images: NEVER stored — processed in real-time memory and immediately discarded. No server-side copies exist.
• • Scan results: Retained until you delete them or close your account
• • Payment records: Transaction history retained for 7 years as required by tax law
• • Security logs: IP addresses and access logs retained for 90 days for security purposes, then permanently deleted
• • Backup data: Encrypted backups retained for 30 days for disaster recovery, then purged

Your data may be processed in Canada and the United States. We ensure all international transfers comply with:

• • PIPEDA cross-border transfer requirements (ensuring substantially similar protection)
• • EU Standard Contractual Clauses (SCCs) for transfers from the EEA
• • UK International Data Transfer Agreement (IDTA) for transfers from the UK
• • Adequacy decisions where applicable

Primary data storage: United States (us-east-1 region). Processing may occur in Canada and the United States.

ClaroCam is not directed at or intended for use by children under the age of 13 (or under 16 in the European Union, or under the applicable age of digital consent in your jurisdiction).

We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at wensley135@gmail.com. We will promptly delete such information.

If you have a privacy concern or dispute:

1. Contact our Privacy Officer at wensley135@gmail.com
2. We will acknowledge your complaint within 5 business days
3. We will investigate and respond within 30 days
4. If unsatisfied, you may escalate to:
   • Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
   • Your local EU Data Protection Authority (for GDPR matters)
   • California Attorney General (for CCPA matters)

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

• Material changes will be communicated via email and/or in-app notification at least 30 days before taking effect
• Minor clarifications or formatting changes may be made without notice
• The "Last updated" date at the top of this page indicates when the policy was last revised
• Continued use of the Service after changes take effect constitutes acceptance of the revised policy
• If you disagree with changes, you may delete your account before they take effect