Privacy Policy

We collect the email address you use to create an account. When you use the AI Hub features, we store metadata about your requests (token counts, model used, timestamps) to provide usage analytics. When you use the chat feature, we store your conversation history (messages you send and responses you receive) so you can access, search, and continue your conversations. This data belongs to you — we do not use your conversation content to train models, improve our algorithms, or for any purpose other than providing the service to you and running security scans you have enabled. API keys you provide for third-party services (OpenAI, Anthropic, Gemini) are stored in Google Cloud Secret Manager and are never written to our database or logged. Our database retains only a masked display hint. See our Security page for full details. When you register an agent, we store the agent name and configuration. Push notification device tokens are stored to deliver approval notifications.

We use your email address to authenticate you and, if you opt in, to send you notification emails about approval requests requiring your attention. Usage metadata is used to provide the analytics dashboard. We do not sell your data, use it for advertising, or use it to train AI models. When you enable runtime security features (CleverGuard, content scanning, agent drift detection), we process your AI inputs and outputs in real time to detect threats such as prompt injection, PII exposure, secret leakage, and unauthorized tool usage. This processing is performed solely to enforce your security policies. Scan results and flagged events are logged to your audit trail — we do not retain or analyze your content beyond what is necessary to provide the security service.

Conversation history is retained until you delete it. You can delete individual conversations from the dashboard at any time, or request deletion of all your data. Audit logs and security events are retained for 365 days by default (configurable per organization). Usage analytics are retained for 12 months. Account data is retained until you delete your account. You may export or erase all of your data at any time through the dashboard (Settings > Data Export) or by contacting us. Erasure removes your conversation content, projects, API keys, and analytics. Audit logs are anonymized rather than deleted to preserve the integrity of organizational security records.

When you route AI requests through Clevername (either via the dashboard chat or the Guard API), your requests are forwarded to your chosen AI provider using your own API keys. We process request and response content in transit to apply your security policies (content scanning, tool drift detection, guardrail enforcement). We do not store, copy, or log the content of requests processed through the Guard API beyond what is required for your conversation history (if enabled) and your security audit trail. Content scanning happens in memory and is not persisted. Clevername is a BYOK-only platform. All AI requests are routed using your own provider API keys — we never supply managed LLM access, and the same privacy protections apply to all requests regardless of which provider you use.

Clevername uses Supabase for database and authentication services. We use SendGrid for transactional email delivery. Apple Push Notification service (APNs) is used to deliver push notifications to iOS devices. Your API keys for OpenAI, Anthropic, and Google are transmitted directly to those providers when processing requests. We do not share your data with any third party except as necessary to route your AI requests to the provider you select.

Clevername uses only strictly necessary cookies — cookies that are essential to operate the service. Specifically, we set session cookies issued by Supabase (our authentication provider) to keep you logged in. These cookies are required for the service to function and do not track you across other websites. We do not use advertising cookies, analytics cookies, or any third-party tracking technologies. No consent is required for strictly necessary cookies under applicable law, but you may disable cookies in your browser settings. Doing so will prevent you from logging in.

When you connect a Google account — either to sign in or to link Google Drive as a file storage source — Clevername accesses only the Google user data required for that specific purpose. Sign-in: We request your email address and basic profile information to create and identify your account. Google Drive (if connected): We request access to your Google Drive files solely to allow you to attach files to projects within Clevername. We read, store references to, and display those files only at your direction. Clevername's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically: • We use Google user data only to provide the features you explicitly enable — we do not use it for advertising, profiling, or any purpose unrelated to the feature you authorized. • We do not share Google user data with third parties except as necessary to deliver the service (for example, forwarding a file to an AI provider you have selected). • We do not allow humans to read your Google user data unless you explicitly request support and grant access, or it is necessary for security purposes such as investigating abuse. • We do not use Google user data to train machine learning models.

All data is transmitted over HTTPS. API keys are encrypted at rest in Google Cloud Secret Manager. Authentication tokens are stored securely using platform-appropriate mechanisms. We conduct regular security reviews and follow industry best practices for data protection. Our infrastructure runs on Google Cloud Platform with strict IAM policies and no public endpoints.

You may access, export, correct, or delete your personal data at any time through the dashboard or by contacting us at [email protected]. You may request a complete copy of all data we hold about you. Upon account deletion, all your data is permanently removed within 30 days.

We may update this policy from time to time. We will notify you of significant changes by email. Continued use of the service after changes take effect constitutes acceptance of the new policy.

For privacy questions or data requests, contact us at [email protected].