Privacy Policy - ClavaNet

Last Updated: April 19, 2026

1. Introduction

ClavaNet ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

This policy applies to all users of the ClavaNet mobile application available on Google Play Store and Apple App Store, as well as our web platform.

2. Information We Collect

2.1 Information You Provide to Us

Account Information: Email address, first name, last name, and password when you create an account
Profile Information: Avatar image, custom profile fields as configured by your organization
Communication Data: Messages, replies, reactions, and attachments you send through our messaging features
Event Data: Event details, attendance responses, and calendar integrations
Photo and File Uploads: Images, documents, and other files you upload to the platform
Video Conferencing Data: When you use the optional Video Conferencing add-on, we process live audio and video streams, screen shares, in-meeting chat messages, and — only when a host explicitly starts a recording or transcription — recorded media and generated transcripts. Your microphone and camera are only activated when you join a meeting and choose to turn them on, and you can mute or disable them at any time during the call.
Notification Preferences: Your choices regarding push notifications and email communications

2.2 Information We Collect Automatically

Device Information: Device type, model, manufacturer, operating system version, unique device identifiers (UDID, Android ID, device serial numbers), mobile network information, screen resolution, and device capabilities
Usage Data: How you interact with our app, features used, pages visited, time spent on features, click patterns, navigation paths, search queries, and feature adoption rates
Location Data: Approximate location information (only when you explicitly enable location services for calendar events or location-based features)
Passkey Information: Public key credentials for biometric authentication (private keys remain securely stored on your device and are never transmitted to our servers)
Push Notification Tokens: Device tokens, platform-specific identifiers (APNs for iOS, FCM for Android), and notification delivery status
IP Addresses: Your IP address, approximate geographic location based on IP, and network information
Browser Information: Browser type, version, language settings, and browser extensions (for web access)
Connection Information: Network type (WiFi, cellular), connection speed, and network quality metrics
App Performance Data: App crash reports, error logs, performance metrics, response times, and system resource usage

2.3 Log Files and Technical Data

We automatically collect and store log files and technical data to ensure service reliability, security, and to assist with troubleshooting. This includes:

Server Logs: Timestamp, IP address, user agent, request method, URLs accessed, response codes, and request/response sizes
Application Logs: Application events, errors, warnings, debug information, and system messages
Authentication Logs: Login attempts (successful and failed), authentication method used, session creation and termination times, and security events
API Request Logs: API endpoints accessed, request parameters (excluding sensitive data like passwords), response times, and error messages
Database Query Logs: Database operations, query performance metrics, and transaction logs (excluding actual data content)
Error Logs: Stack traces, error messages, exception details, and context information when errors occur
Security Event Logs: Failed authentication attempts, suspicious activity patterns, rate limiting events, and security policy violations
Performance Metrics: Response times, throughput, resource utilization (CPU, memory, disk), and system health indicators

These logs are retained for security, troubleshooting, and compliance purposes. We take measures to exclude sensitive personal information from logs where possible, but some logs may contain user identifiers, email addresses, or other data necessary for troubleshooting.

2.4 Support and Customer Service Data

When you contact us for support, submit a ticket, or request assistance, we collect and may retain:

Support Ticket Information: Your name, email address, account information, issue description, and any attachments you provide
Log Files and Diagnostic Data: When you submit a support ticket, we may request and collect log files, error reports, diagnostic information, and technical data from your device or account to help diagnose and resolve issues
Communication History: All correspondence, including emails, chat transcripts, and notes from support interactions
Screen Recordings and Screenshots: If you provide screenshots, screen recordings, or other visual documentation of issues
System Information: Device specifications, app version, operating system details, and configuration information relevant to your issue
Reproduction Steps: Detailed information about how to reproduce bugs or issues you report

Important: Log Files in Support Tickets

When you submit a support ticket, we may request log files from your device or account. These log files may contain technical information including but not limited to: error messages, stack traces, API requests, authentication events, device identifiers, IP addresses, timestamps, and other diagnostic data. While we take measures to minimize sensitive information in logs, they may contain personal data such as your email address, user ID, or account identifiers. By submitting log files, you consent to our collection and analysis of this data for troubleshooting purposes. Log files submitted with support tickets are retained for up to 2 years or as required by law, whichever is longer.

2.5 Information from Third Parties

Google Calendar Integration: Event data, calendar metadata, and event details when you explicitly connect your Google Calendar account (with your explicit permission and OAuth consent)
Email Service Providers: Delivery confirmation data, bounce reports, open rates, and click tracking from our email service provider (Resend)
Payment Processors: Transaction data, payment method information (last 4 digits of card, billing address), and subscription status from payment processors (Stripe, Paddle, Authorize.Net)
In-App Purchase Services:
- RevenueCat: Subscription management service that processes in-app purchase transactions, subscription status, purchase history, and device identifiers for subscription management. RevenueCat acts as an intermediary between our app and Apple App Store/Google Play Store billing systems.
- Apple App Store: Transaction receipts, subscription status, purchase history, and device identifiers when you make in-app purchases through Apple's In-App Purchase system. Apple processes all payments and provides transaction data to us through RevenueCat.
- Google Play Store: Transaction receipts, subscription status, purchase history, and device identifiers when you make in-app purchases through Google Play Billing. Google processes all payments and provides transaction data to us through RevenueCat.
Analytics Services: Aggregated usage statistics and performance metrics (where you have consented to analytics)
App Store Providers: Installation data, app version information, and crash reports from Google Play Store and Apple App Store

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Provide and Maintain Our Service

Create and manage your account
Enable communication features (messaging, notifications)
Facilitate event management and calendar integration
Store and display your profile information within your organization

3.2 Communication

Send transactional emails (account verification, password reset, invitations)
Deliver push notifications for messages, mentions, and events
Provide real-time messaging capabilities

3.3 Security and Authentication

Verify your identity through email verification and passkey authentication
Protect against unauthorized access and security threats
Maintain the integrity of our platform

3.4 Service Improvement and Analytics

Analyze usage patterns, feature adoption, and user behavior to improve our features and user experience
Troubleshoot technical issues, diagnose bugs, and resolve service problems using log files and diagnostic data
Develop new features based on user needs, feedback, and usage analytics
Monitor service performance, identify bottlenecks, and optimize system resources
Conduct A/B testing and evaluate feature effectiveness
Generate aggregated, anonymized reports for business intelligence and product development

3.5 Customer Support

Respond to your support requests, inquiries, and technical issues
Analyze log files and diagnostic data submitted with support tickets to diagnose and resolve problems
Maintain support ticket history and communication records
Provide personalized assistance based on your account information and usage history
Follow up on reported issues and verify resolution

3.6 Subscription and Payment Processing

Process in-app purchases and subscription transactions through Apple App Store and Google Play Store
Validate subscription receipts and manage subscription status
Enable subscription restoration across devices
Provide subscription management features and billing history
Process refunds and subscription cancellations in accordance with app store policies

3.7 Legal Compliance

Comply with applicable laws and regulations
Respond to legal requests and prevent illegal activities
Enforce our Terms of Service

4. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:

4.1 Within Your Organization

Tenant Administrators: May access user data within their organization for management purposes
Group Members: Can view your profile information and communication data as necessary for collaboration
Approved Content: Photos and documents may be shared within approved groups or publicly as per your settings

4.2 Service Providers and Vendors

We may share information with trusted third-party service providers and vendors who assist us in operating our Service, subject to strict confidentiality and data protection agreements:

Cloudflare R2: For secure file storage, content delivery, and data hosting. Files are encrypted in transit and at rest.
Resend: For transactional email delivery services, email analytics, and delivery tracking
Google APIs: Only for calendar integration when you explicitly connect your Google account. We access only the calendar data you authorize.
Web Push Services: For delivering push notifications to your device (Apple Push Notification service for iOS, Firebase Cloud Messaging for Android)
Payment Processors: Stripe, Paddle, and Authorize.Net for processing subscription payments and managing billing on web platforms. We share only necessary payment information required for transaction processing.
RevenueCat: For managing in-app purchases and subscriptions on mobile platforms (iOS and Android). RevenueCat processes subscription transactions, validates receipts with Apple App Store and Google Play Store, manages subscription status, and provides subscription analytics. RevenueCat receives device identifiers, app user IDs, subscription purchase data, and transaction information. RevenueCat's privacy policy applies to their processing of this data. You can learn more at https://www.revenuecat.com/privacy.
Apple App Store: For processing in-app purchases and subscriptions on iOS devices. Apple processes all payments and provides transaction data to us through RevenueCat. Apple's privacy policy applies to their processing of payment data. You can learn more at https://www.apple.com/privacy.
Google Play Store: For processing in-app purchases and subscriptions on Android devices. Google processes all payments and provides transaction data to us through RevenueCat. Google's privacy policy applies to their processing of payment data. You can learn more at https://policies.google.com/privacy.
Daily.co: We use Daily.co as our real-time video and audio infrastructure provider for the Video Conferencing add-on. Daily.co transports your live audio, video, and screen-share streams between meeting participants and, when a host enables it, produces the recording and/or transcript. Daily.co receives meeting room identifiers, participant display names, audio/video streams, and (for recorded meetings) recorded media and transcripts. Daily.co's privacy policy applies to their processing of this data. You can learn more at https://www.daily.co/legal/privacy.
Hosting and Infrastructure: Cloud hosting providers for server infrastructure, database hosting, and content delivery networks
Analytics Providers: Aggregated, anonymized usage analytics (only where you have consented to analytics)
Customer Support Tools: Support ticket management systems and customer relationship management (CRM) platforms for managing support interactions
Security Services: Security monitoring, threat detection, and fraud prevention services

All service providers are contractually obligated to protect your information and use it only for the purposes we specify. They are prohibited from using your information for their own purposes or sharing it with other parties.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety, or that of our users.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections.

5. Data Security

We implement comprehensive security measures to protect your personal information, including technical, administrative, and physical safeguards:

5.1 Technical Safeguards

Encryption: All data in transit is encrypted using TLS 1.3 or higher. All data at rest is encrypted using AES-256 encryption or equivalent industry-standard protocols
Access Controls: Strict data isolation ensures each organization's data is kept separate. Role-based access control (RBAC) limits data access to authorized personnel only
Authentication: Secure authentication using JWT tokens with short expiration times, WebAuthn passkeys, and multi-factor authentication options
File Storage: Secure cloud storage (Cloudflare R2) with access controls, encryption, and versioning
Network Security: Firewalls, intrusion detection systems, DDoS protection, and network segmentation
Database Security: Encrypted database connections, parameterized queries to prevent SQL injection, and regular security updates
API Security: Rate limiting, authentication requirements, input validation, and secure API endpoints
Log Security: Log files are stored securely, access-controlled, and encrypted. Sensitive data is minimized in logs where possible

5.2 Passkey Security

Private keys for biometric authentication never leave your device
Public keys stored on our servers cannot be used to impersonate you
WebAuthn protocol ensures secure, phishing-resistant authentication

5.3 Administrative and Organizational Safeguards

Employee Training: Regular security and privacy training for all employees with access to personal data
Access Management: Principle of least privilege - employees only have access to data necessary for their job functions
Background Checks: Security screening for employees with access to sensitive data
Incident Response: Established procedures for detecting, responding to, and reporting security incidents
Regular Audits: Security audits, vulnerability assessments, and penetration testing
Data Processing Agreements: Contracts with all service providers requiring appropriate data protection measures

5.4 Data Minimization and Privacy by Design

We collect only the information necessary to provide our services and fulfill legal obligations
Temporary files are automatically deleted after processing
Unused data is regularly purged according to retention policies
Log files are configured to minimize collection of sensitive personal information where possible
Data anonymization and pseudonymization techniques are used for analytics and service improvement
Privacy by design principles are incorporated into our development processes

5.5 Security Incident Response

In the event of a security breach or unauthorized access to your personal information, we will:

Immediately investigate and contain the incident
Notify affected users and relevant authorities as required by applicable law (typically within 72 hours for GDPR)
Provide information about the nature of the breach, data affected, and steps being taken
Take remedial actions to prevent future incidents
Document the incident and response for compliance and improvement purposes

6. Data Retention

We retain your information for different periods depending on the type of data and legal requirements:

6.1 User Account Data

Account Data: Retained while your account is active and for up to 90 days after account deactivation or deletion request, after which it is permanently deleted unless required by law
Profile Information: Retained until you update or delete it, or until account deletion
Passkey Credentials: Retained until you remove them or delete your account
Authentication Tokens: Session tokens expire after inactivity; refresh tokens expire after 30 days of inactivity

6.2 Content and Communications

Messages and Communications: Retained until you or your organization administrator deletes them, or until account deletion
Event Data: Retained as long as the event exists or as required for organizational records, typically up to 7 years for historical records
File Uploads: Retained until deleted by you or your organization administrator, or until account deletion
Photo Gallery Content: Retained until deleted by you or your organization administrator
Form Submissions: Retained according to your organization's data retention policies or until deleted

6.3 Log Files and Technical Data

Server Logs: Retained for 90 days for security and troubleshooting purposes
Application Logs: Retained for 30 days, with error logs retained for up to 1 year
Authentication Logs: Retained for 1 year for security auditing and fraud prevention
API Request Logs: Retained for 30 days, with error logs retained for up to 90 days
Security Event Logs: Retained for 2 years for security analysis and compliance
Performance Metrics: Aggregated metrics retained indefinitely for service improvement; individual user metrics retained for 90 days

6.4 Support and Customer Service Data

Support Tickets: Retained for 2 years after ticket resolution or closure, or as required by law
Log Files Submitted with Tickets: Retained for 2 years after ticket closure for troubleshooting and quality assurance purposes
Support Communications: Email and chat transcripts retained for 2 years
Diagnostic Data: Retained for 90 days after ticket resolution, unless required for ongoing issue resolution

6.5 Video Conferencing Data

Live Audio and Video Streams: Not stored. Streams are transported in real time via Daily.co and are discarded as soon as the meeting ends.
In-Meeting Chat: Chat messages exchanged during a meeting are discarded when the meeting ends unless your organization has enabled chat persistence, in which case they follow the retention rules in Section 6.2.
Meeting Recordings: Only created when a host explicitly starts recording. Recordings are retained for the lifetime of your organization's Video Conferencing subscription (or up to 90 days after the subscription ends, whichever is shorter), unless you delete them sooner. Organization owners can delete recordings at any time.
Transcripts: Only generated when a host explicitly enables transcription. Transcripts follow the same retention rules as recordings.
Meeting Metadata: Room identifiers, participant display names, and join/leave timestamps are retained for up to 90 days for billing, quota enforcement, and troubleshooting, then deleted or anonymized.

6.6 Temporary Data

Email Verification Tokens: Automatically expire and are deleted after 24 hours
Password Reset Tokens: Automatically expire and are deleted after 1 hour
Session Data: Deleted upon session expiration or logout
Cache Data: Automatically purged according to cache expiration policies

6.7 Legal and Compliance Retention

We may retain certain information for longer periods when required by law, regulation, or legal process, including but not limited to: financial records (7 years), tax records (as required by jurisdiction), legal hold requirements, and compliance with data protection regulations.

7. Your Rights and Choices

7.1 Account Management

Profile Control: Edit your profile information and privacy settings
Passkey Management: Add, remove, or manage your passkey credentials
Notification Settings: Control push and email notification preferences
Data Export: Request a copy of your personal data

7.2 Data Deletion and Right to Erasure

Account Deletion: Request deletion of your account and associated personal data. Note that some data may be retained for legal or compliance purposes as described in our Data Retention section
Content Removal: Delete messages, photos, files, and other content you've uploaded through your account settings
Support Data Deletion: Request deletion of support tickets and associated log files, subject to our retention policies and legal requirements
Data Minimization: Opt out of non-essential data collection where possible through your account settings
Right to Erasure: Under GDPR and other applicable laws, you have the right to request erasure of your personal data, subject to certain exceptions (e.g., legal obligations, legitimate business interests)

Important Note on Log Files: While you can request deletion of log files submitted with support tickets, we may retain aggregated, anonymized log data for security, troubleshooting, and service improvement purposes. Additionally, some log data may be retained for legal or compliance reasons.

7.3 Communication Preferences

Push Notifications: Enable/disable push notifications and choose notification types
Email Communications: Control email notifications and marketing communications
Do Not Track: Respect Do Not Track signals where technically feasible

7.4 Data Portability

Export your profile data and communications history
Transfer data to another service (where technically feasible)

8. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

Organizations using ClavaNet are responsible for ensuring compliance with applicable children's privacy laws.

9. International Data Transfers

Your information may be processed and stored in countries other than your own. We ensure that such transfers comply with applicable data protection laws and implement appropriate safeguards.

10. Cookies and Tracking Technologies

10.1 Mobile Application

Our mobile app may use local storage and device permissions to provide functionality:

Storage Permissions: To save files and cache data locally
Notification Permissions: To deliver push notifications
Camera Permissions: To upload photos and, when you join a video meeting, to send your video stream to other participants. Your camera is only active while you are in a meeting and have it turned on.
Microphone Permissions: Used exclusively when you join a video meeting and unmute yourself. Your microphone is not accessed outside of active meetings.
Biometric Permissions: For passkey authentication

10.2 Web Features

When accessed through web interfaces:

Session Cookies: For authentication and session management
Analytics: Usage analytics to improve our service (with user consent where required)

11. Third-Party Services and Integrations

11.1 Google Calendar Integration

When you connect your Google Calendar, we access only calendar events you explicitly share
Data is used solely for event synchronization within ClavaNet
You can revoke access at any time through your Google account settings

11.2 File Storage

Files are stored securely in Cloudflare R2
Access is controlled through our application
Files are not shared with third parties except as described in this policy

11.3 Email Services

Transactional emails are sent through Resend
We do not use your email for marketing without consent
Email delivery data is used only for service improvement

11.4 Video Conferencing Add-on

Organizations that subscribe to the optional Video Conferencing add-on gain the ability to host live audio/video meetings inside ClavaNet. The add-on is delivered through Daily.co, which acts as our real-time media infrastructure provider (see Section 4.2).

What is processed: Live microphone audio, camera video, optional screen share, in-meeting chat, and participant display names. When a host explicitly starts a recording or transcription, the resulting media and transcript are also processed.
Permission control: Your camera and microphone are only accessed while you are in an active meeting, and only after you grant the permission and turn them on. You can mute audio, stop video, leave the meeting, or revoke the OS-level permission at any time.
Recording and transcription: Recording and transcription are off by default and must be started manually by a meeting host. When a recording or transcript is in progress, ClavaNet shows an in-meeting indicator to all participants.
Storage and retention: Live streams are not stored. Recordings and transcripts are retained according to Section 6.5.
Minors: As stated in Section 8, the Service is not intended for children under 13. Organizations enabling the Video Conferencing add-on are responsible for obtaining any parental consent required by applicable law for users under the age of majority in their jurisdiction.

11.5 In-App Purchases and Subscriptions

Mobile App Subscriptions: All subscriptions purchased through our mobile apps (iOS and Android), including the optional Video Conferencing add-on, are processed through Apple App Store In-App Purchase system or Google Play Billing, respectively. We use RevenueCat as a subscription management service to validate purchases, manage subscription status, and sync subscription data with our backend.
Subscription Data: When you purchase a subscription, we receive transaction data including subscription product ID, purchase date, expiration date, subscription status, and device identifiers. This data is necessary to provide you with access to subscription features.
Restore Purchases: You can restore previous purchases through the app's "Restore Purchases" feature, which validates your subscription status with Apple App Store or Google Play Store.
Subscription Management: You can manage your subscriptions (cancel, renew, change plan) through your device's app store settings (iOS: Settings → Apple ID → Subscriptions; Android: Google Play Store → Subscriptions).
Payment Processing: All payments for mobile app subscriptions are processed directly by Apple or Google. We do not collect, store, or process credit card information for mobile app subscriptions. For web subscriptions, payments are processed through Stripe, Paddle, or Authorize.Net.
Third-Party AI Services: We do not share your personal data, including subscription data, with third-party AI services without your explicit consent. If we implement AI features in the future, we will update this policy and obtain your consent before sharing any data.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

Posting the new Privacy Policy within the app
Sending you an email notification
Providing an in-app notification

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Email: privacy@clavanet.com
Support: Within the app settings or through our help documentation

14. Compliance with App Store Requirements

This Privacy Policy is designed to comply with:

Google Play Store Developer Program Policies
Apple App Store Review Guidelines
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
Other applicable privacy laws

15. Additional Information for California Residents

Under the California Consumer Privacy Act (CCPA), California residents have additional rights regarding their personal information:

15.1 Right to Know

You have the right to know what personal information we collect, use, and disclose.

15.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

15.3 Right to Opt-Out

You have the right to opt out of the sale of your personal information (though we do not sell personal information).

15.4 Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, please contact us using the information provided above.

By using ClavaNet, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.