Privacy Policy

CAMNY LTD — Privacy Policy

Effective date: 23 August 2025

This Privacy Policy explains how CAMNY LTD (company number 15719462, registered office: 20 Wenlock Road, London, England, N1 7GU) (“we”, “us” or “our”) collects, uses, shares and protects personal data in connection with our websites, platform, extensions and related services (the “Services”). This version contains a purposes/legal basis/retention matrix as requested and no annexes.


1) Who we are & how to contact us

Controller: CAMNY LTD, incorporated in England and Wales (No. 15719462).
Address: 20 Wenlock Road, London, England, N1 7GU.
Email (privacy & requests): info@clarisign.ai

This Policy applies to your use of the Services worldwide.


2) Our roles (controller vs processor)

We act as controller for personal data that we determine the purposes and means of processing for (e.g., account administration, billing, security, product telemetry, and marketing to our own contacts).

When business customers submit data to the Services (“Customer Content”), we process that data as processor on their documented instructions under the customer agreement. We do not use Customer Content for our own purposes beyond providing and securing the Services.


3) Personal data we collect (controller context)

We collect only the personal data needed for the purposes below:

·      Account & business contact data – name, work email, job title, organisation, role, authentication identifiers (including SSO/IdP identifiers), administrator settings.

·      Commercial & billing data – subscription tier, purchase records, billing contact, tax/VAT identifiers, and limited payment tokens generated by our payment processor (we do not store full payment card numbers).

·      Service usage & technical data – interactions with features, timestamps, device/OS/browser, IP address, app version, performance and error logs, cookie identifiers, referrers/UTM parameters, and approximate location derived from IP.

·      Support & communications – messages you send us (tickets, chat, email), attachments you provide, feedback forms, and event/webinar registrations.

·      Marketing preferences – newsletter opt‑in/opt‑out status and campaign interactions.

·      Recruitment data (if you apply) – CV/resume, cover letter, interview notes, references.

Sources: directly from you or your organisation; automatically via the Services (logs, cookies/SDKs); and from service providers acting on our behalf (e.g., authentication/SSO, payments, communications) to the extent permitted by law and your settings.


4) How and why we use personal data (legal bases)

We rely on the following legal bases under UK/EU law:
- Contract – to create and administer accounts; provide and maintain the Services; provide support.
- Legitimate interests – to operate, secure and improve the Services (including telemetry and troubleshooting), prevent abuse/fraud, understand feature adoption, and communicate service‑related updates to admins. We balance these interests against your rights.
- Consent – for non‑essential cookies/SDKs and electronic direct marketing to individuals where required. You can withdraw consent at any time.
- Legal obligation – tax/financial record‑keeping, responding to lawful requests, and compliance reporting.

Matrix: purposes, data categories, legal bases & data retentionn

Purpose

Types of personal data

Legal basis

Data retention

Manage your account and provide the Services (incl. SSO, user management, feature delivery)

Account & business contact; Service usage & technical

Contract; Legitimate interests (service reliability & security)

While the account is active; account/profile data kept 12 months after closure. Logs 12–24 months.

Support, incident handling & communications

Support & communications; Account & business contact; Service usage & technical

Contract; Legitimate interests

Support tickets/attachments 24 months after closure.

Security, fraud prevention & misuse detection

Account & business contact; Service usage & technical

Legitimate interests; Legal obligation (where applicable)

Security/event logs 12–24 months (longer if needed to investigate incidents or meet legal duties).

Product analytics & improvement (aggregate)

Service usage & technical; cookie identifiers

Legitimate interests; Consent for non‑essential cookies/SDKs in UK/EEA

Telemetry 12–24 months; cookie lifetimes per Cookie Notice.

Billing, payments & tax records

Commercial & billing; Account & business contact

Contract; Legal obligation (tax/accounting)

For the period required by lawand accounting obligations.

Identity verification & access management

Account & business contact; Service usage & technical

Contract

While you use the Services; related auth logs 12–24 months.

Surveys, feedback & research

Support & communications; survey responses; Service usage & technical

Legitimate interests

Up to 24 months(aggregated/anonymised results may be kept longer).

Marketing to business contacts; newsletters & events

Account & business contact; Marketing preferences

Legitimate interests (B2B); Consent where required

Until you opt out, plus up to 24 months for suppression/compliance records.

Recruitment (if you apply)

Recruitment data

Legitimate interests; Contract (pre‑contractual); Legal obligation

12 months unless you consent to a longer talent‑pool period.

Compliance & legal claims

Data necessary for the purpose

Legal obligation; Legitimate interests

As long as needed to comply with law or to establish/exercise/defend legal claims.

Customer Content (processor role) — data uploaded by/for Customer

Customer Content

Controller instructions under the customer agreement (we act as processor)

As set in the Agreement/DPA; deleted per contractual timeframe after termination or on verified request.

5) Cookies and similar technologies

We use cookies and similar technologies to operate the Services (e.g., authentication, security), measureperformance and usage (aggregate analytics), and remember preferences. In the UK/EEA, non‑essential cookies run only with your consent via our banner. You can manage preferences in the banner and via your browser settings. If you have questions about specific cookies in use, contact info@clarisign.ai.


6) How we share information

We do not sell personal data. We share limited personal data with: - Service providers (sub‑processors)that host, support and help us operate the Services (e.g., cloud hosting, security, communications, analytics, payments). These providers are bound by contract to process personal data only on our instructions and to protect it appropriately. A current list of sub‑processors is available on request at info@clarisign.ai. We provide advance notice of material changes to that list. - Your organisation (workspace/tenant admins may access certain account and usage information for their organisation’s users).
- Professional advisers (legal, accounting, insurance) under confidentiality.
- Corporate transactions (e.g., merger, acquisition or financing), subject to appropriate safeguards.
- Authorities when required by law or necessary to protect rights, safety and integrity.

We do not permit service providers to use personal data for their own independent purposes.


7) International transfers

Personal data may be transferred to and processed in countries outside the UK/EEA. Where we do so, we use appropriate safeguards such as the EU Standard Contractual Clauses (2021/914) together with the UK Addendum/IDTA, and additional measures as needed. Where relevant, we may also rely on providers participating in recognised data‑transfer frameworks (e.g., EU–US Data Privacy Framework) for specific transfers. You can contact us for more information about transfer mechanisms that apply to your data.


8) Security

We implement administrative, organisational and technical measures proportionate to risk, including: - Encryption in transit and at rest;
- Role‑based access controls and least privilege; MFA/SSO for staff; confidentiality undertakings;
- Tenant separation and secure software development lifecycle;
- Vulnerability management, logging and monitoring;
- Incident response with user/customer notification where required by law; and
- Backups and disaster recovery practices.
For detailed security information (e.g., pen‑test cadence, RTO/RPO), contact info@clarisign.ai.


9) Data retention

We retain personal data only as long as necessary for the purposes described above, then delete or anonymise it. Retention periods used in the matrix govern where stated; otherwise we retain for the time needed to fulfil the purpose and comply with legal obligations.


10) Your rights

Subject to conditions and exemptions, you have the right to access, rectify, erase, restrict, object, and portyour personal data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a data protection authority (in the UK, the Information Commissioner’s Office).

How to submit a request: email info@clarisign.ai from the address associated with your account. We may need to verify your identity and, for enterprise users, confirm with your organisation’s administrator. We aim to respond within one month, extendable where permitted by law.


11) Marketing choices

You can opt out of marketing emails at any time via the unsubscribe link in our emails or by contacting info@clarisign.ai. We conduct B2B outreach in compliance with applicable laws (including PECR in the UK). Opt‑out choices do not affect essential service communications (e.g., security or billing notices).


12) US state privacy disclosures (if applicable)

Where our activities fall within the scope of certain US state privacy laws, residents of those states may have rights to access, delete, correct, and opt out of certain processing. We do not sell personal information and do not share personal information for cross‑context behavioural advertising. You may exercise rights via info@clarisign.ai. We will verify requests as required by law.


13) Children

Our Services are intended for professional/business use and are not directed to children. We do not knowingly collect personal data from children under 16 in the UK/EEA (or 13 in the US). If you believe a child has provided personal data, contact us so we can take appropriate steps to delete it.


14) Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will post the updated version and change the “Effective date” above. If changes materially affect your rights or how we use data, we will provide additional notice (e.g., email or in‑product).


15) Contact

Controller: CAMNY LTD (No. 15719462)
Address: 20 Wenlock Road, London, England, N1 7GU
Email: info@clarisign.ai
EU Representative (Article 27): Nikita Bezotosnyi — Münchener Straße 4, 63179 Obertshausen, Germany; contact: info@clarisign.ai

Sub‑processor list available on request at info@clarisign.ai. This policy contains no annexes.