Privacy Policy

1.     Introduction

1.1 This Privacy Policy explains how Camny Ltd (trading as “Clarisign”) (“Clarisign”, “we”, “us”, “our”) collects, uses, discloses and protects personal data in connection with:

  • our public website and Trust Centre;

  • our cloud‑hosted AI platform for managing M&A transactions; and

  • our related sales, marketing, support and recruitment activities.

1.2 This Privacy Policy is designed to provide the information required by the UK General Data Protection Regulation (“UK GDPR”) and, where applicable, the EU General Data Protection Regulation (“EU GDPR”) (together, the “GDPR”), including Articles 12–14. It also takes account of applicable rules on cookies and electronic communications under the UK Privacy and Electronic Communications Regulations (“PECR”) and relevant EU ePrivacy rules, and relevant guidance from the UK Information Commissioner’s Office (“ICO”) on privacy notices and international transfers.

1.3 Clarisign acts both:

  • as an independent controller, for example in relation to website visitors, marketing contacts, users’ account and billing data, support interactions and product telemetry; and

  • as a processor, when we process client matter data (including documents and related personal data) on behalf of our law‑firm and corporate customers in order to provide the Clarisign platform and related services.

This Privacy Policy covers both roles. Where our role makes a difference to how your personal data is handled, we explain this explicitly.

2.     Who we are and how to contact us

2.1 Identity of the controller

The controller of your personal data for the purposes described in this Privacy Policy (unless stated otherwise) is:

Camny Ltd (trading as “Clarisign”)

A company incorporated in England and Wales

Company number: 15719462

Registered office: 20 Wenlock Road, London, England, N1 7GU

2.2 How to contact us about privacy

If you have any questions about this Privacy Policy or our handling of personal data, you can contact us at:

  • Email: privacy@clarisign.ai

2.3 Data Protection Officer / privacy lead

Clarisign has appointed a privacy lead who is responsible for overseeing questions in relation to this Privacy Policy and data protection compliance more generally. You can reach the privacy lead using the contact details above.

If Clarisign formally appoints a Data Protection Officer (“DPO”) under the GDPR, we will update this Privacy Policy with the relevant contact details.

3.     Scope and audiences

3.1 To whom does this Privacy Policy apply?

This Privacy Policy is intended for:

  • visitors to our websites, including our Trust Centre;

  • individuals who work for, or represent, our law‑firm and corporate clients and prospects;

  • authorised users of the Clarisign platform (e.g. lawyers, trainees, paralegals, legal ops professionals, corporate deal teams);

  • individuals who interact with us in a business context (e.g. vendors, partners and consultants); and

  • job applicants and candidates.

3.2 Client matter data where we act as processor

For most client matter data that is uploaded to, ingested or generated within the Clarisign platform (including documents, due diligence materials, contracts, corporate records, checklists, notes and related metadata), we act as a processor. In those cases:

  • your law firm or corporate employer (or another organisation instructing us) is the controller;

  • their own privacy notice will explain how and why your personal data is processed; and

  • our processing of that data is governed by our contracts and data processing agreements (“DPAs”) with those customers.

We describe our processing and safeguards for client matter data at a high level in this Privacy Policy, but in the event of any conflict between this Privacy Policy and a DPA with a customer, the DPA will prevail for that processing.

4.     Categories of personal data we collect as controller

This section describes the personal data that Clarisign processes as an independent controller.

4.1 Website and product telemetry

When you visit our website or use the Clarisign platform, we may automatically collect:

  • Technical identifiers: IP address, device identifiers, browser type and version, operating system, time zone setting, language settings.

  • Usage data: pages and screens visited, clickstream and navigation paths, time and date of visits, response times, feature use, error messages and performance diagnostics.

  • Cookies and similar technologies: please see section 8 (Cookies and similar technologies).

4.2 Account and user data

When a firm or corporate subscribes to Clarisign or you create or use an account, we may process:

  • Identification data: name, title, professional role or grade.

  • Contact data: work email address, work telephone number, organisation name, office location.

  • Account data: username, permissions and roles, group/team membership, authentication IDs (e.g. SSO identifiers), password hash (where SSO is not used), audit logs of log‑ins and account changes.

  • Customer relationship and billing data: billing contact details, purchase orders, invoicing details and payment status (payment card details themselves are typically handled by our payment providers, not by Clarisign directly).

4.3 Support, feedback and communications

When you contact us (e.g. through support channels, email, in‑product chat, or at events) we may process:

  • Support communications: content of emails and chats, support tickets, troubleshooting information and related logs.

  • Feedback: feature requests, survey responses, NPS scores, testimonials and related correspondence.

  • Call or meeting information: details of calls or video meetings with our teams, including notes and follow‑up actions.

4.4 Marketing and business development

For individuals who engage with us for marketing or business development purposes, we may process:

  • Contact details: name, work email, telephone, employer, role.

  • Engagement data: event registrations and attendance, webinar participation, email opens and clicks, preferences about which communications you receive.

  • Lead and pipeline information: notes relating to your firm’s or organisation’s potential use of Clarisign.

We do not intentionally collect special categories of personal data in this context.

4.5 Vendors and partners

For suppliers, sub‑contractors and other partners, we may process:

  • business contact details;

  • contract and performance information; and

  • compliance and due diligence information where required (e.g. to conduct financial or sanctions checks).

4.6 Recruitment and candidates

For job applicants and candidates, we may process:

  • Identification and contact details: name, email address, telephone number, address.

  • Application data: CVs/resumés, covering letters, professional history, education and qualifications, LinkedIn or other profiles you choose to share.

  • Assessment data: interview notes, test results, references, right‑to‑work documentation (where legally required).

  • Diversity data: only where we specifically ask for this, on an optional basis and in accordance with applicable law.

We do not actively seek to collect special category data (such as health or biometric data) or criminal offence data about candidates, but such data may be included incidentally in documents you provide (for example, in a CV). Where we process such data, we will do so only in accordance with applicable law.

5.     Categories of personal data we process as processor

This section describes, at a high level, the personal data we typically process as a processor on behalf of law‑firm and corporate customers.

5.1 Client documents and matter content

Customers may upload, or allow us to ingest, a wide range of documents and data, including:

  • contracts and agreements;

  • corporate records, shareholder registers and organisational documents;

  • due diligence reports, questionnaires and responses;

  • regulatory and compliance documents;

  • deal bibles, disclosure letters and ancillary closing documentation;

  • email exports or notes; and

  • structured data from data rooms or third‑party systems.

These documents may include personal data such as:

  • names, contact details and roles of directors, shareholders, employees, counterparties and advisers;

  • transaction‑specific personal details (e.g. shareholdings, remuneration, contractual arrangements); and

  • other information that appears in documents relevant to an M&A transaction.

5.2 Matter metadata

In order to organise matters and transactions within the Clarisign platform, we may process metadata such as:

  • matter or project names and IDs;

  • information about parties, group companies and jurisdictions;

  • deal timelines, key milestones and CP lists;

  • tags, labels, folder structures and custom fields defined by the customer.

5.3 End‑user identifiers and activity

To provide audit trails, security logging and collaboration features, we process:

  • user identifiers, names and organisation affiliation;

  • role/permission information;

  • timestamps and activity logs (e.g. who uploaded or edited a document, which issues they flagged, which items they marked as complete).

5.4 Special category and other sensitive data

Clarisign does not intentionally require or seek special category personal data (such as health information, political opinions or religious beliefs), or data relating to criminal convictions, for use of the platform. However, due to the nature of legal transactions, such data may appear incidentally in documents uploaded by customers. In those circumstances:

  • our customers, as controllers, are responsible for ensuring there is an appropriate legal basis and, where required, an Article 9(2) condition or equivalent; and

  • we handle that data only as necessary to provide the platform and support services, in accordance with the relevant customer contracts and this Privacy Policy.

6.     Purposes and lawful bases (controller activities)

This section explains the purposes for which we process personal data as controller and the corresponding lawful bases under the GDPR.

6.1 Overview

We rely on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR) – where processing is necessary to enter into or perform a contract (for example, a subscription agreement with a customer, or steps taken at your request before entering into an employment contract).

  • Legitimate interests (Article 6(1)(f) GDPR) – where we (or a third party) have a legitimate interest that is not overridden by your interests, fundamental rights or freedoms.

  • Consent (Article 6(1)(a) GDPR) – mainly for certain marketing activities and non‑essential cookies where required by law.

  • Legal obligations (Article 6(1)(c) GDPR) – where processing is necessary to comply with our legal obligations (e.g. tax, accounting, compliance with regulators).

6.2 Details by purpose

We process personal data for the following purposes:

(a) Providing and administering the Clarisign platform and accounts

We use your personal data to set up and manage user accounts, authenticate users, provide platform features, send service communications (such as password resets and security alerts), and handle subscription and billing.

Legal basis: performance of a contract with the customer and/or with you as user; our legitimate interests in providing and improving our services to business clients.

(b) Security, logging and fraud prevention

We monitor access to the platform, maintain and review logs, detect and respond to suspicious activities or incidents, enforce acceptable-use rules and prevent abuse.

Legal basis: our legitimate interests in securing our platform, protecting client data and preventing fraud or misuse; compliance with legal obligations where applicable.

(c) Service improvement, analytics and product development

We analyse how users interact with features (in aggregated or pseudonymised form where possible), run experiments and A/B tests, train and improve internal models and tooling, and refine the user experience.

Legal basis: our legitimate interests in developing and improving our products and services, provided this does not disproportionately affect your privacy; we apply minimisation and safeguards (for example, aggregation and access controls).

(d) Marketing and business development

We send updates about Clarisign, legal-tech insights and event invitations, manage mailing lists, personalise outreach to business contacts and maintain CRM records.

Legal basis: our legitimate interests in promoting and growing our business in a B2B context, within GDPR limits; consent where required for electronic marketing to individuals under PECR/ePrivacy. You can opt out of marketing at any time.

(e) Running events and community activities

We register attendees, manage waiting lists, send joining details and post-event materials, and record attendance at events we organise.

Legal basis: performance of a contract (where we provide events) and/or our legitimate interests in engaging with customers and prospects.

(f) Vendor and partner management

We onboard suppliers and partners, manage contracts, pay invoices and assess performance and risks.

Legal basis: performance of a contract; our legitimate interests in running our business efficiently; compliance with legal obligations (for example, tax and accounting).

(g) Recruitment and hiring

We review applications, arrange interviews, assess suitability, carry out right-to-work and other checks where required, and communicate with candidates.

Legal basis: taking steps prior to entering into an employment contract and our legitimate interests in hiring suitable candidates; compliance with legal obligations (for example, right-to-work checks and equal-opportunities reporting).

(h) Legal and regulatory compliance

We keep records for tax and accounting purposes, respond to lawful requests from public authorities, manage disputes and enforce our contractual rights.

Legal basis: compliance with legal obligations; our legitimate interests in protecting our legal rights and defending claims.

6.3 How we apply the legitimate interests balancing test

Where we rely on legitimate interests, we:

  • identify a specific, proportionate business interest (for example, securing our services, preventing abuse, or improving functionality);

  • consider the potential impact on individuals and whether the processing is reasonably expected in the circumstances; and

  • apply safeguards such as data minimisation, access controls, pseudonymisation and appropriate retention periods.

You have the right to object to processing based on legitimate interests (see section 13).

7.     Processing client matter data as processor

7.1 For client matter data described in section 5, we act as processor and process personal data only:

  • on the documented instructions of our customers, as set out in our contracts and DPAs;

  • for the purposes agreed with those customers (typically, to provide, maintain, secure and support the Clarisign platform, including AI‑assisted review and drafting features); and

  • in accordance with applicable data protection laws.

7.2 Our customers are responsible for:

  • selecting the legal bases and conditions for processing client matter data;

  • providing appropriate transparency information to data subjects (for example through their own privacy notices); and

  • defining retention periods and deletion or return instructions for that data.

7.3 Clarisign does not:

  • use client matter data for independent marketing purposes; or

  • sell client matter data.

We do not use client matter data to train general‑purpose foundation models. Where we use AI/ML models, we configure zero‑data‑retention for model calls with Azure OpenAI and process client matter data only as necessary to provide the requested functionality and support services.

8.     Cookies and similar technologies

8.1 Our websites and the Clarisign platform use cookies and similar technologies (such as pixels and local storage) to:

  • operate core site and platform functionality (e.g. security, log‑in sessions, load balancing);

  • remember your preferences (e.g. language, cookie choices); and

  • in some cases, collect analytics about how visitors use our website and platform, so we can improve them.

8.2 Necessary cookies

These are required for the website and platform to function (for example, to keep you logged in or to route requests). Because they are strictly necessary, they do not require your consent, but you can still manage them via your browser settings (although the service may not function correctly if you block them).

8.3 Analytics and other non‑essential cookies

We may use analytics tools to understand how our website and platform are used (for example, which pages are most frequently visited, or which features are adopted), generally in aggregated or pseudonymised form.

Where required by PECR/ePrivacy:

  • we will ask for your consent before setting non‑essential cookies or similar technologies; and

  • you can withdraw your consent or change your preferences at any time via our cookie banner or settings.

8.4 Cookie Policy

More detail about specific cookies used, their purposes and lifetimes may be provided in a separate Cookies Policy linked from our website and platform.

9.     Recipients and sharing of personal data

9.1 Service providers and sub‑processors

We may share personal data with trusted third‑party service providers who act on our behalf and in accordance with our instructions, including:

  • Hosting and infrastructure providers, such as Microsoft Azure, which host the Clarisign platform and related services in UK and/or EU regions.

  • Azure OpenAI and related AI infrastructure, used to power certain AI‑assisted features. We configure these services in UK/EU regions with zero‑data‑retention for model calls.

  • Communications and collaboration tools, used for customer support, in‑product messaging, email delivery and videoconferencing.

  • Analytics, logging and monitoring providers, used to monitor performance, detect incidents and understand service usage (in aggregated or pseudonymised form where possible).

  • Professional advisers, such as lawyers, auditors and insurers, where necessary for the establishment, exercise or defence of legal claims or compliance.

These providers are bound by contractual obligations to safeguard personal data and may not use it for their own independent purposes.

9.2 Corporate transactions

If we are involved in a merger, acquisition, financing, reorganisation, sale of assets or similar corporate transaction, personal data may be disclosed to advisers and actual or potential buyers (and their advisers), subject to appropriate confidentiality protections and, where required, data protection safeguards.

9.3 Legal and regulatory disclosures

We may disclose personal data where we consider this necessary to:

  • comply with applicable law or a lawful request from a public authority or court;

  • enforce our agreements or protect the rights, property or safety of Clarisign, our customers, users or others; or

  • investigate suspected or actual unlawful activity.

9.4 No sale of personal data

We do not sell personal data and we do not share personal data with third parties for their own independent direct marketing purposes.

10.   International transfers

10.1 Clarisign is a UK‑based company. Where possible, we host and process personal data in the UK and EEA using regional Azure data centres and associated services.

10.2 Some of our service providers and group entities may be located, or may process data, outside the UK and/or EEA (for example, in countries that do not provide the same level of data protection as the UK or EU).

Where we transfer personal data outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as:

  • an adequacy decision by the UK Government or European Commission in respect of the destination country; and/or

  • standard contractual clauses approved by the European Commission, and the UK International Data Transfer Agreement/Addendum (IDTA), as applicable; and

  • transfer impact assessments and additional technical and organisational measures, consistent with ICO and European Data Protection Board (EDPB) guidance.

10.3 You can contact us using the details in section 2 to request more information about international transfers, including copies of relevant transfer safeguards (subject to redactions where necessary for confidentiality).

11.   Retention of personal data

11.1 General criteria

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting or reporting requirements. We consider:

  • the amount, nature and sensitivity of the personal data;

  • the potential risk of harm from unauthorised use or disclosure;

  • the purposes for which we process it and whether we can achieve those purposes through other means; and

  • applicable legal, regulatory, tax, accounting or other requirements.

11.2 Indicative retention periods (controller data)

Subject to specific contractual or legal obligations, we generally apply the following high‑level retention periods:

  • Account and customer relationship data: retained for the duration of the contract plus a reasonable period (typically up to 6 years) to manage renewals, disputes and legal obligations.

  • Platform logs and telemetry: retained for operational and security purposes for periods typically ranging from 90 days up to 24 months, depending on log type, after which they are deleted or anonymised.

  • Marketing data: retained while you remain engaged with us and for a limited period afterwards (e.g. up to 3 years from your last meaningful interaction) unless you opt out sooner. We keep a record of opt‑outs to respect your preferences.

  • Support and communications data: retained as long as reasonably necessary for record‑keeping and to improve our services (typically up to 3–6 years, depending on context).

  • Vendor and partner data: retained for the duration of our relationship and for a reasonable period afterwards (typically up to 6 years) to comply with legal and contractual obligations.

  • Recruitment and candidate data: retained for the duration of the recruitment process and, usually, for up to 12–24 months afterwards (unless a longer period is justified or required by law, or unless you ask us not to retain your details). If you become an employee, candidate data may be transferred into your HR file and retained in accordance with our internal HR policies.

11.3 Retention of client matter data (processor data)

For client matter data processed as a processor:

  • retention periods are primarily determined by our customers, as controllers, and set out in our contracts and DPAs with them;

  • we typically retain client matter data for the duration of the subscription or relevant matter and then, following termination or expiry, for a limited period agreed with the customer (for example, to allow export or to satisfy legal or audit requirements), after which we delete or anonymise the data in line with the contract;

  • deletion may include effective cryptographic erasure from backups where technically and commercially practicable, or natural expiry of backup media within defined cycles.

12.   Security of personal data

12.1 We take security seriously and implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, having regard to the nature of the data and the risks involved.

These measures include, for example:

  • Encryption: using industry‑standard encryption to protect personal data in transit and at rest.

  • Logical separation: multi‑tenant or logically separated environments so that one customer’s data is isolated from another’s.

  • Access controls: role‑based access controls, least‑privilege principles, SSO/MFA support, and strong authentication and authorisation practices.

  • Logging and monitoring: security logging, monitoring for unusual activity, and alerting to detect and respond to potential incidents.

  • Secure development lifecycle: controls for code review, testing and change management within our development and deployment processes.

  • Third‑party risk management: due diligence on sub‑processors and suppliers, including contractual security obligations.

  • Policies and training: internal policies and staff training on confidentiality, security and data protection, including incident response procedures.

12.2 Our information security management framework is designed to align with recognised standards such as ISO/IEC 27001 and SOC 2 (Type I and, in due course, Type II). Further information about our current certifications and external audits may be made available in our Trust Centre or on request.

12.3 Despite our efforts, no system can be guaranteed to be 100% secure. However, we are committed to using reasonable and appropriate measures to protect personal data and to responding promptly and transparently to any suspected data incidents, including by notifying customers and authorities where required by law.

13.   Your rights (for data processed as controller)

13.1 Your rights under the GDPR

Where we act as controller, and subject to applicable law and certain exceptions, you have the following rights in relation to your personal data:

  • Right of access: to obtain confirmation of whether we process your personal data and, if so, to receive a copy and certain additional information.

  • Right to rectification: to have inaccurate or incomplete personal data corrected.

  • Right to erasure: to request deletion of your personal data, for example where it is no longer needed for the purposes for which it was collected, or where you withdraw consent (if consent was the sole basis) and there is no other legal basis to continue processing.

  • Right to restriction: to request that we restrict processing of your personal data in certain circumstances (for example, while we verify its accuracy or the basis for processing).

  • Right to data portability: to receive personal data you have provided to us in a structured, commonly used and machine‑readable format and, where technically feasible, to have it transmitted to another controller, where processing is based on consent or contract and is carried out by automated means.

  • Right to object: to object to processing based on our legitimate interests (including profiling), on grounds relating to your particular situation. We will stop that processing unless we have compelling legitimate grounds which override your interests, rights and freedoms or we need to continue the processing for the establishment, exercise or defence of legal claims. You always have the right to object to direct marketing, including profiling for that purpose.

  • Right to withdraw consent: where we rely on consent (for example, for certain types of marketing or cookies), you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before it was withdrawn.

13.2 How to exercise your rights

To exercise any of these rights, please:

  • contact us via email at privacy@clarisign.com;

  • provide sufficient information to allow us to verify your identity (and, where relevant, your authority to act on behalf of another individual); and

  • describe your request clearly.

We will respond in accordance with applicable law, typically within one month. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. If we extend the response period, we will inform you of the delay and the reasons.

13.3 Where we act as processor

For personal data that we process solely as processor on behalf of a customer (for example, data contained within client documents uploaded to the Clarisign platform):

  • we are not generally able to respond directly to data subject rights requests, because we do not control the data or determine the purposes of processing;

  • in most cases, you should contact the relevant law firm or corporate (our customer), which is the controller and will be best placed to respond;

  • if you send a request directly to us, we may forward it to the relevant customer or ask you to contact them directly, and we will assist the controller as required by our contract and applicable law.

13.4 Right to complain

If you are unhappy with how we have handled your personal data or responded to a request, you can:

  • contact us using the details in section 2 so we can try to resolve the issue; and/or

  • lodge a complaint with your local supervisory authority.

For individuals in the UK, this is the Information Commissioner’s Office (ICO). Details of how to contact the ICO are available on its website.

If you are in the EEA, you can complain to your local supervisory authority, particularly in the Member State of your habitual residence, place of work or alleged infringement.

14.   Automated decision‑making and profiling

14.1 Clarisign uses AI and automation to assist users with tasks such as:

  • extracting information from documents;

  • highlighting potential issues or risks based on pre‑defined rules or prompts; and

  • suggesting drafting changes or checklists.

These tools are designed to support legal and business professionals, not to replace their judgement.

14.2 We do not use personal data to carry out automated decision‑making (including profiling) that produces legal effects concerning an individual or similarly significantly affects them, within the meaning of Article 22 GDPR. Any decisions about individuals’ legal rights, employment, access to services or similar outcomes are made by our customers and their users, not by Clarisign or its AI tools alone.

15.   Children

15.1 Clarisign’s services are directed at business and professional users involved in M&A and related corporate transactions. They are not intended for children.

15.2 We do not knowingly collect personal data from children under the age of 16 (or any higher age threshold that may apply in a relevant jurisdiction) as controller. If you are a parent or guardian and believe that we have collected personal data about a child inappropriately, please contact us using the details in section 2 and we will take appropriate steps to investigate and, where necessary, delete the data.

16.   Changes to this Privacy Policy

16.1 We may update this Privacy Policy from time to time, for example to reflect:

  • changes to our services or business operations;

  • changes in applicable law or regulatory guidance; or

  • feedback from customers, regulators or other stakeholders.

16.2 When we make material changes, we will:

  • post the updated Privacy Policy on our website and in our Trust Centre;

  • update the “Last updated” date below; and

  • where appropriate, take additional steps to bring the changes to your attention (for example, by email to customer contacts or in‑product notifications).

Please review this Privacy Policy periodically to stay informed about how we handle personal data.

17.   Last updated

Last updated: November 24, 2025