Privacy Policy
1 About CAMNY LTD and this notice
1.1 Who we are
CAMNY LTD (“CAMNY”, “we”, “our”, “us”) is a private limited company registered in England & Wales (company no. [•••]) with its registered office at 20 Wenlock Road, London, N1 7GU.
1.2 What we do
We provide AI-native legal-services software and attorney-review workflows (“Services”) via the domains clarisign.aiand camny.co (“Sites”) and through related mobile or desktop applications (“Apps”).
1.3 Why this notice matters
This Privacy Policy explains what personal data we collect, how and why we process it, the lawful bases we rely on, the rights you have, and how you can exercise those rights.
It applies to:
visitors to our Sites or Apps;
registered users (clients, attorneys, collaborators);
newsletter subscribers and event attendees;
job applicants and contractors.
1.4 Key laws we comply with
Region | Applicable law |
|---|---|
United Kingdom | UK GDPR (as incorporated by the Data Protection Act 2018) |
European Economic Area | EU GDPR (Regulation 2016/679) |
United States (California) | CCPA / CPRA (California Civil Code § 1798.100 ff.) |
Other regions | Local data-protection and e-privacy statutes as applicable |
2 The data we collect and how we obtain it
Data category | Typical examples | How we obtain it | Purposes (linked to legal bases in § 3) |
|---|---|---|---|
Identity Data | full name, title, date of birth, bar-admission ID | provided by you during signup / KYC | A-1, A-2, B-1 |
Contact Data | e-mail, phone, postal address, social-media handle | provided by you; obtained from public sources (e.g., Companies House) | A-1, B-1 |
Account Data | username, hashed password, MFA token | created by you in the App | A-1 |
Matter Content | contracts, exhibits, litigation briefs, comments | uploaded by you or your authorised users | A-2 |
Usage Data | login timestamps, feature clicks, error logs, heat-maps | collected automatically via cookies / SDKs | C-1, D-1 |
Payment Data | last 4 digits of card, Stripe token, invoice history | processed via Stripe Payments (we never store raw card numbers) | A-3 |
Marketing Preferences | newsletter opt-in status, event RSVP | provided by you | C-2 |
Recruitment Data | CV, cover letter, interview notes, right-to-work docs | provided by candidate; created by us during hiring | E-1 |
(Internal reference keys A-1 … E-1 map to the lawful-basis table in § 3.2.)
3 Why we process your data and our lawful bases
3.1 Purpose matrix
Code | Purpose description |
|---|---|
A-1 | Create and administer user accounts; provide secure login and access tokens. |
A-2 | Deliver the core Services (AI drafting, red-lining, attorney review, e-signature, storage). |
A-3 | Process payments, issue invoices, manage collections. |
B-1 | Respond to support tickets, product-feedback requests, dispute-resolution inquiries. |
C-1 | Monitor, debug and improve Site / App performance and security. |
C-2 | Send product updates, newsletters, and event invitations (only if you opt-in). |
D-1 | Compile anonymous analytics and usage statistics to guide product development. |
E-1 | Conduct recruitment, background checks and onboarding of staff or contractors. |
3.2 Legal-basis table (UK GDPR / EU GDPR Article 6)
Purpose codes | Lawful basis | Explanation |
|---|---|---|
A-1, A-2, A-3, B-1 | Contract (Art 6 (1)(b)) | Processing is necessary to perform the contract with you. |
C-1 | Legitimate interests (Art 6 (1)(f)) | We need minimal logs to keep our platform reliable and secure. |
C-2 | Consent (Art 6 (1)(a)) | We only send marketing if you have opted in; you can withdraw any time. |
D-1 | Legitimate interests | Aggregated analytics do not override your privacy rights. |
E-1 | Pre-contractual steps / legal obligation (Art 6 (1)(b),(c)) | Required to assess suitability and comply with employment law. |
For residents of California, UK GDPR lawful bases align with “Business Purpose” or “Commercial Purpose” categories in CPRA § 1798.140.
4 Cookies, SDKs and similar technologies
4.1 Types used
Essential cookies (session token, CSRF)
Performance cookies (page-load timing)
Functional cookies (language selection)
Analytics SDKs (Plausible Analytics self-hosted)
No third-party advertising cookies.
4.2 Opt-out / consent
On first visit we present a GDPR-compliant banner. Non-essential cookies are disabled until you click “Accept” or customise settings.
5 Data sharing and sub-processors
Category | Recipient | Location | Safeguards |
|---|---|---|---|
Payment processing | Stripe Payments Europe Ltd. | IE / US | Standard Contractual Clauses (SCC 2021) |
Cloud hosting | AWS (eu-west-2), Cloudflare (UK) | UK | UK Binding Corporate Rules; ISO 27001 |
Document storage | AWS S3 encryption-at-rest (AES-256) | UK | Same as above |
E-mail delivery | Postmark (Wildbit LLC) | US | SCC 2021 |
AI model hosting | OpenAI - Azure OpenAI Service, West Europe region | NL | EU Data Boundary, SCCs |
Video-call provider | Whereby UK Ltd. | UK | DPA 2018 compliant |
Analytics | Plausible self-host (DigitalOcean AMS3) | NL | No personal data stored |
We update this table in real time at clarisign.ai/termsofuse.
6 International transfers
All primary data reside in UK Amazon datacentres.
When we engage a US sub-processor, we rely on SCCs and supplement with encryption in transit (TLS 1.3) and at rest (AES-256).
We do not rely on Privacy Shield.
7 Retention schedule
Data type | Standard retention | Deletion / destruction method |
|---|---|---|
Account & Identity | 6 years after final invoice (HMRC audit window) | Encrypted archival → secure erase |
Matter Content | 90 days after workspace deletion (configurable to 0) | S3 object purge + version wipe |
Payment tokens | As long as active subscription + 13 months for chargebacks | Stripe automatic purge |
Support logs | 24 months | Logrotate + encryption key shred |
Analytics (aggregated) | Indefinite (no personal data) | N/A |
8 Your rights
8.1 For UK / EU data subjects:
Right of access (Art 15)
Rectification (Art 16)
Erasure / “right to be forgotten” (Art 17)
Restriction (Art 18)
Portability (Art 20)
Objection (Art 21)
No automated decision-making with legal effect (Art 22)
8.2 To exercise: e-mail privacy@clarisign.ai with subject line “Data-rights request” and include details to verify your identity. We respond within 30 days.
8.3 Complaints: You may lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local EU supervisory authority.
9 Security measures
ISO 27001-aligned risk management programme.
SOC 2 Type II audit in progress (expected Q3 2025).
All traffic encrypted in transit (TLS 1.3 with HSTS).
Data encrypted at rest (AES-256-GCM, AWS KMS).
MFA enforced for admin accounts; optional for users.
Daily off-site backups; quarterly disaster-recovery tests.
Independent penetration testing every 12 months.
10 Children
Our Sites and Services are not directed to individuals under 18. We do not knowingly collect children’s data. If you believe a minor has provided personal data, contact privacy@clarisign.ai and we will delete it promptly.
11 Links to third-party sites
Our Sites may contain links to external sites (e.g., HM Land Registry, Companies House). We are not responsible for their content or privacy practices.
12 Changes to this Policy
Version 1.0 – 21 May 2025.
We will post any future changes at clarisign.ai/privacy and, for material changes, notify registered users by e-mail at least 14 days before they take effect.
13 Contact us
Data Controller
CAMNY LTD
20 Wenlock Road
London, N1 7GU
United Kingdom
Data Protection Officer
Nikita Bezotosnyi
E-mail: privacy@clarisign.ai
Tel: +49 170 175 0619