Privacy

Clarus, Inc. operates the Clarus contract lifecycle management platform and the Clarus CFO companion product (clarusclm.com). This privacy notice explains how we collect, use, and safeguard personal data when you visit our marketing site, request access, or use the platform.

Account information you provide when requesting access or signing in: name, work email, company name, role, and seat counts.

Customer content you upload to the platform: contracts, clauses, vendor records, transactions, and any data you ingest through CSV upload or integrations such as Okta, Microsoft Entra ID, and QuickBooks.

Usage telemetry the platform records to operate the service: timestamps, IP addresses, the browser user agent, the actions you take in the application, and audit logs of mutations made by you or members of your tenant.

Cookies and similar technologies needed to keep you signed in (an httpOnly session cookie) and to defend against cross-site request forgery (a CSRF double-submit token).

To provide the platform: authenticate users, enforce tenant isolation, render contracts and clauses, run extraction and intelligence workflows, and dispatch notification emails on your behalf.

To support your account: respond to access requests, troubleshoot issues, and communicate about your subscription, renewals, and material changes to the service.

To secure and improve the service: monitor for abuse, debug errors, measure feature usage at the aggregate level, and harden the platform against new threats.

We do not sell personal data. We do not use customer content to train third-party AI models. We do not use your contracts to train any model that other tenants will see.

The platform runs on managed infrastructure providers (cloud hosting, managed databases, object storage). We use Resend for transactional email and Claude via Anthropic, OpenAI, or your AI provider of choice for contract extraction and analysis.

Enterprise Secure customers can supply their own API key (BYOK) so AI calls bill to their account and use their provider relationship rather than ours. Encryption keys are stored using industry-standard symmetric encryption at rest.

A complete subprocessor list is available to customers on request.

Customer content stays in the tenant for as long as the subscription is active. On termination, customers may export their data and we will delete it on a documented schedule consistent with our agreements and applicable law.

Audit logs are retained for compliance and incident response and may persist after a tenant deletion in compliance with retention requirements.

Depending on where you live, you may have rights to access, correct, export, or delete personal data we hold about you. Send requests to privacy@clarusclm.com from a verified address. We respond on the timelines required by applicable law.

Tenant isolation is enforced via row-level data isolation in the database. Sessions use httpOnly, Secure, SameSite cookies plus a CSRF double-submit token. Files are stored with AES-256 server-side encryption. Internal service calls require a shared-secret header validated at each hop.

For more detail see the public Security page.

Privacy questions: privacy@clarusclm.com. Security disclosures: security@clarusclm.com. General: support@clarusclm.com.

We will update this notice as the service evolves. The Last Updated date below changes when we revise it. Material changes are communicated to active customers via email.