プライバシーポリシー
最終更新:2026-07-12
この翻訳は便宜上提供されるものです。本プライバシーポリシーの正式版は英語版です。
This policy explains how the website at claraconverts.com and the embedded chatbot widget served from it (together, "the Service") handle your information. We operate tellerio.com and cognicores.com as separate products with their own privacy policies — the practices differ.
Operator and data controller
The Service is operated by:
- Volker Arndt, trading as ClaraConverts
- Address: Jucar 29, 46190 Riba-roja de Túria, Valencia, Spain
- NIF: Y8754104L
- Email: support@claraconverts.com
Volker Arndt is the data controller for visitors to claraconverts.com and for subscriber accounts under the EU General Data Protection Regulation (GDPR). The information above also constitutes the "información general" required under Article 10 of Spanish Law 34/2002 (LSSI-CE).
Two roles, two relationships
ClaraConverts is a multi-tenant service. Whether we act as data controller or as processor depends on which role you're in:
- Subscribers — businesses that sign up at claraconverts.com to embed Clara on their own website. For your account, billing, and login data, ClaraConverts is the controller.
- Visitors of a subscriber's website — people who chat with Clara in the widget on a third-party site. For the resulting conversations and leads, the subscriber is the controller; ClaraConverts is a processor acting on the subscriber's instructions and storing the data on infrastructure they pay us for.
If you are a visitor and want your conversation or lead deleted, the fastest route is to contact the website where you used the chatbot. We will also action requests sent directly to support@claraconverts.com, after verifying the request with the subscriber.
What we collect from subscribers, and why
- Email address — used as your login identifier (magic-link auth) and for service emails (the embed-snippet email after checkout, billing-related notices, and security alerts). Required.
- Stripe customer record — when you start a paid subscription, Stripe creates a customer record holding your billing email, name, address (collected at Checkout for tax purposes), and payment method. We receive a Stripe customer ID; payment method details never touch our servers.
- Website URL and chatbot configuration — the URL you paste into the homepage, the brand colour and conversion goal we infer, the multi-page text content we extract from your site, and any edits you make in the studio.
- Lead destination email — the address where Clara forwards leads captured by the widget. Defaults to your billing email; you can change it in the studio.
- IP address — used to enforce rate limits on the marketing site (preview generation, login requests). Stored as a short-lived counter that automatically deletes within 24 hours.
- Session cookie — a signed, HttpOnly cookie set after magic-link sign-in so the studio knows you're logged in.
What happens when you paste a URL for a preview
The homepage lets visitors paste any website URL to generate a free, ephemeral preview of Clara configured for that site. The mechanism is:
- We fetch the public homepage of the URL you paste, identifying as
ClaraConvertsBot/1.0 (+https://claraconverts.com). We honour the site'srobots.txtand refuse to fetch any host that has asked to be excluded. - We extract public marketing signals from the response: the page title, meta description, theme colour, Open Graph image, h1-h3 headings, and a short body excerpt. We don't fetch additional pages, we don't follow login forms, we don't extract anything behind authentication.
- We send the extracted text to our own LLM to infer a conversion goal for the preview chatbot.
- We store the preview tenant in KV for one hour, then it's automatically deleted.
- We store the URL, the inferred business name, and the inferred conversion goal in a separate audit log retained for 90 days. The operator may use this list for sales outreach. No personal data — the visitor who pasted the URL is identified only by an anonymised IP at the moment of paste.
If you own a website and don't want us to generate previews of it, email opt-out@claraconverts.com with your domain. We add it to our opt-out list and stop fetching it within one business day. The opt-out is permanent unless you ask us to lift it.
What we process on the subscriber's behalf (visitor data)
When a visitor uses the embedded chatbot on a subscriber's website, we receive and store:
- Chat messages — visitor and assistant turns, persisted in our database so the subscriber can read transcripts in their studio.
- Lead submissions — the email, phone number, or other contact details a visitor enters into Clara's lead form, plus the conversation transcript that produced the lead.
- Visitor IP address and approximate country — recorded against the conversation row for the subscriber's anti-abuse and analytics purposes.
Conversations and leads are auto-deleted after the subscriber's retention window (default 90 days). Subscribers can change this window in their studio within service limits. Subscribers may also delete individual conversations or leads at any time.
Cookies and local storage
- Session cookie (claraconverts.com) — set after magic-link sign-in so the studio knows you're logged in. Strictly necessary; HttpOnly; expires after 30 days of inactivity or when you sign out.
- Embedded widget — the chat widget uses your browser's
sessionStorage(cleared when you close the tab) to keep your chat session intact across navigations. It does not set tracking cookies. - Cloudflare may set short-lived security cookies for bot detection. Under EU/Spanish ePrivacy rules these are classified as "strictly necessary" and don't require consent.
We do not set analytics cookies, advertising cookies, or cross-site tracking cookies on this domain.
Who we share data with
We use a small number of processors to run the Service:
- Cloudflare, Inc. — hosting (Workers), database (D1), key-value store (KV), DNS, and DDoS protection (privacy policy).
- Stripe Payments Europe, Ltd. — subscription billing, Checkout, Customer Portal, and tax computation (privacy policy).
- Resend (Drift.com, Inc.) — transactional email: magic-link sign-in, embed-snippet welcome, lead notifications to subscribers (privacy policy).
The chatbot generation backend runs on hardware we control; conversation messages do not leave our infrastructure for the model step.
We do not sell, trade, or rent your information, and we do not share it with advertisers.
Google user data (Google Calendar integration)
Subscribers may optionally connect a Google account so Clara can book appointments into their Google Calendar. The connection is made by the subscriber through Google's standard OAuth consent screen; it is entirely optional, the Service works without it, and it can be disconnected at any time. This section describes how we handle data obtained through Google APIs.
When a subscriber connects Google Calendar, ClaraConverts accesses only the following:
- Calendar availability (free/busy) — read at the moment a website visitor asks to book, to find and confirm an open time. We do not copy or index your calendar; availability is read live for that request and not retained.
- Calendar events (create) — when the visitor confirms a time, Clara creates a single event for that appointment, with the visitor's name and the details they provided.
- Account email address and primary calendar timezone — received once at connect time to label the connection in the subscriber's dashboard and to show appointment times in the correct timezone.
How we handle it:
- Purpose limitation. Google Calendar data is used solely to check availability and create the appointments a visitor requests, on the connecting subscriber's instruction — never for any other purpose. The general analytics, audit-log, and sales-outreach activities described elsewhere in this policy relate only to ClaraConverts's own marketing data and never to information obtained through Google APIs.
- Storage. The OAuth access and refresh tokens are stored encrypted at rest and used only to make the calls above. Calendar contents are not stored.
- No sale, no ads, no model training. We do not sell or rent Google user data, do not use it for advertising, and do not use it to train, develop, or improve generalized AI/ML models. We do not transfer it to anyone other than Google's own APIs to provide the feature, except where required by law.
- Limited Use. ClaraConverts's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- Disconnecting and revoking. A subscriber can disconnect Google Calendar at any time from their ClaraConverts dashboard, which immediately stops all access. You can also revoke ClaraConverts's access directly from your Google Account permissions, which invalidates our tokens at once. Stored tokens are deleted when you delete your ClaraConverts account, and we will delete them sooner on request to support@claraconverts.com.
How long we keep it
- Subscriber account record — kept while the subscription is active, plus 24 months after cancellation for tax and dispute reasons. You can request earlier deletion if there are no outstanding obligations.
- Conversations and leads — auto-deleted after the subscriber's retention window (default 90 days) by a daily cleanup job.
- Stripe records — retained by Stripe under their own retention rules; Stripe is bound by EU/US payment regulations to keep certain transaction records.
- Email logs at Resend — Resend retains delivery metadata according to their policy.
- IP rate-limit counters — automatically deleted after 24 hours.
- Stripe webhook idempotency records — pruned automatically at 30 days; contain no personal data beyond the Stripe event id.
- Preview audit log (URLs pasted into the homepage form) — automatically deleted after 90 days by the same daily cleanup job. Contains the URL, the AI's inferred business name, and approximate visitor country; no name, email, or other personal identifier.
Legal basis (GDPR)
- Contract performance — for processing your subscription, account, billing, and the chatbot service we provide.
- Legitimate interest — for IP-based rate limiting and abuse prevention; for sending essential service emails about your account and billing. The interest is keeping the Service available and our infrastructure costs predictable; the impact on your privacy is minimal.
- Legal obligation — for VAT-related records (kept for the period required by Spanish tax law).
- Processor relationship — for visitor conversations and leads we host on a subscriber's behalf, the legal basis sits with the subscriber. Our handling is governed by the data-processing terms incorporated into the Terms of Use.
AI-generated responses
Clara is an AI system. Replies are generated by a language model (and optionally synthesised by a text-to-speech model on the Pro tier) and may be inaccurate, outdated, or out of context. Subscribers configure the chatbot name and conversion goal; nothing the bot says constitutes a contractual offer from the operator of the website where Clara is embedded, unless that operator confirms it directly.
International transfers
Some of our processors (notably Stripe and Resend) operate in the United States. Where personal data leaves the EEA, we rely on appropriate safeguards (the EU–US Data Privacy Framework or standard contractual clauses).
Your rights
If you are in the EU, the UK, or another jurisdiction with similar laws, you have the right to:
- Access the data we hold about you
- Have it corrected if it's wrong
- Have it deleted (the "right to be forgotten")
- Restrict how we process it
- Object to processing based on legitimate interest
- Receive it in a portable format
- Withdraw consent at any time, where consent is the basis
- Lodge a complaint with your local data-protection authority (in Spain: the Agencia Española de Protección de Datos)
To exercise any of these, email support@claraconverts.com from the address on file. We respond within 30 days.
For US visitors (CCPA / CPRA)
We do not sell or share your personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act, and we have not done so in the past 12 months. If you are a California resident, you have the right to know what personal information we collect about you, to request its deletion, and to be free from discrimination for exercising your privacy rights. To exercise any of these rights, email support@claraconverts.com.
How we keep your data safe
All traffic to and from the Service is encrypted using HTTPS/TLS. Subscriber sessions use HttpOnly, signed cookies bound to a server-side secret. Our processors (Cloudflare, Stripe, Resend) hold relevant security certifications and store data in encrypted form at rest. Stripe stores all payment-method details and we never receive card numbers. The chat backend runs on hardware we control. No system is perfectly secure, but we follow common-sense practices and limit access to the minimum needed to operate the Service.
Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact support@claraconverts.com and we will delete it.
Changes to this policy
We may update this policy as the Service evolves. The "Last updated" date at the top reflects the most recent change. The updated text takes effect when posted; subscribers receive a notice by email when the changes are material.
Contact
Questions, requests, or concerns: support@claraconverts.com.