Privacy Policy

Effective Date: September 2, 2025
Last Updated: September 2, 2025

Clear Stack ("Clear Stack," "Company," "we," "our," or "us") is committed to protecting your privacy and maintaining the confidentiality of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website at getclearstack.ai or engage our services.

By accessing our website or using our services, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Personal Information

Information you provide directly, including:

  • Contact Information: Name, email address, phone number, job title, company name, and business address

  • Account Information: Login credentials, waitlist registrations, user preferences

  • Professional Information: Investment experience, company size, deal preferences, and areas of interest

  • Payment Information: Billing address and payment method details (processed securely by third-party providers)

  • Identity Verification: Documentation required to verify your identity for rights requests or account security

1.2 Deal and Transaction Information

When engaging our services, we may receive:

  • Deal Documents: Offering memoranda, private placement memoranda, rent rolls, financial models, pro formas, due diligence reports, property information, and related investment materials

  • Proprietary Information: Confidential business information, investment strategies, and financial data you choose to provide

  • Third-Party Data: Information about properties, markets, or investments obtained from public records or commercial databases

1.3 Technical and Usage Information

Collected automatically when you use our site:

  • Device Information: IP address, browser type/version, operating system, device identifiers, screen resolution, time zone settings

  • Usage Data: Pages visited, time on site, referral sources, search queries, clickstream data, and navigation patterns

  • Performance Data: Loading times, error reports, crash data, and analytics on feature usage

  • Location Data: General geographic location based on IP address (not precise GPS coordinates)

1.4 Communication Records

  • Email correspondence and attachments

  • Meeting notes and call recordings (with explicit consent)

  • Chat messages, support tickets, surveys, and feedback

  • Video conference recordings when authorized

  • Text messages or other communication channels you initiate

1.5 AI Processing Information

Because our services leverage AI-assisted workflows, we may collect and process:

  • Data inputs provided to AI systems for analysis

  • AI-generated outputs, recommendations, and intermediate processing results

  • Model performance metrics, accuracy measurements, and error rates

  • User interactions with AI-generated deliverables

  • Training data used to improve AI models (anonymized when possible)

  • Feedback on AI-generated content quality and accuracy

2. How We Use Your Information

We use information for the following legitimate business purposes:

2.1 Service Delivery

  • Analyzing deal documents and preparing investment memoranda

  • Providing consulting services tailored to your specifications

  • Managing project workflows, deadlines, and quality control

  • Customizing deliverables based on your preferences and requirements

2.2 Communication & Support

  • Responding to inquiries and support requests

  • Scheduling meetings and sending service notifications

  • Managing waitlist entries and onboarding new clients

  • Providing technical support and troubleshooting

2.3 Business Operations

  • Processing payments and maintaining accurate financial records

  • Conducting quality assurance and performance reviews

  • Training and improving AI models to enhance accuracy and workflows

  • Managing vendor relationships and service provider coordination

2.4 Website & Service Improvement

  • Monitoring usage patterns to enhance site performance and user experience

  • Developing new features and service offerings

  • Conducting research, analytics, and A/B testing

  • Optimizing website functionality and mobile responsiveness

2.5 Legal & Compliance

  • Complying with applicable laws, regulations, and industry standards

  • Enforcing our Terms of Service and other agreements

  • Preventing fraud, abuse, unauthorized access, and security threats

  • Responding to lawful requests, government inquiries, and court orders

  • Maintaining records required for audit and regulatory purposes

2.6 Marketing (With Consent)

  • Sending newsletters, service updates, and relevant industry insights

  • Sharing research reports or promotional communications

  • Conducting market surveys and client engagement campaigns

  • Providing personalized content recommendations

3. Legal Basis for Processing

For residents of the EEA, UK, and similar jurisdictions with comprehensive privacy laws:

  • Contract Performance: Necessary to provide our services and fulfill our agreements

  • Legitimate Interests: Improving workflows, ensuring security, business operations, and service enhancement

  • Consent: Marketing communications, optional data collection, and call recordings

  • Legal Obligation: Compliance with laws, regulations, or legal processes

  • Vital Interests: Rare cases involving health, safety, or protection of fundamental rights

4. Data Security and Protection

We implement comprehensive, institutional-grade safeguards:

4.1 Technical Measures

  • Encryption: TLS 1.3 or higher for data in transit, AES-256 encryption for data at rest

  • Access Controls: Role-based access control, multi-factor authentication, and privileged access management

  • Network Security: Advanced firewalls, intrusion detection systems, and continuous monitoring

  • Infrastructure Security: Regular vulnerability testing, security patching, and penetration testing

  • Backup and Recovery: Encrypted backups with tested disaster recovery procedures

  • Endpoint Protection: Antivirus, anti-malware, and device management on all business systems

4.2 Organizational Measures

  • Personnel Security: All personnel bound by comprehensive confidentiality agreements

  • Access Management: Strict "least privilege" access policies with regular access reviews

  • Training Programs: Ongoing privacy and security awareness training for all staff

  • Incident Response: 24/7 monitoring with documented incident response procedures

  • Vendor Management: Due diligence and contractual security requirements for all service providers

  • Compliance Audits: Regular internal and third-party security assessments

4.3 Infrastructure and Hosting

  • Certified Providers: SOC 2 Type II and ISO 27001 compliant hosting partners

  • Data Centers: Geographically distributed, physically secure facilities

  • Redundancy: Multiple layers of backup systems and failover capabilities

  • Monitoring: Real-time security monitoring and automated threat detection

Security Disclaimer: While we implement industry-leading security measures, no system is 100% secure. We cannot guarantee absolute security of transmitted or stored information.

5. Information Sharing and Disclosure

We never sell, rent, or trade your personal information. We may share information only in these limited circumstances:

5.1 Service Providers and Business Partners

We may share information with trusted third parties who assist with:

  • Technology Services: Cloud hosting, data storage, email delivery, analytics platforms

  • Payment Processing: Secure payment gateways, billing systems, and financial institutions

  • Professional Services: Legal counsel, accountants, auditors, and consultants (under confidentiality agreements)

  • AI and Analytics: Machine learning platforms, data analysis tools, and research services

All service providers are contractually bound to protect your information and use it only for specified purposes.

5.2 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to equivalent privacy protections and advance notice to affected individuals.

5.3 Legal Requirements and Safety

We may disclose information when required by law or when we believe in good faith that disclosure is necessary to:

  • Comply with legal obligations, subpoenas, court orders, or government requests

  • Enforce our Terms of Service or other agreements

  • Investigate potential violations or protect our rights and property

  • Protect the safety, security, and rights of users, employees, or the public

  • Prevent fraud, abuse, or illegal activities

5.4 Consent-Based Sharing

We may share information with your explicit consent or at your specific direction, such as when you authorize us to share analysis with your business partners or advisors.

5.5 Anonymized and Aggregated Data

We may share anonymized, aggregated, or de-identified information that cannot reasonably be used to identify you for research, analytics, or business purposes.

6. Data Retention and Deletion

We retain personal information only as long as necessary for legitimate business purposes:

6.1 Retention Periods

  • Contact Information: Retained while you are an active client or prospect, plus 7 years for business compliance

  • Deal Documents: Retained for project duration plus 3 years for audit purposes, unless earlier deletion is requested

  • Communication Records: Retained for 7 years for business records and legal compliance

  • Usage and Analytics Data: Anonymized and retained up to 3 years for service improvement

  • Marketing Data: Retained until you opt out, request deletion, or we determine it's no longer needed

  • Payment Records: Retained for 7 years as required by tax and accounting regulations

6.2 Deletion Procedures

  • Verified Requests: We respond to verified deletion requests within 30 days

  • Secure Deletion: Information is permanently removed from active systems using secure deletion methods

  • Service Provider Notification: We notify relevant service providers to delete shared information

  • Legal Exceptions: We may retain certain information as required by law, for legitimate business purposes, or to resolve disputes

6.3 Automated Deletion

We implement automated systems to delete information according to our retention schedules, reducing the risk of over-retention.

7. International Data Transfers

7.1 Cross-Border Processing

If you are located outside the United States, your information will be transferred to and processed in the U.S., where our servers and primary business operations are located.

7.2 Adequacy and Safeguards

For transfers from the EEA, UK, and other regions with comprehensive privacy laws, we ensure adequate protection through:

  • Standard Contractual Clauses: Approved by the European Commission

  • Data Processing Agreements: With detailed security and privacy requirements

  • Adequacy Decisions: Where available from relevant authorities

  • Industry Certifications: Compliance with recognized international privacy frameworks

  • Regular Assessments: Ongoing evaluation of transfer mechanisms and protections

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 Universal Rights

  • Access: Request copies of your personal information and details about how it's processed

  • Correction: Request correction of inaccurate or incomplete information

  • Deletion: Request deletion of your personal information (subject to legal obligations and legitimate interests)

8.2 Enhanced Rights (EEA, UK, California, and Other Comprehensive Privacy Law Jurisdictions)

  • Portability: Receive your information in a structured, machine-readable format

  • Restriction: Request limits on how your information is processed

  • Objection: Object to processing based on legitimate interests or for marketing purposes

  • Automated Decision-Making: Right not to be subject to solely automated decisions with significant effects

  • Opt-Out: Opt out of marketing communications and certain data sharing practices

  • Non-Discrimination: Right not to be discriminated against for exercising privacy rights

8.3 Exercising Your Rights

To exercise these rights:

  • Email: hello@getclearstack.ai

  • Subject Line: "Privacy Rights Request - [Specific Right]"

  • Required Information: Your name, email address, and detailed description of your request

  • Identity Verification: We may request additional information to verify your identity before processing requests

  • Response Time: We will respond within 30 days (or as required by applicable law)

  • Appeal Process: If you're unsatisfied with our response, you may appeal or contact relevant supervisory authorities

8.4 Authorized Agent Requests

You may designate an authorized agent to make requests on your behalf by providing written authorization and verifying your identity.

9. Cookies and Tracking Technologies

9.1 Types of Cookies and Similar Technologies

  • Essential Cookies: Required for basic website functionality, security, and user authentication

  • Analytics Cookies: Google Analytics, Adobe Analytics, and similar tools for usage measurement and site optimization

  • Functional Cookies: Store user preferences, language settings, and session management

  • Marketing Cookies: Track interactions for advertising and marketing purposes (only with consent)

  • Social Media Plugins: Buttons and widgets from social platforms that may track usage

9.2 Cookie Management and Control

  • Browser Settings: Configure your browser to block, delete, or manage cookies

  • Opt-Out Tools: Use industry opt-out mechanisms and privacy tools

  • Cookie Preferences: Adjust settings through our cookie preference center (where available)

  • Do Not Track: We honor browser Do Not Track signals where technically feasible

9.3 Third-Party Analytics and Advertising

We use Google Analytics and similar services that may:

  • Track your behavior across websites and over time

  • Create advertising profiles and serve targeted advertisements

  • Share information with advertising networks and partners

You can opt out of Google Analytics using the Google Analytics opt-out browser add-on.

10. Data Breach Notification and Response

In the unlikely event of a security incident affecting personal information:

10.1 Internal Response

  • Detection and Assessment: Incidents detected and impact assessed within 24 hours

  • Containment: Immediate measures to contain the breach and prevent further unauthorized access

  • Investigation: Forensic analysis to determine scope, cause, and affected information

  • Remediation: Implementation of corrective measures and security improvements

10.2 External Notifications

  • Regulatory Authorities: Supervisory bodies notified within 72 hours where required by law

  • Affected Individuals: Prompt notification if there is high risk to rights and freedoms

  • Law Enforcement: Cooperation with investigations as required or appropriate

  • Business Partners: Notification of service providers and partners as necessary

10.3 Ongoing Support

  • Credit Monitoring: Where appropriate, we may provide credit monitoring or identity protection services

  • Regular Updates: Continued communication about investigation progress and protective measures

  • Process Improvements: Analysis of incidents to strengthen security and prevent future breaches

11. Children's Privacy

Our services are intended exclusively for business professionals and organizations. We do not:

  • Knowingly collect, use, or disclose information from individuals under 18 years of age

  • Target marketing or advertising to children or minors

  • Allow individuals under 18 to create accounts or engage our services

  • Process information from educational institutions regarding students under 18

If we become aware that we have collected information from a child under 18, we will delete it immediately and take steps to prevent future collection.

12. State-Specific Privacy Rights

12.1 California Residents (CCPA/CPRA)

In addition to the rights listed above, California residents have specific rights including:

  • Categories of Information: Right to know specific categories of personal information collected, sources, business purposes, and third parties with whom it's shared

  • Specific Pieces: Right to access specific pieces of personal information we maintain

  • Sale and Sharing: Right to opt out of sale or sharing of personal information (Note: We do not sell personal information as defined by the CCPA)

  • Sensitive Personal Information: Limited use and disclosure rights for sensitive personal information

  • Correction: Right to correct inaccurate personal information

  • Non-Discrimination: Protection against discrimination for exercising CCPA rights

California Consumer Privacy Rights Metrics: We will publish annual metrics about privacy requests as required by law.

12.2 Virginia, Colorado, Connecticut, Utah, and Other States

Residents of states with comprehensive privacy laws may have additional rights including:

  • Data minimization and purpose limitation protections

  • Consent requirements for processing sensitive data

  • Enhanced rights regarding automated decision-making

  • Universal opt-out mechanism recognition (Global Privacy Control)

Contact us at hello@getclearstack.ai for state-specific information and to exercise your rights.

13. Updates and Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our business practices or service offerings

  • Updates to applicable laws and regulations

  • Improvements to our security measures and data protection practices

  • Feedback from users and stakeholders

13.1 Notification of Changes

  • Posting: Updated policy will be posted on our website with a new effective date

  • Material Changes: Significant changes will be communicated via email to registered users at least 30 days in advance

  • Continued Use: Use of our services after the effective date constitutes acceptance of the updated policy

  • Opt-Out Rights: For material changes that expand our use of your information, we may provide opt-out opportunities

13.2 Version Control

We maintain previous versions of our Privacy Policy for reference and will provide copies upon request for legitimate purposes.

14. Supervisory Authorities and Complaints

14.1 EEA and UK Residents

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:

  • Contact Information: Available through your country's data protection authority website

  • Complaint Process: Follow your local authority's procedures for filing privacy complaints

  • Our Cooperation: We will cooperate fully with supervisory authority investigations

14.2 Other Jurisdictions

Residents of other locations may contact their relevant privacy or consumer protection authorities if available in their jurisdiction.

15. Contact Information

15.1 General Privacy Questions

Clear Stack
5 Centerpointe Drive, Suite 400
Lake Oswego, OR 97035
Email: hello@getclearstack.ai
Phone: 440-725-9239

15.2 Privacy Rights Requests

Email: hello@getclearstack.ai
Subject Line: "Privacy Rights Request - [Type of Request]"
Required Information: Name, email address, specific request details, and identity verification information

15.3 Data Protection Officer

For complex privacy matters or GDPR-related inquiries:
Email: hello@getclearstack.ai
Subject Line: "Data Protection Officer - [Subject]"

15.4 Security Incidents

To report security concerns or potential data breaches:
Email: hello@getclearstack.ai
Subject Line: "Security Incident Report"

By using our website or services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

Last reviewed and updated: September 2, 2025