Clovion AI
Legal/Privacy Policy

Privacy policy.

Effective November 1, 2026·Version 4.2·Last reviewed by legal counsel·Print PDF →

Contents

Fourteen sections. Read the plain-English summary first if you only have a minute.

01 — Summary

In short.

Clovion AI runs visibility tracking against the AI engines your buyers use. To do that, we collect the domains you want monitored, the prompts you care about, the competitors you track, and the account data we need to bill and support you. We log what the AI engines say about you, score it, and hand you the fixes that move the needle.

We share data only with a small list of vetted subprocessors (section 14). We do not sell personal data, we do not train foundation models on customer data, and we do not run advertising pixels inside the product. Our team accesses production data only with a documented reason, on hardware-backed MFA, and every access event is logged.

You have full rights over your data. Ask us for a copy, ask us to fix it, ask us to delete it, ask us to stop processing it. We respond within 30 days. If you are in California, the EU, or the UK, you have additional named rights under CCPA, GDPR, and UK GDPR. Reach our DPO at dpo@clovion.ai. The full legal text follows.

  • From whomBusiness customers and their teammates
  • What we do with itRun visibility scoring, deliver fixes, bill, support
  • Who we share with13 named subprocessors. No advertisers. No data brokers.
  • Your rightsAccess, correct, delete, port, object, restrict.
§ 02

Information we collect

We collect information you give us directly, information we collect automatically from your use of Clovion AI, and information we receive from third parties who help us deliver the service. This section describes each category.

Account data. When you sign up, we collect your name, work email, company, role, password hash, and the domains you want to track. Where billing applies, we collect a billing contact and tax identifier through our payment processor.

Workspace data. We store the prompts you configure, the competitor sets you track, the engines you select, the schedule you run them on, and the historical scores, citations, sentiment readings, and crawler logs we generate on your behalf. We also store invitations, role assignments, and audit log events for everyone in your workspace.

Usage data. We log IP address, user agent, session events, feature usage, and timestamps so we can keep the product reliable and improve it over time. We do not buy or sell third-party tracking data, and we do not run advertising pixels inside the application.

Support data. If you contact us, we keep a record of the conversation, the attachments you send, and any account details needed to resolve the issue.

  • 01Identifiers (name, email, company, role)
  • 02Authentication artifacts (password hashes, session tokens, recovery codes)
  • 03Workspace configuration (tracked domains, prompts, competitors, schedules)
  • 04Generated outputs (scores, citations, sentiment, GEO suggestions, crawler logs)
  • 05Billing and tax data (handled by Stripe; we receive only metadata)
  • 06Technical and security logs (IP, user agent, request timestamps)
§ 03

How we use information

We use the information we collect to run Clovion AI for you, keep it secure, bill you accurately, and improve the product over time. We do not use customer data to train foundation models, and we do not pool one customer’s data into another customer’s reports.

Specific uses. Deliver visibility scoring, citation tracking, and GEO suggestions on the domains and competitor sets you configure. Authenticate users and prevent abuse. Send transactional notices about scoring changes, billing events, and security alerts. Provide support and respond to requests. Measure aggregate, de-identified usage to understand which features are working.

Lawful basis. For European customers, we process personal data on the basis of contract (to deliver the service you signed up for), legitimate interest (to keep the service safe and improve it), and consent (where you opt into marketing or product communications you can opt out of).

This is placeholder copy pending counsel review; the production text will include lawful-basis language tailored to each processing activity.

§ 04

Data sharing

We share data with a small set of subprocessors who help us run the service. Section 14 lists every one of them, by name, with the purpose and region. We do not sell personal data, and we do not share it with advertisers.

We may disclose data when we are legally required to (subpoenas, court orders, lawful government requests). When that happens, we narrow the scope, push back where appropriate, and notify the affected customer unless the law forbids it.

If Clovion AI is involved in a merger, acquisition, or asset sale, we will give customers notice before personal data becomes subject to a different privacy policy, and we will honor opt-out rights.

This is placeholder copy pending counsel review.

§ 05

Subprocessors

A subprocessor is a third party we engage to process personal data on our behalf as part of delivering Clovion AI. We require every subprocessor to meet a baseline that includes a signed Data Processing Agreement, equivalent Standard Contractual Clauses where applicable, encryption in transit and at rest, an annual security review, and incident notification within 24 hours.

We maintain the live list in section 14 below. We also publish updates and material changes 30 days in advance for enterprise customers who subscribe to the subprocessor notification list. To subscribe, email dpo@clovion.ai.

This is placeholder copy pending counsel review.

§ 06

International data transfers

Clovion AI is operated from the United States, with infrastructure available in the European Union and Asia Pacific. When personal data moves across borders, we use Standard Contractual Clauses approved by the European Commission, the UK Addendum where the UK is involved, and equivalent safeguards for transfers governed by other regimes.

For customers who require data residency, see section 7. The default is US-East unless your contract specifies otherwise.

This is placeholder copy pending counsel review.

§ 07

Data residency (US/EU/APAC)

Enterprise customers can pin their workspace to one of three residency regions. Once a residency choice is made, primary storage, backups, and most processing stay in that region. A small set of operational data (for example, billing records and audit metadata) may still be processed in the United States to support shared business functions.

Available regions. United States (US-East-1, Virginia). European Union (EU-Central-1, Frankfurt). Asia Pacific (AP-Southeast-2, Sydney). Additional regions on request for qualifying enterprise contracts.

This is placeholder copy pending counsel review.

  • 01United States — US-East (Virginia)
  • 02European Union — EU-Central (Frankfurt)
  • 03Asia Pacific — AP-Southeast (Sydney)
§ 08

Security

We hold SOC 2 Type II and ISO 27001 certifications, audited annually by an independent third party. The full reports are available under NDA from security@clovion.ai. We also publish a security overview at /security with the practical controls and the latest pen test summary.

Encryption. Data is encrypted in transit using TLS 1.3 and at rest using AES-256. Production secrets live in a hardware-backed key management service and are rotated on a fixed schedule.

Access. Production access requires SSO, hardware-key MFA, and a documented business reason. Every access event is logged, reviewed monthly, and tied to an on-call ticket.

Resilience. Backups run every six hours with cross-region replication. Disaster recovery is tested twice a year against a four-hour RTO and a one-hour RPO.

Incident response. We notify affected customers within 24 hours of confirming a security incident that involves their data, with material updates every 24 hours until closure.

This is placeholder copy pending counsel review.

§ 09

Your rights (GDPR + CCPA)

You have rights over your personal data. The specific rights depend on where you live, but the core set is the same wherever you are in the world. You can ask us to do any of the following, and we will respond within the timelines the applicable law requires.

Right to access. Get a copy of the personal data we hold about you. Right to correction. Fix data that is wrong. Right to deletion. Ask us to delete your personal data, subject to legal retention requirements. Right to portability. Get your data in a machine-readable format. Right to object. Tell us to stop processing for specific purposes. Right to restrict. Pause processing while a dispute is resolved.

For California residents under the CCPA and CPRA, you also have the right to know what categories of personal information we collect, the right to opt out of any sale or share (we do not sell, and we do not share for cross-context behavioral advertising), and the right to non-discrimination if you exercise any of these rights.

To exercise a right, email dpo@clovion.ai from the address associated with your account. We respond within 30 days, with the option to extend by 60 days when a request is complex. There is no charge for the first request in a 12-month window.

This is placeholder copy pending counsel review.

§ 10

Cookies

Clovion AI uses a small number of first-party cookies that are strictly necessary to keep you signed in, balance load across our servers, and remember your workspace selection. We do not run third-party tracking cookies, advertising pixels, or session-replay tools inside the application.

Our marketing site (clovion.ai) uses a single first-party analytics cookie for aggregate, de-identified traffic measurement. You can decline it from the banner on first visit, and your choice is respected across the marketing site.

This is placeholder copy pending counsel review.

§ 11

Children’s data

Clovion AI is a business product. It is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data to us, email dpo@clovion.ai and we will delete it.

This is placeholder copy pending counsel review.

§ 12

Changes to this policy

We update this policy when our practices change. Material changes are announced 30 days before they take effect via the in-product notification center, the security@clovion.ai mailing list, and a banner at the top of this page.

Every version of this policy is archived. The current version, effective date, and a link to the prior version are listed at the top of the page. To see the full history, email dpo@clovion.ai.

This is placeholder copy pending counsel review.

§ 13

Contact us

For privacy or security questions, contact security@clovion.ai. For data subject requests and DPA questions, contact our Data Protection Officer at dpo@clovion.ai.

Mailing address. Clovion AI, Inc. 169 Madison Avenue, Suite 11731, New York, NY 10016, United States.

EU representative. Designated under Article 27 of the GDPR; full name and address available on request from dpo@clovion.ai.

§ 14

Subprocessor list — live

The thirteen subprocessors we engage to operate Clovion AI. Updated whenever we add, remove, or change a vendor. Enterprise customers can subscribe to a 30-day advance notification list by emailing dpo@clovion.ai.

SubprocessorPurposeRegionPolicy
Amazon Web ServicesPrimary cloud hosting, compute, storage, networkingUS-East / EU-West / AP-SoutheastView ↗
VercelEdge delivery and marketing site hostingGlobal edgeView ↗
AnthropicModel inference for visibility analysis and GEO suggestionsUSView ↗
OpenAIModel inference for prompt simulation and citation extractionUSView ↗
Google Cloud (Gemini API)Model inference for Gemini and AI Overviews trackingUS / EUView ↗
Neon (Managed Postgres)Primary application database and time-series storageUS-East / EU-CentralView ↗
CloudflareDNS, DDoS mitigation, WAF, object storage for crawler logsGlobal edgeView ↗
StripeBilling, invoicing, payment processing, tax remittanceUS / EU / APACView ↗
PostmarkTransactional email (reports, alerts, account notices)USView ↗
Customer.ioLifecycle and marketing email, customer communicationUSView ↗
SegmentFirst-party product analytics event routingUSView ↗
LinearInternal issue tracking for support escalationsUSView ↗
ZendeskSupport ticketing and knowledge baseUS / EUView ↗

Last revised — October 14, 2026

Questions? security@clovion.ai·DPO: dpo@clovion.ai

Effective 2026-11-01 • v4.2