Privacy Policy
Last Updated: June 17, 2026
This Privacy Policy explains how Cleredact Corporation ("Cleredact," "we," "us," or "our") collects, uses, and protects your personal information when you use cleredact.com and the Cleredact application (collectively, the "Service"). Cleredact is engineered so that the documents you redact never leave your browser. By using the Service, you agree to the terms below.
1. What We Do and Do Not Receive
Documents stay on your device. Detection, review, and redaction all run client-side in your browser. Uploaded files, extracted text, detected PII values, and the redacted output are stored only in your browser's local storage (IndexedDB) and auto-destruct after the window you configure (default one hour). Cleredact's servers never receive the contents of your documents.
2. Information We Collect
a) Account Data
When you create an account we collect your email address, hashed password (or OAuth identifier if you sign in with Google), and the vertical (industry) you select. If you enable multi-factor authentication, we store the encrypted TOTP secret bound to your account.
b) Preferences
Your detector toggles, redaction actions, self-destruct interval, and skip-review setting are stored so the app behaves the same across sessions and devices.
c) Redaction Metadata
For each redaction we log non-content metadata only: the file name, file size, page count, detector counts, and approximate location labels (e.g., "top-left of page 3"). We do not store the matched values, the surrounding text, or any rendered page.
d) Automatically Collected Data
Like most web services, our infrastructure records technical data such as anonymized IP address, browser type, request timestamps, and error reports. This is used to operate and secure the Service.
3. How We Use Your Information
- Authenticate you and protect your account (including MFA).
- Save your detector preferences and produce your in-account redaction history.
- Operate, maintain, and improve the Service.
- Detect, investigate, and block abusive or malicious activity.
- Communicate with you about your account, security, and product updates.
We do not sell, rent, or trade your personal data, and because we never receive your documents, we have none of their content to sell.
4. Sharing Your Information
- Service providers (hosting, database, authentication) bound by contract to protect your data.
- Legal compliance when required by law, subpoena, or court order.
- Security partners to share blocklists or threat indicators.
5. Data Retention
- Document content: never received; client-side files self-destruct after your configured TTL.
- Account and preferences: retained while your account is active, deleted within 90 days of closure.
- Redaction metadata history: retained while your account is active or until you delete it.
- Security and audit logs: typically retained up to 24 months.
6. Cookies and Local Storage
We use cookies and browser storage to keep you signed in and to operate the in-browser redaction engine. Clearing your browser data will sign you out and erase any in-flight documents.
7. Your Rights
Depending on your location (for example under GDPR or CCPA), you may request access to, correction of, or deletion of your personal data; withdraw consent; or opt out of analytics. To exercise these rights, contact privacy@cleredact.com.
8. Security
We use industry-standard measures (TLS in transit, row-level security in our database, scoped API keys, optional multi-factor authentication, and a zero-upload architecture for document content) to protect your account. No online service is 100% secure, but because we never possess your documents, the worst-case exposure of a server breach is limited to account metadata.
9. Compliance Posture
Cleredact is designed to support customers operating under HIPAA, FERPA, CJIS, GLBA, FOIA, GDPR, and CCPA workflows. Because document content never reaches our infrastructure, you remain the sole custodian of your regulated data. Cleredact is not a covered entity, business associate, or data processor for any document content you redact through the Service.
10. Accessibility
We design Cleredact to conform with WCAG 2.0 Level AA accessibility standards. Report accessibility issues to accessibility@cleredact.com.
11. International Transfers
Cleredact is operated from the United States. By using the Service you consent to processing of your account data in jurisdictions whose data-protection laws may differ from your own.
12. Children
Cleredact is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
13. Policy Updates
We may update this policy periodically. Material changes will be posted here with a revised "Last Updated" date.
14. Contact Us
For questions about this Privacy Policy, contact privacy@cleredact.com.
See also: Terms of Service.