Clerko Privacy Policy

Last updated:

This Privacy Policy explains how Clerko (“we”, “us”, “our”) collects, uses, and shares information when you use our website https://getclerko.com (the “Site”) and our web application available at https://app.getclerko.com (the “App”). The Site and App are together the “Services”.

This policy focuses on privacy and data protection only. It does not cover contractual terms (Terms of Service).

1. Who is responsible for your information

Clerko is the controller of personal data processed through the Services (unless we state otherwise for a specific situation). If you have questions or requests, contact us at [email protected].

2. Information we collect

2.1. Information you provide

  • Account information: email address, name (if provided), login credentials and authentication tokens.
  • Workspace and business profile information: workspace name and business details you enter in the App (for example, company name, tax identifiers, address, contact details, preferences, notes).
  • Support and communications: information you send when you contact us (e.g., emails, support messages, chat messages).

2.2. Documents and content you upload in the App

The App lets you upload and manage accounting documents, such as invoices/receipts and bank statements. These files may contain personal data (for example, names, addresses, bank account numbers, email addresses, phone numbers, and transaction details).

2.3. Information from connected accounts and integrations

If you choose to connect third-party accounts (such as Gmail, Outlook, Google Drive, or OneDrive), we will receive and store information needed to keep that connection working, such as access/refresh tokens, granted scopes, account identifiers, inbox display name/email address, and configuration settings (for example, whether automatic scans are enabled).

2.4. Email inbox scanning (important)

The App includes a feature that can scan a connected inbox to find invoices. We understand this is sensitive. We design scanning to be as narrow as possible and we do not store your emails as part of the product database.

  • What we search for: we look for invoice-like emails using invoice-related keywords and signals (for example, “invoice”, “receipt”, “bill”, “statement”, and similar terms) and we prioritize messages that appear likely to contain invoice attachments (e.g., PDF/image attachments). This reduces the number of emails we analyze.
  • What we analyze for candidates: for candidate messages, we may process message metadata (such as sender, recipient, subject, date), and limited content necessary to identify invoices (such as portions of the message body and invoice-like links), and we inspect attachment filenames and types.
  • Attachments and links: if an attachment or a link appears to be an invoice (for example a PDF), we may download it temporarily to complete the scan and import it as an invoice.
  • What we store after a scan: we store invoices that you import (the invoice file) and extracted invoice fields in our database. To prevent re-importing the same invoice, we also store minimal metadata like the originating provider message ID for invoices imported from inbox scans.
  • What we do not store: we do not store full email message bodies/content or complete non-invoice emails in our database after the scan completes.
  • Temporary files are deleted: files downloaded during a scan (e.g., attachments) are stored temporarily to perform the import and are deleted after the scan run finishes.

2.5. Information collected automatically (Site and App)

  • Log and usage data: IP address, request/response data, pages viewed, access times, error logs, and similar diagnostic and usage information.
  • Device and browser information: browser type, operating system, device identifiers, and settings.
  • Approximate location: derived from IP address (e.g., country/region).

3. How we use information

  • Provide and operate the Services: create and manage accounts and workspaces, process uploads, display documents, and provide features you request.
  • Inbox scanning and document processing: find invoice documents in connected inboxes, import them into the App, and extract structured accounting fields from documents.
  • Product improvement and analytics: understand how the Site/App is used, fix issues, and improve performance and features.
  • Security and fraud prevention: protect the Services, prevent abuse, and enforce policies.
  • Communications: send service and administrative messages (e.g., password resets, invitations, notifications). Where required, we will obtain consent for marketing communications.

4. Cookies, analytics, and similar technologies

We use cookies and similar technologies (including local storage) to operate the Services and to understand usage.

  • Strictly necessary: required for the Services to function. For example, the App may store authentication tokens in your browser’s local storage to keep you signed in.
  • Analytics: we use analytics tools such as Google Analytics, PostHog, and Vercel Analytics to measure traffic and product usage.
  • Live chat: we use Tawk.to to provide customer support chat; it may set cookies and collect usage/technical data to enable the chat widget.

You can control cookies through your browser settings. Where required by law, we will ask for your consent before using non-essential cookies and provide choices.

5. AI and automated processing

Some features use automated processing to classify and extract information from documents.

  • Inbox scan classification: to reduce the number of emails imported, we may use automated classifiers to decide whether a candidate email likely contains an invoice. This can involve sending limited signals (such as the email subject, attachment filenames, and invoice-like links) to an AI service provider.
  • Invoice parsing: when you upload or import an invoice/receipt, we may send the document file (PDF/image) to an AI service provider to extract structured invoice fields.
  • Bank statement parsing: when you upload a bank statement, we may use automated processing to extract statement metadata and transactions, and to enrich transactions (for example, short descriptions and counterparty names).

6. How we share information

We share information only as needed to provide the Services, comply with law, and protect Clerko and our users.

6.1. Service providers (processors)

We use third-party service providers to help operate the Services. Depending on the features you use, these may include:

  • Email inbox providers: Google (Gmail API) and Microsoft (Graph API) when you connect an inbox for scanning.
  • Cloud storage mirroring: Google Drive and Microsoft OneDrive if you enable mirroring/exporting invoices to your own cloud storage.
  • File storage: private object storage (S3-compatible) used to store invoice and bank statement files; access is typically provided via time-limited signed URLs.
  • Analytics: Google Analytics, PostHog, and Vercel Analytics.
  • Live chat: Tawk.to.
  • Payments: Stripe (for purchasing credits and payment-related records).
  • Transactional email: providers such as Postmark (for password reset emails, invitations, and service notifications).
  • AI service providers: providers that process content to classify emails or extract structured data from invoices/bank statements.

These providers are authorized to process information only as necessary to provide services to us and are contractually required to protect it.

6.2. Legal and safety

We may disclose information if we believe it is reasonably necessary to comply with law, regulation, legal process, or governmental request; to protect the security or integrity of the Services; or to protect the rights, property, and safety of Clerko, our users, or others.

6.3. Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

7. Data retention

  • Documents and extracted data: invoices, bank statements, and extracted fields are retained for as long as your account/workspace remains active or until you delete them, subject to legal, tax, or compliance requirements where applicable.
  • Inbox scan temporary files: downloaded attachments/linked files used during scans are temporary and are deleted after the scan finishes.
  • Connected account tokens: we retain tokens and connection metadata while a connection is active. Disconnecting Google Drive or OneDrive deactivates the connection and clears stored tokens. Disconnecting an email inbox stops scanning and deactivates the connection; connection records and tokens may remain stored unless deleted or cleared as part of a product workflow.
  • Logs and security records: retained for a limited period for security, troubleshooting, and audit purposes.

8. Security

We use administrative, technical, and organizational measures designed to protect information, including access controls and encryption in transit. No system is 100% secure; please use strong passwords and keep your account credentials confidential.

9. Your choices and rights

Depending on where you live, you may have rights regarding your personal data, such as access, correction, deletion, objection/restriction, and portability. You can also:

  • Manage documents: upload, export, skip, or delete invoices and bank statements in the App (where the feature is available).
  • Disconnect integrations: disconnect inboxes or cloud storage connections in the App (which stops future access through Clerko for that integration).
  • Control cookies: adjust browser settings and (where available) consent controls.

Legal bases (EEA/UK, where applicable): we process personal data to provide the Services (performance of a contract), to comply with legal obligations, and for our legitimate interests (such as securing and improving the Services). Where required, we rely on consent (for example, for certain cookies and similar technologies).

No sale of personal information: we do not sell personal information. We also do not share personal information for cross-context behavioral advertising in exchange for money.

To exercise rights or ask questions, contact us at [email protected].

10. International data transfers

We and our service providers may process information in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers (for example, contractual protections).

11. Children’s privacy

The Services are not directed to children and are intended for use by adults. If you believe a child has provided us personal data, contact us and we will take appropriate steps.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above. If changes are material, we may provide additional notice through the Services.

13. Contact

If you have any questions about this Privacy Policy, please contact us at [email protected].