Is Clario a lawyer or tax advisor?

No. Clario is an AI assistant that helps you understand documents instantly. For complex legal matters, we connect you to verified professionals through our Expert Marketplace.

Is my data safe and protected?

Clario uses encryption in transit and at rest, access controls, and account-level export/delete workflows. Anonymous try uploads are cleaned up automatically, and signed-in users can manage their data from settings.

Which languages do you support?

100+ languages with instant translation. Upload a German tax letter, get a simple summary in your language. Legal jargon transforms into plain language you actually understand.

Can I cancel anytime?

Yes. No long-term contracts, no hidden fees, no dark patterns. Cancel in one click. If you delete your account, access is revoked immediately and permanent deletion is scheduled after a 30-day recovery window.

Do you integrate with cloud storage?

Yes! Google Drive, Dropbox, OneDrive, Gmail — we instantly detect and import relevant documents.

What if I need a real lawyer?

Our Expert Marketplace connects you with vetted lawyers and tax advisors. Fixed fees, language filters, one-click handoff with full document context.

Sub-Processors — Clario.ai

1. About This Document

TL;DRThe live, authoritative list of every third party that touches your data. Updated whenever a processor is added, removed, or changed. 30-day advance notice for any material change.

In accordance with Article 28 of the EU General Data Protection Regulation (GDPR), this page lists every third-party sub-processor that Clario.ai engages to process personal data on behalf of our users. Each sub-processor is bound by a Data Processing Agreement (DPA) that imposes GDPR-compliant data-handling obligations.

This is the single source of truth: our Privacy Policy §4 and §12 both link here rather than duplicating the list, so it never drifts.

2. Current Sub-Processors

TL;DR10 processors across AI, Infrastructure, Analytics, Communications, and Payments. 6 in the EU; 4 in the US with SCCs.

Sub-Processor	Category	Purpose	Data Processed	Location	DPA
OpenAI	AI	AI analysis, summarisation, classification, embeddings	Document text, user queries	US (SCCs)	DPA + SCCs
DeepL	AI	Document translation across 100+ languages	Document text	EU (Germany)	DPA
Cohere	AI	Search-result re-ranking	Document snippets only (never full docs)	US (SCCs)	DPA + SCCs
Qdrant Cloud	AI	Vector embeddings for document search	Document embeddings + tenant metadata	EU	DPA
Supabase	Infrastructure	Authentication, session management, file storage	Credentials, uploaded files	EU (Frankfurt)	DPA
Railway	Infrastructure	Application + worker hosting, Postgres + Redis	All application data	EU (europe-west4)	DPA + SCCs
Redis / Upstash	Infrastructure	BullMQ job queue + short-lived processing cache	Session data, job metadata	EU	DPA
Stripe	Payments	Subscription billing + payment-method handling	Billing info, subscription status	US (PCI-DSS Level 1, SCCs)	DPA + SCCs
PostHog	Analytics	Product analytics, opt-in only	Anonymised usage events (PII stripped)	EU	DPA
Postmark	Comms	Transactional email (auth, receipts, notifications)	Recipient email + message body	US (SCCs)	DPA + SCCs
Sentry	Monitoring	Crash and exception monitoring + performance traces	Stack traces, request metadata (PII stripped via beforeSend hooks)	US (SCCs)	DPA + SCCs
Google (Sign-in with Google)	Auth	OAuth identity provider — sign-in only, no profile data stored beyond email + name	Email, name, OAuth profile ID	US (SCCs via Google DPA)	Google Cloud DPA + SCCs
Microsoft (Sign-in with Microsoft)	Auth	OAuth identity provider — sign-in only, no profile data stored beyond email + name	Email, name, OAuth profile ID	EU + US (SCCs via Microsoft DPA)	Microsoft DPA + SCCs
Apple (Sign in with Apple)	Auth	OAuth identity provider — sign-in only, no profile data stored beyond email + (optional) name	Email (real or relay), OAuth user ID	US (SCCs via Apple DPA)	Apple DPA + SCCs

3. International Data Transfers

TL;DRThe 4 US processors (OpenAI, Cohere, Stripe, Postmark) run under European Commission Standard Contractual Clauses + a Transfer Impact Assessment.

Where sub-processors are located outside the European Economic Area (EEA), data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with Chapter V of the GDPR. A Transfer Impact Assessment (TIA) summary is available on request from privacy@myclario.app.

4. Data Minimisation

TL;DREvery processor sees only the minimum it needs. Cohere gets snippets, not full documents. PostHog gets anonymised events. Stripe sees no card data on our servers.

We apply the principle of data minimisation under Art. 5(1)(c) GDPR. Each sub-processor receives only the minimum data necessary to perform its specific function:

Cohere receives only short text snippets for re-ranking, never full documents.
PostHog receives only anonymised usage events with personally identifiable fields stripped before transmission.
Stripe handles payment instruments directly; we never store card numbers, CVV, or full bank credentials on our servers.
Postmark receives only the recipient address + message body needed to deliver a specific transactional email; no bulk lists.
Qdrant stores vector embeddings + a tenant identifier — not the original document text.

5. Your Right to Object

TL;DRDon't like a new processor? 30-day window to object. If we can't resolve, you can terminate + take a full export with you.

Material changes (new sub-processor, change of location, change of purpose) are announced to registered users by email at least 30 days before they take effect. If you object to a change, write to privacy@myclario.app within that 30-day window and we will work with you to find a resolution. If no resolution is possible, you may terminate your account and request deletion of all your data + a full export in accordance with our Privacy Policy §8 (GDPR rights).

6. Contact

TL;DRQuestions go to privacy@myclario.app. Postal address on the Imprint.

Data Protection Officer — Clario.ai
Email: privacy@myclario.app
Registered office: see Imprint

7. Change Log

TL;DREvery addition, removal, or change is recorded here. Material changes get 30-day email notice before taking effect.

May 17, 2026 — v2.0. Added Postmark as a transactional-email sub-processor (closes the drift gap with Privacy §4.2). Added a Category column (AI / Infrastructure / Analytics / Communications / Payments). Effective + last-updated dates refreshed. Anchor-linked table of contents, TL;DR cards, reading-time estimate added — visual parity with Privacy v2.0 + Terms v2.0. Replaced placeholder postal address with link to /imprint as single source of truth. §7 Change Log section added.
April 6, 2026 — v1.0. Initial GDPR Art. 28 sub-processor list.

Sub-Processor List

1. About This Document

2. Current Sub-Processors

3. International Data Transfers

4. Data Minimisation

5. Your Right to Object

6. Contact

7. Change Log

Contact us

Transparency is our default.

Sub-Processor List

1. About This Document

2. Current Sub-Processors

3. International Data Transfers

4. Data Minimisation

5. Your Right to Object

6. Contact

7. Change Log

Contact us

Transparency is our default.