ClearOrigin
Last updated: 2026-04-19 · Version: 1.0.0

Privacy Policy

Effective date: 2026-04-19

1. Our privacy posture

ClearOrigin is operated by Aerial Capital Inc., a Canadian corporation. Our service is designed with three data-residency zones:

  • Canadian product data. Your account records, HS code lookups, landed-cost inputs, rules-of-origin assessments, and ruling searches are stored in Supabase’s Montreal region.
  • EU telemetry. Operational telemetry — error events, masked session replay, uptime probes, support-inbox conversations — is hosted in the European Union to stay closest to a PIPEDA-equivalent regulatory posture. We did not pick the United States for these signals.
  • US commerce. Payment processing (Stripe), transactional email (Resend), certain LLM calls (Anthropic), and our web host (Vercel) operate from U.S. regions by the vendor’s default architecture.

For a deeper explanation of each zone and the reasoning behind it, see our Data Residency page.

2. What we collect

Account information

Email address, hashed password (hashed by Supabase Auth — we never see your plaintext password), company name, and selected subscription tier. For multi-tenant customers we also store the tenant slug and your role within that tenant.

Product usage

HS codes you query, landed-cost inputs and results, rules-of-origin assessments and the materials you submit to them, ruling searches, saved comparisons, and chat messages you send to our Claude-powered assistant.

Telemetry

Error events (via Sentry, configured with sendDefaultPii: false; only user_id and subscription tier are attached to each event). Masked session replay (via PostHog EU Cloud at eu.i.posthog.com; email fields, company names, passwords, chat content, and HS code inputs are redacted via PostHog’s mask list before the replay leaves your browser). Uptime probes and availability metrics.

Support

When you contact us through our in-product support widget or reply to our support email, the conversation is stored in Plain, our support inbox vendor (EU Frankfurt).

Billing

Stripe processes and stores your card details on our behalf. We never receive your card number or CVV. On our side we store only your Stripe customer ID, subscription state, invoice history, and dunning status.

3. How we use it

  • To provide and operate the service you signed up for;
  • To operate our infrastructure (databases, queues, CDN, logging, observability);
  • To detect and prevent fraud, abuse, sanctions-list violations, and attacks against the platform;
  • To improve the product in aggregate — for example, ranking HS code suggestions by which ones our engine returns most often or identifying the most common landed-cost error shapes. We do not build individual user profiles for targeted advertising.
  • To meet our regulatory obligations under Canadian tax, corporate, customs, and privacy law;
  • To communicate with you about your account, security notices, billing, service changes, and (with your permission) product updates.

4. Vendors and sub-processors

We rely on the following sub-processors. Each is listed with the purpose, jurisdiction, and type of data involved.

Vendor | Purpose | Jurisdiction | Data involved
Supabase | Product database and authentication | Montreal, Canada | Email, hashed passwords, user profiles, assessments, multi-tenant rows
Cohere | Embeddings for semantic search (1024-dimensional vectors over rulings and HS code descriptions) | Canada | Query text and ruling/HS descriptions at embedding time
Anthropic | Claude AI for chat, HS classification reranking, and landed-cost summaries | United States | Chat prompts and product descriptions. Requests are structurally sanitized against prompt injection, but we do not automatically redact personal information you type into the chat — do not paste personal data into chat messages you don't want Anthropic to receive.
Stripe | Payment processing and subscription billing | United States (EU VAT handling via Ireland) | Card data (stored by Stripe, not by us), customer ID, subscription state, invoices
Sentry | Error tracking | EU region (configurable) | Error events with user_id and tier only
PostHog | Product analytics and masked session replay | EU Cloud, Frankfurt | Event stream and session recordings with PII mask list applied
Better Stack | Uptime monitoring and public status page | EU region | Uptime probe results, incident history
Plain | Customer support inbox | EU Frankfurt | Support conversations and attachments you send to us
Resend | Transactional email (billing, dunning, alerts) | United States | Recipient email, subject, body of transactional messages
Vercel | Web hosting and global edge | United States (global edge) | HTTP access logs at the edge; no application data at rest
Cloudflare | Edge network, DNS, WAF | Global | Request metadata, WAF events
OVH | VPS for data pipeline crons (rulings ingest, HS sync) | Beauharnois, Quebec, Canada | Pipeline logs; no customer account data
Backblaze B2 | Encrypted backups | Canadian region | Encrypted database and file-system backups

We update this list when sub-processors change. Material changes trigger a thirty (30) day notice per section 13.

5. Data residency

Regulated product data stays in Canada. Operational telemetry (masked session replay of admin click paths, error events, uptime probes, support conversations) is in the European Union, a jurisdiction Canadian privacy regulators have historically considered equivalent to PIPEDA for trans-border transfer analysis. Commerce and LLM services run in the United States where that is the vendor’s default architecture; prompt content is sanitized of PII before it leaves our engine and hits the LLM.

The full table, with each asymmetry called out, lives on the Data Residency page.

6. Retention

  • Account data: kept until you delete your account, plus up to thirty (30) days of residence in rolling backups.
  • Product usage records (assessments, HS queries, landed-cost runs, chat messages): retained for your account’s active lifetime; deleted with your account except where we are required to retain by law.
  • Telemetry (Sentry, PostHog, Better Stack): thirty (30) days.
  • Audit logs (security-relevant events — authentication, tenant changes, admin actions): one (1) year.
  • Backups: thirty (30) daily, twelve (12) weekly, twelve (12) monthly, rotated per our backup schedule.
  • Support conversations (Plain): until you close your account plus thirty (30) days.

7. Your rights (PIPEDA and Québec Law 25)

Canadian privacy law grants you the following rights. We support each of them with a concrete mechanism:

  • Access. Request a copy of the personal information we hold about you. Email privacy@clearorigin.ai.
  • Correction. Ask us to correct inaccurate or incomplete information. Email the same address.
  • Deletion. Delete your account and associated product data by calling DELETE /api/account/delete from an authenticated session, or by emailing privacy@clearorigin.ai.
  • Portability / export. Request an export of your data in a structured, machine-readable format by emailing privacy@clearorigin.ai. We fulfill portability requests manually within thirty (30) days. A self-serve export endpoint is on the post-launch roadmap.
  • Object to processing / withdraw consent. Under PIPEDA Principle 4.3.8 and Québec Law 25 §§27–30, you may object to, or withdraw consent for, processing of your personal information at any time by emailing privacy@clearorigin.ai. We will stop the specified processing as soon as operationally possible. Note that some processing is necessary to provide the service — withdrawing consent for essential processing may mean we can no longer deliver ClearOrigin to you, in which case we will help you export your data and close your account.
  • Opt out of optional telemetry. You can opt out of PostHog capture by calling posthog.opt_out_capturing() from the browser console, toggling the preference in your account settings, or emailing us.
  • Complain. Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), or for Québec residents, the Commission d’accès à l’information du Québec (cai.gouv.qc.ca).

7a. Automated and AI-assisted processing

In compliance with Québec Law 25 §8.1, we disclose the AI-assisted surfaces of the Service:

  • Chat (“Ask ClearOrigin”). Powered by Anthropic Claude. Outputs are generated by a large language model and may be incorrect or incomplete.
  • HS classification reranking. Vector search results are reranked by a Claude Haiku model to surface the most relevant candidates. The final classification decision is yours to make.
  • Landed-cost summaries. Natural-language summaries of deterministic cost calculations are generated by Claude. The underlying math is rule-based; the narrative is LLM-authored.

These surfaces produce informational outputs — they are not determinative decisions. Every answer is accompanied by a disclaimer directing you to verify with a licensed customs broker before shipping. You have the right to request human review of, and an explanation for, any AI-assisted output that materially affects you by emailing privacy@clearorigin.ai.

8. Cookies

At launch we use essential cookies only: the Supabase session cookie (required to keep you signed in) and a CSRF token. PostHog sets cookies for session-replay continuity; we treat these as essential for the analytics service itself and they are subject to the masking and opt-out described in sections 2 and 7. We do not use third-party advertising cookies.

If we add non-essential cookies in the future, we will add a consent banner before they are set.

9. Cross-border transfers

PIPEDA permits transfers of personal information to third parties in other jurisdictions provided comparable protections are in place. We select EU-region hosting for telemetry vendors precisely to stay close to a PIPEDA-equivalent posture. For U.S. vendors (Stripe, Anthropic, Resend, Vercel), we rely on contractual data-processing terms and, where applicable, Standard Contractual Clauses and vendor-side Data Processing Addenda.

10. Children

ClearOrigin is a B2B service intended for users aged 18 and older. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, contact privacy@clearorigin.ai and we will delete it.

11. Breach notification

Consistent with PIPEDA section 10.1 and Québec Law 25 section 3.5, we will notify you without undue delay of any breach of security safeguards affecting your personal information where the breach creates a real risk of significant harm. We will also notify the Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec where required, and maintain an internal breach record for the period required by law.

12. Privacy contact

Privacy questions, access or deletion requests, and regulator correspondence should go to privacy@clearorigin.ai.

13. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes (new sub-processors, new data categories, changes to retention), we will provide at least thirty (30) days’ advance notice by email or in-product notification. Continued use of the service after the effective date constitutes acceptance.

This summary is provided for transparency and does not constitute legal advice. For questions contact legal@clearorigin.ai.