Privacy Policy

Last updated: May 2025

Introduction

CampPear Labs LLC ("Company," "we," "us," or "our") operates DocLearly (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding that information.

By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

1. Information We Collect

We collect the following categories of personal information:

1.1 Account and Identity Information

• Email address — collected via Clerk (our authentication provider) when you create an account.
• Name — collected only if you sign in using Google OAuth, where your name is provided by Google.
• Authentication credentials — passwords are hashed by Clerk and never accessible to us in plaintext.
• Account metadata — your subscription tier (free, solo, pro, or team), the number of analyses you have run this month, and timestamps for account creation and monthly quota resets.

1.2 Document Content

• Document text — when you submit a document for analysis, we store the full input text (up to 20,000 characters) in our database.
• AI-generated analysis — we store the summary, risk flags (with verbatim quote excerpts from your document), key obligations, risk score, and document type classification produced by the AI for each analysis.
• Risk flag excerpts — risk analysis flags may include verbatim excerpts of text from submitted documents, stored as part of the analysis result in our database.
• Analysis name — the first 40 characters of your submitted document text, used as a label in your dashboard.
• Share token — a unique 10-character token generated for each analysis that enables public sharing via a link.

For document comparisons (Pro and Team plans only), we additionally store:

• Comparison document text — the first 8,000 characters of each of the two documents submitted for comparison.
• Comparison metadata — labels you assign to each document, the comparison summary, risk change assessment, and categorized risk differences.

1.3 Chat Messages

When you use the document Q&A chat feature, we store:

• Your messages — every question you send about a specific analyzed document.
• AI assistant replies — every response generated by the AI in reply to your messages.
• Chat messages are linked to the specific analysis they relate to and are stored in our database indefinitely while your account is active.

1.4 Usage and Billing Data

• Usage data — number of analyses run, chat messages sent, and monthly usage counts.
• Stripe customer ID — after a successful payment, Stripe provides us with a customer identifier that we store and use to manage your subscription and access to the billing portal.

1.5 Technical Data

• IP address and request logs — collected by Vercel (our hosting provider) and Clerk as part of normal server operation.
• Browser and device data — user agent strings and session data collected by Clerk for authentication and fraud prevention.
• Session cookies — set by Clerk to maintain your authenticated session.

2. How We Collect Information

We collect information you provide directly (during sign-up and document submission), automatically through your use of the Service (session cookies, server logs), and from third-party services when you authenticate via Google OAuth.

3. CRITICAL DISCLOSURE: Document Text is Transmitted to Anthropic's API

When you submit a document for analysis, the text of that document (up to 8,000 characters) is transmitted to Anthropic's Claude API for processing. This is how the AI analysis, summaries, risk flags, and chat responses are generated.

Similarly, when you use the chat feature, your document text (up to 8,000 characters) and your chat message history are transmitted to the Anthropic API on each request so the AI can answer your questions.

For document comparisons, both documents (up to 8,000 characters each) are transmitted to the Anthropic API.

Anthropic does not use API inputs to train its models. Inputs and outputs via Anthropic's API are subject to Anthropic's data usage policies, not their consumer product policies. You can review Anthropic's privacy policy and API usage policies at anthropic.com/privacy.

Implication: Your document text leaves our servers and is processed by Anthropic's infrastructure, which is located in the United States. Do not submit documents containing highly sensitive personal information (such as social security numbers, medical records, or financial account numbers) unless you are comfortable with that information being transmitted to Anthropic's API.

4. Third-Party Data Processors

We share your data with the following third-party service providers, each of which processes your data on our behalf:

| Provider | Data Received | Purpose | Privacy Policy | |---|---|---|---| | Anthropic | Document text (up to 8,000 chars), chat messages and document context | AI analysis, comparison, and chat generation | anthropic.com/privacy | | Supabase | All application data: user records, document analyses, comparisons, chat messages | Database storage and hosting | supabase.com/privacy | | Clerk | Email address, authentication credentials, IP address, user agent, session data | Authentication, session management, identity verification | clerk.com/privacy | | Stripe | Email address, payment card details, billing address | Payment processing and subscription management | stripe.com/privacy | | Vercel | IP addresses, HTTP request logs, headers | Application hosting and edge network delivery | vercel.com/legal/privacy-policy |

We do not sell your personal information to third parties. We do not share your data with advertisers or use it for targeted advertising.

5. How We Use Your Information

We use the information we collect to:

• Provide the Service — process your document analyses, generate AI outputs, maintain your analysis history, and enable document sharing.
• Authenticate you — verify your identity and maintain your session.
• Manage your subscription — process payments, enforce usage limits, and handle plan upgrades and cancellations.
• Improve the Service — understand aggregate usage patterns and product performance. We do not use your individual document text for this purpose.
• Communicate with you — send transactional communications such as payment receipts and account notifications.
• Enforce our Terms — detect and prevent abuse, fraud, or violations of our Terms of Service.
• Comply with legal obligations — respond to lawful requests from courts or government authorities.

6. Data Retention

| Data Type | Retention Period | |---|---| | Account information (email, tier, usage counters) | Active account lifetime; deleted within 30 days of account closure | | Document analyses (input text, summaries, flags) | Active account lifetime; deleted within 30 days of account closure | | Document comparisons | Active account lifetime; deleted within 30 days of account closure | | Chat messages | Active account lifetime; deleted within 30 days of account closure | | Stripe customer ID and billing records | Retained by Stripe per their data retention policies and applicable financial regulations | | Vercel server logs | Retained per Vercel's default log retention policy | | Clerk authentication records | Retained per Clerk's data retention policy |

We do not have automated expiry for individual analyses or chat messages while an account is active. You can manually delete individual analyses from your dashboard, which removes the associated data from our database.

7. Share Links

Each analysis generates a unique 10-character share token. Anyone who possesses the share link can view the summary and risk flags for that analysis without signing in. Share links do not expire automatically. If you delete the underlying analysis from your dashboard, the share link becomes inactive.

Do not share links to analyses of documents containing sensitive personal information, as anyone with the link can view the analysis output.

8. Cookies and Session Data

We use cookies set by Clerk for authentication session management. These cookies are necessary for the Service to function and cannot be disabled if you wish to use authenticated features.

We do not use advertising cookies, cross-site tracking cookies, or cookies for behavioral profiling. We may use privacy-preserving, aggregate analytics to understand how the product is used; this does not involve tracking individual users across sites.

9. Data Security

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• All data transmitted between your browser and our servers uses TLS encryption.
• Database access is restricted to server-side code using role-based access controls.
• Sensitive credentials (API keys, service role keys) are stored as environment variables and are never committed to source code.

No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a security breach involving your personal information, we will notify affected users in the most expedient time possible and without unreasonable delay, as required by the South Carolina Identity Protection Act (S.C. Code Ann. § 39-1-90). We aim to notify affected users within 72 hours of confirming that a breach has occurred. If a breach affects more than 1,000 South Carolina residents, we will also notify the South Carolina Attorney General and major consumer reporting agencies as required by law. For users located in the European Union or United Kingdom, we will notify applicable supervisory authorities within 72 hours of becoming aware of a qualifying breach under the GDPR or UK GDPR.

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will delete that information promptly. If you believe we may have collected such information, contact us at legal@camppearlabs.com.

12. Your Rights (General)

Depending on your location, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request correction of inaccurate personal information.
• Deletion — request deletion of your personal information (see Section 16).
• Portability — request a machine-readable copy of your personal information.
• Objection — object to certain processing of your personal information.

To exercise any of these rights, contact us at legal@camppearlabs.com. We will respond within 30 days.

13. California Residents — CCPA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the purposes for collection, and the categories of third parties with whom it has been shared.

Right to Delete. You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Correct. You have the right to request correction of inaccurate personal information.

Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.

Do Not Sell or Share My Personal Information. We do not sell or share your personal information with third parties for cross-context behavioral advertising. No opt-out is required because we do not engage in such activities.

To submit a CCPA request, email legal@camppearlabs.com with the subject line "CCPA Request."

14. European Union and United Kingdom Residents — GDPR Rights

If you are located in the European Union or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR:

Legal Basis for Processing. We process your personal information on the following legal bases:

• Contract performance — to provide the Service you have contracted for (account information, document storage, billing).
• Legitimate interests — for fraud prevention, security, and aggregate analytics, where our interests are not overridden by your rights.
• Legal obligation — to comply with applicable law.

Your Rights. You have the right to: access your personal data; rectify inaccurate data; erase your personal data ("right to be forgotten"); restrict processing; data portability; and object to processing based on legitimate interests.

International Transfers. Your personal data is transferred to and processed in the United States, which does not have a finding of adequacy from the European Commission. Anthropic, Supabase, Clerk, Stripe, and Vercel are all US-based services. By using the Service, you consent to this transfer.

Data Protection Contact. To exercise your GDPR rights or raise a data protection concern, email legal@camppearlabs.com. You also have the right to lodge a complaint with your local supervisory authority.

15. Data Deletion Requests

You may request complete deletion of your account and all associated personal data at any time by emailing legal@camppearlabs.com with the subject line "Data Deletion Request." We will process your request and confirm deletion within 30 days. Note that:

• Stripe retains records of transactions as required by financial regulations, independent of our deletion.
• Clerk may retain certain identity verification logs per their own policies.
• Vercel server logs may persist per Vercel's log retention policy.
• Anonymized or aggregated data that cannot be linked to you is not subject to deletion.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy with an updated effective date. For significant changes affecting how we use your data, we will provide additional notice by email. Your continued use of the Service after changes become effective constitutes your acceptance.

17. Contact

For privacy questions, data access requests, or deletion requests:

CampPear Labs LLC
Email: legal@camppearlabs.com

DocLearly is not a law firm. This Privacy Policy does not constitute legal advice.