Privacy Policy
Last updated: 17 March 2026
1. Who We Are
CLARA (Corporate Litigation & Accountability Research Assistant) is operated by the Climate Litigation Lab at the Oxford Sustainable Law Programme, Smith School of Enterprise and the Environment, University of Oxford ("we", "us", "our"). We are the data controller for personal data processed through the CLARA platform at clara-research.com.
For any privacy-related questions, contact us at admin@clara-research.com.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Information
- Email address — used for authentication and account identification.
- Full name — provided during registration.
- Password — managed and securely hashed by AWS Cognito; we never store or have access to your plaintext password.
2.2 Profile Information (Optional)
- Organisation — your institutional or organisational affiliation.
- Occupation / Role — your professional title.
- Sector — the sector you work in (e.g. Academic, Legal, Journalism, NGO, Government).
2.3 User-Generated Content
- Conversations — questions you ask CLARA and the AI-generated responses, including tool calls, reasoning traces, and AI-generated conversation titles.
- Conversation summaries — when conversations become long, older messages are automatically summarised by the AI model and the summary is stored alongside the conversation to manage context limits.
- Files — documents you create, edit, or upload to your personal workspace (supported formats: PDF, DOCX, DOC, TXT, MD, PNG, JPG, JPEG, TIFF, WEBP; max 50 MB per file, 200 MB total storage).
- Extracted document content — when you upload documents, their text content and structural metadata (headings, page numbers, table of contents) are extracted and stored for search and citation.
- Citations and sources — references linking AI responses to archival source documents.
2.4 Usage and Technical Data
- Credit usage — records of your daily research credit balance and transactions.
- File activity logs — records of file creation, modification, and deletion, including file paths, file names, extensions, and sizes (for audit and analytics purposes).
- Server logs — HTTP request metadata (method, URL path, status code, response time). These logs do not contain message content.
- Last activity timestamp — the date and time of your most recent authenticated request to the platform, used to calculate login and activity statistics.
- Onboarding progress — which product tours you have completed, tracked both in your browser's local storage and on our servers.
- Terms acceptance — whether you have accepted the Terms of Service and Privacy Policy.
2.5 Analytics Data
We use Google Analytics (measurement ID: G-8L38S6KL3T) to understand aggregate usage patterns on our website. Google Analytics collects standard internet log information and visitor behaviour data, including pages visited, time on site, and referral sources. This data is processed in aggregate and is not used to identify individual users. See Section 7 (Cookies and Local Storage) for more details.
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the CLARA research assistant service | Performance of a contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Managing research credit allowances | Performance of a contract (Art. 6(1)(b)) |
| Processing uploaded documents for search and citation | Performance of a contract (Art. 6(1)(b)) |
| Improving and maintaining the platform | Legitimate interest (Art. 6(1)(f)) |
| Aggregate analytics and usage statistics | Legitimate interest (Art. 6(1)(f)) |
| Website analytics via Google Analytics | Consent (Art. 6(1)(a)) |
| Security monitoring and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
4. Third-Party Services and Data Sharing
We share data with the following categories of third-party service providers, solely for the purposes described above:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, authentication (Cognito), file storage (S3), document processing (Step Functions & Lambda), knowledge graph (Neptune) | Account data, uploaded files, authentication tokens, search queries, entity relationships |
| OpenAI | Primary AI language model for research queries, conversation title generation, and document OCR extraction | Full conversation history and context, document search results, tool outputs, document page images (for OCR), partial messages (for title generation) |
| Anthropic | Alternative document OCR extraction (when configured) | Document page images sent for text extraction |
| Google Cloud (Gemini) | Alternative document OCR extraction (when configured) | Document page images sent for text extraction |
| Cohere | Entity search reranking | Search queries and document passages for relevance scoring |
| Pinecone | Vector-based document search | Search query embeddings and document metadata lookups |
| Google (Analytics) | Website usage analytics (only with your consent) | Anonymised browsing data with IP anonymisation enabled; cookies set only with consent |
| Google Fonts (build-time only) | Typography (DM Sans font) | None — fonts are downloaded at build time and self-hosted; no user data is sent to Google at runtime |
Important — AI Processing: Your conversation messages (including full conversation history, search results, and file content when accessed by the AI assistant) are sent to OpenAI for processing. When you upload documents, page images may be sent to OpenAI, Anthropic, or Google Cloud for text extraction depending on the system configuration. These providers' API data usage policies state that data submitted via their APIs is not used to train their models. We encourage you to review their respective privacy policies.
AI Agent File Access: When you use the research assistant, it may read, search, create, and modify files in your personal workspace as part of answering your queries. The AI agent operates solely within your own file space and cannot access other users' data.
We do not sell, rent, or trade your personal data to any third party. We do not share your data with data brokers or advertisers.
5. Data Storage, Security, and International Transfers
5.1 Where We Store Your Data
- Primary infrastructure: AWS EU (London) region (eu-west-2).
- Database: PostgreSQL hosted on AWS.
- File storage: AWS S3 (uploads) and AWS EFS (user workspace files).
- Authentication: AWS Cognito (EU region).
5.2 International Transfers
Some third-party services (OpenAI, Anthropic, Google Cloud, Cohere, Pinecone, Google Analytics) may process data outside the United Kingdom and European Economic Area. Where this occurs, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the providers' adherence to applicable data protection frameworks (e.g. EU-US Data Privacy Framework).
5.3 Security Measures
- Authentication via AWS Cognito with Secure Remote Password (SRP) protocol — passwords are never transmitted to or stored on our servers.
- All API communications use HTTPS/TLS encryption in transit.
- JWT-based authentication with RS256 signature verification and automatic key rotation.
- Per-user data isolation — all database queries are scoped to the authenticated user.
- File system path traversal protection to prevent unauthorised access.
- Server-side route protection — unauthenticated requests to protected pages are blocked at the edge before any page content loads.
- Security response headers, including X-Frame-Options (clickjacking protection), X-Content-Type-Options (MIME-sniffing prevention), a Referrer-Policy header, and XSS filtering.
- Automated bot and crawler detection on protected routes.
- Rate limiting on API endpoints to prevent abuse.
- Pre-signed URLs with time-limited expiry for file uploads (1 hour) and downloads (5 minutes).
6. Internal Access to Your Data
Authorised platform administrators have limited access to user data for operational and support purposes. Specifically, administrators can view:
- Your email address, name, and profile information (organisation, role, sector).
- Aggregate usage statistics: conversation counts, message counts, credit usage, last login timestamp, and account registration date.
- Previews of your most recent messages (truncated to 120 characters) for platform monitoring.
- File activity statistics (counts of files created, updated, or deleted, grouped by file type) — but not file names, paths, or content.
- Your terms acceptance status, including when you accepted and which version of the Terms you agreed to.
Administrators cannot view your full conversation history, read your files, or access your uploaded documents. This access is used solely for platform operation, abuse prevention, and providing support.
7. Cookies and Local Storage
7.1 Cookies
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique visitors | 2 years |
| _ga_8L38S6KL3T | Google Analytics | Maintains session state | 2 years |
| CognitoIdentityServiceProvider.* | AWS Amplify | Authentication session tokens (ID token, access token, refresh token) required for server-side route protection | Up to 30 days (refresh token) |
7.2 Local Storage
- Cookie consent preference (clara_cookie_consent) — stores whether you accepted or declined analytics cookies. Contains no personal data.
- Onboarding tour state (clara_onboarding_done, clara_editor_panel_tour_done, clara_editor_file_tour_done) — tracks which product walkthroughs you have completed. These contain no personal data.
- AWS Amplify session tokens — managed by the AWS Amplify SDK for authentication. These are stored in the Cognito cookies listed in Section 7.1 rather than in local storage, so that server-side route protection can read them, and are cleared on sign-out.
7.3 Managing Cookies
When you first visit our site, a cookie consent banner allows you to accept or decline non-essential (analytics) cookies. You can change your preference at any time by clearing your browser cookies and revisiting the site. The Cognito authentication cookies are essential for the platform to function and are set automatically when you sign in. Blocking these cookies will prevent you from accessing protected areas of the platform.
8. Data Retention
- Account data: Retained for the duration of your account. If you delete your account, your data (including your authentication credentials, files, uploads, and all database records) is permanently removed immediately. Server logs, which contain no message content, are purged on the 90-day schedule described below.
- Conversations and messages: Retained for the lifetime of your account. You may delete individual conversations at any time through the platform interface.
- Files and uploads: Retained until you delete them or request account deletion. You may delete individual files and uploads at any time.
- Credit transaction logs: Retained for the lifetime of your account for audit purposes.
- File activity logs: Retained for the lifetime of your account for audit and analytics purposes.
- Server logs: Retained for up to 90 days for debugging and security monitoring, then automatically purged.
- Analytics data: Google Analytics data is retained according to Google's standard retention settings (14 months).
9. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate data (you can also update your profile directly in the platform).
- Right to erasure — request deletion of your account and all associated data.
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where we process data based on consent (e.g. analytics cookies), you may withdraw consent at any time.
To exercise any of these rights, please email us at admin@clara-research.com. You can also delete your account and all associated data immediately using the Request Data Deletion option in your profile menu. For other rights requests, we will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
10. Children's Privacy
CLARA is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a notice on the platform or by email. We encourage you to review this page periodically.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
CLARA — Climate Litigation Lab
Oxford Sustainable Law Programme
Smith School of Enterprise and the Environment
University of Oxford
Email: admin@clara-research.com