
Privacy Policy

Last updated 15 June 2026

Contents
  1. Interpretation and Definitions
  2. Self-Hosted Deployments
  3. Collecting and Using Your Personal Data
  4. AI Assistant Connections
  5. Detailed Information on the Processing of Your Personal Data
  6. GDPR Privacy Policy
  7. CCPA Privacy Policy
  8. "Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)
  9. Children's Privacy
  10. Links to Other Websites
  11. Changes to This Privacy Policy
  12. Contact Us

Privacy Policy

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service and tells you about your privacy rights and how the law protects you.

We use your Personal Data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Self-hosted deployments. Clerq is open-source software that you can run on your own infrastructure ("Self-Hosting"). This Privacy Policy governs only the Service we operate, namely the Website and Clerq Cloud. When you Self-Host Clerq, we do not receive or have access to your data, and you (or whoever operates that instance) are the Data Controller. See the Self-Hosted Deployments section below.

Interpretation and Definitions

Interpretation

The terms defined below have the meanings given to them here. These definitions have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for you to access our Service or parts of our Service.
  • Business, for the purpose of the CCPA (California Consumer Privacy Act), refers to the Company as the legal entity that collects Consumers' personal information and determines the purposes and means of the processing of Consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California.
  • Clerq Cloud means the hosted version of the Clerq software that we operate and make available at app.useclerq.net.
  • Company (referred to as either "the Company", "we", "us" or "our" in this Agreement) refers to Shay Stephan Lee Punter, Korunni 2569/108, Vinohrady, 101 00 Praha, Czech Republic (Business No / IČO: 23507101, VAT: CZ0003091869). For the purpose of the GDPR, the Company is the Data Controller.
  • Country refers to: Czech Republic.
  • Consumer, for the purpose of the CCPA (California Consumer Privacy Act), means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
  • Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
  • Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
  • Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.
  • Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
  • Personal Data is any information that relates to an identified or identifiable individual. For the purposes of GDPR, Personal Data means any information relating to you such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. For the purposes of the CCPA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with you.
  • Sale, for the purpose of the CCPA (California Consumer Privacy Act), means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's personal information to another business or a third party for monetary or other valuable consideration.
  • Self-Hosting (or a Self-Hosted Instance) means running the open-source Clerq software on infrastructure that you or a third party control, rather than using Clerq Cloud.
  • Service refers to the Website and Clerq Cloud.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • Website refers to Clerq, accessible from https://useclerq.com.
  • You (or you) means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under GDPR, you can be referred to as the Data Subject or as the User, as you are the individual using the Service.

Self-Hosted Deployments

The Clerq software is released as open source under the GNU AGPL-3.0-only licence and can be Self-Hosted. This is fundamental to how Clerq handles data:

  • When you Self-Host Clerq, all data you enter stays on the infrastructure you control. We do not receive it, store it, or have any access to it. You (or the organisation operating the instance) are the Data Controller and are responsible for security, backups, and meeting privacy obligations to your own users and clients.
  • When you use Clerq Cloud, we operate the infrastructure and this Privacy Policy applies in full.

Except where stated otherwise, the rest of this Privacy Policy describes the Service we operate (the Website and Clerq Cloud). The only outbound request a Self-Hosted Instance makes to a third party is an optional currency-rate lookup (see Detailed Information on the Processing of Your Personal Data), which contains no Personal Data.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Address, State, Province, ZIP/Postal code, City (the postal address of your business, used on the invoices you generate)
  • Usage Data

In the ordinary course of using Clerq Cloud, you also enter business content that may contain Personal Data about third parties, in particular your clients and their contacts (names, email addresses, VAT numbers, notes), together with related projects, time entries, invoices, expenses and uploaded receipts. You decide what to enter. As between you and your clients, you are the Data Controller of that content and we act as your Service Provider (Data Processor), processing it on your behalf and on your instructions.

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, and other diagnostic data. When you sign in to Clerq Cloud, we record the IP address and browser type (user agent) associated with each session in order to keep you signed in and to detect suspicious activity.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, the IP address of your mobile device, your mobile operating system, and the type of mobile Internet browser you use.

Information from Third-Party Social Media Services

The Company allows you to create an account and sign in to use the Service through the following Third-Party Social Media Service:

  • Google

If you decide to register through or otherwise grant us access to a Third-Party Social Media Service, we may collect Personal Data that is already associated with your account, such as your name, your email address and your profile picture. This option is entirely optional; you can always create an account with an email address and password instead.

Tracking Technologies and Cookies

We use a strictly limited set of Cookies to operate the Service. We do not use advertising, analytics, tracking or performance cookies, and the Website (useclerq.com) sets no cookies at all. The technologies we use are:

  • Cookies or Browser Cookies. A cookie is a small file placed on your Device. You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of our Service.

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser.

We use only the following Cookies:

  • Necessary / Essential Cookies. Type: Session Cookies. Administered by: us. Purpose: These Cookies are essential to provide you with services available through Clerq Cloud and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that you have asked for cannot be provided, and we only use these Cookies to provide you with those services.

We do not use Notice Acceptance Cookies, Functionality Cookies operated by third parties, or Tracking and Performance Cookies. Because we do not track you across the Service or other websites, no separate cookie-consent banner is required.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service and to keep it secure.
  • To manage your Account: to manage your registration as a user of the Service. The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of providing the Service, and of any other contract with us through the Service.
  • To contact you: to contact you by email or other equivalent forms of electronic communication regarding updates or informative communications related to the functionalities or contracted services, including security updates, when necessary or reasonable for their implementation. (We do not currently operate an email-sending service; Clerq Cloud does not send marketing emails, and team invitations are shared by you as a link rather than emailed by us.)
  • To manage your requests: to attend and manage your requests to us, including support requests.
  • For business transfers: we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our Service users is among the assets transferred.
  • To comply with legal obligations: for example, retaining records relating to invoices and the operation of the Service where the law requires it.

We may share your personal information in the following situations:

  • With Service Providers: we may share your personal information with Service Providers to operate, host and support the Service, and to perform currency conversions. The Service Providers we use are listed in Detailed Information on the Processing of Your Personal Data.
  • With other users: when you add other members to a business in Clerq Cloud, those members can see the business content shared within that business (clients, projects, invoices, expenses and related data). You control who you invite.
  • With an AI assistant you connect: if you choose to connect an AI assistant to your account (see AI Assistant Connections), that assistant, and its provider, can access the business data in your account on your behalf, under their own terms.
  • For business transfers: we may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With your consent: we may disclose your personal information for any other purpose with your consent.

We do not sell your Personal Data, share it with advertising networks, or use it for advertising.

Retention of Your Personal Data

The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable accounting and tax laws), resolve disputes, and enforce our legal agreements and policies.

In practice, we retain your account and business content for as long as your Account is open. Invoices and related financial records may be retained where the law requires it, even after other data is deleted. Sign-in sessions and their associated IP and browser details are removed when you sign out or when the session expires. Team invitations expire automatically after 7 days.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. We are based in the European Union and host Clerq Cloud data within the EU/EEA.

This means that your information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. This may happen, for example, where you use an optional integration provided by a party outside the EEA (such as Google sign-in or an AI assistant you connect). Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Delete Your Personal Data

You have the right to delete or request that we assist in deleting the Personal Data that we have collected about you.

Within Clerq Cloud you can directly amend or delete much of the content you create (for example clients, expenses, tasks and invoice lines). You may also contact us to request access to, correction of, or deletion of any Personal Data you have provided to us.

Please note that we may need to retain certain information when we have a legal obligation or lawful basis to do so (for example, invoice and accounting records).

Using a Self-Hosted Instance? Direct deletion requests to whoever operates that instance, as they hold your data, not us.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law Enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other Legal Requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

Security of Your Personal Data

The security of your Personal Data is important to us. Passwords are stored only as secure hashes and never in plain text, and all traffic to Clerq Cloud is encrypted in transit (HTTPS). However, remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

AI Assistant Connections

Clerq Cloud offers an optional, secured connection (an MCP server) that lets you link an AI assistant, such as Claude, to your account. This is entirely opt-in.

To connect an assistant, you sign in and authorise it through a consent screen. Once authorised, the assistant connects using a token tied to your account and can read and act on the business data in that account on your behalf, for example listing clients, creating invoices or recording expenses, just as you can in the app. It cannot access other users' data.

You can revoke an assistant's access at any time. While connected, the assistant's provider processes whatever you ask it to work with under their own terms and privacy policy, which are outside our control. You are responsible for what you connect and for the actions you instruct it to take.

Detailed Information on the Processing of Your Personal Data

The Service Providers we use may have access to your Personal Data. These third-party vendors collect, store, use, process and transfer information about your activity on our Service in accordance with their Privacy Policies. We keep this list deliberately short:

  • Our hosting provider: operates the EU/EEA servers on which Clerq Cloud and your data are hosted.
  • Frankfurter (frankfurter.dev): when you generate an invoice in another currency, we request the relevant European Central Bank reference rate. We send only a currency pair and a date, so no information about you or your clients is transmitted. This is the only outbound request that also applies to Self-Hosted Instances.
  • Google: only if you choose "Sign in with Google".
  • An AI assistant provider: only if you choose to connect one (see AI Assistant Connections).

Analytics

We do not use any third-party analytics services (such as Google Analytics) to monitor or analyze the use of our Service. The Website sets no analytics cookies and runs no tracking scripts.

Email Marketing

We do not send newsletters, marketing or promotional emails, and we do not use an email-marketing Service Provider. Should this change in future, we will update this Privacy Policy and provide an unsubscribe mechanism in any such communication.

Payments

Clerq Cloud is currently provided free of charge during an open beta. We do not currently process payments and we do not store or collect your payment card details.

If we introduce paid plans in future, we may use third-party payment processors. In that case, we will not store or collect your payment card details. That information would be provided directly to our third-party payment processors, whose use of your personal information is governed by their own Privacy Policy. Such payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which help ensure the secure handling of payment information.

GDPR Privacy Policy

Legal Basis for Processing Personal Data under GDPR

We may process Personal Data under the following conditions:

  • Consent: you have given your consent for processing Personal Data for one or more specific purposes (for example, signing in with Google or connecting an AI assistant).
  • Performance of a contract: provision of Personal Data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof (for example, creating and running your Account).
  • Legal obligations: processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject (for example, retention of financial records).
  • Vital interests: processing Personal Data is necessary in order to protect your vital interests or those of another natural person.
  • Public interests: processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
  • Legitimate interests: processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company (for example, keeping the Service secure and preventing abuse), balanced against your interests and rights.

In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Your Rights under the GDPR

The Company undertakes to respect the confidentiality of your Personal Data and to guarantee you can exercise your rights. You have the right under this Privacy Policy, and by law if you are within the EU, to:

  • Request access to your Personal Data.
  • Request correction of the Personal Data that we hold about you.
  • Object to processing of your Personal Data.
  • Request erasure of your Personal Data.
  • Request the transfer of your Personal Data (data portability).
  • Withdraw your consent at any time where we relied on your consent to process your Personal Data.

Exercising of Your GDPR Data Protection Rights

You may exercise your rights of access, rectification, cancellation and opposition by contacting us at [email protected]. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. In the Czech Republic, this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.gov.cz). For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.

CCPA Privacy Policy

This section for CCPA privacy applies to California residents only.

Categories of Personal Information Collected

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or Device. Depending on how you use the Service, we may collect the following categories of personal information:

  • Identifiers, such as your name, email address, IP address and account identifiers.
  • Personal information categories listed in the California Customer Records statute, such as your name and the postal address of your business.
  • Commercial information, such as the invoices, expenses and records of services you create within the Service.
  • Internet or other similar network activity, such as Usage Data and session information.

We do not collect categories such as biometric information, precise geolocation of your device, or sensitive personal information beyond what is described in this Privacy Policy.

Your Rights under the CCPA

If you are a California resident, you have the following rights:

  • The right to notice. You have the right to be notified which categories of Personal Data are being collected and the purposes for which it is being used.
  • The right to know / access. You have the right to request that we disclose information to you about our collection, use and disclosure of your Personal Data over the past 12 months.
  • The right to say no to the sale of Personal Data (opt-out). We do not sell Personal Data, so there is nothing to opt out of.
  • The right to delete Personal Data, subject to certain exceptions where we are permitted or required to retain it.
  • The right not to be discriminated against for exercising any of your rights.

Exercising Your CCPA Data Protection Rights

To exercise any of your rights under the CCPA, please contact us at [email protected]. We will disclose and deliver the required information free of charge within the timeframe required by law. We may ask you to verify your identity before responding to your request.

Do Not Sell My Personal Information

We do not sell Personal Data as defined by the CCPA. Because we do not sell Personal Data, we do not offer a separate "Do Not Sell" mechanism, as there is nothing to opt out of.

"Do Not Track" Policy as Required by California Online Privacy Protection Act (CalOPPA)

Our Service does not respond to Do Not Track signals because our Service does not track its visitors across third-party websites and does not use the kind of tracking technologies that DNT signals are designed to control.

Children's Privacy

Our Service does not address anyone under the age of 16, and Clerq is a business tool not intended for children. We do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data on Clerq Cloud, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information.

Links to Other Websites

Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy. For significant changes affecting Clerq Cloud, we will take reasonable steps to notify account holders. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, you can contact us:

  • By email: [email protected]
  • By post: Shay Stephan Lee Punter, Korunni 2569/108, Vinohrady, 101 00 Praha, Czech Republic