Legal

Privacy Policy

What data we collect, why we collect it, and the choices you have.

Last updated: 20 May 2026 Effective: 20 May 2026

Summary:

We collect the data you give us to run your account (email, firm name, billing details) plus the files and answers your clients submit through your workflows. We share data only with our named sub-processors (Stripe, Resend, DigitalOcean, Sentry). You can export, correct, or delete your data at any time. We comply with GDPR and CCPA. Operated by DIGITFORGE LTD (UK).

1.Who this applies to

This Privacy Policy explains how ClearBinder ("we", "us") collects and uses personal data when you visit our marketing website, register for the service, or use the platform as an accountant or bookkeeper.

If you're a client uploading documents through a portal link your accountant sent you, you're a "data subject" of your accountant. They are the data controller for their relationship with you, and we are their processor. The Data Processing Addendum explains that role.

2.Data we collect

Information you give us

Account details — name, email, phone number, password (hashed), firm/company name, country, industry, and team size when you register.
Company profile — optional logo and other firm details you provide in settings.
Two-factor authentication — authenticator app secret and recovery codes (stored hashed where possible) if you enable 2FA.
Content — document requests you build, fields, instructions, files, and messages you upload or receive through the platform.
Support communications — anything you send us by email or through support channels.

Information we collect automatically

Usage — pages visited, actions taken, request IDs, timestamps, and audit/activity logs.
Device and connection — IP address, browser type and version, operating system, approximate location, and similar technical signals.
Cookies — see the Cookies and tracking section.

Information from third parties

Stripe — when you subscribe to a paid plan, Stripe shares limited billing metadata with us (plan, customer ID, subscription status, charge results, partial card details for display). We never receive your full card number.
Email providers — delivery and bounce information for emails we send via Resend.

3.How we use data

We use the data described above to:

Provide, maintain, and improve the service;
Authenticate you and protect your account;
Process subscription payments and prevent fraud;
Send transactional emails (password reset, email confirmation, document request notifications, reminders, billing receipts);
Respond to support requests and communicate service updates;
Detect, investigate, and prevent abuse, security incidents, or policy violations;
Comply with legal obligations and enforce our Terms.

We don't sell personal data. We don't use the content of your document requests or your clients' uploads to train AI models or for advertising.

4.Legal basis (EEA / UK users)

If the GDPR or UK GDPR applies to you, we rely on these legal bases:

Contract — to provide the service you signed up for.
Legitimate interests — to keep the service secure, prevent abuse, and operate our business, balanced against your rights.
Legal obligation — to meet bookkeeping, tax, and other legal duties.
Consent — for any optional processing where consent is the appropriate basis. You can withdraw consent at any time.

5.Sharing and sub-processors

We share personal data with the following categories of recipients, under contractual safeguards:

Provider	Purpose	Location
Stripe	Subscription billing, card processing	EU / US (SCCs applied)
Resend	Transactional email delivery	US (SCCs applied)
DigitalOcean, LLC	Application hosting and database	United States (NYC) (SCCs applied)
DigitalOcean, LLC	Encrypted file storage for uploaded documents	United States (NYC) (SCCs applied)

We do not sell or rent personal data. We may disclose data to law enforcement or government authorities when we believe disclosure is required by law or necessary to protect rights, property, or safety.

6.How long we keep data

Active accounts — we keep your data while your account is active and for the duration of your subscription.
Closed accounts — after you close your account, we keep account metadata for up to 30 days to allow recovery, then delete or anonymise it. Some data (like invoices) may be retained longer to comply with legal obligations.
Documents and uploads — controlled by you. You can delete documents and requests at any time. Deleted items are removed from active systems immediately and from backups within a reasonable cycle.
Audit logs — we retain activity logs as long as needed to support security investigations and legal obligations, typically up to 24 months.

7.Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Correction — ask us to fix inaccurate or incomplete data.
Deletion — ask us to delete your data, subject to legal exceptions.
Restriction or objection — ask us to stop or limit processing in certain circumstances.
Portability — request a copy of your data in a portable format.
Withdraw consent — where we rely on consent, you can withdraw it at any time.
Complain — lodge a complaint with your local data protection authority.

To exercise these rights, email [email protected]. We may need to verify your identity. We'll respond within the timeframe required by applicable law (typically 30 days).

If you're a client whose accountant uses ClearBinder, please contact your accountant first — they're the controller of your data and we'll route your request to them.

8.International transfers

Some of our service providers are located outside the EEA, UK, or your country of residence. Where required, we put in place appropriate safeguards — such as the EU Standard Contractual Clauses and the UK addendum — to ensure your data receives equivalent protection.

9.Cookies and tracking

We use a small number of cookies to keep the service working:

Session cookies — to keep you signed in and protect against cross-site request forgery.
Preference cookies — to remember settings like theme.

We don't use advertising cookies or third-party tracking pixels. You can clear cookies from your browser at any time; doing so will sign you out.

10.Security

We take security seriously. Measures include:

HTTPS for all traffic in transit;
Encryption at rest for uploaded documents and database backups;
Password hashing with industry-standard algorithms;
Two-factor authentication available for accountant accounts;
Time-limited, single-use client portal access links;
Rate limiting on sensitive endpoints to prevent abuse;
Regular dependency updates and access reviews.

No system is completely secure. If we become aware of a breach affecting your personal data, we'll notify you and the relevant authorities as required by law.

11.Children

The service is intended for business use by adults. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please email us so we can delete it.

12.Updates

We may update this Privacy Policy from time to time. When we do, we'll change the "Last updated" date above. If changes are material, we'll notify you by email or in-app.

13.Contact

For privacy questions, write to [email protected].

Postal: DIGITFORGE LTD (Company No. 17091016), Office 9489, 321-323 High Road, Chadwell Heath, Essex, RM6 6AX, United Kingdom