Legal
Privacy Policy
Effective May 13, 2026
This policy explains what information Klerica collects, why we collect it, how we use it, and the rights you have over your data. We try to write this in plain English. If anything is unclear, email hello@klerica.com.
Who we are
“Klerica,” “we,” and “our” refer to the operator of Klerica, an AI-assisted invoicing tool accessible at klerica.com. When you sign in to Klerica and use our service, we act as the data controller for the personal information you provide.
What we collect
- Account information. When you sign in with Google, we receive your name, email address, profile photo, and a unique Google account identifier. We use this to create and maintain your Klerica account.
- Business profile. Information you enter on the Settings page, including your business name, postal address, logo, default payment instructions, accent color, invoice template preference, and saved rate items.
- Invoice data. Invoices you draft, save, send, or mark paid, including client name and address, line-item descriptions, quantities, prices, dates, tax rates, notes, and status changes.
- Google sign-in. Klerica uses Google for authentication and requests only the basic OIDC scopes openid email profile — the same minimal information any “Sign in with Google” button collects. We do not request access to your inbox, contacts, calendar, or any other Google service.
- Pasted email content (transient). When you paste a client email into the editor for AI extraction, that text is sent to our AI provider, processed in-memory, and discarded once the draft invoice has been created. We do not retain pasted email content beyond the request that produced your draft.
- Payment information. When you subscribe to a paid plan, our payment processor (currently Lemon Squeezy or Stripe, depending on what is integrated at time of purchase) handles your card details directly. Klerica never sees or stores your full card number. We do receive a billing customer ID and subscription status so we can grant you access to the right plan.
- Usage and device data. Server logs of requests you make (page paths, IP address, user agent, timestamps), standard error/diagnostic logs, and aggregate metrics about feature usage. We use this to keep the service running, debug issues, and understand which features are valuable.
- Public share-page views. When you send an invoice and the recipient opens its public share link, we record the first-view and last-view timestamps and a view count, so you can tell whether the recipient has looked at it. We do not collect IP addresses, geolocation, or device fingerprints of share-page viewers.
How we use your information
- To operate the Klerica service and the features you use.
- To draft invoices from pasted email content via our AI processing (Anthropic Claude). The email text is transmitted to Anthropic over TLS, processed in memory, and not retained for AI training.
- To send invoices and reminder emails to your clients when you explicitly click Send. Emails are sent through our transactional email provider with your business name in the From line and your email address as Reply-To.
- To bill you for paid subscriptions and send purchase receipts.
- To communicate service-related notices (account changes, security alerts, scheduled maintenance, policy updates).
- To prevent fraud, enforce our Terms of Service, and respond to lawful legal requests.
We do not sell your data, share it with advertisers, or use it to train AI models. We do not show third-party ads inside Klerica.
Service providers we share data with
We use a small number of trusted third parties to operate the service. Each one only receives the data they need to do their job:
- Supabase — Postgres database and file storage for your account, business profile, invoices, and uploaded logos. Hosted in the United States.
- Anthropic — AI extraction from email text you submit. Email content is processed transiently and not retained for model training under our API contract.
- Google — sign-in via OAuth (basic OIDC scopes: name and email). Subject to Google's own terms.
- Resend — transactional email delivery for invoice sends and automated reminders. Email metadata (recipient, subject, send timestamp) is logged with Resend for delivery diagnostics.
- Payment processor — Lemon Squeezy or Stripe, depending on the integration in effect at your time of purchase. They handle card data; we receive only billing identifiers and subscription state.
- Vercel — hosting for the Klerica web application.
We may also disclose information when required by law, to respond to valid legal process (subpoena, court order, etc.), to protect the rights or safety of Klerica or our users, or in connection with a corporate transaction (e.g. merger, acquisition, or sale of assets), in which case we will notify you in advance where legally permitted.
Where your data is stored
Klerica primarily stores data in the United States via Supabase and Vercel. If you access the service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on the European Commission's Standard Contractual Clauses (where applicable) to safeguard cross-border transfers.
How long we keep data
We retain your account and invoice data for as long as your account is active. If you delete an invoice from the editor, it is removed from active storage immediately and from encrypted backups within 30 days. If you delete your account (see below), we wipe your data within 30 days, except for limited records we are required to retain for tax, billing, or legal compliance (typically up to 7 years for invoice records under applicable tax law).
Your rights
Depending on where you live (e.g. EU/UK under GDPR, California under CCPA/CPRA), you have rights over your personal data, including:
- Access — request a copy of the personal data we hold about you.
- Correction — fix inaccurate or incomplete data. Most of this you can do yourself on the Settings page.
- Deletion — request we delete your account and data. Email hello@klerica.com and we will complete deletion within 30 days, subject to the retention exceptions above.
- Portability — request an export of your invoices in a machine-readable format (CSV/JSON).
- Objection / restriction — object to or restrict certain processing.
- Withdraw consent — for processing that depends on consent (e.g. Stripe payment integration), you can withdraw at any time from Settings or by revoking access in the relevant third-party account.
- Lodge a complaint — with your local data protection authority. We'd prefer you tell us first.
To exercise any of these rights, email hello@klerica.com. We respond within 30 days.
Security
We use industry-standard practices to protect your data: encryption in transit (TLS 1.2+), encryption at rest for our database and storage, scoped access controls (Postgres row-level security per user), encrypted OAuth refresh tokens, and routine dependency updates. No system is perfectly secure — if we ever become aware of a breach affecting your information, we'll notify you without undue delay and as required by law.
Cookies and similar technologies
Klerica uses strictly necessary cookies to keep you signed in (session token, CSRF token) and to remember your preferences (e.g. preferred billing period on the pricing page). We don't use third-party advertising cookies or cross-site trackers.
Children's privacy
Klerica is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, email hello@klerica.com and we will delete it.
Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to your account address and posted at the top of this page at least 14 days before they take effect. Continued use of Klerica after the effective date constitutes acceptance of the updated policy.
Contact
Questions, requests, or concerns about this policy or your data: email hello@klerica.com. For data-subject requests under GDPR/CCPA, please include the email address associated with your Klerica account.
