Privacy Policy

Last updated: 12 April 2026

Who we are

ClearAct is a product of Nespit Bilgi Teknolojileri Limited Şirketi, a company registered in Istanbul, Türkiye. We operate the website clearact.net and provide EU AI Act compliance tools for small and medium-sized enterprises (SMEs). For full company details, see our Imprint page.

Data we collect

We collect personal data when you use our services. The specific data depends on how you interact with ClearAct:

  • Email address — required for account creation, quiz results, and communications
  • Full name — used for personalization and compliance reports
  • Company name — used for risk assessment context and report generation
  • Company size — used to tailor compliance recommendations
  • Quiz responses — your answers to the EU AI Act risk assessment questions
  • Calculated risk score — derived from your quiz answers (0-68 scale)
  • Account data — password (encrypted), subscription tier, login timestamps
  • AI system inventory — names, descriptions, risk levels of AI systems you register

Why we collect data

We process your personal data for the following purposes: (a) to deliver your risk assessment results and generate compliance reports; (b) to provide and maintain your account and subscription; (c) to send transactional emails such as quiz results, report delivery, and account notifications; (d) to improve our services based on aggregated, anonymized usage patterns; (e) to comply with legal obligations. We process data under GDPR Article 6(1)(b) (performance of a contract) for service delivery, and Article 6(1)(f) (legitimate interest) for service improvement.

How we store data

Your data is stored on a dedicated server hosted by DigitalOcean in their European data center region. The application database is encrypted at rest. Access to production systems is restricted to authorized personnel only. We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

Email communications

We send transactional emails (quiz results, compliance reports, account notifications) via Resend, a third-party email delivery service. You may also receive product update emails related to EU AI Act compliance deadlines and new features. You can unsubscribe from non-essential communications at any time by contacting us.

Payment processing

Paid subscriptions are processed by Lemon Squeezy (Lemon Squeezy, LLC), which acts as the Merchant of Record for all transactions. When you purchase a subscription, Lemon Squeezy collects your payment information (card details, billing address) directly through their secure checkout. ClearAct never sees or stores your payment card data. We only receive confirmation of your subscription status, plan type, and customer identifier from Lemon Squeezy. Lemon Squeezy's own privacy policy governs the data they collect during checkout.

Third-party services

We use the following third-party services that may process personal data on our behalf. Each service is bound by its own privacy policy and data processing agreements:

  • Resend (resend.com) — transactional email delivery. Processes: email addresses, email content. Server location: USA.
  • Lemon Squeezy (lemonsqueezy.com) — payment processing, subscription management, tax compliance. Processes: payment details, billing address, email. Acts as Merchant of Record.
  • DigitalOcean (digitalocean.com) — cloud infrastructure and hosting. Processes: all application data. Server location: EU region.
  • Cloudflare (cloudflare.com) — DNS, CDN, and DDoS protection. Processes: IP addresses, request metadata.

International data transfers

Some of our third-party service providers (Resend, Lemon Squeezy, Cloudflare) are based in the United States. Data transfers to the US are conducted under the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as appropriate. Our company is based in Türkiye; data stored on our DigitalOcean servers is kept in the EU region.

Cookies and analytics

We use strictly necessary cookies only: a session cookie for authenticated users and a cookie consent preference cookie. We do not use third-party tracking cookies, analytics platforms (such as Google Analytics), or advertising pixels. No personal data is shared with advertising networks or data brokers.

Data retention

We retain your personal data for as long as your account is active or as needed to provide our services. Quiz data for non-registered users is retained for up to 24 months. If you request account deletion, we will erase your personal data within 30 days, except where retention is required by law (e.g., invoicing records retained for 10 years under Turkish tax law). Anonymized, aggregated data may be retained indefinitely for statistical purposes.

Your rights under GDPR

If you are in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR): (a) Right of access — request a copy of the personal data we hold about you; (b) Right to rectification — request correction of inaccurate data; (c) Right to erasure — request deletion of your data ('right to be forgotten'); (d) Right to data portability — receive your data in a structured, machine-readable format; (e) Right to restrict processing — request that we limit how we use your data; (f) Right to object — object to processing based on legitimate interests; (g) Right to withdraw consent — where processing is based on consent. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Contact

For privacy-related requests or questions, contact us at [email protected].