
Security and Privacy


Privacy and security are too important for legalese. Clay does not own your data, nor do we sell it to others or use it for advertising. It’s your data, period.

This policy applies to all information collected or submitted on Clay’s website and our apps for iPhone and any other devices and platforms.

After account creation, you will be asked to connect external accounts like email, calendar, and Twitter. All of these integrations are optional, but are used to build a holistic view of your network. Each has special protections to ensure Clay only uses data that is necessary for the product, and that sensitive fields are protected:

Sign in with Apple

Sign in with Apple is a private and secure way for you to log in with third party services using your Apple ID. Sign in with Apple enforces two-factor authentication, which makes your Clay experience even more secure. Note that Sign in with Apple does not give access to your Apple ID credentials or any data stored in iCloud. For more information, you can refer to Apple's documentation.

 

Calendar

What does Clay do with my calendar?

Connected calendars are only used to create contacts, show your meeting history with someone, and remind you to take notes after meetings.

How do you protect my privacy?

  • Clay asks for the most restricted access that each integration allows, which is read-only.
  • Clay cannot create new events, change any existing events, delete your calendar, or access any other data within your associated account, including email
  • Clay encrypts titles, descriptions, and participants of your meetings in storage and in transit
  • You can revoke access to your calendar at any time at https://myaccount.google.com/permissions or at Apple or Microsoft's respective account permissions pages

 

Email

What does Clay do with my email?

Connected email accounts are only used to create contacts.

How do you protect my privacy?

  • Clay asks for the most restricted access that each integration allows, which is “email headers only”. This means Clay can only read the recipients and subject line of the message — not the body of the message
  • Clay encrypts the recipient and subjects of emails in storage and in transit
  • You can revoke access to your email at any time at https://myaccount.google.com/permissions or at Apple or Microsoft's respective account permissions pages

 

Notes

What does Clay do with my notes?

Your notes are private to you, and are used in search and displayed on the corresponding contact.

How do you protect my privacy?

Clay encrypts your note text in storage and in transit.

 

Twitter

What does Clay do with my Twitter account?

Connected Twitter accounts are only used to create contacts and remind you how you know someone.

How do you protect my privacy?

  • Clay asks for the most restrictive access that Twitter allows, which is read-only and non-DM. This means Clay cannot write tweets, retweet or like anything, or read/create direct messages
  • You can revoke access to your Twitter account at any time at https://twitter.com/settings/applications

 

LinkedIn

What does Clay do with my LinkedIn account?

Connected LinkedIn accounts are only used to create contacts based on the people you’ve connected with directly (i.e. “first degree connections”).

How do you protect my privacy?

  • All your connections from LinkedIn are imported locally, and your connections information is encrypted end-to-end
  • Clay never has access to your LinkedIn username and password—you log into LinkedIn directly
  • Clay never adds connections, sends messages, or takes any actions on your behalf

 

iMessage and Contacts

What does Clay do with my iMessage account?

Connected iMessage accounts are only used to create contacts based on the people you’ve texted. Message data is never read directly—Clay computes aggregate statistics like how often you’ve texted someone, but never accesses message text.

What does Clay do with my Contacts data?

Clay only references contacts to use the name you have stored for a phone number. That name is only saved to your account, and is never shared.

What does Clay do with full disk access?

Recent versions of macOS restrict access to iMessage data, so the only way for Clay to integrate with iMessage is to have full disk access — there’s no more restrictive access we can ask for, but if this ever changes we’ll modify the integration accordingly. Full disk access is only used to identify who you’ve texted in accordance with this integration, and Clay uses read-only access.

How do you protect my privacy?

  • The people you message will be imported locally. Your connections information is encrypted end-to-end
  • Clay never reads or imports the text of messages you’ve sent or received
  • Clay will never text anyone or take any other actions on your behalf
  • Clay only computes and stores aggregate data about the number of messages you’ve sent and received

 

Technical information

Email marketing

Clay uses your account email for product features like daily and weekly summaries, product update newsletters, and one-off transactional notifications like subscription receipts and support issues. You can unsubscribe from newsletters and notifications at any time. 

 

Ads and analytics

The Clay iOS and web apps collect various usage metrics, such as the percentage of users who use particular features or when users sign in, for the sole purpose of improving the app and proactively identifying errors / performance bottlenecks. This telemetry is limited to high-level product usage and never includes any account data. As Clay grows in the coming months, we will begin to anonymize all telemetry data to further enhance the privacy of our members.


Information usage

We use the information we collect to operate and improve our website, apps, and customer support.

We do not share personal information with outside parties except to the extent necessary to accomplish Clay’s functionality.

We may disclose your information in response to subpoenas, court orders, or other legal requirements; to exercise our legal rights or defend against legal claims; to investigate, prevent, or take action regarding illegal activities, suspected fraud or abuse, violations of our policies; or to protect our rights and property.

In the future, we may sell to, buy, merge with, or partner with other businesses. In such transactions, user information may be among the transferred assets.


Information isolation

Contact information (i.e. an email address or telephone number) is only accessible to a user who explicitly added that information, either via one of the above integrations or manually. This information isolation is reinforced with software safeguards to ensure contact information has appropriate visibility.


Passwords

We implement a variety of security measures to help keep your information secure. Passwords are hashed, not stored, using industry-standard methods (currently the PBKDF2 algorithm with a SHA256 hash, a process recommended by NIST). All communication with the app and website requires HTTPS.

 

Other

  • If you enable notifications, we must store a token to send them. We never use notifications for marketing.
  • We use cookies on the site and tokens in the app to keep you logged in. Our server software may also store basic technical information, such as your IP address, in temporary memory or logs.
  • For performance and overload protection, we direct your traffic through Cloudflare before it reaches Clay’s servers. They have access to some basic technical information to perform this role, such as your IP address. Cloudflare’s privacy policy is here.

 

Security Vulnerability Disclosure

If you believe you have discovered a security or privacy vulnerability that affects Clay’s software, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.

You can report a security or privacy vulnerability in several different ways:

  • Email us at security@clay.earth
  • Message us on Keybase at clayearth
  • Submit a vulnerability to us using our HackerOne vulnerability disclosure program (you’ll need a HackerOne account)
  • Call us at (646) 360-0754

In your message, please include:

  • The specific product and software version(s) which you believe are affected
  • A description of the behavior you observed as well as the behavior that you expected
  • A numbered list of steps required to reproduce the issue and a video demonstration, if the steps may be hard to follow

You’ll receive a reply from us to acknowledge that we received your report, and we’ll contact you if we need more information.

For the protection of our members, Clay doesn’t disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.


Accessing, changing, or deleting information

You may access or change your information or delete your account from the Clay iOS app or by emailing care@clay.earth.

Deleted information may be kept in backups for up to 90 days. Backups are encrypted and are only accessed if needed for disaster recovery.

Clay may delete your information at any time and for any reason, such as technical needs, legal concerns, abuse prevention, removal of idle accounts, data loss, or any other reason.


Compliance Information

Third-party links and content

Clay displays content from third-party social sites and APIs. These have their own independent privacy policies, and we have no responsibility or liability for their content or activities.

California Online Privacy Protection Act Compliance

We comply with the California Online Privacy Protection Act. We therefore will not distribute your personal information to outside parties without your consent.

Children’s Online Privacy Protection Act Compliance

We never collect or maintain information at our website from those we actually know are under 13, and no part of our website is structured to attract anyone under 13.

Google API Services User Data Policy Compliance

Clay’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements.

Information for European Union Customers

By using Clay and providing your information, you authorize us to collect, use, and store your information outside of the European Union.

International Transfers of Information

Information may be processed, stored, and used outside of the country in which you are located. Data privacy laws vary across jurisdictions, and different laws may be applicable to your data depending on where it is processed, stored, or used.

Your Consent

By using our site or apps, you consent to our privacy policy.

Changes to this policy

If we decide to change our privacy policy, we will post those changes on this page. Summary of changes so far:

  • Jul 21, 2022: Moved document to new Clay Library, and as a result changed some formatting, organization, and updated to our new support email address. No material changes were made to content.
  • Sep 30, 2021: Added details for Apple and Microsoft calendars and emails.
  • August 16, 2021: Added additional sentence to metrics section to clarify future telemetry plans.
  • August 13, 2021: Added section on iMessage integration and data usage.
  • July 12, 2021: Added section on LinkedIn integration and data usage.
  • July 11, 2021: Added section on Google’s API limited use requirements, as required by Google.
  • August 31, 2020: Added information on data isolation policies.
  • May 1, 2020: Added information on vulnerability disclosure program and additional details on how to delete an account.
  • March 4, 2020: Added additional information on what data is collected and how data is secured per integration.
  • January 3, 2020: Changed login from email and password to Sign in with Apple.
  • June 18, 2019: First published.

Questions or Concerns

If you have questions or concerns regarding these terms, privacy, or security, please contact us at care@clay.earth.

 
