Privacy and security are too important for legalese. Clay does not own your data, nor do we sell it to others or use it for advertising. It’s your data, period.
Clay is SOC 2 certified, and all data is encrypted in transit and at rest.
After account creation, you will be asked to connect external accounts like email, calendar, and Twitter. You'll need to connect at least one account for Clay to be useful, but adding additional accounts is optional. Connected accounts are only used to build a holistic view of your network; each has special protections to ensure Clay only uses data that is necessary for the product, and that sensitive fields are protected.
This policy applies to all information collected or submitted on Clay’s website and our apps for iPhone and any other devices and platforms.
Sign in with Apple
Sign-in with Apple is a private and secure way for you to log in with third-party services using your Apple ID. Sign in with Apple enforces two-factor authentication, which makes your Clay experience even more secure. Note that Sign in with Apple does not give access to your Apple ID credentials or any data stored in iCloud. For more information, you can refer to Apple's documentation.
Calendar
What does Clay do with my calendar?
Connected calendars are only used to create contacts, show your meeting history with someone, and remind you to take notes after meetings.
How do you protect my privacy?
- Clay asks for the most restricted access that each integration allows, which is read-only.
- Clay cannot create new events, change any existing events, delete your calendar, or access any other data within your associated account, including email
- Clay encrypts titles, descriptions, and participants of your meetings in storage and in transit
- You can revoke access to your calendar at any time at https://myaccount.google.com/permissions or at Apple or Microsoft's respective account permissions pages
What does Clay do with my email?
Connected email accounts are only used to create contacts.
How do you protect my privacy?
- Clay asks for the most restricted access that each integration allows, which is “email headers only”. This means Clay can only read the recipients and subject line of the message — not the body of the message
- Clay encrypts the recipient and subjects of emails in storage and in transit
- You can revoke access to your email at any time at https://myaccount.google.com/permissions or at Apple or Microsoft's respective account permissions pages
Notes
What does Clay do with my notes?
Your notes are private to you, and are used in search and displayed on the corresponding contact.
How do you protect my privacy?
Clay encrypts your note text in storage and in transit.
Social Accounts
What does Clay do with my social accounts?
Connected social media accounts are only used to create contacts based on the people you’ve connected with directly (i.e. “first-degree connections”).
How do you protect my privacy?
- All your connections and friends are imported locally, and your connections information is encrypted end-to-end
- Clay never has access to your social media username and password—you log into the social media site directly
- Clay never adds connections, sends messages, or takes any actions on your behalf
- You can choose to disconnect your social media accounts in Clay's Settings at any time
Messaging apps
What does Clay do with my messaging /chat account?
Connected messaging accounts are only used to create contacts based on the people you’ve texted. Message data is never read directly—Clay computes aggregate statistics like how often you’ve texted someone, but never accesses message text.
What does Clay do with my Contacts data?
Clay only references contacts to use the name you have stored for a phone number. That name is only saved to your account, and is never shared.
What does Clay do with full disk access?
Recent versions of macOS restrict access to iMessage / WhatsApp data, so the only way for Clay to integrate with iMessage is to have full disk access — there’s no more restrictive access we can ask for, but if this ever changes we’ll modify the integration accordingly. Full disk access is only used to identify who you’ve texted in accordance with this integration, and Clay uses read-only access.
How do you protect my privacy?
- The people you message will be imported locally. Your connections information is encrypted end-to-end
- Clay never reads or imports the text of messages you’ve sent or received
- Clay will never text anyone or take any other actions on your behalf
- Clay only computes and stores aggregate data about the number of messages you’ve sent and received
Nexus and AI features
How do AI features use my Clay data?
Any AI features use Clay data like notes and contact information to provide product features like related contacts, contact summarization, question answering, and search.
How do you protect my privacy?
- AI features are entirely opt-in. You choose whether to use them.
- Nexus and Clay do not use your data to train our models.
- Any information used to power Nexus will be processed by our AI infrastructure, which is a combination of Clay servers and third-party partners, for the sole purpose of providing you with product features.
- You can choose to provide input to the AI models by providing feedback on the answers that Nexus provide. Providing that feedback is opt-in and isn't required.
- We do not allow any partners or third parties to use your data to train their models or any other purpose.
Technical information
Email marketing
Clay uses your account email for product features like daily and weekly summaries, product update newsletters, and one-off transactional notifications like subscription receipts and support issues. You can unsubscribe from newsletters and notifications at any time.
Ads and analytics
The Clay iOS, Web, and Desktop apps collect various usage metrics, such as the percentage of users who use particular features or when users sign in, for the sole purpose of improving the app and proactively identifying errors/performance bottlenecks. This telemetry is limited to high-level product usage and never includes any sensitive contact data like notes or contact information. As Clay grows in the coming months, we will begin to anonymize all telemetry data to further enhance the privacy of our members.
Subscriptions
All payment and credit card info is handled via Stripe (for payments on Mac, Windows, and web) or RevenueCat and the iOS App Store (for payments on our iOS app). Payment info is never stored on our servers, is only used for the purposes of your subscription, and is never shared with any third party.
Information usage
We use the information we collect to operate and improve our website, apps, and customer support.
We do not share personal information with outside parties except to the extent necessary to accomplish Clay’s functionality.
We may disclose your information in response to subpoenas, court orders, or other legal requirements; to exercise our legal rights or defend against legal claims; to investigate, prevent, or take action regarding illegal activities, suspected fraud or abuse, violations of our policies; or to protect our rights and property.
In the future, we may sell to, buy, merge with, or partner with other businesses. In such transactions, user information may be among the transferred assets.
Information isolation
Contact information (i.e. an email address or telephone number) is only accessible to a user who explicitly added that information, either via one of the above integrations or manually. This information isolation is reinforced with software safeguards to ensure contact information has appropriate visibility.
Passwords
We implement a variety of security measures to help keep your information secure. Passwords are hashed, not stored, using industry-standard methods (currently the PBKDF2 algorithm with a SHA256 hash, a process recommended by NIST). All communication with the app and website requires HTTPS.
Other
- If you enable notifications, we must store a token to send them. We never use notifications for marketing.
- We use cookies on the site and tokens in the app to keep you logged in. Our server software may also store basic technical information, such as your IP address, in temporary memory or logs.
- For performance and overload protection, we direct your traffic through Cloudflare before it reaches Clay’s servers. They have access to some basic technical information to perform this role, such as your IP address. Cloudflare’s privacy policy is here.
Security Vulnerability Disclosure
If you believe you have discovered a security or privacy vulnerability that affects Clay’s software, please report it to us. We welcome reports from everyone, including security researchers, developers, and customers.
You can report a security or privacy vulnerability in several different ways:
- Email us at security@clay.earth
- Message us on Keybase at clayearth
- Submit a vulnerability to us using our Federacy vulnerability disclosure program (you’ll need a Federacy account)
In your message, please include:
- The specific product and software version(s) which you believe are affected
- A description of the behavior you observed as well as the behavior that you expected
- A numbered list of steps required to reproduce the issue and a video demonstration, if the steps may be hard to follow
- You’ll receive a reply from us to acknowledge that we received your report, and we’ll contact you if we need more information.
For the protection of our members, Clay doesn’t disclose, discuss, or confirm security issues until our investigation is complete and any necessary updates are generally available.
Accessing, changing, or deleting information
You may access or change your information or delete your account from the Clay app or by emailing care@clay.earth.
Deleted information may be kept in backups for up to 90 days. Backups are encrypted and are only accessed if needed for disaster recovery.
Clay may delete your information at any time and for any reason, such as technical needs, legal concerns, abuse prevention, removal of idle accounts, data loss, or any other reason.
Compliance Information
SOC 2 Type II
Clay is SOC 2 Type II certified, and the attestation letter is available upon request — email us at care@clay.earth.
Third-party links and content
Clay displays content from third-party social sites and APIs. These have their own independent privacy policies, and we have no responsibility or liability for their content or activities.
California Online Privacy Protection Act Compliance
We comply with the California Online Privacy Protection Act. We therefore will not distribute your personal information to outside parties without your consent.
Children’s Online Privacy Protection Act Compliance
We never collect or maintain information at our website from those we actually know are under 13, and no part of our website is structured to attract anyone under 13.
Google API Services User Data Policy Compliance
Clay’s use of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements.
Information for European Union Customers
By using Clay and providing your information, you authorize us to collect, use, and store your information outside of the European Union.
International Transfers of Information
Information may be processed, stored, and used outside of the country in which you are located. Data privacy laws vary across jurisdictions, and different laws may be applicable to your data depending on where it is processed, stored, or used.
Your Consent
By using our site or apps, you consent to our privacy policy.
Changes to this policy
If we decide to change our privacy policy, we will post those changes on this page. Summary of changes so far:
- Oct 18, 2024: Update security vulnerability program to Federacy and add SOC 2 certification
- Oct 14, 2024: Consolidated social media accounts into one section
- Mar 28, 2024: Updated social media integrations to reflect updated integration behavior
- Sep 3, 2023: Added section on subscriptions and payment info.
- May 16, 2023: Added section on Nexus and AI features.
- Sep 6, 2022: Added section on Facebook integration and data usage. Clarified that at least one account is required when onboarding to Clay. Fixed outdated mentions of "Clay iOS app" where intended meaning was Clay app across platforms.
- Jul 21, 2022: Moved document to new Clay Library, and as a result changed some formatting, organization, and updated to our new support email address. No material changes were made to the content.
- Sep 30, 2021: Added details for Apple and Microsoft calendars and emails.
- August 16, 2021: Added additional sentence to the metrics section to clarify future telemetry plans.
- August 13, 2021: Added section on iMessage integration and data usage.
- July 12, 2021: Added section on new integration and data usage.
- July 11, 2021: Added section on Google’s API limited use requirements, as required by Google.
- August 31, 2020: Added information on data isolation policies.
- May 1, 2020: Added information on the vulnerability disclosure program and additional details on how to delete an account.
- March 4, 2020: Added additional information on what data is collected and how data is secured per integration.
- January 3, 2020: Changed login from email and password to Sign in with Apple.
- June 18, 2019: First published.
Questions or Concerns
If you have questions or concerns regarding these terms, privacy, or security, please contact us at care@clay.earth.