This Privacy Policy is subject to the highest data-protection standards in accordance with the legal regulations established by the General Data Protection Regulation (GDPR) and consistent with other principles enshrined in the federal laws of the United States of America. This document also sets out the measures, procedures and purposes for the effective Processing of the Database transmitted by Organizations. Clio Circle, as the "Processor" of Data Processing, is responsible for preserving the security and confidentiality of the information through the Software.
Clio Circle offers Software to any kind of corporate Organization so they may use their own Organization Database to monitor and assess the coping behavior of Organization Members — whether employees, members, managers, workers, and in general, any Organization Member. The purpose is for the Organization to gain insight into the coping state of its Members, identify profiles within the Organization and, above all, take preventive measures to preserve good emotional mental health, intelligence and education throughout the development of activities. Clio Circle provides a chatbox built with artificial intelligence through which Organization Members may express any situation in their personal, family or work sphere ("Clio AI").
Clio Circle also offers its Software to individuals ("Consumers") so they can interact with the tool to identify their socio-emotional profile, track their behavior and skills, and write into Clio AI.
The Organization shall act as the "Controller" of personal and sensitive data Processing stored in the Organization Database. Consequently, the Organization has the duty to ensure the security and confidentiality of Personal Data and/or Sensitive Data of Organization Members/Consumers, and to ensure the truthfulness and transparency of the information.
Contents
- Rules of interpretation
- Definitions
- Processing principles
- Purpose
- Purposes for Organizations
- Purposes for Consumers
- Legal basis
- International transfers
- Scope of application
- Consent and withdrawal
- Clio Circle duties
- Information security
- Controller assistance
- Clio AI processing
- Data deletion
- Audit
- Term
- Contact
- Annex: Chrome Extension
I. Rules of interpretation
For the interpretation of this Privacy Policy, terms with an initial capital letter shall have the meaning assigned to them below. Terms not expressly defined shall be understood in the sense given to them by the corresponding technical language or, failing that, in their natural and obvious sense.
If the expression "including" is used, it shall be understood as "including without limitation", unless the text explicitly states it as exhaustive. References to applicable laws or legal provisions include all aggregated, extended, consolidated, modified or replaced legal provisions.
II. Definitions
Clio Circle: the Processor of Personal Data and/or Sensitive Data on behalf of the Controller. Data is made available to the Organization through the Software (owned by Clio Circle) for the purpose of presenting statistics/metrics on the behavior of Organization Members, identifying socio-emotional profiles, among others. Clio Circle only provides the Software, but the Organization is responsible for obtaining Consent from Organization Members and ensuring proper use of the Software.
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of personal data concerning them. For the purposes of this policy, the Organization shall be solely responsible for obtaining Consent from Organization Members.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Personal Data processing.
Consumer(s): natural persons (non-organizational) who connect to the Software provided by Clio Circle. Through it they may build their socio-emotional profile, identify improvement opportunities related to managing emotional behavior, and use Clio AI to share personal, household and personal experiences.
Database: organized set of personal data subject to Processing by both the Organization and Clio Circle through its Software.
Software: the program Clio Circle offers to the Organization to visualize metrics related to the behavior of Organization Members, providing information on the behavior and emotions of Organization Members, identification of socio-emotional profiles, and personalized solutions for emotion management — so the Organization can monitor and assess the behavior of Organization Members and adopt preventive measures for managing and caring for mental health.
Organization Member(s): any member related to the Organization (whether as employee, customer, supplier, worker, etc.) whose Personal Data is processed by the Data Processor (on behalf of the Data Controller), it being understood that Organization Members must have previously given their consent.
Organization: the Controller of personal/sensitive data Processing; determines the purposes and means of processing. Data is made available through the Software (owned by Clio Circle) for purposes including presenting statistics/metrics on the behavior of Organization Members, identification of socio-emotional profiles, etc.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.
Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Legal Representative of the Organization Member: the natural person who exercises parental authority over the Organization Member and who has accepted the Organization's privacy policy. This applies only in countries where regulations establish that the Organization Member is considered a minor.
III. Principles of data processing
Clio Circle, as Processor of Personal Data and/or Sensitive Data associated with Organization Members/Consumers, shall be obliged to store, collect and verify the integrity of the Database transmitted by the Organization, in accordance with the purposes set out in this Privacy Policy.
Principle of Transparency: the Organization Member's right to obtain from the Controller or Processor, at any time and without restriction, information on the existence of data.
Principle of Truthfulness: the information subject to Processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. Processing of partial, incomplete, fragmented or misleading data is prohibited.
Principle of Security: Personal Data is processed in a manner that ensures adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through appropriate technical or organizational measures.
Principle of Confidentiality: the Processor is obligated to ensure the confidentiality of the information, even after the end of its relationship with any of the tasks comprising Processing. Subsequently, the Processor must delete all information held under the relationship with the Controller.
Privacy by Design and by Default:
- Data Protection by Design: refers to the use of pseudonymization (replacement of personally identifiable material with artificial identifiers) and encryption (encoding of messages so that only authorized persons can read them).
- Data Protection by Default: the Software is designed to limit the accessibility of Organization Members' profiles so they are not accessible by default to an indefinite number of persons. Clio Circle has technological mechanisms in place to ensure information protection within the Software, but the Organization is responsible for ensuring that data is not known by unauthorized third parties within the Organization.
Principle of Accountability: refers to the implementation of technical and organizational measures to ensure and demonstrate GDPR compliance, documentation of personal data processing, periodic audits, among other aspects to ensure regulatory compliance.
IV. Purpose of this policy
This Privacy Policy regulates the purposes under which Clio Circle, as Software provider and Data Processor, carries out the use, collection, handling and storage of the Database and/or Sensitive Data through the Software, on behalf of and on account of the Organization.
V. Processing purposes for Organizations
The Processing of Personal Data associated with Organization Members shall be subject to the following purposes:
- Performing the profile-creation process for each Organization Member in Clio Circle's Software. The registration process includes: name, gender, date of birth, country of residence, email address and phone number.
- The Organization Member must complete a form consisting of a series of questions related to socio-emotional behavior.
- Clio Circle offers a space within its platform for Organization Members to write daily situations related to any event, such as their state of mind, family or work conflicts, moral dilemmas. Members may express any situation affecting their personal, family or work environment.
- On the Clio Circle platform, the Organization may visualize metrics and/or statistics related to the information reported by Organization Members, as well as full access to profiles (emotional skills, improvements, behavioral progress).
- After delivering metric/statistical information to the Organization, including bullying-case reports and profiles, Clio Circle proceeds to implement a "PIBS" methodology (Positive Behavior Intervention and Support) to design future strategy and assessment plans.
VI. Processing purposes for Consumers
- Provide and manage the Software to enable creation, sharing and consumption of content, and to assist the Consumer.
- Build socio-emotional profiles so the Consumer can identify improvement areas related to mental health.
- Improve Clio AI's development and experience to better adapt it to the Consumer's profile.
- Maintain and improve the Software's security, protection and stability by identifying and resolving technical or security issues (technical errors, spam accounts and abuse/fraud/illegal-activity detection).
- Review, improve and develop the Software through, among other methods, tracking interactions and use within your account, analyzing how Consumers use it, and training/testing/improving our technology, such as our AI Chat and machine-learning algorithms.
- Promote the Software or third-party services through marketing communications, contests or promotions.
- Build metrics, reports and assessments using data provided by Consumers, provided that such data is anonymized or pseudonymized. Under no circumstances will Consumer identity be revealed.
VII. Legal basis
Clio Circle uses the following legal bases for storage, use, relocation and processing of Consumers' personal data:
| Reasons for use | Personal Data collected | Legal basis |
|---|---|---|
| Provide and manage the Software, assist the Consumer. | Name · Country · Phone · Email · Coping questionnaire | Contract performance · Legitimate Interest · Consent (sensitive data) |
| Build socio-emotional profiles. | Coping questionnaire responses | Consent (Sensitive Data) |
| Improve Clio AI to fit the Consumer profile. | Questionnaire responses | Consent (Sensitive Data) |
| Software security and stability, fraud/abuse detection. | Name · Email · Phone | Legitimate Interest |
| AI / algorithm improvement and training. | Interaction and usage data | Contract performance |
| Marketing, promotions and contests. | Email · Phone | Legitimate Interest |
| Anonymized metrics and reports. | Pseudonymized data | Legitimate Interest |
VIII. International transfers
Clio Circle may transfer your personal data outside your country of origin, including to countries whose regulations do not ensure an equivalent level of data protection. Nevertheless, Clio Circle commits to comply with applicable law in each jurisdiction and, as a guiding principle, will adopt the GDPR standard to ensure data security and privacy.
Given that Organization Members or Consumers may be located in different regions of the world, including the United States, Europe, Latin America and Asia, Clio Circle will implement appropriate measures to safeguard the information. When sharing personal data with affiliates or third parties located outside the European Economic Area (EEA) and the United Kingdom, Clio Circle will ensure that:
- The receiving third party is located in a country recognized by the European Commission as providing an adequate level of data protection; and/or
- Adequate safeguards are implemented to ensure the continued protection of personal data, such as signing the EU Standard Contractual Clauses adopted by the European Commission (Article 46(2)(c) GDPR).
IX. Scope of application
The guidelines, criteria and directives set out in this Privacy Policy shall apply to the Database for which the Organization acts as the Controller of Personal Data. They shall be complied with by the Organization and by Clio Circle as Processor of Personal Data.
The Controller and Processor will comply with their obligations under the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (Title 1.81.5 of the California Civil Code), and any relevant rule that modifies, regulates, supplements or replaces existing laws regarding personal data protection after the issuance of this Privacy Policy.
X. Consent and withdrawal
Consent
Consent given by Legal Representatives of Organization Members for Personal Data Processing will be collected by any of the means authorized by them and, in any case, under schemes that allow subsequent consultation. Authorizations will be granted by Legal Representatives of Members to the Organization, or to whomever the Organization designates.
The Legal Representative of Organization Members may at any time request the Organization, as Data Controller, to delete personal data and/or revoke the Authorization granted for Processing by submitting a request. However, we caution that requests to delete information and/or revoke authorization will not proceed when the Legal Representative has a legal or contractual duty under which they must remain in the Organization's database.
Withdrawal of consent
Organization Members and Consumers have the right to withdraw, at any time and with future effect, the consent granted to Clio Circle for processing their personal data. To exercise this right they may submit an explicit request to clio@cliocircle.com. Such withdrawal does not affect the lawfulness of processing performed based on consent prior to its revocation, in accordance with GDPR.
XI. Clio Circle duties
- The Processor must keep a record of Personal Data Processing activities associated with Organization Members.
- Preserve the confidentiality of Personal or Sensitive Data related to Organization Members; such data may not be disclosed to any third party other than Organization personnel, in accordance with the purposes described in this Policy.
- Inform the purpose of Personal Data Processing associated with Organization Members.
- Notify the Controller without undue delay of any Personal Data security breach of which it becomes aware.
- Assess the risks inherent in Processing and implement measures to mitigate them, such as encryption.
- Assist the Controller when necessary and upon request, to ensure compliance with obligations arising from data-protection impact assessments.
- Handle Personal Data associated with Organization Members according to the Controller's instructions and guidelines.
- Other obligations regulated through GDPR.
XII. Information security
The Processor, in compliance with directives expressed by the Controller, will adopt the following measures to protect the security of Personal Data associated with Organization Members:
- Where possible, achieve pseudonymization of Personal Data. One of Clio Circle's purposes is to provide the Organization with metrics and statistics about Organization Members' behavior without any third party being able to identify the individual.
- Clio Circle has a computer system capable of guaranteeing the integrity and confidentiality of Personal Data stored through its Software. The system has keys, passwords and other processes mitigating the risk that third parties breach the Software.
- Clio Circle is able to restore availability and access to personal data quickly in case of a physical or technical incident.
- Clio Circle has verification, evaluation and assessment processes to ensure processing security.
- Clio Circle, at the Controller's request, may modify, update or rectify Organization Members' Personal Data in cases of inconsistency or inaccuracy.
- Clio Circle will assess risks to natural persons' rights and freedoms inherent in processing and implement mitigation measures.
XIII. Assistance to the Controller / Organization
Given the nature of Processing, the Processor will assist the Controller with appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to data-subject rights requests under Chapter III of GDPR.
The Processor will assist the Controller with:
- The data subject's right of access.
- The right to rectification.
- The right to erasure (the "right to be forgotten").
- The right to restriction of processing.
- The notification obligation regarding rectification or erasure of personal data, or restriction of processing.
- The right not to be subject to a decision based solely on automated processing, including profiling.
XIV. Data processing through the Clio AI model
Clio Circle processes Consumer data in accordance with EDPB guidelines:
- Legitimate interest. Clio Circle processes Consumer data through Clio AI for a social and educational purpose — so the Consumer can identify their socio-emotional profile, share experiences in the ChatBox, and have follow-up and assessment of emotional behaviors. Under no circumstances will Personal Data be processed in ways that violate or undermine the rights of the Organization Member/Consumer. Clio Circle must avoid bias in its decisions.
- Data anonymization. Clio Circle will create metrics, analyses and reports on Consumer data, but in all cases data will be anonymized. Clio Circle will not reveal Consumer identities.
XV. Data deletion and return
Upon termination of Personal Data Processing in connection with the provision of Clio Circle, the Processor shall be obligated to delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, return all Personal Data to the Controller, and delete existing copies.
XVI. Audit and inspection
The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Privacy Policy, more specifically with the security of Organization Members' information stored in Clio Circle's Software. It will also allow and contribute to audits, including inspections, conducted by the Controller.
Audits of the Data Processor will be performed at least once every six months.
XVII. Term
This Privacy Policy is effective from the date of its publication until the closure of the Application (Clio Circle). In case of any modification, adjustment, supplement or update of the terms set out herein, notice of such changes will be provided through the website https://cliocircle.com/en/privacy.
XVIII. Contact
Any question or additional information will be received and processed by sending it to: clio@cliocircle.com.
Annex · Chrome Extension "Clio – Write Better"
This section supplements the policy with disclosures specific to Google Chrome Web Store and to Google's User Data Policy (Limited Use).
Data collected by the extension
When you sign in with your Google account from the extension, we receive:
- scope "email": your email address
- scope "profile": your public name and profile picture
- scope "openid": your unique Google identifier (sub) — only to distinguish accounts in a stable way
When you explicitly request a draft improvement (by clicking the Clio icon inside the Gmail compose), we send to the server:
- The text of the draft you are writing
- The recipient email when visible in the compose
- Your own email (to associate the improvement with your profile)
We also log basic usage events (clicks on "Insert", "Cancel", "Sign out") for product-improvement purposes.
What the extension does NOT do
- Does not read your received emails or the contents of your inbox.
- Does not send text to the server automatically — only when you explicitly click the Clio icon.
- Does not access your contacts.
- Does not use third-party tracking cookies or pixels.
- Does not sell, rent or transfer your personal data.
- Does not use the content of your drafts to train AI models.
Third-party processors (sub-processors)
To operate the Software we use the following providers acting as sub-processors under our control:
- Google Cloud Platform / Firebase Firestore (Google LLC, USA) — stores your account and usage events. Subject to Google's GDPR commitments and SOC 2 / ISO 27001 certifications.
- Anthropic, PBC (USA) — the Claude model transiently processes your draft text to generate the improvement suggestion. Per Anthropic's commercial terms, they do not train on data sent to their API. Privacy policy: anthropic.com/legal/privacy.
- Vercel Inc. (USA) — hosting of the public landing site (cliocircle.com).
Permissions requested by the extension
- activeTab: Allows Clio to read the Gmail compose draft only when you are actively on that tab.
- storage: Stores your sessionToken locally (chrome.storage.sync) so you don't have to sign in every time.
- identity: Enables the Google sign-in flow (chrome.identity.getAuthToken).
- host (mail.google.com): Required to inject the Clio icon inside the Gmail editor.
Extension data retention
- Account and profile (email, name, googleId, picture): kept until you request deletion.
- SessionToken: 30 days, then automatically refreshed when you use the extension.
- Draft text: NOT stored to disk. Held in memory only during request processing and discarded after sending the response.
- Usage events: 12 months, then anonymized or deleted.
How to revoke access or delete your account
You can revoke Clio's access at any time through any of these paths:
- Click "Sign out" inside the extension popup.
- Remove the extension from chrome://extensions in your browser.
- Revoke Clio's permission at myaccount.google.com/permissions.
- For complete deletion of your account and all associated data, write to clio@cliocircle.com. We process deletion requests within 30 days at most.
Limited Use Disclosure (Google API Services)
The extension's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not transfer user data to third parties except as necessary to provide or improve user-facing features, do not use the data to serve advertising, and do not allow humans to read your data unless: (a) you give explicit consent for support cases, (b) for operational security, or (c) where required by law.