Privacy Policy
Last updated: May 13, 2026
0. Scope
Clonify processes personal data in two distinct roles. As a data controller, we process the personal data of creators (paying customers of Clonify). As a data processor, we process the personal data of visitors interacting with a creator's published clone on behalf of that creator.
A. Creator data (Clonify customer)
In this section, Clonify acts as data controller.
A.1 Controller
- Entity: Marea Kiss LLC
- Address: 30 N Gould St, Ste R, Sheridan, WY 82801, USA
- Email: privacy@clonify.com
A.2 Data we collect
- Account: email, name, profile photo, subdomain, language preference.
- Billing: fiscal data, country, subscription plan, payment history. Card data is processed by our payment provider; Clonify does not store card numbers.
- Uploaded content: audios, videos, documents, URLs and derived artifacts (transcripts, embeddings, knowledge graph, voice profile).
- Technical: IP address, user agent, session cookies, error logs.
- Usage: pages viewed, actions in admin panel, quota consumption.
A.3 Purposes and legal basis
- Service provision, authentication, billing, support — contractual necessity (art. 6.1.b GDPR).
- Tax and accounting obligations — legal obligation (art. 6.1.c).
- Product analytics, fraud prevention, service improvement — legitimate interest (art. 6.1.f).
- Commercial communications about features and similar services — legitimate interest based on existing contractual relationship (LSSI-CE art. 21.2), with opt-out in every email.
B. Visitor data of a clone
When a visitor interacts with a creator's clone, the creator is the data controller and Clonify is the data processor, bound by the Data Processing Addendum.
B.1 Data processed
- Identifiers: email and optional name when the visitor logs in via OTP; anonymous cookie ID when anonymous.
- Conversations: full transcripts of messages with the clone.
- Memory profile: AI-generated summary plus five neutral fields (context, goal, problem, constraints, next step) derived from the conversation, to personalise future replies.
- Technical: IP address, user agent, language, originating page.
- Cookies: see the Cookie Policy.
B.2 OTP clickwrap
When a visitor enters the one-time code received by email, they accept the visitor terms and this privacy policy. The acceptance is timestamped and linked to the email address.
B.3 Profiling (art. 22 GDPR)
The memory profile is automated processing designed to personalise the clone's behaviour. It does not produce legal effects or decisions significantly affecting the visitor. Visitors may reset or delete their memory profile by writing to privacy@clonify.com, or continue anonymously to avoid building one.
C. Subprocessors
We rely on the following subprocessors, each bound by a DPA with appropriate safeguards (Standard Contractual Clauses for US-based vendors).
| Vendor | Purpose | Location | DPA |
|---|---|---|---|
| Neon Inc. | PostgreSQL database | EE.UU. / UE | view |
| Upstash Inc. | Rate limiting and cache | EE.UU. / UE | view |
| Sentry | Error telemetry and logs | EE.UU. | view |
| OpenAI L.L.C. | Language models (clone replies) | EE.UU. | view |
| Anthropic PBC | Language models (clone replies) | EE.UU. | view |
| Resend Inc. | Transactional email delivery | EE.UU. | view |
| AssemblyAI Inc. | Audio transcription | EE.UU. | view |
| Replicate Inc. | Auxiliary audio processing | EE.UU. | view |
| Vercel Inc. | Web application hosting | EE.UU. | view |
| Cloudflare R2 | File storage | EE.UU. / UE | view |
| PostHog Inc. | Product analytics and usage behaviour | UE (Frankfurt) | view |
Analytics and marketing tools (Google Analytics, Facebook Pixel, etc.) are NOT in use today and will only be added after a working consent banner is in place.
D. Retention
Clonify applies a Shopify-style soft-delete retention schedule:
- Active tenant: creator data retained indefinitely while the subscription is active. Visitor data retained for 3 years from last interaction.
- Tenant cancelled: workspace enters "suspended" state, visitor data retained for 90-day grace period.
- After 90 days: visitor data purged. Minimal tenant skeleton (billing/tax records) kept 4 years for Spanish fiscal obligations, then deleted.
- Visitor deletion request: processed immediately, regardless of tenant status.
E. Your rights
Under GDPR and Spanish data protection law you have the rights of access, rectification, erasure, opposition, restriction, portability, and not to be subject to solely automated decisions (ARSULIPO).
To exercise any of these, write to privacy@clonify.com including proof of identity. We respond within 30 days. If you are a visitor of a clone, we will forward the request to the corresponding creator (controller) when applicable.
You may also lodge a complaint with the Spanish AEPD (www.aepd.es) or your local supervisory authority.
F. Security
We apply technical and organisational measures: multi-tenant isolation enforced by code review and lint, TLS in transit, encryption at rest by Neon, rate limiting on sensitive endpoints, OTP for sensitive flows, role-based access control, CORS pinning, and security logging via Sentry.
G. International transfers
Some subprocessors are based in the United States. Transfers are covered by Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, by the EU-US Data Privacy Framework.
H. Minors
Clonify is intended for users over 16. We do not knowingly collect data from minors below this age.
I. Changes
We may amend this policy to reflect legal or service changes. Material changes will be notified by email or by a prominent notice on the platform.