Privacy Policy
Effective 2026-04-22 (entity name updated 2026-05-08). GeoClear is operated by GeoClear, Inc., a Virginia corporation. GeoClear provides operational evidence, verification, and evidence-bundle services for AI actions, agent workflows, tool calls, and related enterprise workflows. We collect only what is required to operate, secure, improve, and support the service, and we never sell personal information.
1. Information we collect
When you use GeoClear (operated by GeoClear, Inc.), depending on the customer workflow and deployment model, we may collect:
- Account and contact data — your email address (for account access and service delivery) and related contact information.
- Billing data — processed by Stripe; we never store full card numbers.
- Service request and workflow data — action metadata, request payloads, identifiers, customer-provided context, and the responses we return. Depending on the customer workflow this may include addresses, coordinates, action metadata, policy-result metadata, evidence commitments, verification status, timestamps, identifiers, and related customer-provided context.
- Evidence metadata and verification data — signature references, verification material identifiers, evidence-packet summaries, and policy-version references.
- Portal and usage data — portal interactions, project membership, and usage counters associated with the customer account.
- Technical and security data — IP address, user-agent, and rate-limit counters for abuse prevention and service reliability.
- Communications and support data — email and support correspondence with our team.
- Website analytics and consent data — covered in Section 11.
2. How we use information
- Provide and operate the operational evidence, verification, and evidence-bundle services the customer is using.
- Bill the customer accurately via Stripe.
- Detect and prevent abuse (rate limits, fraud signals).
- Improve service quality using aggregate, de-identified analytics only.
- Provide support and respond to inquiries.
3. What we do NOT do
- We do not sell personal information.
- We do not use customer service-request data to train third-party AI models.
- We do not share request-level data with advertisers.
3a. Customer trust boundary (design posture)
GeoClear is designed to support customer-held evidence and minimized-data workflows. Raw mission or enterprise data does not need to leave the customer boundary by default when a customer uses evidence commitments, policy results, and retained verification material. This is a design posture; specific behavior depends on the customer’s configuration and deployment model.
4. Data retention
Account and contact data: retained while the account is active and for 7 years after closure (tax/financial records). Service logs: 90 days rolling. Billing records: 7 years. Evidence bundles can be customer-held; GeoClear retention of evidence-related artifacts depends on the customer’s deployment model and configuration. You may request earlier deletion at any time, subject to applicable record-keeping obligations.
5. Sub-processors
We use Amazon Web Services (cloud hosting and data storage), Stripe (payment processing), Resend and SendGrid (transactional email), Sentry and Axiom (observability and security monitoring), and Upstash (cache/queue). Each is contractually bound to the same data-protection standards required of GeoClear.
6. California residents, CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information. You have the right to:
- Know what categories and specific pieces of personal information GeoClear has collected about you, the sources, the purposes of collection, and the categories of third parties (sub-processors) with whom we share it.
- Delete your personal information, subject to limited exceptions (e.g., tax/financial records we must retain by law).
- Correct inaccurate personal information we maintain.
- Opt out of the sale or sharing of your personal information. GeoClear does not sell or share personal information as those terms are defined under CCPA/CPRA, including for cross-context behavioral advertising. There is nothing to opt out of, and we do not process any sensitive personal information for purposes that would require an opt-out.
- Limit use of sensitive personal information. GeoClear does not seek to collect or process sensitive personal information (SSNs, precise geolocation of individuals, genetic/biometric data, health data, etc.) for purposes that would require an opt-out under CCPA/CPRA. Depending on the customer workflow, addresses or coordinates may be submitted by the customer; whether any such data is “sensitive personal information” under CCPA/CPRA for a given workflow may depend on the context. Customers retain responsibility for the data they submit and the workflows they configure.
- Non-discrimination. We will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right.
To exercise any of these rights, email privacy@geoclear.io from the email on your account, or provide equivalent verification. We will respond within 45 days (extendable to 90 days for complex requests with notice). You may also designate an authorized agent to submit requests on your behalf; we will verify the agent's authorization.
7. EU / UK residents, GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights under GDPR / UK GDPR to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. GeoClear is the data controller for your account data and a data processor for personal data you submit through our API. Our lawful basis for processing is the performance of our contract with you (service delivery) and legitimate interests (abuse prevention, service reliability). International transfers rely on Standard Contractual Clauses (SCCs).
To exercise your rights or lodge a complaint with your local supervisory authority, contact privacy@geoclear.io. We respond within 30 days.
8. Data Processing Addendum (DPA) for business customers
If you are processing personal data through the Service on behalf of your end users and need a DPA for GDPR Article 28 or CCPA Service Provider requirements, email legal@geoclear.io to request one. Our DPA incorporates the European Commission's Standard Contractual Clauses (2021/914) for international transfers and designates GeoClear as a Processor / Service Provider with appropriate technical and organizational measures.
9. Children
The GeoClear Service is a B2B API intended for businesses and developers. It is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.
10. Security
All traffic is TLS-encrypted. API credentials are protected using one-way cryptographic controls and are not stored in plaintext. Database access uses IAM-scoped short-lived credentials (no static passwords). See Security & Trust for details.
11. Web analytics
We use Google Analytics 4 (GA4) on geoclear.io to measure aggregate site usage, pageviews, demo starts, content downloads, and conversion events. The following discipline applies and is enforced in code:
- No PII transmitted to Google. We never send your email, name, API key, or any free-text identifier into GA4 events.
- Identity is a hashed Cognito subject identifier when you are signed in, a one-way SHA-256 hash. Anonymous client IDs are used otherwise.
- We do not track admin.geoclear.io. The internal admin app does not load any third-party analytics.
- Consent Mode v2 default-deny. Until you accept the cookie banner, no analytics cookies are set.
- IP anonymization is on globally. Your full IP address is never stored by Google.
- Google Signals is off. We do not opt into Google's cross-device user matching.
- Data retention is 14 months. Older event detail is automatically purged.
- Bot traffic is filtered at the source. If your User-Agent identifies as automated, the analytics script is never loaded. Machine-to-machine API observability uses a separate stack that does not share an event store with GA4.
- You can opt out at any time by clearing the consent cookie or using your browser's tracking-prevention features.
12. Changes to this policy
We will post any material changes at geoclear.io/privacy with 30 days' advance notice to the email on record. The "Last updated" date at the bottom of this page reflects the current effective version. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
Privacy questions or rights requests: privacy@geoclear.io. Legal matters: legal@geoclear.io. Security reports: security@geoclear.io.
Data controller: GeoClear, Inc., Commonwealth of Virginia, United States.
Last updated: 2026-05-08 · positioning-language cleanup 2026-05-31; substantive legal review pending