Privacy Policy · Disclos

Who we are

This policy is published by Disclos (Sole proprietorship · transitioning to limited company in 2026), jurisdiction Pakistan / European Union. We operate the website at disclos.vercel.app (interim) and the SDKs distributed under @disclos/* on npm.

For the purposes of GDPR Article 4(7), Disclos is the controller of personal data we collect on our marketing site and SDK telemetry, and a processor for audit events that flow through our ingestion pipeline on behalf of our customers.

If you have any concern about how your personal data is being used, write to us at official00980+privacy@gmail.com.

Data we collect

Information you give us directly

Account details — name, email and organisation, supplied when you sign up.
Billing information — payment method handled by Stripe; we never see card numbers.
Support correspondence — anything you write to our inboxes.

Information collected automatically

Usage telemetry — aggregated page views, feature use and timings (Vercel Web Analytics).
Error reports — stack traces and the URL of the failing request (Sentry). PII is scrubbed before submission.
Operational logs — IP address, user agent, response time and status code, retained for security and abuse-prevention purposes only.

Information from third parties

Authentication — when you sign in with Google, GitHub or another provider via Clerk, we receive your name, email and a stable identifier from that provider.

Why we process it

We use personal data only for clearly identified purposes:

Operating the Disclos service and the SDK runtime.
Provisioning accounts and routing alerts.
Customer support, billing and dispute resolution.
Detecting fraud, abuse and security threats.
Improving the product through aggregated analytics.
Meeting our own legal obligations (tax records, requests from competent authorities).

We do not sell personal data, ever. We do not share data with advertisers and we do not run third-party advertising trackers.

Lawful basis (GDPR Art. 6)

Activity	Lawful basis
Operating the service for paying customers	Contract — Art. 6(1)(b)
Sending essential service emails (security, billing)	Contract — Art. 6(1)(b)
Marketing emails to opted-in subscribers	Consent — Art. 6(1)(a)
Error tracking, fraud detection, abuse prevention	Legitimate interests — Art. 6(1)(f)
Tax, accounting and statutory record keeping	Legal obligation — Art. 6(1)(c)

Who we share with (sub-processors)

Disclos uses a small set of specialist sub-processors. All have data-processing agreements on file and process data only on our instructions:

Sub-processor	Purpose	Location
Vercel	Frontend hosting	USA · EU edges
Render	Backend hosting	USA
Cloudflare	Edge network, R2 object storage, KV	Global edge · EU regions enabled
Neon	Managed Postgres (EU region)	EU (Frankfurt)
Clerk	Authentication	USA
Stripe	Billing & payments	USA · Ireland
Upstash	Redis cache & queue (QStash)	EU + USA
Resend	Transactional email	USA
Sentry	Error monitoring	EU (Frankfurt)
Anthropic PBC	LLM inference for selected features	USA

A live list, with versions and DPAs, is maintained on our Data Processing Agreement page. Customers receive 30 days’ notice before any sub-processor is added or removed.

International transfers

Where personal data leaves the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (2021) together with a Transfer Impact Assessment. Customers may demand EU-only data residency on Enterprise plans.

Retention periods

Data	Default retention
Account records	Lifetime of account, then 90 days
Audit events (ingestion)	13 months hot · 7 years cold (R2)
Operational logs (HTTP, DB)	30 days
Error reports (Sentry)	90 days
Email correspondence	3 years from last contact
Billing records	10 years (statutory)

Your rights

Under GDPR (and equivalent regimes), you have the right to:

Access the personal data we hold about you.
Rectify incorrect or incomplete data.
Erase data, subject to overriding legal obligations.
Restrict or object to certain processing.
Receive a portable copy in JSON.
Withdraw consent at any time.
Lodge a complaint with your local supervisory authority.

To exercise any of these, email official00980+privacy@gmail.com. We respond within 30 days as required by Article 12(3).

Security

We take a defence-in-depth approach. Highlights:

TLS 1.3 in transit, AES-256 at rest.
Row-level security on every tenant-scoped table.
SHA-256 hash-chain over every audit event for tamper evidence.
Ed25519 signatures on outbound proof bundles.
Least-privilege IAM, secret rotation, and segregated production access.
Continuous error tracking, alerting and structured logging.

If you discover a vulnerability, please email official00980+security@gmail.com before public disclosure. We respond within 72 hours.

Cookies

We use a small number of cookies, listed below. None of them are used for advertising. You can withdraw consent for non-essential cookies at any time via the “Cookie preferences” link in the footer.

Cookie	Purpose	Lifetime	Required?
`__clerk_*`	Authentication session	Session / 1 yr	Yes
`disclos_cookie_consent`	Records your consent choice	6 months	Yes
`__vercel_analytics`	Anonymous page metrics	30 days	No (opt-in)

Children

Disclos is a business tool. We do not knowingly process personal data of anyone under 16. If you believe a child has registered, write to us at official00980+privacy@gmail.com and we will delete the account.

Automated decisions & AI

Disclos uses AI internally to (1) suggest risk classifications during onboarding, (2) polish customer-written descriptive text in compliance documents, and (3) analyse public web pages submitted to the free scanner. None of these systems makes solely automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22.

A complete machine-readable inventory of every AI system we operate is published at /ai-disclosures in accordance with EU AI Act Article 50.

Changes to this policy

We notify registered customers by email at least 30 days before any material change. Non-material changes (typo fixes, clarifications) take effect on publication.

Contact us

Privacy & GDPR — official00980+privacy@gmail.com
Data Protection Officer — official00980+dpo@gmail.com
Security & vulnerabilities — official00980+security@gmail.com
Abuse & misuse — official00980+abuse@gmail.com
General & press — official00980+hello@gmail.com