Privacy Policy

Last updated: June 26, 2026

1. Introduction

Clint AI (“Clint,” “we,” “us,” “our”) operates the Clint platform at clint.build (the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, the choices and rights you have, and how we protect your information. It applies to your use of the Service, including your interaction with our website, generation tooling, chat interfaces, dashboards, billing, support, marketing communications, and our API. It also describes our role with respect to data collected by applications you generate, deploy, and operate using the Service (“Generated Applications”) and the responsibilities that role allocates between you and us. By creating an account, signing in, accessing the Service, or otherwise interacting with us, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy forms part of, and is incorporated by reference into, our Terms of Service.

2. Definitions

  • “Account” means the user account you create on the Service.
  • “Application Data” means data that a Generated Application collects, stores, processes, or transmits in the course of its operation.
  • “End User” means any person who interacts with a Generated Application.
  • “Personal Data” means information relating to an identified or identifiable natural person, as defined by applicable law.
  • “Sub-Processor” means a third party that processes data on our behalf to deliver the Service.
  • “Your Content” means prompts, chat messages, source files, schemas, application data, uploaded files, configuration, settings, credentials, and other content you submit to or store on the Service.

3. Our Role: Controller vs. Processor

We act in different capacities for different categories of data:

  • Controller. We are the data controller (or business, as defined under CCPA/CPRA) for Personal Data you provide to us when you create and manage your Account, contact support, subscribe to a paid plan, communicate with us, or interact with our marketing.
  • Processor (Service Provider). We act as the data processor (or service provider, as defined under CCPA/CPRA) for Application Data that Generated Applications collect from End Users. You determine the purposes and means of processing that Application Data; we process it on your behalf to provide hosting, deployment, and runtime services. Where the GDPR or analogous laws apply to Application Data, the data-processing terms in Section 14 of this Privacy Policy apply. A separate Data Processing Addendum is available upon request to dpa@clint.build.

4. Information We Collect

4.1 Information You Provide Directly.

  • Account information: email address, name, password (stored as a PBKDF2-SHA-256 hash with a unique per-user salt and 600,000 iterations — never in plaintext), and authentication tokens.
  • Authentication factors: if and when offered, second-factor codes, recovery codes, passkeys, and similar.
  • Prompts and chat messages: the natural-language descriptions you submit to build, edit, or modify Generated Applications, plus follow-up chat messages, attachments, and pasted content.
  • Third-party credentials and configuration: API keys, OAuth client identifiers and secrets, payment-processor secrets, webhook signing secrets, and other credentials you enter in Settings to enable features in Generated Applications. Credential fields are encrypted at rest using AES-GCM authenticated encryption (see lib/credentialCipher.ts) and injected as Vercel environment variables at deploy time. Plaintext credential values are never embedded in client-side Generated Application code.
  • Billing information: if you subscribe to a paid plan, the billing email, plan tier, subscription identifier, Stripe customer identifier, invoice history, and amounts paid. Payment-card data is collected and stored exclusively by Stripe; Clint never sees, stores, or processes card data.
  • Tax information: for invoicing and tax-compliance purposes, we may collect billing address, country, state or province, postal code, tax identification numbers (VAT, GST, etc.), and exemption certificates.
  • Account preferences: theme, layout, sidebar state, usage-alert thresholds, hard-limit caps, and similar configuration.
  • Support communications: the contents of any support ticket, email, chat, or call with us, including any attachments and metadata.
  • Survey responses, user research, beta enrollment: if you participate, the responses you provide.
  • Marketing preferences: opt-in choices, opt-outs, and topic interests where requested.

4.2 Information Generated by the Service.

  • Generated source code: HTML, CSS, JavaScript, JSON, serverless function files, and other files produced from your prompts.
  • Database provisioning data: a dedicated PostgreSQL schema is provisioned per project on Neon (running on AWS). The schema, table structures, indexes, constraints, and Application Data written to it are stored in that schema.
  • Test results and artifacts: browser-automation outcomes, video recordings, screenshots, console logs, error stack traces, network traces, and test reports.
  • Deployment metadata: Vercel deployment URLs, deployment identifiers, build logs, function logs, and environment-variable inventories (variable names only — values are never logged).
  • Version snapshots: copies of project files captured before each modification, retained per plan limits.
  • Usage ledger: token counts, model-call durations, deploy counts, build counts, SMS counts, email counts, blob storage usage, AI test runs, and other consumption metrics for billing, rate-limit enforcement, and analytics.
  • Diagnostic logs: application server logs, function logs, queue logs, and security event logs.

4.3 Information Collected Automatically.

  • Server logs: IP address, user-agent string, request paths, response codes, request and response sizes, request times, referrer, and timestamps. Used for security monitoring, rate limiting, abuse prevention, capacity planning, and operational debugging.
  • First-party analytics: we operate a first-party analytics pipeline (no third-party analytics SDKs) that records page views, referrer, country (derived from network-edge headers; the raw IP is not retained), device type, screen size, and a session identifier. We do not use third-party advertising trackers, fingerprinting libraries, cross-site tracking pixels, or session-replay tools that record raw user input.
  • Pseudonymous identifiers: a daily-rotating salted hash of (IP, user-agent) is computed to deduplicate visitors in analytics without storing the raw IP. The salt rotates daily and is seeded from a private secret.
  • Error reports: stack traces, error messages, and request context for crashes, failed builds, and broken deploys, used to improve reliability.
  • Performance telemetry: latency measurements, queue lengths, build durations, and similar operational metrics.
  • Security telemetry: records of failed logins, suspicious activity, rate-limit hits, blocked requests, and similar events.

4.4 Information from Other Sources.

We may receive information about you from third parties, including: payment processors (transaction confirmations, fraud signals); authentication providers (where you sign in with an OAuth provider, identity attributes that provider shares with us); identity-verification services (where we use them for KYC on certain plans); referral partners (referral attribution); marketing partners (lead information you consent to share); publicly available sources (e.g., social-media profile pages you make public); and law-enforcement or regulatory authorities (in connection with legal process).

4.5 Sensitive Personal Data.

We do not knowingly request, and we ask you not to submit through the Service, any “sensitive” or “special-category” Personal Data such as health information, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sexual orientation, sex life, criminal history, financial-account credentials, government-issued identification numbers, or precise geolocation. If you submit such data in a prompt or chat message, you do so at your own risk, and you represent that you have a lawful basis under applicable law to do so. The Service is not designed or certified for processing such data.

5. How We Use Information

We use information for the following purposes, each under the lawful basis indicated under the GDPR or analogous law:

  • Operate the Service (performance of contract): generate code from prompts, provision databases, run automated tests, deploy to Vercel, process chat edits, serve dashboards, render analytics, run billing, and provide customer support.
  • AI processing (performance of contract): send prompts, chat messages, project context, and generated code to one or more large-language-model providers for generation and editing. Providers process the input under enterprise data agreements that, where available, prohibit training on customer data and minimize retention.
  • Account communication (performance of contract): send transactional email (password reset, security alerts, billing receipts, service announcements).
  • Billing and usage enforcement (performance of contract; legal obligation): calculate plan usage, apply limits, prevent abuse, bill paid plans through Stripe, generate invoices, calculate and remit taxes.
  • Security and fraud prevention (legitimate interest; legal obligation): detect credential stuffing, brute-force login attempts, prompt-injection attacks, runaway automation, denial-of-service patterns, payment fraud, and other abuse.
  • Service improvement (legitimate interest): aggregate and anonymize usage and error data to improve generation quality, fix bugs, tune rate limits, and design new features. We do not use prompts, chat messages, generated code, or Application Data to train AI models.
  • Marketing (consent; legitimate interest where applicable): send opt-in product updates, blog posts, event invitations, surveys, and offers. You may opt out at any time via the link in any marketing email or via Settings.
  • Legal compliance (legal obligation): respond to lawful requests from public authorities, comply with court orders, comply with tax and accounting obligations, enforce contractual obligations, and defend our legal rights.
  • Vital interests: in the rare event that processing is necessary to protect the vital interests of you or another person (e.g., emergency disclosures to prevent serious harm).

What we do not do: We do not sell your Personal Data. We do not share Personal Data with advertising networks or data brokers. We do not use your prompts, chat messages, generated code, or Application Data to train AI models — neither ours, nor a sub-processor's, nor a third party's. We do not access your application database except as required to provide hosting, backups, billing, and abuse prevention. We do not engage in cross-context behavioral advertising (CCPA/CPRA).

6. Data Storage Architecture

  • Project files (code): stored in S3-compatible object storage scoped per user, served through the Clint application server, and deployed to Vercel's global CDN.
  • Application databases: stored in Neon PostgreSQL on AWS. Each project receives an isolated schema within a shared Neon project. Schemas are not cross-readable between projects; the database proxy enforces schema scoping on every query.
  • Clint authentication database: account credentials (PBKDF2 hashes plus salts), session tokens, and hashed password-reset codes live in a dedicated clint_auth schema separate from any Generated Application's database.
  • Settings and credentials: stored per user in object storage. Credential fields are encrypted at rest with AES-GCM and only decrypted in memory at deploy time.
  • Chat history: stored as JSON files alongside project files. Up to 200 messages are retained per project; older messages are pruned automatically.
  • Uploaded files: files uploaded through the Generated Application uploadFile() helper are stored in Vercel Blob with public URLs. Treat anything uploaded as publicly addressable.
  • Backups and snapshots: we take periodic backups of platform data for disaster recovery. Project version snapshots are stored alongside project files.

7. Security Measures

  • Account passwords hashed with PBKDF2-SHA-256, 600,000 iterations, unique per-user salt. Plaintext passwords are never stored or transmitted server-to-server.
  • Credentials in Settings encrypted at rest with AES-GCM authenticated encryption; encryption keys are managed separately from the data.
  • Session tokens delivered as HttpOnly, Secure cookies. Password resets invalidate prior sessions via a per-user password_changed_at check on every request.
  • All AI model calls in Generated Applications proxied through a server-side function (/api/openai); model API keys are never exposed in client-side code.
  • Database access from Generated Applications routed through a moat (/api/db); the database connection string is not visible to the browser.
  • Outbound fetches from custom serverless functions routed through an SSRF-hardened helper that blocks private-IP, link-local, metadata-server, IPv4-encoding-bypass, and IPv6-loopback targets.
  • All transport encrypted using TLS 1.2+ ciphers; database connections use SSL.
  • Per-project schema isolation enforced at the proxy layer.
  • Rate limits at signup, login, password reset, chat, build, redeploy, and proxy endpoints to mitigate abuse.
  • Automated dependency scanning, vulnerability scanning, and patch management.
  • Least-privilege access controls and separation of duties for personnel.
  • Logging and monitoring with alerting for suspicious patterns.
  • Coordinated vulnerability disclosure process. Report security issues to security@clint.build with a PGP-encrypted message if sensitive.

No system is perfectly secure. While we apply industry-standard practices, we cannot guarantee absolute security. You should use a strong, unique password; enable multi-factor authentication where available; never share credentials; and report suspected unauthorized access immediately.

8. Sub-Processors

We share data with sub-processors only as necessary to operate the Service. Current sub-processors:

  • Vercel (Vercel, Inc.): hosts the Clint application and Generated Applications. Receives generated app files and environment variables at deploy time.
  • Neon (Neon, Inc.): hosts the PostgreSQL databases used by Clint and by Generated Applications. Receives schema definitions and data your apps store.
  • AI model providers: prompts, chat messages, generated code, and project context are sent to one or more large-language-model providers for generation and editing under enterprise data agreements that, where available, disable training on customer data and minimize retention. The current providers are configured to use enterprise no-training endpoints.
  • Stripe (Stripe, Inc.): processes subscription billing for paid plans and processes payments inside Generated Applications that opt into Stripe checkout. Card data is collected directly by Stripe; Clint stores only Stripe customer and subscription identifiers.
  • SendGrid (Twilio Inc.): sends transactional email for both Clint (password resets, billing receipts, security alerts) and Generated Applications that use the sendEmail() helper. Receives recipient addresses and message bodies.
  • Twilio (Twilio Inc.): sends SMS for Generated Applications that use the sendSMS() helper. Receives recipient phone numbers and message bodies.
  • Vercel Blob: stores files uploaded through the Generated Application uploadFile() helper. Uploaded files are publicly addressable.
  • AWS (Amazon Web Services, Inc.): underlying infrastructure for Neon, for the object storage used to hold project files, and for backups.
  • OAuth providers: when you (or End Users of your Generated Applications) connect a third-party account (Google, Microsoft, Slack, Spotify, GitHub, Notion, Strava, etc.), we exchange the OAuth tokens required to complete the requested action. We never see passwords for those services.
  • Customer support tooling: we may use email and ticketing tools to respond to support inquiries.
  • Error monitoring: we may use a third-party error-tracking service to receive stack traces and request context for crashes.

Sub-processors change as the Service evolves. We will post material changes on this page. We do not sell Personal Data to any party. We require sub-processors to commit to confidentiality, security, and data-protection obligations no less protective than those in this Privacy Policy.

9. International Data Transfers

Clint is operated from the United States. Your information and your Application Data may be transferred to, stored in, and processed in the United States and in other countries where our sub-processors operate, which may not provide the same level of data protection as your country of residence. By using the Service you consent to these transfers. Where required (for example, for transfers of EEA, UK, or Swiss Personal Data to the United States), we rely on the European Commission's Standard Contractual Clauses (SCCs) of June 4, 2021 (Module Two: Controller-to-Processor; Module Three: Processor-to-Processor), the UK International Data Transfer Addendum, the Swiss SCC supplement, the EU-U.S. Data Privacy Framework (where we self-certify), or another lawful transfer mechanism. We use supplementary measures (encryption in transit and at rest, access controls, transparency reporting, challenge of overbroad legal requests) consistent with the European Data Protection Board's recommendations on supplementary measures. For DPA requests and SCC execution, contact dpa@clint.build.

10. Data Retention

  • Projects: retained until you delete the project or close your account. Deleted projects move to a trash bucket for thirty (30) days, then are permanently purged.
  • Version snapshots: retained per plan limit (Pro: 20 most recent; Ultra: unlimited). Older snapshots are pruned automatically.
  • Application databases: retained for the life of the project. Deletion of the project drops the schema. Neon point-in-time-restore retains short-term replication state per Neon defaults; ask if you need a hard delete.
  • Chat history: capped at 200 messages per project; oldest pruned automatically.
  • Server logs: rotated within 30 days unless retained longer for active security investigations or as required by law.
  • Analytics: aggregated metrics retained indefinitely in anonymous, de-identified form.
  • Password reset codes: stored only as hashes; expire 15 minutes after issuance; consumed codes are marked used and purged on the next sweep.
  • Session tokens: retained until expiry or revocation.
  • Billing records: retained for the period required by tax law (typically seven years in the United States).
  • Account data on closure: when you close your account, project files, databases, snapshots, chat history, and credentials are deleted within 30 days. Anonymized billing and tax records are retained for compliance.
  • Backups: rolling backups are overwritten on schedule; deletion of data from primary storage may be replicated to backups within the standard rotation cycle.

11. Your Rights

Depending on where you live, you may have one or more of the following rights regarding your Personal Data:

  • Right to know / access: request a copy of the Personal Data we hold about you.
  • Right to correct / rectify: request correction of inaccurate Personal Data.
  • Right to delete / erase: request deletion of your Personal Data and projects.
  • Right to portability: request your data in a structured, commonly used, machine-readable format.
  • Right to object / restrict: object to certain processing or request that we restrict processing.
  • Right to withdraw consent: where we rely on consent (for example, marketing email), withdraw it at any time.
  • Right against automated decision-making: object to fully automated decisions producing legal or similarly significant effects.
  • Right to opt out of “sale” or “sharing”: we do not sell or share Personal Data within the meaning of CCPA/CPRA, but you nonetheless may exercise the right to opt out.
  • Right to opt out of profiling: we do not engage in profiling that produces legal or similarly significant effects.
  • Right to nondiscrimination: we do not discriminate against you for exercising any privacy right.
  • Right to lodge a complaint: with your data-protection authority or attorney general.

To exercise any right, email privacy@clint.build with the subject line indicating the right (e.g., “Access Request”). We will verify your identity through your Account email and respond within the time required by applicable law (typically 30 to 45 days). For requests by an authorized agent, we may require evidence of authorization. If we deny a request, we will explain why.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”) gives you specific rights regarding your Personal Information:

  • Right to know: request the categories and specific pieces of Personal Information we have collected, the categories of sources, the purposes for collecting, and the categories of third parties with whom we share Personal Information.
  • Right to delete: request deletion of Personal Information we collected from you.
  • Right to correct: request correction of inaccurate Personal Information.
  • Right to opt out of sale or sharing: direct us not to “sell” or “share” your Personal Information. We do not sell or share Personal Information within the meaning of CCPA/CPRA.
  • Right to limit use of sensitive Personal Information: direct us to limit use of sensitive Personal Information. We do not knowingly collect sensitive Personal Information beyond what is necessary to provide the Service you requested.
  • Right to non-discrimination: we will not deny goods or services, charge different prices, or provide a different level of quality because you exercised a privacy right.

Categories of Personal Information we collect (in CCPA terms): identifiers (Account email, IP address, device identifiers), commercial information (billing history, subscription tier), Internet or other electronic network activity (browsing on the Service, interactions with features), geolocation (coarse, country-level, derived from IP), professional or employment-related information (if you provide it in support communications), inferences drawn from the foregoing (usage profile).

We do not collect biometric information, sensitive Personal Information (other than account credentials), or information about consumers we know to be under 16. We retain Personal Information for the periods described in Section 10.

To submit a CCPA/CPRA request, email privacy@clint.build. You may designate an authorized agent. We may verify your identity through your Account email or through reasonable verification questions.

13. Other U.S. State Privacy Laws

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (INDPA), Texas (TDPSA), Tennessee (TIPA), Montana (MCDPA), Oregon (OCPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Florida (FDBR), Minnesota (MCDPA), Maryland (MODPA), Rhode Island (RIDTPPA), or another state with a comprehensive privacy law, you have rights similar to those described in Section 12, subject to the variations in the applicable law. We honor verified data-subject rights regardless of state of residence. To submit a request, email privacy@clint.build. For Colorado, we honor the Global Privacy Control signal as a valid opt-out of any “sale” or “sharing.” For appeals, email the same address and we will respond within the period required by your state law.

14. EEA, UK, and Swiss Residents (GDPR / UK GDPR / FADP)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following provisions apply.

14.1 Controller.

For Personal Data we collect about you in our role as a controller (Account data, billing, support, marketing), our identity and contact details are set forth in Section 19.

14.2 Lawful Bases.

We rely on the lawful bases set forth in Article 6 GDPR as identified in Section 5 above. For special-category data, we do not knowingly process it.

14.3 Rights.

You have the rights set forth in Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right not to be subject to a decision based solely on automated processing. To exercise rights, email privacy@clint.build. You also have the right to lodge a complaint with your supervisory authority.

14.4 Processor Role.

For Application Data, we act as your processor. Where the GDPR or analogous law applies, the following processor terms apply and constitute a Data Processing Addendum between you (as controller) and us (as processor):

  • Subject matter and duration: processing of Application Data for the duration of your subscription.
  • Nature and purpose: hosting, deployment, runtime execution, backup, restore, billing, and abuse prevention.
  • Categories of data subjects: End Users of your Generated Applications and other persons whose data you cause to be processed.
  • Categories of Personal Data: determined by you; may include identifiers, contact data, account credentials (hashed), profile data, content data, and Application Data otherwise determined by you.
  • Obligations of the processor: we process Application Data only on documented instructions from you (which include your configuration of the Generated Application); we ensure persons authorized to process Application Data are subject to confidentiality; we apply the security measures described in Section 7; we engage sub-processors as listed in Section 8 and notify you of changes; we assist you with data-subject requests and breach response to the extent reasonably possible; and at termination, we delete or return Application Data subject to retention obligations.
  • International transfers: we rely on Standard Contractual Clauses (Module Two and/or Three) for transfers from the EEA, the UK International Data Transfer Addendum, and the Swiss SCC supplement, as described in Section 9.
  • Audits: upon reasonable written request, no more than once per year, we will make available information necessary to demonstrate compliance with Article 28 GDPR, subject to confidentiality. We do not permit on-site audits.

A standalone DPA is available on request to dpa@clint.build.

14.5 UK GDPR and Swiss FADP.

References to the GDPR include, mutatis mutandis, the UK GDPR (as defined in the UK Data Protection Act 2018) and the Swiss Federal Act on Data Protection (FADP), to the extent applicable. International transfer mechanisms apply correspondingly.

15. Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), and Other Jurisdictions

If you are located in Brazil, Canada, Australia, Japan, South Korea, Singapore, India, South Africa, or another jurisdiction with a comprehensive data-protection law, you have rights and protections equivalent to those described above, as adapted to the applicable law (Lei Geral de Proteção de Dados, the Personal Information Protection and Electronic Documents Act, the Privacy Act 1988, the Act on the Protection of Personal Information, the Personal Information Protection Act, the Personal Data Protection Act 2012, the Digital Personal Data Protection Act 2023, the Protection of Personal Information Act, etc.). To submit a request or for a copy of the applicable supplemental terms, email privacy@clint.build.

16. Application End-User Data

When you deploy a Generated Application, that application may collect Personal Data from End Users (account signups, form submissions, uploaded files, user-generated content, and so on). With respect to that Application Data:

  • You are the data controller (or business). You determine the purposes and means of processing.
  • Clint is the data processor (or service provider). We host the database, run the deployed code, and operate billing and abuse prevention. We do not use Application Data for any other purpose.
  • You are responsible for: publishing your own privacy policy in the Generated Application; obtaining all required consents; complying with all applicable law (GDPR, UK GDPR, CCPA/CPRA, PIPEDA, LGPD, POPIA, PDPA, APPI, PIPA, COPPA, BIPA, GLBA, HIPAA, FERPA, sector-specific laws); responding to data-subject requests; notifying End Users and regulators of data breaches; obtaining business-associate agreements where applicable; and complying with marketing and telemarketing laws (CAN-SPAM, CASL, ePrivacy Directive, TCPA).
  • Clint accesses Application Data only as necessary: to host the database, run the deployed code, operate billing and abuse prevention, troubleshoot a support ticket you open, comply with law, or defend our legal rights.
  • No training: Application Data is never used to train AI models.
  • DPA: a Data Processing Addendum is available on request to dpa@clint.build.

17. Children's Privacy

The Service is not intended for, and is not directed at, individuals under 13. We do not knowingly collect Personal Data from children under 13. If you believe a child has provided us with Personal Data, email privacy@clint.build and we will delete the information promptly. If you build a Generated Application that collects Personal Data from children under 13, you are solely responsible for complying with COPPA, including obtaining verifiable parental consent. If your Generated Application is directed at children under 16 in the EEA or UK, you are responsible for compliance with GDPR Article 8 and the UK Age Appropriate Design Code. If your Generated Application is directed at California minors under 18, you are responsible for compliance with the California Age-Appropriate Design Code Act. Clint does not provide tooling to satisfy these obligations; you must implement them yourself.

18. Cookies, Storage & Tracking

Clint uses the minimum browser storage required to operate the Service:

  • Authentication cookies: a single HttpOnly, Secure cookie holds your Clint session token. Strictly necessary; cannot be disabled while signed in.
  • localStorage: UI preferences (theme, sidebar state) and, in Generated Applications that ship the optional authentication system, an End User auth token.
  • sessionStorage: a non-persistent session identifier used to deduplicate page views in the first-party analytics pipeline.
  • First-party analytics cookie: none. The analytics pipeline relies on the daily-rotating salted hash described in Section 4.3 and on sessionStorage.

We do not use third-party advertising cookies, retargeting pixels, cross-site tracking, browser fingerprinting libraries, or session-replay tools that record raw user input. We honor browser “Do Not Track” signals and the Global Privacy Control signal for residents of jurisdictions where such signals carry legal weight.

19. AI Training

We do not use your prompts, chat messages, generated code, Application Data, settings, or other content to train AI models — ours, our sub-processors', or any third party's. We have configured upstream model providers under enterprise terms that disable training on customer data where such terms are offered. If a sub-processor changes its terms in a way that would permit training, we will update this Policy and the Sub-Processor List in advance of the change.

20. Automated Decision-Making

We use automated systems for the following limited purposes: detection of abusive sign-ups, rate-limit enforcement, fraud screening, content moderation against the Acceptable Use Policy, dynamic plan-limit decisions, and routing of support inquiries. Where any such decision produces legal or similarly significant effects (for example, account suspension), you may request human review by emailing privacy@clint.build with a description of the decision and any context you would like considered.

21. Government & Law-Enforcement Requests

We may receive requests from law enforcement, regulators, courts, or other governmental authorities for Personal Data. We require such requests to be in writing, properly issued under applicable law, and narrowly scoped. We may challenge overbroad or unlawful requests in court. Where legally permitted, we will notify affected users of requests for their data unless we are subject to a gag order, national-security letter, or other restriction. We do not provide governments with direct or unmediated access to our systems. We may publish aggregate transparency reports about request volumes.

22. Data Breach Notification

If we become aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, we will: (a) assess the scope and impact of the incident; (b) take reasonable steps to contain, mitigate, and remediate; (c) notify affected users and, where applicable, regulators within the timeframes required by applicable law (for example, 72 hours under GDPR Article 33); (d) provide information necessary to address the incident; and (e) cooperate with any regulatory investigation. We maintain an incident-response plan and conduct exercises.

23. Marketing Communications

We may send you product updates, blog posts, event invitations, surveys, and offers if you opt in or if applicable law permits us to send such communications under a legitimate interest. You can opt out at any time using the unsubscribe link in any marketing email, in Settings, or by emailing privacy@clint.build. Opting out of marketing does not affect transactional and service communications (billing receipts, password resets, security alerts, service announcements), which we may continue to send as necessary to operate the Service. If you are in a jurisdiction where the law requires double opt-in, we honor that requirement. We comply with the CAN-SPAM Act, CASL, the ePrivacy Directive, and equivalent laws.

24. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on the Service and via email to active accounts. The “Last updated” date at the top of this page reflects the latest revision. Continued use after the effective date constitutes acceptance of the revised Policy. If a change reduces your rights or increases the scope of our processing in a material way, we will give you reasonable advance notice and, where required, seek your consent.

25. EU AI Act Disclosures

The Service incorporates general-purpose AI models in a chained, agentic configuration to provide its functionality. We do not knowingly use the Service to develop or deploy systems classified as “high-risk” or “prohibited” under the EU AI Act. If you operate a Generated Application that falls within Article 6 (high-risk) or that interacts with natural persons in the EU, you are responsible for complying with the obligations applicable to providers and deployers of such systems, including transparency, risk management, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, incident reporting, and registration where required. We do not act as a notified body. Where Article 50 transparency obligations apply (for example, AI-generated content created by a Generated Application that interacts with the public), you must ensure End Users are informed that they are interacting with an AI system and that any synthetic content is labeled as such.

26. Accessibility & Privacy

We aim to make this Privacy Policy accessible. If you have a disability and need this Policy in an alternative format, contact privacy@clint.build.

27. Do Not Sell My Personal Information / Do Not Share / Limit Use of Sensitive Personal Information

We do not sell or share Personal Information within the meaning of the CCPA/CPRA or the laws of other states with comprehensive privacy laws. We do not engage in cross-context behavioral advertising. If we change this practice, we will update this Policy and provide opt-out mechanisms. You may submit a request directing us not to use or disclose sensitive Personal Information for non-essential purposes by emailing privacy@clint.build.

28. Contact