Privacy Policy
This Privacy Policy explains how Clan AI ("Clan AI", "we", "us", "our") collects, uses, discloses, and protects personal data across our products, including:
- Auto Book — our AI-powered accounts-payable automation service that processes invoices from connected email inboxes and syncs them to your accounting software.
- Auto Reply — our AI-powered WhatsApp customer-support service available at autoreply.clanai.sg.
Each of the above is referred to in this Policy as a "Service", and collectively as the "Services". This Policy is issued in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and other applicable data-protection laws. By using a Service, you consent to the collection, use, and disclosure of your personal data as described here.
1. Personal Data We Collect
We may collect the following categories of personal data:
- Account information: name, email address, profile photo, and authentication credentials (handled by our identity provider).
- Business information: company name, business address, industry, common services or vendor types, GST registration status, and other workspace context you choose to provide.
- Conversation and message data (Auto Reply): content of WhatsApp conversations, contact phone numbers, contact display names, and any context the AI uses to reply.
- Bill and invoice data (Auto Book): documents you upload or that arrive via connected email accounts, including vendor names, invoice numbers, line items, amounts, dates, payment terms, and any text or metadata extracted from those documents.
- Email integration data (Auto Book): OAuth tokens for Gmail or Microsoft Outlook (encrypted at rest), email metadata (sender, subject, received date), and the contents of messages with invoice attachments processed by the Service.
- Calendar integration data (Auto Reply): OAuth tokens for Google Calendar (encrypted at rest), the list of calendars on your account, and the start/end times of events on the calendar you select for appointment sync.
- Accounting integration data (Auto Book): OAuth tokens for accounting platforms such as Xero (encrypted at rest) and chart-of-accounts data synced from your accounting system.
- AI configuration: the AI provider, model, and (where applicable) API key you configure for your workspace. API keys are encrypted at rest.
- Usage and technical data: log data, IP addresses, browser type, device identifiers, and timestamps generated when you interact with the Services.
2. How We Collect Personal Data
We collect personal data when you:
- Create an account or sign in to the Services;
- Configure your workspace, settings, or integrations;
- Connect your email inbox, calendar, or accounting software;
- Upload bills, invoices, or other documents;
- Receive emails with invoice attachments through a connected mailbox;
- Send or receive messages through a connected WhatsApp Business number;
- Communicate with us by email or other means.
3. How We Use Your Personal Data
We use your personal data to:
- Provide, operate, and maintain the Services;
- Generate AI replies to your customers (Auto Reply) and extract structured data from invoice documents (Auto Book), and present results for your review and approval;
- Match invoices to vendors and chart-of-accounts entries;
- Sync approved bills to your connected accounting software (e.g., Xero);
- Schedule and update appointments on the calendar you connect to Auto Reply;
- Authenticate users and prevent fraud or abuse;
- Respond to support requests, queries, or complaints;
- Improve the Services, including reliability, performance, and accuracy;
- Comply with our legal, regulatory, and contractual obligations.
4. AI Processing
Each Service uses third-party AI providers (such as Anthropic, OpenAI, or Google) to perform its core function — generating replies to WhatsApp messages (Auto Reply) or extracting structured data from invoices (Auto Book). Where applicable, the AI provider, model, and API key used to process your data are configured by you within your workspace settings.
We do not use your conversation data, email content, invoice content, calendar data, or other workspace data to develop, improve, or train generalised machine-learning or artificial-intelligence models for Clan AI or any third party. Data is sent to the configured AI provider only for the purpose of processing the specific message, document, or event in front of the user, and is subject to that provider's own data-handling policies, which we encourage you to review.
5. Google Gmail API Data Usage
When you connect a Gmail account to Auto Book, the Service accesses your Gmail data via the Gmail API to identify and process invoice attachments. Clan AI's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What we access
- Email metadata (sender, subject, received timestamp) for messages received in your connected Gmail account;
- Attachment files (PDFs and images) on those messages, for processing through our invoice-extraction pipeline;
- Push-notification updates via Google Cloud Pub/Sub when new messages arrive in your inbox.
How we use Gmail API data
- To detect new messages with invoice attachments and download those attachments;
- To extract structured invoice data using the AI provider you configure, with the attachment and minimal email context as input;
- To present extracted data to you in your Auto Book workspace for review and approval.
Limited Use commitments
In compliance with the Google API Services User Data Policy and its Limited Use requirements, Clan AI does NOT:
- Use Gmail API data to develop, improve, or train generalised machine-learning or artificial-intelligence models, whether for Clan AI or any third party;
- Transfer Gmail API data to third-party AI/ML tools or any other parties for the purpose of developing or improving generalised AI models;
- Use Gmail API data for advertising, marketing, or profiling purposes;
- Sell Gmail API data to any third party;
- Allow humans to read Gmail API data, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations such as troubleshooting;
- Use Gmail API data beyond the functionalities required to provide the Service as described in this Privacy Policy.
Storage and retention
Email metadata and downloaded attachments are stored only within your Auto Book workspace database. OAuth tokens used to access the Gmail API on your behalf are encrypted at rest using AES-256-GCM. We retain Gmail-derived data only for as long as necessary to provide the Service, as described in our Data Retention section.
Revoking access
You may revoke Clan AI's access to your Gmail data at any time:
- Within Auto Book: Settings → Email Connections → Disconnect;
- In your Google Account at https://myaccount.google.com/permissions.
6. Google Calendar API Data Usage
When you connect a Google account to Auto Reply, the Service accesses your Google Calendar via the Calendar API to read your availability and to create, update, and delete appointment events on the calendar you select. Clan AI's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What we access
- The list of calendars on your Google account (calendar names and identifiers), so you can pick which calendar Auto Reply should sync appointments to;
- The start and end times of events on the calendar you select, within the date range required to compute availability for appointment booking;
- The events that Auto Reply itself creates, updates, or deletes on your behalf in response to bookings made by your customers.
How we use Calendar API data
- To present a calendar selector after you connect Google so that you can choose which calendar Auto Reply should write to;
- To check existing busy/free times before offering appointment slots to your customers, preventing double-booking;
- To insert, update, or delete appointment events on your selected calendar at your direction or your customer's direction through the WhatsApp assistant.
Limited Use commitments
In compliance with the Google API Services User Data Policy and its Limited Use requirements, Clan AI does NOT:
- Use Google Calendar API data to develop, improve, or train any ML or AI models, whether generalized or non-personalized;
- Transfer Google Calendar API data to third-party AI/ML tools or any other parties for the purpose of developing or improving generalized AI models;
- Use Google Calendar API data for advertising, marketing, or profiling purposes;
- Sell Google Calendar API data to any third party;
- Allow humans to read Google Calendar API data, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations such as troubleshooting;
- Use Google Calendar API data beyond the functionalities required to provide the Service as described in this Privacy Policy.
Storage and retention
We do not maintain a long-term copy of your full calendar. We store only: the identifier of the calendar you selected, the identifiers of events that Auto Reply itself created, and short-lived caches of busy/free windows used for availability checks. OAuth tokens used to access the Calendar API on your behalf are encrypted at rest using AES-256-GCM.
Revoking access
You may revoke Clan AI's access to your Google Calendar at any time:
- Within Auto Reply: Settings → Calendar → Disconnect;
- In your Google Account at https://myaccount.google.com/permissions.
7. Disclosure of Personal Data
We do not sell your personal data. We may disclose your personal data to the following categories of recipients:
- Service providers: hosting, database, file storage, identity, email delivery, AI inference, and analytics providers acting on our behalf under appropriate contractual safeguards.
- Integrations you authorise: Gmail, Microsoft 365 / Outlook, Google Calendar, Xero, the WhatsApp Business Cloud API, and other systems you connect to the Services.
- Other workspace members: if you are part of a multi-user workspace, authorised members may view bills, vendors, conversations, appointments, settings, and activity recorded under that workspace.
- Legal and regulatory authorities: where disclosure is required by law, court order, or to protect our rights, property, or safety.
- Successors in interest: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
8. International Transfers
Your personal data may be processed and stored on servers located outside Singapore, including those operated by our cloud and AI service providers. Where personal data is transferred outside Singapore, we take steps to ensure that the recipient provides a standard of protection comparable to that under the PDPA.
9. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to provide the Services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. When data is no longer required, we will delete or anonymise it.
10. Data Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal data, including:
- Encryption of OAuth tokens and API keys at rest using AES-256-GCM;
- Transport-layer encryption (HTTPS/TLS) for data in transit;
- Authentication, role-based access controls, and least-privilege practices;
- Workspace-level data isolation in our database;
- Regular security updates and patching of underlying systems.
However, no method of transmission or storage is completely secure. You are responsible for keeping your account credentials and any AI provider API keys you supply confidential.
11. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate or incomplete personal data;
- Withdraw your consent to our collection, use, or disclosure of personal data;
- Request deletion of your account and associated data.
We will respond to access requests within seven (7) business days where reasonably practicable, and to consent withdrawal requests within twenty-one (21) business days. Withdrawing consent may prevent us from continuing to provide the Services to you.
12. Children's Privacy
The Services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal data from children.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact our Data Protection Officer at support@clanai.sg.