Clovert ("we", "our", "the platform") is committed to protecting the personal data of its users in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection law. This Privacy Policy explains what data we collect, why, and how we protect it.
By using Clovert, you agree to the practices described in this policy.
1. Data We Collect
We collect the following categories of personal data:
- Account data: Name, work email address, company name, and password (stored as a salted hash — never in plain text).
- Employee profile data: Name, job title, department, manager, and employee ID — entered by HR administrators.
- Performance data: Self-evaluations, manager reviews, 9-Box ratings, goal progress, IDP content, and peer feedback entered into the platform.
- Usage data: Login timestamps, session activity, and audit logs for security and compliance purposes.
- Communication data: Email addresses used for system notifications (e.g. review reminders, verification emails).
We do not collect payment data directly — payments are processed by third-party providers.
2. How We Use Your Data
We use your data exclusively to provide and improve the Clovert platform. Specifically:
- To operate the HR and performance management features of the platform.
- To send transactional emails (account verification, password reset, review reminders).
- To maintain security, detect fraud, and enforce our Terms of Service.
- To generate aggregated, anonymised analytics that help us improve the product.
We never sell your data to third parties. We never use your data for advertising purposes.
3. Data Storage & Security
- Location: All data is stored on servers within the European Union (Frankfurt, Germany) via Supabase (PostgreSQL).
- Encryption: Data is encrypted at rest and in transit (TLS 1.2+).
- Passwords: Stored using one-way cryptographic hashing with a secret salt. We cannot recover your password.
- Access control: Data is isolated per company using Row-Level Security (RLS). No company can access another company's data.
- Backups: Automated daily backups are retained for 30 days.
4. Your GDPR Rights
As a data subject under GDPR, you have the following rights:
- Right of access: You may request a copy of all personal data we hold about you.
- Right to rectification: You may request correction of inaccurate data.
- Right to erasure ("right to be forgotten"): You may request deletion of your personal data. HR administrators can anonymise employee data directly via the GDPR tools in the platform.
- Right to data portability: You may request your data in a machine-readable format (JSON or CSV).
- Right to object: You may object to processing of your data for specific purposes.
- Right to restriction: You may request that we restrict processing of your data.
To exercise any of these rights, contact us at privacy@clovert.eu. We will respond within 30 days.
5. Data Retention
- Active accounts: Data is retained for the duration of the subscription.
- Inactive accounts: Data is retained for 12 months after the last login, then automatically deleted.
- Deleted accounts: Personal data is permanently deleted within 30 days of account closure.
- Audit logs: Security logs are retained for 12 months for compliance purposes.
6. Third-Party Processors
We use a limited number of trusted third-party processors, all operating under GDPR-compliant Data Processing Agreements:
- Supabase (database hosting) — EU servers, Frankfurt
- Render (application hosting) — EU region
- Resend (transactional email) — GDPR compliant
We do not use Google Analytics, Facebook Pixel, or any advertising trackers.
7. Cookies
Clovert uses a single session cookie (talent_session) for authentication purposes. This cookie is:
- HttpOnly and Secure — not accessible by JavaScript and sent only over HTTPS
- Session-scoped — expires after 8 hours of inactivity
- Strictly necessary — no consent banner required under the ePrivacy Directive
We do not use tracking, analytics, or advertising cookies.