Privacy Policy

Last updated: 21 May 2026

This Privacy Policy explains how Clarixa.ai ("we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, contact us, book appointments, submit forms, or interact with our AI-enabled services (including Voice AI and Conversational AI).

Note: This is a website privacy policy. If you become a client, additional terms (including a Data Processing Addendum) may apply depending on the engagement and configuration. A template Data Processing Addendum is available on request by emailing [email protected].

1. Who we are

Controller: Clarixa.ai
Address: Kilmanahan, Clonmel, County Tipperary, Ireland
Contact email: [email protected]

2. What personal data we collect

2.1 Data you provide to us

• Identity and contact data (e.g., name, email address, phone number, business name, job title).
• Enquiry and form data (e.g., messages, questionnaire answers, preferences).
• Appointment and meeting data (e.g., requested times, notes you provide, meeting links).
• Billing/payment-related data where applicable (typically processed by our payment providers; we may receive limited transaction metadata).

2.2 Data collected automatically

• Device and usage data (e.g., IP address, browser type, pages viewed, clicks, timestamps, approximate location).
• Cookie and similar technology data (see our Cookie Policy for details and controls).

2.3 AI interaction and communications data

If you interact with our AI features (for example via web chat, inbound/outbound voice calls, or messaging), we may process:

• Chat messages and conversation logs.
• Call audio and call metadata (time, duration, routing).
• Call transcripts and summaries (Voice AI transcribes calls).
• Intents, tags, and workflow outcomes (e.g., appointment created, enquiry routed, support ticket logged).

3. How we use your personal data

• To respond to enquiries and provide requested information.
• To provide our services, including onboarding, support, and account administration.
• To schedule, manage, and run appointments (including reminders).
• To operate AI features such as Voice AI and Conversational AI (e.g., answering questions, triage, booking, support).
• To operate and improve our website and user experience (analytics, testing, debugging).
• To send marketing communications where permitted, and to respect opt-out choices.
• To protect our business and users (security monitoring, fraud prevention, logging).
• To comply with legal obligations and respond to lawful requests.

4. Legal bases (EEA/UK)

Where GDPR or UK GDPR applies, we rely on one or more of the following legal bases depending on context:

• Contract (or steps before entering a contract) – delivering requested services, managing accounts and appointments.
• Legitimate interests – securing our systems, improving our services, and basic business communications (balanced against your rights).
• Consent – non-essential cookies, certain marketing communications, and (where required) call recording/transcription.
• Legal obligation – tax, accounting, and compliance requirements.

Call recording/transcription requirements vary by country and, in some places, by state/province. Where required, we will obtain consent or provide appropriate notice before recording/transcribing.

5. Cookies, analytics, and advertising technologies

We use cookies and similar technologies to run our website, understand usage, and (where you opt in) measure and personalise advertising. Tools we may use include:

• Google Analytics 4 (GA4)
• Meta Pixel
• LinkedIn Insight Tag
• TikTok Pixel
• Hotjar

Details on categories and controls are provided in our Cookie Policy and our cookie preference centre.

6. Our platforms and service providers

6.0 Primary platform — HighLevel (LeadConnector)

Our primary CRM, automation, Voice AI, and communications platform is provided by HighLevel Inc., operating as our data processor under a signed Data Processing Agreement. In some contexts, HighLevel's services are presented as LeadConnector within our platform.

HighLevel Inc. is certified under the EU–US Data Privacy Framework, and all transfers of personal data to HighLevel's US infrastructure are governed by Standard Contractual Clauses (SCCs) as part of their Data Processing Agreement. HighLevel's infrastructure runs on Google Cloud Platform and Amazon Web Services, both of which are independently certified under the EU–US Data Privacy Framework.

Note: While our platform infrastructure is processed by an EU–US Data Privacy Framework-certified processor, Clarixa.ai is the data controller and bears responsibility for ensuring lawful processing under GDPR.

6.1 Support access and global team

Our team members and authorised contractors (including support) may be located in different countries. Access is role-based and limited to what is necessary for support, delivery, and security.

6.2 Messaging and communications providers

We may use third-party communications providers to send and receive messages (e.g., SMS, WhatsApp, iMessage, and similar channels). Providers can vary by region and availability. Where possible, we may use LeadConnector-supported services; however, in Ireland this may not always be available and we may use providers such as Phonovation and/or ComReach. We may also use providers such as Twilio. The exact providers we use may change over time.

6.3 Calendars and appointment tools

We may integrate with calendar tools (such as Google Calendar) to create and manage appointments. This may process appointment details (e.g., name, contact details, time/date, notes). Storage location depends on your interaction and the configured tools.

6.4 Sub-processors

The following is a list of the principal third-party processors we currently use. This list may be updated from time to time; we will update the "Last updated" date at the top of this Policy when we do so.

HighLevel Inc. (LeadConnector)

Purpose: CRM, automation, Voice AI, messaging, appointments, and workflows
Location: USA
Safeguard: EU–US Data Privacy Framework; Standard Contractual Clauses; signed DPA

Google Cloud Platform (via HighLevel)

Purpose: Core infrastructure hosting
Location: USA / Global
Safeguard: EU–US Data Privacy Framework; Standard Contractual Clauses

Amazon Web Services (via HighLevel)

Purpose: Core infrastructure hosting
Location: USA / Global
Safeguard: EU–US Data Privacy Framework; Standard Contractual Clauses

Twilio Inc.

Purpose: SMS and voice communications
Location: USA
Safeguard: Standard Contractual Clauses

Phonovation Ltd

Purpose: SMS (Ireland)
Location: Ireland (EEA)
Safeguard: EEA — no additional transfer mechanism required

ComReach

Purpose: SMS (Ireland)
Location: Ireland (EEA)
Safeguard: EEA — no additional transfer mechanism required

Google LLC (Analytics, Calendar, Workspace)

Purpose: Website analytics; calendar and appointment integration; email
Location: USA
Safeguard: EU–US Data Privacy Framework; Standard Contractual Clauses

Meta Platforms Ireland Ltd (Meta Pixel)

Purpose: Advertising measurement and retargeting
Location: Ireland / USA
Safeguard: Standard Contractual Clauses

LinkedIn Ireland Unlimited Company (Insight Tag)

Purpose: Advertising measurement
Location: Ireland / USA
Safeguard: Standard Contractual Clauses

TikTok Technology Ltd (TikTok Pixel)

Purpose: Advertising measurement
Location: Ireland / USA
Safeguard: Standard Contractual Clauses

Hotjar Ltd

Purpose: Website behaviour analytics and heatmaps
Location: Malta (EEA)
Safeguard: EEA — no additional transfer mechanism required

JotForm Inc.

Purpose: Secure data collection forms (client onboarding)
Location: USA
Safeguard: Standard Contractual Clauses

Bitwarden Inc.

Purpose: Encrypted credential storage (internal use only)
Location: USA
Safeguard: Standard Contractual Clauses

n8n (self-hosted)

Purpose: Workflow automation
Location: Ireland (self-hosted on Clarixa infrastructure)
Safeguard: EEA — no additional transfer mechanism required

Make (Celonis SE)

Purpose: Workflow automation (cloud)
Location: Germany / USA
Safeguard: Standard Contractual Clauses

Notion Labs Inc.

Purpose: Internal operations and documentation
Location: USA
Safeguard: Standard Contractual Clauses

6.5 Clarixa.ai as data processor for clients

When we build and operate the Clarixa Growth Engine (CGE) or other automated systems on behalf of a client, our role changes: our client becomes the data controller and Clarixa.ai acts as the data processor in respect of the personal data that flows through those systems.

In those circumstances, we process personal data only on our client's documented instructions, and we maintain appropriate technical and organisational measures to protect that data. A Data Processing Addendum is available on request and may be included within client service agreements.

7. Sharing of personal data

We may share personal data with:

• Service providers (processors) who help us run our website, CRM, analytics, communications, and support.
• Professional advisers (legal, tax, accounting) where necessary.
• Authorities where required by law or to protect rights, safety, and security.
• Business transferees (e.g., in a merger or sale), subject to appropriate safeguards.

We do not sell personal data for money. Some advertising technologies may be treated as "sharing" under certain US laws (see Section 12).

8. International transfers

Your information may be processed in countries outside your home country, including outside the EEA/UK. Where required, we use recognised transfer safeguards such as Standard Contractual Clauses and/or the EU–US Data Privacy Framework. A full list of processors and the safeguards applied to each is set out in Section 6.4 above.

9. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy, including legal, tax, and accounting obligations. The table below sets out indicative retention periods by data category.

Website enquiry / contact form submissions

2 years from last contact — Legitimate interests

Active client records (contracts, invoices, communications)

7 years from end of engagement — Legal obligation (tax and accounting)

Prospective client / lead data

2 years from last interaction — Legitimate interests / consent

Voice AI call audio

30 days, then deleted unless otherwise required — Consent / contractual necessity

Call transcripts and summaries

90 days, then deleted unless otherwise required — Consent / contractual necessity

Appointment and meeting records

3 years from appointment date — Legitimate interests

Marketing communications data (opt-in lists)

Until opt-out, then 1 year — Consent

Website analytics data (GA4)

As per Google Analytics retention settings (default 14 months) — Legitimate interests / consent

Billing / payment metadata

7 years — Legal obligation

Security and access logs

12 months — Legitimate interests

Where we have no ongoing lawful basis for retention, data is securely deleted or anonymised. You can request further detail on retention periods applicable to your specific data by emailing [email protected].

10. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, authentication, and monitoring. No method of transmission or storage is 100% secure, but we work to reduce risk appropriately.

10.1 Personal data breaches

In the event of a personal data breach, we will:

1. Detect and assess — identify the nature, scope, and likely consequences of the breach as quickly as possible.
2. Notify the supervisory authority — where required, notify the Data Protection Commission (Ireland) within 72 hours of becoming aware of the breach (Article 33 GDPR), unless the breach is unlikely to result in risk to individuals.
3. Notify affected individuals — where the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Article 34 GDPR).
4. Document and remediate — log all breaches internally (regardless of whether notification is required) and take steps to contain and prevent recurrence.

If you become aware of or suspect a data breach involving your personal data, please contact us immediately at [email protected].

11. Your rights (EEA/UK)

You may have rights including access, correction, deletion, restriction, objection, portability, and the right to withdraw consent (where processing is based on consent). You also have the right to lodge a complaint with your supervisory authority (in Ireland, the Data Protection Commission).

To exercise rights, email [email protected].

12. United States (including California)

If you are a US resident, you may have additional rights under state privacy laws. For California residents, the CCPA/CPRA may provide rights to know, access, delete, correct, and opt out of certain data uses.

Do Not Sell or Share (California): Some advertising technologies (such as pixels) may be considered "sharing" for cross-context behavioural advertising. You can opt out by rejecting advertising cookies in our cookie preference centre and/or using browser/device controls.

13. Canada

If you are in Canada, we handle personal information in line with applicable Canadian privacy laws (including PIPEDA and provincial laws where applicable). You may request access and correction, and you may withdraw consent subject to legal/contractual restrictions.

14. Children

Our website and services are not intended for children. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will take appropriate steps.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version on our website and update the "Last updated" date. For material changes, we will take reasonable steps to notify you directly where we hold your contact details.