Privacy Policy

1. Introduction

This Privacy Policy explains how Clienty collects, uses, and protects your personal information.

2. Information We Collect

We collect personal information like your name, email, username, and password when you sign up. We store files you upload in AWS S3. We use OpenAI to provide AI services and Twilio for messaging services. If you connect your Microsoft calendar, we access and sync calendar data (events, attendees, availability) from Outlook via the Microsoft Graph API and store it in our database for display. If you use electronic signatures, documents are sent to HelloSign (Dropbox Sign) and signed PDFs are downloaded and stored in your organization's secure AWS S3 storage. Trust ledger entries (amounts, dates, descriptions, payment methods) you enter are stored in our database for record-keeping.

3. How We Use Your Information

We use your information to provide our CRM services, including AI-based document drafting, messaging reminders via Twilio, managing your calendar events (including sync with Microsoft Outlook), electronic signature workflows via HelloSign, payment processing via Stripe, and trust account ledger record-keeping. We may also use your data to improve our services.

4. AI Document Summarization & Text-to-Speech

Clienty offers AI-powered document summarization and text-to-speech features to help you quickly understand and review uploaded documents. When you use these features, the following applies:

• How It Works: When you click "Summarize" on a document, the text content of the document is extracted on our servers and sent to OpenAI's API for processing. Only the document text is sent — not filenames, client names, matter details, or other metadata.
• No Data Retention by OpenAI: We have configured our OpenAI integration so that your data is not stored or used for model training. All API requests include a "no-store" directive, and we have disabled all data sharing on our OpenAI organization account. OpenAI processes your request and returns the result without retaining your document content.
• Summary Storage: AI-generated summaries (title, summary text, and key points) are stored in our database and linked to the originating document and matter. You can delete any summary at any time from the AI Summaries tab.
• Text-to-Speech: When you use the "Listen" feature, the summary text is sent to OpenAI's text-to-speech API. The generated audio is streamed directly to your browser and is not stored on our servers.
• Credit Usage: Document summarization consumes 1–3 AI credits depending on document size (short documents use 1 credit, medium documents use 2, and long documents use 3). First-time text-to-speech playback consumes 1 AI credit; subsequent replays of the same summary are free. Credit usage is tracked and visible in your organization's billing dashboard.
• Encryption: Documents are encrypted at rest in AWS S3 using AES-256 encryption and transmitted over TLS 1.2+ encrypted connections. API communications with OpenAI are also encrypted via TLS.
• Attorney-Client Privilege: You are responsible for ensuring that your use of AI summarization features complies with your jurisdiction's rules regarding attorney-client confidentiality, work product doctrine, and professional conduct. We recommend reviewing your bar association's guidance on the use of AI tools in legal practice.
• Opt-Out: AI summarization is entirely opt-in. No document content is ever sent to AI services unless you explicitly click the Summarize button. Simply not using the feature ensures your documents are never processed by AI.

For more information about how OpenAI handles data, please refer to OpenAI's Enterprise Privacy Policy.

5. SMS Communications & TCPA Compliance

We use Twilio as our SMS messaging provider to enable communication between your organization and your clients. To ensure compliance with the Telephone Consumer Protection Act (TCPA) and Twilio's Messaging Policy, we implement the following practices:

• Sender Identification: All outbound SMS messages are automatically prefixed with your organization's name to clearly identify who is contacting the recipient (e.g., "Your Company: Your appointment is tomorrow at 2pm").
• Opt-Out Mechanism: Recipients can opt out of receiving SMS messages at any time by replying with STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT. This preference is immediately honored and recorded.
• Opt-In Mechanism: Recipients who have opted out can opt back in by replying with START, YES, or UNSTOP.
• Consent Records: We maintain audit logs of all opt-in and opt-out actions for TCPA compliance purposes, including the date, time, and method of consent changes.
• Message Content: SMS messages may include appointment reminders, payment reminders, case updates, and other communications related to your services.

By using our SMS features, you agree to comply with all applicable laws regarding electronic communications, including obtaining proper consent from recipients before sending messages.

6. Team Chat & Internal Communications

Our Team Chat feature enables real-time communication between team members within your organization. When you use Team Chat, we collect and process the following information:

• Message Content: Text messages, GIFs (via Giphy), and emoji reactions you send in chat threads.
• File Attachments: Files you share in chat conversations are stored securely in AWS S3.
• Metadata: Timestamps, read receipts, typing indicators, and thread membership information.
• Mute Preferences: Your notification preferences for each chat thread.

Data Retention: Chat messages are retained for compliance and audit purposes. When you delete a chat or leave a group, messages remain accessible to other participants but are hidden from your view. Organization administrators may have access to chat logs for compliance monitoring.

Visibility: Chat messages are only visible to members of the specific thread (direct messages or group chats). Your organization's data is isolated from other organizations.

Third-Party Services: Team Chat uses Giphy for GIF search functionality. When you search for GIFs, your search queries are sent to Giphy. Please refer to Giphy's Privacy Policy for more information.

7. Payment Processing & Stripe Connect

We use Stripe Connect to process payments and invoices on behalf of your organization. When you or your clients make payments through our platform, the following information is collected and processed:

• Payment Information: Credit card numbers, bank account details, and billing addresses are collected and processed directly by Stripe. We do not store full payment card numbers on our servers.
• Transaction Data: Payment amounts, dates, invoice references, and payment status are stored to maintain accurate billing records.
• Stripe Account Information: If your organization connects a Stripe account, we store your Stripe account ID and connection status to facilitate payment processing.
• Invoice Records: We maintain records of invoices created, sent, and paid through our platform for accounting and compliance purposes.

Data Sharing with Stripe: Payment information is shared directly with Stripe for processing. Stripe may use this data in accordance with their Privacy Policy. We recommend reviewing Stripe's privacy practices.

Data Retention: Payment transaction records are retained for a minimum of 7 years for tax and legal compliance purposes. You may request deletion of payment data after this retention period by contacting us.

8. Electronic Signatures, Calendar & Trust Ledger

Electronic Signatures (HelloSign): When you send documents for electronic signature, document content is transmitted to HelloSign (Dropbox Sign). Upon completion, we download signed PDFs and store them in your organization's secure AWS S3 storage. HelloSign processes document content in accordance with their Privacy Policy.

Microsoft 365 & Outlook: When you connect your Microsoft account, we access calendar data (events, attendees, availability, shared calendars) via the Microsoft Graph API. This data is synced and stored in our database to display events and manage scheduling. Microsoft's Privacy Statement applies to data processed by their services.

Trust Account Ledger: When you use the trust ledger feature, we store transaction records you enter (amounts, dates, descriptions, payment methods such as check numbers or transaction references). This is for record-keeping only; we do not process or hold trust funds.

9. Data Sharing

We do not sell your data. We share it with service providers like AWS, OpenAI, Twilio, Stripe, HelloSign (Dropbox Sign), Microsoft (for calendar integration), and Giphy to provide our services.

10. Data Security

We use industry-standard security to protect your data, including encryption and secure access controls. You are responsible for keeping your password safe.

11. Your Rights

You have the right to access, correct, or delete your data. You can contact us at clientysupport@clienty.io to exercise these rights.

12. Changes

We may update this Privacy Policy. We will notify you of significant changes.