Last updated June 3, 2026Who we are
Claura is operated by DjaloVentures OÜ (registration code 16915498), Narva mnt 5, 10117 Tallinn, Estonia. For your account and our direct relationship with you we act as a data controller. For the messages, attachments, and personal data inside the mailboxes and sources you connect (including the personal data of third parties such as your suppliers, customers, and clients), we act as a processor on your behalf, and you are the controller.
Data we process
We process the following categories of data:
- Account and profile data: name, email, sign-in provider (email, Google, or Microsoft), and preferences such as display currency.
- Connected Account data: source type, encrypted OAuth authorisation tokens, and sync status. We never receive or store your email password.
- Mailbox-derived data: metadata of messages with attachments (sender, subject, date), a limited body-text excerpt used as context, and PDF/image attachments.
- Document data: original files and extracted fields (vendor, amounts, currency, dates, invoice/VAT numbers, billing entity and address, recipient details), classifications, and confidence scores.
- Usage and technical data: search queries and embeddings, saved searches, AI assistant activity, exports, logs, and error diagnostics.
How we use data and our legal bases
We use personal data to provide the Service (performance of a contract, or your documented instructions where we act as processor), to secure it and prevent abuse (legitimate interests and legal obligation), to provide support, to maintain reliability, to bill where a paid plan applies, and to comply with law. We do not sell personal data, and we do not use your content to train third-party generative AI models for their own purposes.
Inbox access
Inbox access is requested through the provider's standard OAuth flow and is read-only. We scan connected mailboxes for messages with attachments, retrieve financial-document attachments, and process related metadata and a limited body excerpt. Access stays limited to the inboxes you connect, and you can disconnect at any time.
AI and document processing
We process document content through automated systems, including OCR and AI extraction and classification. Discovery is not guaranteed to be complete and AI outputs may contain errors, so you remain responsible for verifying them. This is decision-support with human review available; we do not make solely automated decisions that produce legal or similarly significant effects.
Sub-processors and recipients
We share data with service providers that process it on our behalf under contract: Supabase (database, storage, authentication), Vercel (hosting), OpenAI (AI extraction, embeddings, assistant), Microsoft Azure Document Intelligence and Google Document AI (OCR, where enabled), Google and Microsoft (mailbox connectivity), and Sentry (error tracking). A current sub-processor list is available on request.
International transfers
Some sub-processors, notably OpenAI in the United States, process data outside the European Economic Area. Where we transfer data outside the EEA we rely on appropriate safeguards, in particular the European Commission's Standard Contractual Clauses, with supplementary measures where needed.
Retention and your rights
We keep personal data for as long as needed to provide the Service and to meet legal obligations. You can delete documents, disconnect sources, and delete your account in the Service. Subject to law, you have rights to access, correct, erase, restrict, object to, and port your data. For mailbox and document data where we act as processor, requests are generally directed to the relevant customer. Contact privacy@claura.io, or your local supervisory authority (in Estonia, the Andmekaitse Inspektsioon).
Contact
Questions about privacy or data handling can be sent to privacy@claura.io.