Privacy Policy

Last updated: May 2026

1. Data Controller

Clareo is operated by Michael Holemans, a Belgian self-employed professional (eenmanszaak / sole proprietorship), trading as "Clareo".

  • Address: Waversesteenweg 3A, 3360 Bierbeek, Belgium
  • Enterprise number (KBO/BCE): 0759.456.946
  • VAT number: BE0759.456.946
  • Privacy contact: privacy@clareo.be

This service is intended for business users (B2B). Full operator details are available on our Legal information page.

2. What data do we process and why?

Processing activityDataLegal basis
Account creationName, email addressContract performance
Business registry lookupVAT number, business name, address (public registers)Legitimate interest (documented LIA)
Website crawlingPublicly available website dataLegitimate interest
AI analysisBusiness name, industry, website content processed via AI servicesContract performance
PaymentsPayment data (processed by payment processor)Contract performance
Email communicationEmail address, usage dataLegitimate interest

3. Sub-processors

We use the following sub-processors to deliver the Service. Personal data sent to each is limited to what is necessary for that specific purpose.

Sub-processorPurposeLocation
SupabaseAuthentication, database, storageEU (Frankfurt)
StripePayment processing and invoicingIreland (EU billing) + US
ResendTransactional email deliveryEU + US
FastmailInbound email (info@ / privacy@)US (servers) / Australia (company)
SentryApplication error monitoringEU + US
NetlifyStatic website hosting and CDNUS (global edge with EU PoPs)
Fly.ioWorker hosting and analysis pipeline executionEU (Frankfurt)
Anthropic (Claude)AI content generation and analysisUS
OpenAI (ChatGPT)AI content generation and blind testsUS
Google (Gemini, Knowledge Graph, Places, PageSpeed)AI analysis, classification, searchEU + US
PerplexityAI research and blind testsUS
FirecrawlWeb page extractionUS
SerperSearch results retrievalUS
Brave SearchSearch results retrievalUS + EU

We have a signed Data Processing Agreement (DPA) in place with each sub-processor above. For US-based sub-processors, the DPA rests on either the EU-US Data Privacy Framework (where the provider is DPF-certified) or the 2021 EU Commission Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR for any transfer not covered by the DPF. Copies are available on request via privacy@clareo.be. We do not sell personal data to any third party.

4. International transfers

Your data is processed in the United States. We ensure an adequate level of protection via the EU-US Data Privacy Framework (DPF) where available, and Standard Contractual Clauses (SCCs) for all other transfers, in accordance with Article 46(2)(c) GDPR.

5. Retention periods

  • Analysis results: As long as your account is active, or until you delete them
  • Account data: Duration of account + 30 days after deletion
  • Payment data: 7 years (legal obligation)

6. Your rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interest

You can export your data and delete your account via your dashboard settings. Upon deletion, all your data is permanently erased.

Contact us at privacy@clareo.be. We will handle your request within 30 days.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (GBA/APD):
Drukpersstraat 35, 1000 Brussels — www.dataprotectionauthority.be

7. Automated decision-making

Clareo uses AI technology to perform analyses and calculate scores. These scores are informational and have no legal effects. No automated decision-making within the meaning of Article 22 GDPR takes place.

8. Cookies

Clareo uses only essential cookies for authentication (session cookies). We do not use analytics, tracking, or marketing cookies. Therefore, no cookie banner is needed.

We use your browser's Accept-Language header to pick a default language (English, Dutch or French) on your first visit. Your subsequent choice is stored locally in your browser (key: clareo-lang) and is not transmitted to our servers.

9. Data Protection Officer

Under Article 37 GDPR, Clareo is not required to appoint a DPO. For privacy inquiries: privacy@clareo.be.

10. Information about businesses we analyze

When a Clareo user requests an analysis of a business (their own or any other business by website URL), Clareo automatically collects information from publicly available sources: the business's own website, public business registers (KBO, KVK, SIRENE, Companies House, VIES), AI engines, and search engines. This may incidentally include personal data that the business itself has published online (such as names of founders, team members, or contact persons).

Legal basis (Article 6(1)(f) GDPR): Legitimate interest in providing AI findability analysis on the basis of public business information. We balance this interest against the rights of data subjects by limiting collection to what is necessary, retaining data only while reports are active, and providing a clear removal channel.

What we store: Only the data needed to produce and retain the analysis report. We do not enrich or resell business data, and we do not build profiles of individuals beyond what the business itself has published.

Retention: Business analyses are retained as long as the requesting Clareo account is active. On account deletion, related analyses are deleted within 30 days.

Article 14(5)(b) — disproportionate effort: Individual notification to every person mentioned on every analyzed website would involve disproportionate effort given the volume and the absence of direct contact channels for many data subjects. In line with EDPB guidance on web-scraping and the Article 14(5)(b) exception, we provide this collective notice instead.

Right to be removed: If you are a person mentioned in a Clareo analysis, or you are a business owner who does not want their business analyzed by Clareo, write to privacy@clareo.be with the website concerned. We acknowledge within 72 hours, respond substantively within 7 days, and complete removal of the existing analysis + add the domain to a permanent exclusion list within 30 days (in line with GDPR Article 12(3)). We respectrobots.txt directives that target our crawler (ClareoBot) or all crawlers during crawling. Full procedure and response times: Trust & Safety.

11. Changes

We may update this privacy policy. Significant changes will be communicated via email. The most recent version is always available at clareo.be/privacy.