Cleve

Cleve

Get started

Privacy Policy

Effective date: April 6, 2026

Cleve is your AI workspace. Your content is yours and is used only to run the product, never to train models or sell to third parties.

Our Approach

Cleve is designed to be a safe and secure way to collaborate with AI to do your life's best work. To achieve this, we designed Cleve with industry-leading data and privacy practices. Here's what that looks like in practice.

Never used to train AI models

Your docs, notes, conversations and ideas are never used to train AI models. This applies to Cleve and every AI provider we work with. We have contractual or policy-level guarantees from all of them.

Encrypted everywhere

Everything you store is encrypted at rest using AES-256. All connections use TLS 1.2 or higher, including every call to an AI provider.

Prompts deleted after each response

When you use an AI feature, your prompt is sent, a response is returned, and nothing is stored on the provider's side. We don't allow providers to hold onto it.

SOC 2 Type II certified infrastructure

Every service that processes your data (database, authentication, payments, file storage) is independently security-audited and SOC 2 Type II certified.

The rest of this page covers exactly what we collect, how we use it, and the controls you have. Questions? Email us at support@cleve.ai.

TL;DR

  • You own your data and your AI output. We assign all rights in AI-generated output to you. We never sell your content, share it for advertising, or use it to train AI models.
  • Encrypted everywhere. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Zero data retention on AI calls. Your prompts and outputs are not stored by AI providers after the response is delivered.
  • SOC 2 Type II infrastructure. All services that process your data are independently security-audited.
  • Export or delete anytime. Export your data in Markdown, HTML, PDF, or JSON. Close your account and data is deleted within 30 days.

Data We Collect

  • Account data: email address, name, authentication credentials, and subscription status. Managed by Clerk.
  • Content data: notes, documents, chats, files, and other material you create or upload in Cleve. This is stored in Convex (our primary database) and Vercel Blob (file storage).
  • Usage data: feature interactions, page views, performance metrics, and crash reports. Used to improve the product. We mask sensitive fields in analytics.
  • Payment data: billing metadata (plan, renewal date, payment status). We never see or store your card number. Payment is processed directly by Stripe (PCI DSS Level 1).
  • Connected integrations: if you connect third-party accounts (e.g., email, calendar, notes apps), we import only the content you authorize. You can revoke access at any time.
  • Technical data: IP address (approximate location), browser type, and device information. This is used for security and abuse prevention.
  • Feedback: ideas, suggestions, or comments you choose to submit about the Services. This may be used to improve Cleve and incorporated into future features or products without restriction or compensation. Feedback does not include your User Content or Output.

How We Use Your Data

  • Provide and improve the features you use (AI writing, search, collaboration).
  • Authenticate your account and keep it secure.
  • Process payments and manage subscriptions.
  • Send transactional emails (receipts, security alerts) and, if you opt in, product updates.
  • Monitor for abuse, errors, and performance issues.
  • Comply with legal obligations.
  • Incorporate Feedback you submit to improve the Services.

Under GDPR, our lawful bases are: contractual necessity (operating Cleve), legitimate interests (security, product improvement), consent (optional marketing and analytics cookies), and legal obligation.

Content & Output Ownership

You retain all right, title, and interest in the content you create, upload, or provide in Cleve ("User Content"). Cleve assigns to you all of its right, title, and interest, if any, in and to any AI-generated output produced for you through the Services ("Output"). You own your Output.

We process your User Content only to provide the Services, ensure security, and prevent abuse. We do not claim ownership of your User Content or Output, and we do not use either to train AI models.

AI & Data Processing

When you use AI features, the minimum necessary context from your request is sent to an AI provider to generate a response. We route these calls through the Vercel AI Gateway with Zero Data Retention (ZDR) enabled. Prompts and outputs are not stored by providers after the response is returned.

No provider trains on your data. All AI providers are contractually or policy-restricted from using your content to train or improve their models. We currently use Anthropic, OpenAI, Google, Groq, Perplexity, Cohere, and Nebius to power AI features.

We do not use your content to train our own models either. Diagnostic logs used for reliability and abuse prevention are short-lived and cleared on a rolling basis.

Workspace & Org Access

If you access Cleve using an email address provided by an organization (like your employer) or join a workspace managed by an organization, that organization may have access to your account information and the content you create within that workspace. The organization's administrators may also be able to restrict your access, move data, or delete your account.

To ensure your personal data remains private, use a personal email address to create a separate personal account. You are welcome to maintain both personal and organizational accounts.

Subprocessors

We use trusted third-party services to operate Cleve. This covers infrastructure, authentication, payments, analytics, error monitoring, email, and AI. All services that handle personal data are contractually bound to process it only on our instructions and maintain appropriate security standards.

A full list of subprocessors is available on our security page. Marketing and analytics tags (Google Analytics, Google Ads, LinkedIn, Microsoft Clarity, Meta Pixel) are loaded only with your explicit consent via the cookie banner.

Security

  • Encryption at rest: AES-256 across all data stores (Convex, Neon, Vercel Blob, Clerk, Stripe).
  • Encryption in transit: TLS 1.2+ for all connections, including AI provider API calls. HSTS enforced.
  • SOC 2 Type II infrastructure: all services that process personal data are independently audited. Cleve itself is not yet SOC 2 certified.
  • DDoS & bot protection: Vercel DDoS mitigation, Arcjet bot detection and rate limiting, Upstash serverless rate limiting.
  • Account security: CSRF protection, breached password detection, and account lockout via Clerk.
  • Database isolation: customer data is isolated at the database level with unique credentials per deployment.

No system is perfectly secure. Use a strong, unique password and enable two-factor authentication to protect your account.

Cookies & Analytics

We use cookies and similar technologies for essential site functions (session management, referral attribution) and, with your consent, for analytics and marketing. See our Cookie Policy for details.

Non-essential cookies (analytics, advertising) only load after you accept via the cookie banner. You can change or withdraw consent anytime via "Cookie settings" in the footer.

Data Retention

We retain your data while your account is active and as needed to operate the Services or meet legal obligations. When you close your account:

  • Content and personal data is deleted within 30 days.
  • Backups are purged on a rolling basis (typically 30 to 90 days).
  • Billing records may be retained longer where required by law.

You can export your data at any time in Markdown, HTML, PDF, or JSON format from your account settings before closing your account.

Your Rights

Depending on where you live, you may have the following rights over your personal data:

  • Access: request a copy of the data we hold about you.
  • Correction: update inaccurate or incomplete data.
  • Deletion: request deletion of your personal data (subject to legal retention requirements).
  • Portability: receive your data in a machine-readable format.
  • Objection / Restriction: object to or restrict certain types of processing (EU/UK).
  • Opt-out of sale: we do not sell personal data (CCPA).

To exercise any right, contact support@cleve.ai. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing the request.

If you are in the EU or UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.

International Transfers

Data is stored in the United States by default. EU data residency is available for enterprise customers. Where personal data is transferred from the EEA or UK to third countries, we use appropriate safeguards including Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework certified providers.

Children

Cleve is not intended for users under 18. If we learn we have collected data from a child under 18, we will delete it promptly. Contact us at support@cleve.ai if you believe this has occurred.

Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via the app or email before the changes take effect. The "Effective date" at the top of this page reflects the most recent version.

Contact

Cleve Sdn. Bhd. (Reg: 202301049149)

Address: Kuala Lumpur, Malaysia

Email: support@cleve.ai

Product

PricingDownloadAffiliatesRoast Me

Resources

BlogContactWorkshopsDocs

Company

CareersCommunityStudentsBrand

Legal

Terms of ServicePrivacy PolicyData UseSecurity

Connect

XLinkedInYouTube
Β© 2026 Cleve Sdn. Bhd. (202301049149)