Privacy Policy
Last updated: May 24, 2026
This policy explains what personal data HelloClaudium, LLC (d/b/a Claudium) (“Claudium”, “we”, “us”) collects when you use the Claudium service, why we collect it, who we share it with, and the rights you have over it.
1. Who we are
Claudium is operated by HelloClaudium, LLC (d/b/a Claudium), incorporated in Lisbon, Portugal. For privacy questions, write to privacy@helloclaudium.com. We do not currently have a statutory Data Protection Officer appointed; the email address above reaches the team responsible for privacy.
2. What we collect
We collect the following categories of data:
- Account data. The email address you verify via one-time code, the display name you choose, the organization name you create (for workspace owners), and the role(s) assigned to you within an organization.
- Session metadata. The signed session cookie that keeps you logged in (encoded payload is {email, exp}), the IP addresses used for rate-limiting, and the browser user-agent, kept for security auditing.
- Sender / contributor metadata. The display name you publish to your team, the SHA-256 hash of your API token (the plaintext token never leaves your machine once issued), and a colour assigned to you for the live visualization.
- Activity events. For each Claude Code tool call your sender chooses to share: the tool name, the brain region it maps to, an approximate token count, the project name, and (depending on your sharing level) the file path or command text. We never receive your source code, your prompts, or the contents of the files you read or write. You can downgrade your sharing level at any time with the BRAIN_SHARING environment variable on the sender.
- Billing data. When Stripe billing ships, we'll process payment-method tokens via Stripe. We do not store full payment-card data; that lives with Stripe.
- Support correspondence. If you email us, we keep the conversation history so we can respond and improve our support.
3. How we use your data
We process personal data to:
- Operate the service (authentication, session management, live activity routing, billing).
- Protect the service (rate-limiting, abuse detection, audit logging).
- Improve the service inside your organization (the “org-bounded learning loop” — patterns derived from your data, surfaced only to your org).
- Communicate with you about your account, security incidents, and material changes to the service.
- Comply with legal obligations (tax records, lawful disclosure requests).
We do not sell personal data. We do not use your data to train models that are then made available to other organizations.
4. Legal bases (EU/UK GDPR)
If you're in the EU, UK, or EEA we rely on the following legal bases under Article 6 GDPR:
- Contract — to provide the service you signed up for (Art. 6(1)(b)).
- Legitimate interest — for security, fraud prevention, and product improvement (Art. 6(1)(f)).
- Legal obligation — for tax and accounting records (Art. 6(1)(c)).
- Consent — for optional features such as marketing emails, where applicable (Art. 6(1)(a)). You may withdraw consent at any time.
5. Sharing & sub-processors
We use the following sub-processors to deliver the service. Each one only receives the minimum data needed for its function and is bound by a written data-processing agreement:
- Render (United States) — application hosting for the hub and the landing site.
- Supabase (Frankfurt or Northern Virginia, region chosen at provisioning) — Postgres database hosting account, organization, membership, and sender data.
- Resend (United States) — transactional email delivery for one-time login codes and account notifications.
- Vapi (United States) — real-time voice agent on the marketing site and in-product. Only your live voice stream and conversation transcript are processed; no other account data is shared.
- Cloudflare (global edge) — DNS, DDoS protection, and TLS termination for our domains.
- Stripe (planned, when paid plans launch) — payment processing.
We'll update this list before adding new sub-processors and give organization admins at least 30 days' notice for material changes.
6. International transfers
Several of our sub-processors are based in the United States. Where personal data of EU/EEA residents is transferred there, we rely on the European Commission's Standard Contractual Clauses (2021/914) plus supplementary measures (encryption in transit and at rest, access controls). For Enterprise customers, EU-region database hosting is available so personal data never leaves the EU.
7. Retention
We keep personal data only as long as needed for the purpose it was collected:
- Account & organization data — kept while your account is active, then deleted within 90 days of account closure.
- Activity events — kept for 90 days by default; configurable for Enterprise.
- Audit log entries — kept for 12 months for security forensics.
- Billing records — kept for the period required by Portuguese tax law (currently 10 years for invoices).
- Support conversations — kept for 24 months from the last interaction.
8. Security
We use industry-standard technical and organizational measures to protect personal data, including: TLS for all data in transit; SHA-256 hashing of API tokens (we never store plaintext); per-IP and per-email rate limits on login and signup; Row Level Security policies on the multi-tenant database; and principle-of-least-privilege access for our team. Envelope encryption for sensitive at-rest data is on our roadmap and is not yet among the measures listed above. No system is perfectly secure; if you discover a vulnerability, please disclose responsibly via security@helloclaudium.com.
9. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data (subject to legal retention requirements such as tax records).
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where we rely on consent.
- Lodge a complaint — with your local supervisory authority (e.g. CNPD in Portugal).
To exercise any of these rights, email privacy@helloclaudium.com. We'll respond within 30 days. If you're a California resident, the same rights apply under the CCPA, including the right to know what we've sold (none) and the right to non-discrimination for exercising your rights.
10. Cookies & similar technologies
We use a small number of strictly necessary cookies (the signed session cookie and a CSRF token where applicable). We do not use third-party analytics or advertising cookies on the marketing site. If we add product analytics in the future, we'll update this policy and surface a consent banner before any tracking starts.
11. Children
The service is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact privacy@helloclaudium.com and we'll delete it.
12. Changes to this policy
We may update this policy from time to time. The current version is always at this URL with a “Last updated” date at the top. For material changes affecting how we use your data we'll notify you by email or in-product at least 30 days before they take effect.
13. Contact
Privacy inquiries: privacy@helloclaudium.com
Security disclosures: security@helloclaudium.com
Postal: HelloClaudium, LLC (d/b/a Claudium) · Lisbon, Portugal (exact address on request)