Privacy

Privacy, in plain English.

The one-page version: we collect the minimum we need to reply to you or run the product, we do not sell or share your data, and we never train our public models on customer data.

Data we collect

Contact submissions. When you fill out a form, we collect your name, email, company, role, and message. We use this only to reply and to qualify the inquiry.
Product usage. When you use the platform, we collect the workflow data you upload (project schemas, candidate sites, filings) to deliver the service.
Operational logs. We log API requests, errors, and performance metrics with per-tenant isolation for debugging and capacity planning.
Website analytics. We use privacy-first analytics that does not set third-party cookies, does not fingerprint visitors, and does not track individuals across sites.

What we do not do

We do not sell your data.
We do not share customer workflow data across tenants. Every customer lives in a per-tenant database.
We do not train our public or shared models on customer workflow data. If we train anything on your data, it is scoped to your tenant and governed by your MSA.
We do not drop third-party ad cookies on the marketing site.

Subprocessors

We use a small set of trusted subprocessors: cloud infrastructure (AWS us-east-1 and us-west-2), email delivery (Resend), payments (Stripe), error monitoring (Sentry), and product analytics (PostHog, self-hosted). We keep the list of active subprocessors current and will share the complete list with any prospective enterprise customer under NDA.

Security posture

SOC 2 Type II audit in progress (target: Q3 2026). In the meantime, we offer: TLS 1.2+ in transit, AES-256 at rest, per-tenant data isolation, RBAC with SSO support (Okta, Azure AD, Google), audit logging on all privileged operations, and incident response commitments in our enterprise DPA.

Data retention and deletion

Contact submissions are retained for 24 months and then deleted. Customer workflow data is retained for the life of the subscription plus 90 days; deletion happens automatically unless you opt in to extended retention. Customers can export and delete their data at any time via the admin console or a written request to privacy@cliffcenter.com.

Questions

Email privacy@cliffcenter.com. We reply within three business days. For security vulnerability reports, email security@cliffcenter.com.

Last updated: April 2026. Cliffcenter, Inc.

Data we collect

Contact submissions. When you fill out a form, we collect your name, email, company, role, and message. We use this only to reply and to qualify the inquiry.

Product usage. When you use the platform, we collect the workflow data you upload (project schemas, candidate sites, filings) to deliver the service.

Operational logs. We log API requests, errors, and performance metrics with per-tenant isolation for debugging and capacity planning.

Website analytics. We use privacy-first analytics that does not set third-party cookies, does not fingerprint visitors, and does not track individuals across sites.

What we do not do

We do not sell your data.

We do not share customer workflow data across tenants. Every customer lives in a per-tenant database.

We do not train our public or shared models on customer workflow data. If we train anything on your data, it is scoped to your tenant and governed by your MSA.

We do not drop third-party ad cookies on the marketing site.

Subprocessors

Data retention and deletion