Our Privacy Policy

Last updated: January 13, 2026

Introduction

The privacy policy ("Policy") governs the online information collection practices of Clema.ai Inc. ("Clema," "we," or "us"). It outlines the types of information that we gather about you while you are using our platform at https://clema.ai (the "site"), and the ways in which we use this information.

We understand the sensitive nature of educational data and are committed to maintaining the highest standards of privacy protection, including compliance with the Family Educational Rights and Privacy Act (FERPA).

What type of information do we collect?

We may collect personal and institutional information about you and store this information in connection with the provision and fulfillment of our services to you.

Account Information

When you create an account, we collect:

  • Name and professional title
  • Email address
  • Institution name and department
  • Phone number (optional)

Institutional Data

To provide our services, we may process institutional data that you connect to our platform, including:

  • Student enrollment and demographic data
  • Academic performance metrics
  • Institutional research reports
  • Data from connected systems (SIS, LMS, data warehouses)

Important: Your institutional data remains under your control. We do not use your data to train our AI models, and we do not share your data with third parties.

Usage Information

We automatically collect certain information when you use our platform:

  • Query history and interactions with the AI assistant
  • Log data (IP address, browser type, device information)
  • Usage patterns and feature engagement

How we use your personal information?

The information we collect may be used for the following purposes:

  • To provide, maintain, and improve our services.
  • To process and respond to your data queries.
  • To authenticate users and manage account access.
  • To send service-related communications.
  • To provide customer support.
  • To monitor and analyze usage patterns to improve our platform.
  • To ensure security and prevent fraud.
  • To comply with legal and statutory obligations.

Who has access to your data within our organization?

Within our organization, access to your data is limited to those persons who require access in order to deliver the services you subscribe to, to contact you, and to respond to your inquiries. Those staff members may be on teams such as: engineering, product, customer support, and executive. Employees only have access to data that is relevant to their role, on a 'need to know' basis.

FERPA Compliance

Clema is designed to support institutions in maintaining FERPA compliance. We:

  • Act as a "school official" with a legitimate educational interest under FERPA.
  • Use education records only for authorized purposes.
  • Maintain appropriate administrative, technical, and physical safeguards.
  • Do not disclose personally identifiable information from education records without consent.
  • Support institutions in responding to FERPA-related requests.

We will enter into appropriate data processing agreements with institutions to formalize our obligations regarding the handling of education records.

With whom do we share your data outside our organization and why?

Processors

We may use service providers and third parties for operating and improving the site, to assist with certain functions, such as cloud infrastructure, analytics (using anonymized data only), and customer support tools. We take measures to ensure that these service providers access, process, and store information about you only for the purposes we authorize, through the execution of Data Processing Agreements.

Authorities

We may access, preserve, and disclose information about you to third parties, including content of messages, if we believe disclosure is in accordance with or required by applicable law, regulation, legal process, or audits. We may also disclose information about you if we believe that your actions are inconsistent with our Terms of Service, or if necessary to protect the rights, property, or safety of Clema or others.

Transfer of business

If we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal information could be one of the assets transferred to or acquired by a third party.

Why and for how long do we store information we collect from you?

We retain certain information collected from you while you are a member on the site, and in certain cases where you have deleted your account, for the following reasons:

  • So that you can use our site and services.
  • To ensure that we do not communicate with you if you have asked us not to.
  • To better understand usage of our platform so that we can provide the best possible experience.
  • To detect and prevent abuse of our site, illegal activities, and breaches of our Terms of Service.
  • To comply with applicable legal, tax, or accounting requirements.

Specifically: account information is retained while your account is active and for a reasonable period thereafter; institutional data is retained according to your institution's data retention policies and our service agreement; and usage logs are retained for up to 24 months for security and analytics purposes. Upon termination of service, we will securely delete or return your institutional data according to your instructions.

Security

We implement comprehensive security measures to protect your information:

  • SOC 2 Type II certified infrastructure.
  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Role-based access controls (RBAC).
  • Regular security audits and penetration testing.
  • Secure data centers with physical access controls.
  • Employee security training and background checks.

Third-Party Services

We may use third-party services to support our operations, including:

  • Cloud infrastructure providers (with appropriate data processing agreements).
  • Analytics services (using anonymized data only).
  • Customer support tools.

We carefully vet all third-party providers and ensure they maintain appropriate security and privacy practices.

AI and Automated Processing

Clema uses artificial intelligence solely to search, retrieve, and surface insights from federal higher education data sources, web search, and internal institutional data it has been granted access to. Clema does not use AI to profile users or make automated decisions that affect individual rights.

Our AI systems do not train on your institutional data. All AI interactions are stateless — your data is processed in real time to respond to your query and is never stored, logged, or reused for model training or improvement.

Clema enforces a strict output integrity protocol: when data is unavailable from federal or public sources, Clema explicitly returns "No data available in the federal source" and, where possible, surfaces the closest match from other external sources with full disclosure of the methodology, data definition, and the underlying query. For internal institutional data, Clema retrieves and presents findings within your institution's governance policies, and explicitly reports when no data is found or a query is not applicable — rather than approximating or inferring a response.

For more information about how AI is developed and governed at Clema, please refer to our AI Policy.

Data Subject Rights

Subject to applicable data protection laws, including the General Data Protection Regulation ("GDPR"), you may have the following rights regarding your personal data:

  • Right to Be Informed: You have the right to be informed about how your personal data is collected, used, and processed.
  • Right of Access: You have the right to request access to the personal data we hold about you.
  • Right to Rectification: You have the right to request correction or update of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request deletion of your personal data, subject to applicable legal obligations.
  • Right to Restrict Processing: You have the right to request that we temporarily or permanently restrict the processing of all or part of your personal data.
  • Right to Object: You have the right to object to the processing of your personal data under certain circumstances, including for direct marketing purposes.
  • Right to Data Portability: You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format and to transmit such data to another service provider.
  • Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, where such decisions produce legal or similarly significant effects.

To exercise any of these rights, you may contact us using the details provided in the "Contact us" section below.

The personal data provided by you as a visitor, customer, user, or registrant of the Services will be processed for the purpose of providing and improving the Services or taking steps prior to providing such Services at your request. Where we rely on your consent to process personal data, you may withdraw such consent at any time.

Your rights under the CCPA

Users who are California residents have certain rights under the California Consumer Privacy Act (CCPA), including:

  • Right to know: You have the right to request to know more about the categories and specific pieces of personal information that we have collected about you and access a copy of your personal information.
  • Right to deletion: You have the right to request deletion of personal information that we have collected about you.
  • Right to non-discrimination: If you choose to exercise any of your rights under CCPA, we will treat you like all other users. There is no penalty for exercising your rights under CCPA.
  • Right to opt-out of sale or sharing: Clema does not sell or share your personal information as defined under CCPA. Therefore, no opt-out mechanism is required.

To exercise any of these rights under CCPA, please email privacy [at] clema.ai.

Our policy concerning children and their data

Our site is not directed to children under the age of sixteen and we do not knowingly collect personally identifiable information from children. If we become aware that we have inadvertently received personally identifiable information from a child, we will delete such information from our records. If we change our practices in the future, we will obtain prior, verifiable parental consent before collecting any personally identifiable information from children.

Links to other websites

Our site may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We do not control third-party sites accessible through our services, and this privacy policy does not apply to information you provide to or that is gathered by those third parties.

Changes to this policy

We may update our privacy policy from time to time. We will notify you of any changes by posting the new privacy policy on this page and updating the "Last updated" date. If we make any material changes, we will notify you via email or through a notification posted on the platform, as required by applicable law. You are advised to review this privacy policy periodically for any changes. Changes to this privacy policy are effective from when they are posted on this page.

Contact us

If you have any questions about this privacy policy or our privacy practices, please contact us:

Email: legal [at] clema.ai

For security concerns, please see our Security page.

This policy is effective as of January 13, 2026.