Privacy Policy
This Privacy Policy explains how Clarinet, a product of Obanek Labs, collects, uses, and protects personal data when you use the Clarinet service at clarinet.obaneklabs.com or the Clarinet API. We comply with the EU General Data Protection Regulation (GDPR / DSGVO).
1. Data Controller
Juan Manuel Ortiz, Obanek Labs, Berlin, Germany. Contact: [email protected]
2. What data we collect
2.1 Account data (when you register for Clarinet)
- First name, last name, email, hashed password
- Optional: neurodivergence profile (self-declared, used to personalize scoring)
2.2 Task data (when you use the service)
- Task descriptions, titles, and queues you submit for cognitive load analysis
- Cognitive load scores produced by our heuristic engine and, optionally, the LLM engine
- Cognitive snapshots (aggregated wear metrics over time, used for longitudinal tracking)
2.3 Server logs
- IP address, user agent, timestamp, requested URL, response status code
- Retention: 14 days for security and debugging
2.4 Data we do NOT collect
- No Google Analytics, no Facebook Pixel, no behavioural tracking
- We do not sell, rent, or share your data with advertisers
- We do not train AI models on your task data without explicit separate opt-in
3. Why we collect it
| Purpose | Data used |
|---|---|
| Create and manage your Clarinet account | Account data |
| Analyze cognitive load of your tasks | Task data, neurodivergence profile |
| Track your cognitive load over time | Cognitive snapshots |
| Send service and security emails | |
| Prevent abuse, secure the API | Server logs, IP address |
| Bill paying customers | Subscription status, payment metadata from Stripe |
4. Legal basis
- Art. 6(1)(b) GDPR: performance of the contract (Clarinet service)
- Art. 6(1)(a) GDPR: consent (neurodivergence profile, LLM dual engine, marketing)
- Art. 6(1)(f) GDPR: legitimate interests (security, fraud prevention)
- Art. 6(1)(c) GDPR: legal obligations (tax, accounting)
5. Third party processors
Clarinet relies on the following sub-processors. All are EU-based or bound by GDPR Standard Contractual Clauses.
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication | EU (Ireland) |
| Amazon Web Services | API hosting (Lambda, EU region) | EU (Ireland) |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global (EU edge) |
| Resend, Inc. | Transactional email delivery | US (GDPR SCC) |
| Anthropic PBC (optional) | LLM evaluation when dual engine mode enabled | US (GDPR SCC) |
| OpenAI, L.L.C. (optional) | LLM evaluation when dual engine mode enabled | US (GDPR SCC) |
When you enable the optional LLM dual engine, your task text is sent to the configured provider. Before transmission, Clarinet redacts common PII patterns (email addresses, phone numbers, national IDs). You remain responsible for not submitting sensitive data if you choose to enable this mode.
6. How long we keep it
- Account data: while your account is active, plus 30 days after deletion (to allow restore)
- Task data, cognitive snapshots: while your account is active; deleted with the account
- Server logs: 14 days
- Email correspondence: up to 3 years (support history)
- Billing records: 10 years (German tax law, § 257 HGB)
7. Your rights
Under GDPR you have the right to:
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17)
- Restriction (Art. 18), portability (Art. 20), objection (Art. 21)
- Withdraw consent (Art. 7) at any time
- Complain to the Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de)
To exercise any right, email [email protected]. We respond within 30 days.
8. Cookies and local storage
Clarinet uses browser local storage (not cookies) to keep you logged in. Stored: your Supabase access token, refresh token, and user id. Strictly necessary for the service; no consent banner required under the ePrivacy Directive.
Cloudflare may set a security cookie (__cf_bm) for 30 minutes for bot detection. Legitimate interest in security.
We do not use tracking, advertising, or analytics cookies.
9. Changes to this policy
We version this policy. On material changes we notify registered users by email and require re-acceptance before the next login. Version and date are always at the top of this page.