Privacy Policy

Clera

Last updated: May 29, 2026

1. Introduction

Clera ("we", "our", or "the app") is an AI summarization app that converts Instagram Reels and posts into structured, readable notes. This Privacy Policy explains what information we collect when you use Clera, how we use it, and your rights with respect to your data.

By installing or using Clera, you agree to the practices described in this policy. If you do not agree, please uninstall the app and contact us to request deletion of any data we hold.

2. Information We Collect

2.1 Instagram Content URLs

When you share an Instagram Reel or post to Clera, the URL of that content is sent to our server for processing. The URL is used to fetch the video or image content, generate a summary, and then deliver that summary to your device. URLs are stored transiently in our processing queue (maximum 5 minutes) and may appear in server logs retained for up to 30 days.

We do not store the video or image content itself after processing is complete. Transcripts and frame data are intermediate processing artifacts that exist only in server memory during the summarization pipeline and are discarded immediately afterwards.

2.2 Summaries (Stored Locally on Your Device)

The structured summary produced by our AI pipeline (title, category, ingredients, steps, tips, or equivalent fields) is delivered to your device and stored in a local database under your control. Summaries are not stored permanently on our servers after delivery.

2.3 Device Identifier

We generate a random, anonymous device identifier the first time you launch the app and store it in your device's secure storage. This identifier is included in all API requests for rate-limiting, fraud prevention, and idempotency checking. It cannot be used to identify you personally and is not linked to your name or email address.

The device identifier is registered on our server the first time you make a signed request. This registration record persists in our system until you request deletion.

2.4 Push Notification Token (FCM Token)

To notify you when a summary is ready, Clera sends your device's Firebase Cloud Messaging (FCM) push token to our server when submitting a processing request. The token is stored transiently alongside the processing job in Redis and is discarded when the job completes or expires.

2.5 Crash Reports and Diagnostics

We use Firebase Crashlytics (Google) and Sentry to collect crash and error reports. A report may include:

Device model and operating system version
App version number
Stack trace at the time of the error
Limited app state information (no content URLs, summaries, or personal data)

Crash collection is disabled in debug builds.

2.6 Google Account Information (Optional — Drive Export Only)

If you choose to export a summary to Google Drive, we receive your Google account name and email address via Google Sign-In, used solely to authenticate the export. This information is not stored on our servers.

2.7 IP Address and Server Logs

Our API server (hosted in Germany with Hetzner) logs inbound requests. Server logs may include your IP address, request timestamp, HTTP response code, and the device identifier sent with the request. Logs are retained for a maximum of 30 days and used exclusively for security monitoring and debugging.

3. How We Use Your Information

Data	Purpose
Instagram content URL	Fetching and summarizing the content you shared
Device identifier	Rate-limiting; fraud prevention; idempotency
FCM push token	Delivering your summary notification when processing completes
Crash / error reports	Diagnosing and fixing app bugs
Google account info	Authenticating Google Drive export (optional feature)
Server logs / IP address	Security monitoring; abuse prevention

4. Third-Party Services

Clera relies on the following third-party services, each subject to their own privacy policy:

Google Gemini API — processes content for AI summarization. Transcripts and frame descriptions are sent to Google's servers. ai.google.dev/terms
Firebase Cloud Messaging (Google) — delivers push notifications to your device. firebase.google.com/support/privacy
Firebase Crashlytics (Google) — receives crash diagnostics. firebase.google.com/support/privacy
Sentry — receives error and performance diagnostics. sentry.io/privacy
Langfuse — receives anonymized LLM prompt and response data (no personal information or content URLs) for AI quality monitoring. Self-hosted on our Hetzner server; data does not leave our infrastructure.
Google Sign-In / Google Drive — used only if you enable the optional Drive export. policies.google.com/privacy
Hetzner — our API gateway is hosted in Germany (EU). hetzner.com/legal/privacy-policy

We do not sell or share your data with advertisers or data brokers.

5. Data Storage and Retention

Instagram content URLs are held in our processing queue for a maximum of 5 minutes, then discarded.
Video, audio, and image data fetched during processing exists only in server memory and is discarded immediately after the summary is generated.
Summaries are stored locally on your device and remain under your control. You can delete them at any time from within the app.
The anonymous device identifier persists in your device's secure storage until you uninstall the app or clear app data.
FCM push tokens are stored transiently alongside processing jobs and discarded on job completion or expiry.
Server logs (IP address + request metadata) are retained for a maximum of 30 days, then automatically deleted.
Crash reports are retained by Firebase Crashlytics for 90 days per Google's policy, and by Sentry per their retention policy.

6. Data Security

All communication between the app and our server is encrypted with HTTPS/TLS.
API requests from the main app are authenticated with HMAC-SHA256 request signing; replay attacks are prevented with a 5-minute nonce window.
The local database on your device is stored in app-private storage, inaccessible to other apps.
Sensitive values are stored in platform secure storage (Android Keystore / iOS Keychain).

No security measure is 100% effective. If you believe your data has been compromised, please contact us immediately at the address below.

7. Children's Privacy

Clera is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

8. Your Rights

Depending on your location, you may have the right to:

Access — request a copy of the data we hold about you.
Deletion — request that we delete your data. On-device data can be deleted directly in the app; for server-side records (device registration, server logs), email us.
Portability — request your data in a machine-readable format.
Objection — object to certain types of processing.

To exercise any of these rights, contact us at privacy@clera.me. We will respond within 30 days.

9. International Data Transfers

Our API server is located in Germany (EU). If you are located outside the EU, the content URL you submit and the resulting AI processing may involve transfer of data to our server in Germany. By using the app, you consent to this transfer.

Crash reports and Gemini API data are processed by Google on servers that may be located outside your country. Google's data transfer mechanisms comply with applicable law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify you via an in-app notice for material changes. Continued use of the app after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights:

Clera

Email: privacy@clera.me

Website: clera.me