CleverControl Privacy Policy

We provide two kinds of information to help you understand our privacy practices. This structure is designed to make it clear when CleverControl acts as a controller vs. a processor:

• Website Privacy Notice (this document, Sections 2–10) — covers personal data collected on the Site (e.g., cookies/analytics, contact forms, support requests, marketing and sales communications).
• Product & Services Privacy Notice (Sections 11–15) — covers personal data processed by CleverControl software/agents and cloud services when used by our business customers.

Where we process personal data for our own purposes (e.g., Site analytics, sales/marketing) CleverControl is a controller.

• Customer - an organization or individual that holds an account with us to use our Services or has expressed interest in CleverControl or our Services (directly or via partners).
• Webs ite Visitor - a person visiting or using our Site or other websites that link to this Notice.
• End User - individuals authorized by a Customer to access or use the Services and/or whose device hosts a CleverControl agent (e.g., employees, consultants, contractors). End Users should consult the Customer’s privacy policy for how the Customer, as controller, processes their information.

When a business customer uses our services to monitor its workforce, the customer is the controller, and CleverControl acts as a processor under the customer’s instructions and our data processing standards.

Information you provide — contact details (name, work email, phone), company and role, content of messages, support requests, account/portal credentials, order numbers, billing details submitted via our checkout (processed by PCI-compliant payment providers), and preferences. We do not store full payment card data on our systems.

Information from your device — online identifiers such as IP address, cookie IDs, device/browser information, pages viewed, referring/exit pages, session duration, and interactions with forms or downloads.

Information from third parties — limited business contact/enrichment data from partners and providers (e.g., channel partners, analytics and ad platforms, CRM enrichment, payment and fulfillment partners) to help us fulfill requests and operate the Site.

We use Site data to:

1. operate the Site and provide requested information;

2. create and manage accounts, trials, and orders;

3. provide sales/marketing communications (including events, demos, and surveys);

4. provide customer support;

5. analyze and improve the Site and services;

6. detect, prevent, and investigate security incidents, abuse, and fraud;

7. comply with the law and exercise legal claims;

8. administer hiring processes.

Where applicable law (e.g., GDPR/UK GDPR) requires a legal basis, we rely on:

We use cookies and similar technologies to run the Site and measure performance. Non-essential cookies (e.g., analytics/advertising) in the EEA/UK only run with your consent via our cookie banner/consent management platform (CMP). You can change your preferences at any time using the “Cookie settings” link on the Site.

Global Privacy Control (GPC). Where required by applicable U.S. state law, we honor browser-level GPC signals as an opt-out of the sale/sharing of personal data or targeted advertising.

Your choices. You can set your browser to block cookies or alert you when cookies are set; some Site features may not function without essential cookies.

We do not sell your personal data. We disclose Site data to:

• Service providers acting on our behalf (hosting, analytics/measurement, security, CRM, communications, order and payment processing, customer support, professional advisors). These providers are bound by contract to protect your data and use it only for our instructions.
• Advertising/retargeting partners (for Site visitors who consent to such cookies) to deliver and measure our advertising and prevent ad fraud.
• Channel partners/resellers to respond to your requests for local purchasing and support.
• Corporate transactions (e.g., merger, acquisition) subject to appropriate safeguards.
• Legal compliance and safety where we believe disclosure is required or permitted by law (e.g., lawful requests from authorities, enforcing terms, protecting rights, safety, or security).

For EEA/UK personal data, where transfers to third countries lack an adequacy decision, we use appropriate safeguards (for example, the EU Standard Contractual Clauses and the UK IDTA/Addendum) and conduct transfer risk assessments.

We retain Site personal data for as long as necessary for the purposes above and as required by law. Typical periods include: marketing leads and analytics records up to 24 months from last interaction; support requests up to 24 months after closure; server security logs ~90 days; cookie data per tool’s documented lifetimes. Where we rely on consent, we retain records of consent and preferences as required by law.

Subject to applicable law, you may have the right to request access, correction, deletion, restriction, portability, or to object to certain processing. Where consent is the basis, you may withdraw it at any time (this does not affect processing prior to withdrawal). You may exercise rights by emailing privacy@clevercontrol.com. We may need to verify your identity and will respond within the timeframes required by law.

Depending on your state of residence and our thresholds, you may have rights under laws such as those of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, and others. These may include the right to know/access, delete, correct, portability, and to opt-out of sale, sharing, or targeted advertising. We do not use sensitive personal data for inferring characteristics.

• How to exercise rights: submit a request to privacy@clevercontrol.com. If we deny your request, you may appeal by replying to our decision email. If you remain unsatisfied, you may contact your state Attorney General.

• Authorized agents (CA/others): If you submit a request via an authorized agent, we may require proof of authorization (e.g., power of attorney or signed permission) and may ask you to verify your identity directly with us.

• Opt-out of sale/share/targeted ads: use our cookie preferences and, where supported, GPC signals.

• Verification & response time: We verify requests using reasonable methods and respond within 45 days (we may extend by an additional 45 days where permitted and will tell you why).

• We will not discriminate against you for exercising your rights.

Role of the parties. For personal data monitored about employees, contractors, or other users of devices/accounts monitored by our customers, the customer is the controller (or business) and CleverControl is the processor (or service provider).

Categories of data processed (as configured by the customer): user identifiers, device identifiers, timestamps, application and website activity, URLs and titles, productivity categorizations, keystroke metadata or content (if explicitly enabled), screenshots/screen recordings (if enabled), webcam and/or audio recordings (if explicitly enabled and lawful), voice/call recordings (if explicitly enabled and lawful), email/log data, IP and approximate location, and administrative logs. Exact categories depend on product tier and customer configuration. We may also process de-identified and/or aggregated data derived from Customer data for analytics, benchmarking, and service improvement. We will not attempt to re-identify de-identified data except as permitted by law and to assess de-identification effectiveness.

End User data and marketing. We do not sell End User data or use it for targeted advertising.

Prohibited uses. Our services must not be used for covert or unlawful surveillance, monitoring of personal devices without authorization, intimate-partner or domestic surveillance, or any use without the notices, consents, or legal authorizations required by applicable law. We may suspend or terminate access for suspected misuse.

Customer responsibilities. Customers are solely responsible for:

• providing legally required worker notices and obtaining consents where applicable (e.g., prior electronic-monitoring notices in certain U.S. states);

• configuring monitoring to be necessary and proportionate for legitimate business purposes;

• performing data protection impact assessments where required;

• honoring workers’ rights requests directed to them;

• setting and enforcing internal retention, access, and use policies.

Retention & deletion. Customer monitoring data is retained according to our agreement. Upon contract end or at the customer’s instruction, we delete personal data within agreed timelines. Deleted data cannot be restored.

Security. We implement appropriate technical and organizational measures, including encryption in transit and at rest; access controls and least-privilege; SSO/MFA options; audit logging; vulnerability management and penetration testing; secure development practices; and vendor security reviews. We notify customers without undue delay after becoming aware of a data breach affecting customer data.

Service providers (sub-processors). We use vetted service providers to deliver our services (infrastructure, storage, analytics, communications, support). We provide notice to customers of material changes to service providers.

International transfers. When we transfer customer personal data internationally, we do so under the safeguards described in Section 7.

Law enforcement and governmental requests. For customer data, we require a valid legal process and will redirect requests to the customer where feasible. We will notify the customer unless legally prohibited and will seek to narrow the scope of any request. We may publish high-level transparency statistics.

Employee/End-user inquiries. Individuals monitored by a customer should contact that customer (the controller/business) to exercise their privacy rights. Where we receive an inquiry directly, we will notify the relevant customer and assist.

Our Site and services are intended for business use by adults. We do not knowingly collect personal data from children under 13 (or under 16 in the EEA/UK) on the Site. Customers must not use our services to monitor minors’ personal devices without a lawful basis and required notices/consents.

The Site may link to third-party websites, apps, or services. Their privacy practices are governed by their own notices. We encourage you to review them before providing personal data.

We may update this Notice from time to time. We will post the updated version with a new effective date and, if changes materially affect how we use or disclose personal data, we will provide additional notice as required.

For privacy questions, requests, or complaints, contact privacy@clevercontrol.com or write to: CleverControl LLC, 2234 North Federal Hwy #2017, Boca Raton, FL 33431, USA. If you are in the EEA/UK and we are required to appoint a representative or Data Protection Officer, their contact details will be published here.

For privacy questions, requests, or complaints, contact privacy@clevercontrol.com or write to: CleverControl LLC, 2234 North Federal Hwy #2017, Boca Raton, FL 33431, USA. If you are in the EEA/UK and we are required to appoint a representative or Data Protection Officer, their contact details will be published here.