Privacy Policy (GDPR, CCPA/CPRA & Morocco Law 09-08 / CNDP)

Effective date: January 1, 2026
Last updated: February 15, 2026


This Privacy Policy explains how Claribrix (“Claribrix”, “Doclarity”, “we”, “us”) collects and uses personal data when you (i) visit our marketing website, (ii) create or use an account on the Doclarity.ai Service, or (iii) contact us.

1. Who we are

Controller: Claribrix Sarl (Morocco)
Registered address: Résidence Riad El Otor B, N·4, Bloc C, Avenue Annakhil, Hay Riad, Rabat
ICE : 003871549000033
RC : 195369
TP : 25502886
IF : 71812243
Privacy & Security contacts: Please use the form below to contact us.

2. Scope

This Privacy Policy applies to:

  • Marketing website visitors (including cookies/analytics),
  • Prospects and business contacts (forms, emails, meetings),
  • Service users (account/admin data, logs, support),
  • Customer Content processing when such content includes personal data (where we act as a Processor).

It does not apply to third-party websites you may reach via links.

3. Roles: when we are Controller vs Processor
3.1 Claribrix as Controller

We are the Controller for personal data we collect for:

  • website operations and analytics,
  • account creation and authentication,
  • billing and contractual administration,
  • support and security operations,
  • sales/marketing communications (B2B).
3.2 Claribrix as Processor (Customer Content)

When your organization uploads documents into Doclarity.ai, your organization controls the content and determines purposes/means. If Customer Content includes personal data, your organization is typically the Controller, and Claribrix acts as the Processor under the DPA (Data Processing Addendum) referenced in your contract. (GDPR processor framework: )

4. What data we collect
4.1 Data you provide
  • Contact data: name, work email, organization, job title, phone (optional), message content.
  • Account data: user identity fields (e.g., name/email), role/permissions, authentication and security settings.
  • Support data: tickets, attachments you send us, diagnostics you choose to share.
4.2 Data collected automatically (website and Service)
  • Device & usage data: IP address, device type, browser, approximate location (derived from IP), pages viewed, timestamps, referrer URLs, interactions.
  • Cookies and similar technologies on the marketing website (see Section 7).
  • Security logs: authentication events, audit logs (admin actions), anomaly indicators.
4.3 Customer Content (uploaded documents)

Documents and metadata you upload (Input) may contain personal data. We process this content only to provide the Service, under your instructions (via product usage and configuration).

 5. Why we use personal data

We use personal data to:

  • provide and operate the website and Service,
  • create and manage accounts, authentication, and access controls,
  • deliver OCR, indexing, retrieval, and citation-linked outputs on your Customer Content (Processor role),
  • provide support, troubleshooting, and customer communications,
  • secure the Service (monitoring, incident detection, abuse prevention),
  • manage contracts, invoices, and payments,
  • improve reliability and performance (using aggregated/de-identified telemetry that does not include Customer Content),
  • comply with legal obligations and enforce our Terms.
6. Legal bases (GDPR)

Where GDPR applies, we rely on:

  • Contract necessity (provide the Service, support, billing),
  • Legitimate interests (B2B relationship management, security, fraud prevention, service improvement),
  • Consent (where required, e.g., non-essential cookies/analytics on the marketing website),
  • Legal obligation (accounting, compliance, responding to lawful requests). (GDPR legal framework: )

You can withdraw consent at any time (for consent-based processing).

7. Cookies & Analytics (Marketing Website)
7.1 Google Analytics (marketing website only)

We use Google Analytics on our public marketing website to understand website usage and improve content. This typically involves cookies and collection of online identifiers and usage data.

7.2 Your choices (EU/EEA and similar regimes)
  • We implement a cookie/consent mechanism where required, because tracking technologies can require consent under the ePrivacy framework as interpreted by EU regulators.
  • You can manage preferences via our cookie banner/settings (where available) and via your browser settings.
7.3 Service (app/platform) analytics

The Doclarity.ai Service uses self-hosted monitoring/analytics components operated by Claribrix. We do not use Google Analytics inside the Service for Customer Content processing.

8. Data sharing & disclosure
8.1 Customer Content

We do not disclose Customer Content to third parties except:

  • at Customer direction,
  • as required by law (where permitted, we notify the Customer),
  • to investigate or prevent security incidents or misuse.
8.2 Website analytics

For the marketing website, Google Analytics involves Google as a recipient of certain website data (subject to your cookie choices).

8.3 Corporate events

If we undergo merger, acquisition, or asset sale, personal data may be transferred as part of that transaction, subject to confidentiality protections.

9. International data transfers
9.1 Service hosting location

Customer Content is hosted and processed in the EU/EEA as part of the Service.

9.2 Remote access from Morocco (GDPR-relevant scenario)

Claribrix is incorporated in Morocco. If GDPR applies and support/operations involve remote access to EU/EEA personal data from Morocco, this may constitute an international transfer. In that case, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) (typically via the DPA).

10. Data retention

We retain personal data only as long as necessary for the purposes described:

  • Account data: for the life of the account, plus a limited period for audit/security and legal compliance.
  • Support communications: as needed to resolve issues and maintain support history.
  • Website analytics: per our cookie/analytics configuration and retention settings.
  • Customer Content: per contract/DPA and deletion/export process; after termination, content is available for export for a defined period and then deleted from production systems; backups roll off on a schedule.
11. Security

We use technical and organizational measures designed to protect personal data, such as access controls, least privilege, audit logging, encrypted transport, and operational monitoring. No system is perfectly secure; if a security incident affects personal data, we follow the notification and response steps described in the DPA and applicable law.

12. Your rights
12.1 GDPR rights (where applicable)

You may have rights to:

  • access, rectification, erasure,
  • restriction, portability, objection,
  • withdraw consent,
  • lodge a complaint with a supervisory authority.
12.2 California rights (CCPA/CPRA) — where applicable

If you are a California resident and Claribrix is a “business” under CCPA/CPRA, you may have rights to:

  • know what personal information we collect, use, and disclose,
  • delete personal information (with exceptions),
  • correct inaccurate personal information,
  • opt out of the sale or sharing of personal information,
  • non-discrimination for exercising your rights.
    California also supports opt-out requests via an opt-out preference signal (e.g., Global Privacy Control / OOPS mechanisms) where applicable.

Do we sell or share personal information?

  • We do not sell personal information for money.
  • For the marketing website, the use of analytics cookies may be interpreted as “sharing” under CPRA in some configurations. We provide opt-out/consent controls via cookie settings where required.
12.3 How to exercise rights

Send your request to: [PRIVACY@…]
Include: your name, your organization, the email you used with us, and the specific right you want to exercise. We may verify your identity and authority (especially for organization-managed accounts). For CCPA, you may use an authorized agent where permitted.

13. Morocco Law 09-08 / CNDP (Local compliance framework)

Claribrix is established in Morocco. Where Moroccan law applies and personal data is processed:

  • CNDP provides formalities (declaration/authorization regimes) and guidance for controllers.
  • CNDP also provides a process for transfer abroad notifications/authorizations where applicable.
    For Customer Content, your organization (as Controller) is typically responsible for completing any required CNDP formalities related to your processing activities and international transfers, and we assist with relevant information where needed.
14. Children

The Service is intended for B2B use and not directed to children. We do not knowingly collect personal data from children via the Service.

15. Changes to this Privacy Policy

We may update this policy from time to time. We will post the updated version with a new “Last updated” date. Material changes may be communicated via the website or Service.

16. Contact

To contact us regarding :

  • Privacy requests and questions
  • Legal notice
  • Security

Please fill the following form

Privacy requests and questions - Contact us

Privacy & Data Request

    [acceptance* privacy-confirm] I confirm the information provided is accurate and I’m authorized to submit this request.

    By submitting, you agree we may contact you about this request.