Legal

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how Clan AI (we, us, our) collects, uses, discloses, and protects personal data across our products, including:

  • Auto Reply — our AI-powered WhatsApp customer-support service available at autoreply.clanai.sg;
  • Auto Book — our AI-powered accounts-payable automation service that processes invoices from connected email inboxes and syncs them to your accounting software.

Each of the above is referred to in this Policy as a Service, and collectively as the Services. This Policy is issued in accordance with the Singapore Personal Data Protection Act 2012 (PDPA) and other applicable data-protection laws. By using a Service, you consent to the collection, use, and disclosure of your personal data as described here.

1. Data Protection Notice for Customers

This notice applies to any individual who accesses or uses any Clan AI Service, whether as a registered user (a Customer) or as a recipient of communications sent through the Services. By using the Services you acknowledge that you have read and understood this Privacy Policy.

2. Personal Data We Collect

Personal Data means data, whether true or not, about an identifiable individual. The categories we may collect include:

  • Account information: name, email address, profile photo, and authentication credentials (handled by our identity provider).
  • Business information: company name, business address, industry, common services or vendor types, GST registration status, and other workspace context you choose to provide.
  • Conversation and message data (Auto Reply): content of WhatsApp conversations, contact phone numbers, contact display names, and any context the AI uses to reply.
  • Bill and invoice data (Auto Book): documents you upload or that arrive via connected email accounts, including vendor names, invoice numbers, line items, amounts, dates, payment terms, and any text or metadata extracted from those documents.
  • Email integration data (Auto Book): OAuth tokens for Gmail or Microsoft Outlook (encrypted at rest), email metadata (sender, subject, received date), and the contents of messages that contain invoice attachments processed by the Service.
  • Calendar integration data (Auto Reply): OAuth tokens for Google Calendar (encrypted at rest), the list of calendars on your account, and the start/end times of events on the calendar you select for appointment sync.
  • Accounting integration data (Auto Book): OAuth tokens for accounting platforms such as Xero (encrypted at rest) and chart-of-accounts data synced from your accounting system.
  • AI configuration: the AI provider, model, and (where applicable) API key you configure for your workspace. API keys are encrypted at rest.
  • Usage and technical data: log data, IP addresses, browser type, device identifiers, and timestamps generated when you interact with the Services.

3. How We Collect and Use Personal Data

We collect Personal Data either when you provide it voluntarily (with notification and your consent) or where permitted under applicable laws. We use Personal Data to:

  • Provide, operate, and maintain the Services;
  • Verify your identity and manage your account;
  • Generate AI responses to your customers, extract structured data from invoices, schedule and update appointments, and other Service-specific functions you have configured;
  • Handle queries, requests, complaints, and support tickets;
  • Process payments, invoices, and refunds;
  • Send service notifications, security alerts, and (where you have consented) promotional materials;
  • Comply with legal, regulatory, audit, and risk-management obligations;
  • Disclose data to third-party service providers (such as cloud hosting, payment processors, AI inference providers, and analytics providers) strictly to the extent required to provide the Services.

4. AI Processing Across the Services

Each Service uses third-party AI providers (such as Anthropic, OpenAI, or Google) to perform its core function — generating replies to WhatsApp messages (Auto Reply) or extracting structured data from invoices (Auto Book). Where applicable, the AI provider, model, and API key are configured by you within your workspace settings.

We do not use your conversation data, email content, invoice content, calendar data, or other workspace data to develop, improve, or train generalized machine-learning (ML) or artificial-intelligence (AI) models for Clan AI or any third party. Data is sent to the configured AI provider only for the purpose of processing the specific message, document, or event in front of the user, and is subject to that provider's own data-handling policies, which we encourage you to review.

5. Google Gmail API Data Usage

When you connect a Gmail account to Auto Book, the Service accesses your Gmail data via the Gmail API to identify and process invoice attachments. Clan AI's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

  • Email metadata (sender, subject, received timestamp) for messages received in your connected Gmail account;
  • Attachment files (PDFs and images) on those messages, for processing through our invoice-extraction pipeline;
  • Push-notification updates via Google Cloud Pub/Sub when new messages arrive in your inbox.

How we use Gmail API data

  • To detect new messages with invoice attachments and download those attachments;
  • To extract structured invoice data using the AI provider you configure, with the attachment and minimal email context as input;
  • To present extracted data to you in your Auto Book workspace for review and approval.

Limited Use commitments

In compliance with the Google API Services User Data Policy and its Limited Use requirements, Clan AI does NOT:

  • Use Gmail API data to develop, improve, or train generalized ML or AI models, whether for Clan AI or any third party;
  • Transfer Gmail API data to third-party AI/ML tools or any other parties for the purpose of developing or improving generalized AI models;
  • Use Gmail API data for advertising, marketing, or profiling;
  • Sell Gmail API data to any third party;
  • Allow humans to read Gmail API data, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations such as troubleshooting;
  • Use Gmail API data beyond the functionalities required to provide the Service as described in this Privacy Policy.

Storage and retention

Email metadata and downloaded attachments are stored only within your Auto Book workspace database. OAuth tokens used to access the Gmail API on your behalf are encrypted at rest using AES-256-GCM. We retain Gmail-derived data only for as long as necessary to provide the Service, as described in our retention section below.

Revoking access

You may revoke Clan AI's access to your Gmail data at any time:

6. Google Calendar API Data Usage

When you connect a Google account to Auto Reply, the Service accesses your Google Calendar via the Calendar API to read your availability and to create, update, and delete appointment events on the calendar you select. Clan AI's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

What we access

  • The list of calendars on your Google account (calendar names and identifiers), so you can pick which calendar Auto Reply should sync appointments to;
  • The start and end times of events on the calendar you select, within the date range required to compute availability for appointment booking;
  • The events that Auto Reply itself creates, updates, or deletes on your behalf in response to bookings made by your customers.

How we use Calendar API data

  • To present a calendar selector after you connect Google so that you can choose which calendar Auto Reply should write to;
  • To check existing busy/free times before offering appointment slots to your customers, preventing double-booking;
  • To insert, update, or delete appointment events on your selected calendar at your direction or your customer's direction through the WhatsApp assistant.

Limited Use commitments

In compliance with the Google API Services User Data Policy and its Limited Use requirements, Clan AI does NOT:

  • Use Google Calendar API data to develop, improve, or train any ML or AI models, whether generalized or non-personalized;
  • Transfer Google Calendar API data to third-party AI/ML tools or any other parties for the purpose of developing or improving generalized AI models;
  • Use Google Calendar API data for advertising, marketing, or profiling;
  • Sell Google Calendar API data to any third party;
  • Allow humans to read Google Calendar API data, except (a) with your explicit consent, (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations such as troubleshooting;
  • Use Google Calendar API data beyond the functionalities required to provide the Service as described in this Privacy Policy.

Storage and retention

We do not maintain a long-term copy of your full calendar. We store only: the identifier of the calendar you selected, the identifiers of events that Auto Reply itself created, and short-lived caches of busy/free windows used for availability checks. OAuth tokens used to access the Calendar API on your behalf are encrypted at rest using AES-256-GCM.

Revoking access

You may revoke Clan AI's access to your Google Calendar at any time:

7. Withdrawing Your Consent

You may withdraw your consent for the collection, use, or disclosure of your Personal Data at any time by contacting our Data Protection Officer at support@clanai.sg. Processing a withdrawal request typically takes up to twenty-one (21) business days. Withdrawing consent may affect our ability to provide the Services to you, and we may need to suspend or terminate your account as a result.

8. Access to and Correction of Personal Data

You may request access to, or correction of, the Personal Data we hold about you by contacting our Data Protection Officer in writing. A reasonable fee may apply to access requests. We will respond to requests within seven (7) business days where possible, and will notify you if we require additional time (typically not more than thirty (30) days).

9. Protection of Personal Data

We implement administrative, physical, and technical safeguards to protect Personal Data, including authentication and access controls, encryption of credentials and sensitive fields at rest (AES-256-GCM), transport encryption (HTTPS/TLS), tenant-level data isolation, and audit logging. While we take these measures seriously, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

10. Accuracy of Personal Data

We rely on the Personal Data you provide to be accurate, complete, and up to date. Please notify us promptly of any changes by updating your account details or by contacting our Data Protection Officer.

11. Retention of Personal Data

We retain Personal Data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. When data is no longer required, we will take reasonable steps to delete or anonymize it.

12. Transfers of Personal Data Outside Singapore

Personal Data is generally stored within Singapore. Where we engage third-party service providers located outside Singapore (for example for cloud hosting or AI inference), we will obtain your consent where required and ensure that such transfers are subject to protection standards comparable to those required under the PDPA.

13. Data Protection Officer

Our Data Protection Officer is the primary point of contact for inquiries, feedback, or formal requests regarding this Privacy Policy or your Personal Data. You may contact the Data Protection Officer at support@clanai.sg.

14. Effect of Notice and Changes to Notice

This Privacy Policy applies in conjunction with any other notices, contractual clauses, and consent provisions that govern your use of the Services. We may revise this Privacy Policy from time to time without prior notice; the latest version will always be available on this page. Your continued use of the Services after changes become effective constitutes your acceptance of the revised policy.