Legal

Privacy Policy

Version 0.1 (draft) · Remi Moët-Buonaparte. Privacy is a right — built in, not bolted on. The right to be forgotten is part of that right.

Draft — not legal advice. This describes CLAVA's privacy practices in plain language, authored to be reviewed with legal counsel before it is relied upon.

The short version: we observe artifacts, never the people who use the systems we build. CLAVA collects data only when it is needed, explains why it is needed, and keeps the purpose bounded. If we do not need data, we should not collect it; if we no longer need it, we should delete it. CLAVA never processes applicant, learner, or student records, never sells or rents data to anyone, and builds the front door to be as private as it is accessible.

1. What this covers

This policy covers the public CLAVA website and the gated CLAVA workspace. It does not govern a client institution's own admissions platform or website — those are the client's, under the client's own privacy notice. CLAVA acts as a service provider / processor to the client under a written agreement.

2. What we collect — and what we deliberately don't

Our rule is data with a reason. If a field or artifact does not help us reply, deliver scoped work, protect a person, or maintain a trustworthy system, we should not collect it. When we do collect something, we explain the purpose in plain language and keep it tied to that purpose.

3. No surveillance of persons

Our releases carry integrity / version signals that identify the artifact (which authorized release a file is, and whether it's intact) — never the people who use or operate it. Any such signal carries no personal or behavioral data.

4. How we use it; who we share with

We use what we collect only to provide and improve the service and to communicate with you. We do not sell, rent, or trade personal data. We share data only with the infrastructure providers that host the service (e.g., our website host and access gateway), under their own terms, and only as needed to run it — plus where required by law.

5. Where it lives, retention, and deletion

Data is hosted with reputable cloud infrastructure. We keep it only as long as needed for the purpose it was collected or as a written agreement or law requires, then delete it. Client work is returned or destroyed on request at the end of an engagement. The right to be forgotten is an operating commitment: deletion should be easy to request, narrow exceptions should be explained, and retained records should have a reason.

6. Your choices and the right to be forgotten

You may ask what we hold about you, request a copy, correction, or deletion, or ask us to stop emailing you — write to [email protected]. We honor applicable privacy rights (e.g., access, correction, deletion) regardless of where you are. If a legal, security, or written client obligation requires us to keep a limited record, we will explain the reason and keep only what is necessary.

7. Children & equity

The public site is not directed at children. Because the systems we build are often a learner's first contact with an institution or program, we hold privacy to the same standard as accessibility: a right, designed in from the first pixel, never traded for convenience.

8. Changes & contact

We may update this policy; material changes will be posted here with a new version date. Questions or requests: [email protected].