CLAMETRA TECHNOLOGIES LIMITED

Privacy Policy

Clametra: Strategy Execution Software

Effective: 27 May 2026
Last updated: 27 May 2026

Introduction

Clametra is a business-to-business strategy execution platform that helps organisations manage performance through scorecards, KPIs, objectives, action plans, and strategic assessments. This policy explains how we collect, use, store, share, and protect personal data when you use our platform, whether you are an Administrator configuring the system, a Manager overseeing teams, or an Employee whose performance is being tracked.

We process personal data in compliance with the General Data Protection Regulation (GDPR) for users in the European Economic Area, the Protection of Personal Information Act (POPIA) for users in South Africa, the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA) for users in California, and other applicable data protection laws in the jurisdictions where our customers operate.

Who Is Responsible for Your Data

The organisation that subscribes to Clametra — your employer or client — is the Data Controller for employee personal data. They determine the purposes and means of processing. Clametra acts as the Data Processor on their behalf, processing data only according to our customers' instructions and this policy.

For privacy inquiries, contact your organisation's Administrator or reach us directly at [email protected].

What Personal Data We Collect

We collect personal data across four broad categories.

Account and identity data. This includes your full name, email address, job title, department and team assignment, role within the platform, and optionally a profile photo and phone number. Authentication credentials are managed securely through Supabase Auth.

Performance and work data. This covers KPI measurements, targets and thresholds, scorecard data, objectives, action plans, task assignments, evaluation results, and any commentary or notes entered by users or managers. This data is the core of what the platform exists to track.

Behavioural and audit data. Every significant action taken on the platform generates an audit log entry recording the actor, the resource affected, the outcome, and a timestamp. Login timestamps and IP addresses are captured for security monitoring. Notification delivery logs and email engagement metrics are also recorded.

Analytics and AI-generated data. Where AI features are enabled, Clametra uses Google Gemini to generate predictive insights, anomaly detection flags, and trend analysis. These outputs are derived from aggregated performance data, not individual profiling.

We do not collect government ID numbers, financial account information, biometric data, health data, or precise location data. IP-derived geolocation is used solely for security purposes.

How We Use Your Personal Data

We process personal data primarily to provide the service itself: authenticating users, displaying scorecards, calculating KPIs, generating reports, enforcing access control, maintaining audit trails, and sending alerts for overdue KPIs, deadlines, and system notifications. This processing is necessary to fulfil our contractual obligations to your organisation.

We also process data for secondary purposes where we have a legitimate interest. This includes aggregate usage analytics to improve the platform, security monitoring to detect anomalous login behaviour, and customer support to troubleshoot issues reported by your organisation's Administrator. In all these cases, we apply appropriate safeguards and do not use data for individual profiling.

Where AI features are active, Clametra uses Google Gemini to generate strategic recommendations, risk assessments, and performance summaries. Personal identifiers are pseudonymised before any AI processing takes place. Gemini does not retain data for model training. Organisations can disable AI features entirely through their Administrator settings.

Legal Basis for Processing

Under GDPR, we rely on contractual necessity for service provision and notifications, legitimate interest for security monitoring and AI analytics, and legal obligation for compliance-related processing. Under POPIA, the equivalent bases are legitimate interest, consent where identifiable personal data is involved in AI processing, and legal obligation for regulatory compliance.

How We Share Personal Data

Within your organisation, data is shared strictly according to role-based access control. Administrators have access to the full organisation's data. Managers can see their department subtree and team data. Branch Managers see their exact department and team data. Employees can only access their own data and department-level aggregates.

We share data with a limited set of sub-processors who are essential to delivering the service. Supabase provides database hosting, authentication, and storage on AWS infrastructure, with the region configurable by your organisation. Google Cloud provides the Gemini AI capabilities and receives only aggregated performance data. Our email delivery provider receives email addresses and notification content for the purpose of sending alerts. Vercel hosts the frontend application and receives no personal data. All sub-processors are bound by Data Processing Agreements that require GDPR- and POPIA-compliant handling.

We do not sell, rent, or trade personal data to third parties for marketing or advertising purposes under any circumstances.

Data Retention

Active user account data is retained for the duration of your organisation's subscription plus 90 days. Audit logs are retained for seven years to support legal and regulatory compliance. KPI measurements are kept for one year beyond the subscription period for historical analysis. Scorecard snapshots are retained for three years. Predictive analytics logs are kept for 90 days, email delivery logs for 30 days, and failed login records for 90 days. Deleted or anonymised accounts are retained indefinitely in anonymised form to preserve referential integrity in audit records.

We run automated jobs to purge data once retention periods expire. Soft-deleted user data is fully anonymised within 90 days of deletion.

Your Data Rights

Your rights depend on your jurisdiction, but we apply them broadly across all users where practical.

If you are in the EEA, GDPR gives you the right to access a copy of your personal data, correct inaccurate or incomplete information, request erasure, restrict how we process your data, receive your data in a machine-readable format, object to processing based on legitimate interests, and withdraw consent at any time.

If you are in South Africa, POPIA gives you the right to confirm whether we hold your data, request a copy, request corrections, request deletion, and object to processing for direct marketing purposes.

If you are in California, CCPA/CPRA gives you the right to know what data is collected and how it is used, request deletion, opt out of the sale of personal information (we do not sell), and exercise these rights without facing discrimination.

To exercise any of these rights, contact your organisation's Administrator or email [email protected] with your full name, email address, the right you wish to exercise, and any relevant details. We respond within 30 days.

Data Security

We protect your data through a layered set of technical and organisational controls. All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 through the AWS RDS defaults applied by Supabase. Authentication is managed through JWT-based session management, and every database table is protected by Row Level Security. Role-based access control enforces the principle of least privilege across all user types. Our Edge Functions apply JWT verification, CORS restrictions, and rate limiting. Parameterised queries, combined with input validation, prevent SQL injection.

On the organisational side, we conduct regular security reviews and penetration testing, require confidentiality agreements from all staff with data access, maintain an incident response plan with 72-hour breach notification capability, and run annual security training for all staff with access to personal data.

International Data Transfers

Clametra is hosted on Supabase, which uses AWS infrastructure. Your data is stored in the region selected by your organisation, with backup regions used for disaster recovery. For transfers outside the EEA, we rely on Standard Contractual Clauses under GDPR Article 46 and adequacy decisions where applicable. For cross-border transfers under POPIA, we comply with the conditions set out in Section 72. Your organisation's Administrator can view the selected data region in the platform settings.

Children's Privacy

Clametra is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has accessed or used our platform, contact us immediately at [email protected].

Cookies and Tracking

We use essential cookies for platform operation, covering authentication, security, and session management. Where your organisation enables analytics, we may use Vercel Analytics for performance metrics and Supabase Analytics for anonymised usage patterns. We do not use advertising cookies or any third-party tracking technologies. Non-essential cookies require consent through a cookie banner where required by your jurisdiction.

Data Breach Notification

In the event of a personal data breach, we notify your organisation's Administrator within 24 hours of discovery. We notify affected data subjects and relevant supervisory authorities within 72 hours, as required by GDPR Article 33 and POPIA Section 22. Breach notifications include the nature of the breach, the categories of data affected, the likely consequences, and the steps we have taken or plan to take to address it.

Changes to This Policy

We may update this policy when we introduce new features or data processing activities, when applicable law changes, or when our sub-processors change. We notify Administrators of material changes by email and through an in-app notification. The Last Updated date at the top of this document reflects the most recent revision.

Contact

For all privacy-related queries, reach us at [email protected]. We respond within 30 days.

If you are in the EEA, you have the right to lodge a complaint with your national Data Protection Authority. If you are in South Africa, you may contact the Information Regulator at [email protected].

Clametra
Lusaka, Zambia