Security
Family data handling can go wrong in a lot of ways. Here is exactly how Clario protects yours.
Gmail access
Clario requests only Google's read-only Gmail scope (gmail.readonly). That scope lets us read your messages to extract family events; it does not let us send, delete, or modify any email.
Connecting Gmail uses Google's OAuth flow. You see exactly what you're granting before clicking allow. You can revoke access at any time from your Google Account or from Settings inside Clario.
OAuth tokens are encrypted at rest
Your Google access and refresh tokens are encrypted with AES-256-GCM before they are written to our database. The encryption key is held in our server environment, separate from the database, so a database breach alone would not expose your tokens: an attacker would also need the key from the server environment.
Tokens are decrypted only at the moment we make a Gmail API call on your behalf, and only on our server — never in your browser or on your phone.
What we store, what we don't
We don't store:
- Full email message bodies
- Email attachments
- Email content unrelated to family scheduling
We do store:
- Email subject lines
- Sender name and domain
- Short body snippets (typically under 500 characters) needed to identify dates and locations
- Parsed event metadata (title, date, time, location)
- A reference to the original Gmail message ID, so we don't re-parse it
- Your account info (email, display name, family members you've added)
- Encrypted OAuth tokens
We never store full email bodies, attachments, or any Gmail content beyond the fields listed above.
AI processing
Email snippets are sent to Anthropic Claude via Anthropic's API. Anthropic's commercial API terms state that API submissions are not used to train models and are not retained beyond the duration needed to return a response.
Database security
Clario's database is hosted on Supabase, which is SOC 2 Type II certified and uses AES-256 encryption at rest at the storage layer. Every table containing user data has row-level security (RLS) policies, so a signed-in account can only read or write rows belonging to its own family. We verify those policies with automated checks.
In transit
All traffic between your device, our servers, Supabase, Google, and Anthropic uses TLS 1.2 or higher.
Account deletion
You can delete your Clario account from Settings. On deletion:
- Your Google OAuth tokens are revoked through Google's revoke endpoint
- Encrypted tokens are deleted from our database
- Your account is marked for deletion immediately
- All family data, events, calendar imports, and scan logs are permanently deleted within 30 days
If you only want to disconnect Gmail without deleting your account, you can do that separately from Settings.
Data retention
Beyond what's tied to your account lifetime:
- Email scan logs are auto-deleted after 90 days
- Parsed event records are auto-deleted after 180 days unless still on your calendar
- Soft-deleted events are permanently deleted after 30 days
Vulnerability scanning
We run GitHub Dependabot weekly to flag vulnerabilities in dependencies, and npm audit on every deploy. Critical vulnerabilities are patched before deploy.
Reporting a vulnerability
If you find a security issue, please email security@clarioaiplanner.com with:
- A description of the issue
- Steps to reproduce
- Your contact info (we'll credit you in the fix if you'd like)
Please do not exploit the issue beyond what's necessary to confirm it. We'll respond within 72 hours and work with you on disclosure timing.
Incident response
In the event of a security incident affecting user data, we will notify affected users within 72 hours of discovery and provide details of what happened, what data was affected, and what we're doing about it.
Third-party services
For full transparency, here's every third party that touches your data:
- Google — OAuth and Gmail data source
- Supabase — Database, authentication, file storage
- Vercel — Application hosting
- Anthropic — AI parsing of email snippets
Each is contractually bound to use your data only for the purpose of providing services to Clario.