Data Handling Policy

This Data Handling Policy explains how BLCKS Software Ltd ("ClearTeam", "we", "us") collects, processes, stores, and protects data when your organisation runs AI diagnostics on our platform. It is written for legal, security, and procurement teams evaluating ClearTeam for EU and US operations.

ClearTeam is built for organisational process intelligence, not employee surveillance. We analyze work, not workers: aggregated patterns, bottlenecks, handoffs, and automation opportunities. We do not score individuals, infer emotions, or produce performance rankings.

GDPR-aligned by design

• Your organisation is the data controller for employee participant data. ClearTeam acts as your data processor under a Data Processing Agreement (DPA) available on request.
• We process personal data only on documented instructions from the workspace owner, for defined diagnostic purposes, with appropriate legal bases under GDPR Article 6.
• EU-hosted infrastructure is available: primary database and authentication run in EU (Frankfurt); AI processing can run in Microsoft Azure EU (Netherlands).
• Where US-based sub-processors are used, transfers are protected by Standard Contractual Clauses (SCCs) and supplementary measures.
• Data subjects can exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) via your organisation or directly at privacy@clearteam.org.

EU AI Act & workplace AI

ClearTeam is not designed as an emotion-recognition, biometric, or employee-monitoring system. Diagnostic outputs are aggregated and process-level, reducing risk under the EU AI Act framework for high-risk workplace applications. We do not make automated decisions about individuals based on diagnostic responses.

Works councils & employee trust

Diagnostics are framed as process improvement, not performance review. Participants receive clear purpose statements; managers receive aggregated reports by default, not individual scorecards. This supports lawful, proportionate use under EU labour and data-protection expectations.

CCPA / CPRA & state privacy laws

• We do not sell personal information. Diagnostic data is used solely to deliver the Service to your organisation.
• California residents (and employees whose data you upload) may request access, deletion, and correction through your organisation or via privacy@clearteam.org.
• We honour applicable US state privacy requirements (Virginia, Colorado, Connecticut, and others) through our global privacy programme and DPA terms.

Enterprise security expectations

• Encryption in transit (TLS 1.2+) and at rest for stored data.
• Role-based access control within workspaces; least-privilege admin model.
• Workspace isolation: one organisation's data is not accessible to another.
• Audit-friendly activity logging for administrative actions.
• EU & US data region options so US-headquartered companies can align hosting with internal policy and customer contracts.

No unlawful employee monitoring

ClearTeam must not be used for covert surveillance, union-busting, or individual discipline. Our Terms prohibit using the platform as a performance-ranking or emotion-scoring tool. US customers receive the same aggregation safeguards as EU customers.

Workspace & account data

• Administrator and team member names, work emails, organisation profile
• Billing metadata (payment cards handled by Stripe; we do not store full card numbers)
• Security logs: IP address, session metadata, authentication events

Diagnostic participant data

• Name, work email, department, role, and location (as provided by your organisation)
• Questionnaire and interview responses submitted during a diagnostic
• Session metadata: start time, completion time, duration

What we do not handle for surveillance

• Biometric, health, or special-category data (unless accidentally entered in free text and then protected)
• Individual performance scores, sentiment labels, or emotion classifications
• Continuous monitoring outside defined diagnostic sessions

Diagnostic insights are designed for leadership and operations teams as aggregated findings: themes, bottlenecks, process maps, and recommended actions. By default:

• Reports emphasise patterns across teams, not individual rankings.
• Raw participant transcripts are restricted to authorised administrators and not shared broadly.
• Synthesis pipelines cluster responses semantically before surfacing leadership-ready outputs.
• Small-group thresholds can suppress findings where aggregation would risk re-identification.

This model helps EU and US customers meet internal policies that prohibit individual employee scoring while still gaining operational intelligence.

• Encryption: All conversations and data are encrypted in transit and at rest.
• Cloud hosting: Production workloads run on enterprise cloud providers with regional controls. AI processing uses Microsoft Azure with EU-region deployment available.
• Access control: Multi-factor authentication support, workspace-scoped permissions, and separation between customer environments.
• Monitoring: Security logging and incident response procedures for unauthorised access attempts.
• Vendor management: Sub-processors are assessed for security and privacy posture; a current list is available on request.

• Participant responses are retained for the diagnostic project duration plus a configurable window (default: 12 months), unless your organisation sets a shorter period.
• Aggregated reports may be retained longer at your discretion for historical comparison.
• Deletion: Workspace owners may delete diagnostics and associated data; we support erasure requests under GDPR and CCPA.
• Export: Diagnostic outputs can be exported for your records and data-portability needs.

We use a limited set of sub-processors to operate the platform. Key categories include:

SCC = Standard Contractual Clauses. We notify customers of material sub-processor changes per our DPA.

• Execute a Data Processing Agreement (DPA) before processing employee data.
• Configure diagnostic scope, participant lists, and retention settings per project.
• Choose data region alignment where available for your contract requirements.
• Restrict admin access to authorised workspace members only.
• Review aggregated reports before wider distribution inside your company.
• Request a security questionnaire, sub-processor list, or architecture overview from our team.

For data handling questions, DPAs, security reviews, or regulatory requests:

See also our Privacy Policy and Terms of Service.