GDPR Compliance Assessment
Self-Assessment · March 2026

This report presents the results of Clairify's self-assessment against the six core requirements of the General Data Protection Regulation (GDPR). The assessment reflects Clairify's compliance posture as of March 2026. Clairify operates as a data controller for individual users and processes personal data including email content via AI Large Language Models.
Executive Summary
| # | Area | Status | Summary |
|---|---|---|---|
| 1 | Privacy Policy | Medium | Cookie Notice blank; right to object not explicit |
| 2 | Data Processing Agreement (DPA) | N/A | Not applicable — no B2B processor relationships |
| 3 | Records of Processing Activities (RoPA) | Pass | Approved March 2026; 5 processing activities documented |
| 4 | Data Subject Rights (DSR) Process | Pass | Rights articulated; DSAR process in place |
| 5 | Lawful Basis for Processing | Medium | LIA approved; opt-out operationalization pending engineering |
| 6 | Data Protection Impact Assessment (DPIA) | Pass | Approved March 2026; covers AI email ingestion |
Risk Classification
- Pass: Requirement met; no action required.
- Medium: Partial compliance; remediation required but not immediately critical.
- Direct regulatory exposure; immediate remediation required.
- N/A: Not applicable to Clairify's current operating model.
Assessment Details
Remediation Roadmap
| Item | Priority | Owner | Action |
|---|---|---|---|
| Complete Cookie Notice in Privacy Policy | High | Legal / Product | Update Termly policy with cookie inventory, purpose, duration, and opt-out |
| Hash retained email + enforce 12-month expiry | Medium | Engineering | Store SHA-256 hash on deletion; purge after 12 months |
| Add explicit right to object to marketing in Privacy Policy | Medium | Legal | Add standalone Article 21(2) statement to rights section |
| Add Article 22 automated decision-making disclosure | Medium | Legal | Add dedicated AI processing disclosure to Privacy Policy |
| Tighten sensitive data basis in Privacy Policy | Medium | Legal | Update to reflect Contract basis as documented in DPIA |
| Reference LIA in Privacy Policy | Medium | Legal | Add reference to LIA availability on request |
| Marketing opt-out toggle in account settings | Medium | Engineering | Implement opt-out toggle; add unsubscribe to all marketing emails |
| Post-deletion marketing opt-in | Medium | Engineering | Present explicit opt-in at account deletion flow |
| Reconcile CCPA table Category C | Low | Legal | Confirm whether gender/age/race data is collected; update table accordingly |
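The "Hash retained email + enforce 12-month expiry" item above is the one roadmap action that is an engineering control rather than a policy edit. The following is an added illustration of how that control can be implemented; it is not Clairify's code and the page does not describe the actual implementation. The page specifies a SHA-256 hash; this example uses HMAC-SHA-256 with a secret pepper instead, which is an assumption beyond the page's wording: an email address has too little entropy for a bare SHA-256 to resist recovery by hashing guessed addresses, so keying the hash is the safer reading of "store a hash". The record shape, the `PEPPER` value, the `ASSESSMENT_DATE` sample and the suppression-style lookup are all constructed for the example; the page does not say what the retained hash is used for.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, deployment-specific secret for this example only. In production
# it would live in a secrets manager, never in the same store as the hashes.
# Assumption: a keyed hash is used rather than an unkeyed SHA-256 of the address.
PEPPER = b"example-pepper-do-not-use"

# The roadmap's 12-month expiry for retained hashes.
RETENTION = timedelta(days=365)

# Constructed reference timestamp (the assessment month) used by the demo.
ASSESSMENT_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)


@dataclass
class RetainedRecord:
    """What remains of an account after deletion: a hash, not the address."""
    email_hash: str       # hex HMAC-SHA-256 over the normalised address
    deleted_at: datetime  # UTC timestamp of the deletion request


def hash_email(email: str, pepper: bytes = PEPPER) -> str:
    """Pseudonymise an email address with HMAC-SHA-256.

    The address is normalised (trimmed, lower-cased) so one address always
    yields one hash. The pepper stops someone who obtains the hash table from
    recovering addresses by hashing candidate strings.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(pepper, normalized, hashlib.sha256).hexdigest()


def on_account_deletion(email: str, now: datetime) -> RetainedRecord:
    """Replace the stored address with its hash at the moment of deletion.

    Only the hash and the deletion timestamp are kept; the timestamp is what
    makes the 12-month purge enforceable later.
    """
    return RetainedRecord(email_hash=hash_email(email), deleted_at=now)


def purge_expired(records: list[RetainedRecord], now: datetime) -> list[RetainedRecord]:
    """Return only the records still inside their 12-month retention window."""
    return [r for r in records if now - r.deleted_at < RETENTION]


def is_previously_deleted(email: str, records: list[RetainedRecord]) -> bool:
    """Check an address against retained hashes without storing the address.

    Assumed use (not stated on the page): recognising a previously deleted
    account without keeping its email in clear. Constant-time comparison
    avoids leaking which stored hash partially matched.
    """
    candidate = hash_email(email)
    return any(hmac.compare_digest(candidate, r.email_hash) for r in records)


if __name__ == "__main__":
    # Constructed walk-through: delete one account, then run the purge twice.
    store = [on_account_deletion("Alice@Example.com", ASSESSMENT_DATE)]
    print("retained hash:", store[0].email_hash[:16] + "...")
    print("known after 6 months:", is_previously_deleted("alice@example.com", store))
    store = purge_expired(store, ASSESSMENT_DATE + RETENTION / 2)
    print("records after 6 months:", len(store))
    store = purge_expired(store, ASSESSMENT_DATE + RETENTION)
    print("records after 12 months:", len(store))
```

The purge is a scheduled job, so the check a practitioner would add to the remediation ticket is that `purge_expired` actually runs on a schedule and that its result is written back; a retention rule that exists only in code is not the control the roadmap describes.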
This self-assessment was reviewed and approved by the designated Data Protection Officer. The findings and remediation items have been logged in the compliance backlog and are being actively tracked.