Privacy Policy
Product Demo Notice
This is a product demonstration. Cluno is currently in demo mode. While we have implemented security measures to protect your data, please be aware that this is not a production service and data may be reset or modified during the demo period.
Data Protection & Encryption
Client-Side Encryption
All workspace data (text, images, connections, and other content) is encrypted before being sent to our servers. We use:
- AES-256-GCM encryption - Industry-standard authenticated encryption algorithm
- PBKDF2 key derivation - 100,000 iterations with SHA-256 hashing
- User-specific encryption keys - Each user's data is encrypted with a unique key derived from their user ID and a master encryption key
- Random salt and IV - Each encryption operation uses cryptographically secure random values
This means that even if someone gains access to our database, they cannot read your encrypted data without the encryption key. The encryption happens in your browser before data is transmitted.
AWS Storage Encryption
Data stored in AWS is protected with additional encryption layers:
- DynamoDB - Workspace data is stored encrypted in AWS DynamoDB. The data is already encrypted client-side before storage.
- S3 Image Storage - Images are stored in AWS S3 with ServerSideEncryption: AES256 (S3-managed encryption). Image metadata is also encrypted client-side before storage.
- Data Isolation - All data is isolated by user ID. Users can only access their own data through authenticated API endpoints.
Authentication & Session Security
We use NextAuth.js with Google OAuth for authentication:
- JWT-based sessions - Session tokens are stored as JWTs (JSON Web Tokens)
- HttpOnly cookies - In production, session cookies are marked as HttpOnly, preventing JavaScript access
- Secure cookies - In production, cookies are marked as Secure, requiring HTTPS
- SameSite: Lax - Cookies use SameSite=Lax to protect against CSRF attacks
- Session expiration - Sessions expire after 30-90 days depending on "remember me" preference
All API endpoints require valid authentication. Your user ID (from Google OAuth) is used to ensure you can only access your own data.
Cookie Management
We respect your privacy with a comprehensive cookie consent system:
- Necessary cookies only by default - Only essential cookies for authentication and site functionality are used without consent
- Optional cookies require consent - Analytics, functional, and marketing cookies are only used if you explicitly consent
- Consent stored locally - Your cookie preferences are stored in your browser's localStorage
- Consent expiration - Cookie consent expires after 365 days, requiring re-consent
You can manage your cookie preferences at any time through the cookie consent banner.
Analytics & Session Tracking
If you consent to analytics cookies, we collect:
- Page views and navigation paths
- User activity events (mouse clicks, keyboard input, scrolling)
- Session duration and timestamps
Important: Session logs are stored locally in your browser and only sent to our servers if you have given consent for analytics cookies. Without consent, no analytics data is collected or transmitted.
Data Access & Control
You have control over your data:
- User isolation - All database queries are scoped to your user ID. You cannot access other users' data.
- API authentication - Every API request requires a valid session token
- Data deletion - You can delete your workspaces, which removes data from both DynamoDB and S3
- Cookie preferences - You can change or revoke cookie consent at any time
Third-Party Services
We use the following third-party services:
- Google OAuth - For authentication. Google's privacy policy applies to authentication data.
- AWS (Amazon Web Services) - For data storage (DynamoDB and S3). AWS's security and compliance standards apply.
- AI Services - We may use third-party AI services (e.g., AWS Bedrock, Claude) to process your content. Data sent to these services is subject to their privacy policies.
Data Retention
As this is a product demo:
- Data may be retained for the duration of the demo period
- Data may be reset or deleted as part of demo maintenance
- We reserve the right to clear demo data at any time
Limitations & Disclaimer
This is a demonstration product. While we have implemented security measures including client-side encryption, AWS encryption, and secure authentication, this is not a production service. Please do not store sensitive or confidential information in this demo.
The encryption master key is stored as an environment variable. In a production environment, this would be stored in AWS Secrets Manager or a similar secure key management service.
Contact
If you have questions about this privacy policy or our data handling practices, please contact us through the application.