Privacy Policy - Data Protection

1. Data Controller

The data controller responsible for processing your personal data is:

ECL Sweden AB
STORGATAN 41C
931 31 SKELLEFTEÅ, Sweden
Registration Number: 559546-5831
VAT Number: SE559546583101
Email: privacy@eclean.gg

ECL Sweden AB is the primary data controller for personal data collected through our Services. eclean is also operated by ECLEAN LIMITED (Company Number: 14953607, registered at Suite 3194 Unit 3a, 34-35 Hatton Garden, London, EC1N 8DX, United Kingdom).

ECL Sweden AB and ECLEAN LIMITED are two independent companies, each held by the eclean co-founders. They are not subsidiaries of each other. Depending on your location, either entity may act as the trading entity and data controller for your use of the Services (for example, UK residents may trade with ECLEAN LIMITED). The companies reserve the right to transfer data controllership, intellectual property, and operational responsibilities between the two entities as the business evolves.

2. Our commitment to privacy

We built eclean because we were tired of PC tools that spy on their users. Privacy is not a feature we bolt on — it's a core reason this product exists.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the eclean desktop application, our website (eclean.gg), our Discord community bot, and related services (collectively, the "Services").

We process your personal data in accordance with the General Data Protection Regulation (GDPR), the Swedish Data Protection Act (Dataskyddslagen), the UK GDPR, the UK Data Protection Act 2018, and other applicable privacy laws. Where this policy says "we" or "eclean," we mean ECL Sweden AB and ECLEAN LIMITED, individually or together as the context requires.

3. Categories of Personal Data We Collect

We collect different data depending on which parts of our Services you use. Here's exactly what we collect and where.

3.1 Data you provide directly

Account Information: Email address, username, password (hashed — we never store plaintext passwords), and profile preferences
Payment Information: Billing details and payment method (processed entirely by Stripe — we never see or store your full card number)
Communications: Support tickets, live chat messages, feedback submissions, and survey responses
Newsletter Preferences: Email address and subscription choices (Product Updates, Promotions, Newsletter)

3.2 Desktop application data

The eclean desktop app is where most of our product runs. Here's what it collects:

Always collected (required for the app to function):

System Information: Operating system version, Windows build number, CPU model, RAM amount, primary GPU name, display resolution, monitor count, system language, and timezone. This is used to ensure optimizations are compatible with your hardware.
Device Identifier: A hardware-based identifier generated from your machine. This identifies your device for license validation and is not linked to your identity unless you sign in. If the hardware ID is unavailable, a random UUID is stored locally instead.
Local Scan Data: When you use the Cleaner, Optimizer, Uninstaller, or Booster features, the app reads system state (temp files, registry values, installed applications, startup items) to show you what can be cleaned or changed. This data stays on your device and is never sent to our servers. We do not access, scan, or read your personal files, documents, photos, or browsing history.
Authentication Tokens: If you sign in, your session token and refresh token are stored locally, encrypted with Windows DPAPI (Data Protection API) — a system-level encryption tied to your Windows user account.
Settings and History: Your preferences, optimization history, and cleanup history are stored locally on your device in your app data folder (%APPDATA%/eclean/).

Collected only when you opt in (both disabled by default):

Telemetry (analytics_enabled): If you choose to enable analytics in the app's privacy settings, we collect usage events (features used, buttons clicked, navigation), performance metrics, and session data including the system information listed above. Telemetry events are batched locally and sent to our API. Each event includes your session ID, device ID, app version, and platform. This data helps us understand which features are used and how to improve the app.
Error Tracking (error_tracking_enabled): If you choose to enable error tracking, crash reports and performance traces are sent to Sentry (hosted in the EU). This includes stack traces, app version, and basic system context. No personal files or user content is included.

Discord Rich Presence (optional): If enabled, the app shares your current page (e.g., "Browsing Dashboard," "Using Optimizer") with Discord via their Rich Presence API. This is visible on your Discord profile. It can be turned off in settings.

3.3 Website Data

When you visit eclean.gg:

Cookieless Analytics (always active): We use self-hosted Umami analytics, which collects no cookies, no personal data, and no device fingerprints. It records only aggregated page views and referrers. This is GDPR-compliant by design and does not require consent.
Consent-Based Analytics (optional): With your consent, we may use Google Analytics 4, PostHog, and Microsoft Clarity for product analytics, session replays, and heatmaps. See our Cookie Policy for specifics on each provider and how to control them.
Consent-Based Marketing (optional): With your consent, marketing pixels from Meta, LinkedIn, TikTok, Twitter (X), and HubSpot may be activated for campaign measurement. These are never loaded without your explicit permission.
Error Tracking: Sentry (EU region) tracks website errors using session-based identifiers. No cookies are set.
Server Logs: IP address, browser type, access time, and referring URL. Retained for 30 days.

3.4 Discord Community Bot Data

Our Discord bot operates in the official eclean Discord server. It collects:

Discord User Information: Your Discord user ID, username, and guild membership. This is provided by Discord's API when you interact with the bot.
Community Features Data: Kudos given/received, points earned, and counting game participation. Stored in a local database on the bot's server.
Account Linking: If you use the /link command to connect your Discord account to your eclean account, we store the association between your Discord ID and your eclean user ID.
Moderation Analysis: Messages in the Discord server may be analyzed by an AI moderation system to detect harmful content such as violence, hate speech, or exploitation. The first 100 characters of flagged messages are logged for moderation review. This processing is for community safety only — we do not use this data for any commercial purpose, and it is not used to train AI models.
Sentiment Sampling: A sample of messages (approximately 1 in 3) may be analyzed for community health metrics (overall sentiment, engagement patterns). Only the first 100 characters and an anonymized emotional classification are stored. No full message content is retained.
Community Analytics: Aggregated event data (joins, leaves, command usage, moderation actions) is stored for community health dashboards.

3.5 Data from third-parties

OAuth Providers: If you sign in with Google or Discord, we receive your email address, username, and profile picture from the provider. We also store a provider-specific access token and refresh token to maintain the connection.
Payment Processor: Stripe sends us transaction status, payment confirmation, and basic billing information. We store your Stripe customer ID to manage your subscription.

4. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

Purpose	Legal Basis
Providing and maintaining the Services	Contract performance (Art. 6(1)(b))
Processing payments and billing	Contract performance (Art. 6(1)(b))
Customer support and communications	Contract performance / Legitimate interest (Art. 6(1)(b)/(f))
Security, fraud prevention, and abuse detection	Legitimate interest (Art. 6(1)(f))
Error tracking and crash reporting (when enabled)	Consent (Art. 6(1)(a))
Desktop app telemetry (when enabled)	Consent (Art. 6(1)(a))
Website analytics (cookieless/Umami)	Legitimate interest (Art. 6(1)(f))
Website analytics (cookie-based, e.g., GA4, PostHog)	Consent (Art. 6(1)(a))
Marketing cookies and campaign tracking	Consent (Art. 6(1)(a))
Marketing communications (newsletters)	Consent (Art. 6(1)(a))
Discord community moderation	Legitimate interest (Art. 6(1)(f))
Legal compliance (tax records, court orders)	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may request details of these assessments by contacting us.

5. How we use your data

We use your personal data to:

Create and manage your account
Provide, operate, and maintain our Services
Validate your license and subscription status
Process transactions and send billing-related communications
Respond to your inquiries and provide customer support
Send service announcements, security alerts, and administrative messages
Send marketing communications (only with your consent)
Improve our Services based on aggregated usage patterns (only from users who opt in to telemetry)
Detect, prevent, and address technical issues and security threats
Maintain community safety in our Discord server
Comply with legal obligations and enforce our terms

6. What we don't do

We want to be clear about things we will never do:

We don't sell your personal data to anyone, ever. We make money from subscriptions, not your data.
We don't share your data with advertisers for targeted advertising. Marketing cookies on our website are consent-only and don't use your eclean account data.
We don't access your personal files. The desktop app reads system state (temp files, registry, installed programs) to do its job. It does not open, read, or scan your documents, photos, browsing history, or any personal content.
We don't use your data to train AI models. Our Discord bot uses third-party AI for real-time moderation, but your data is processed only for that purpose and is not used as training data by us or Groq.
We don't make automated decisions that significantly affect you. Any account suspension or similar action is reviewed by a human.
We don't collect telemetry by default. Both analytics and error tracking in the desktop app are disabled unless you explicitly turn them on.

7. Third-party Services and Subprocessors

We use the following third-party services. Each is bound by a Data Processing Agreement (DPA) or equivalent contractual protections:

Infrastructure and Security

Cloudflare (USA/EU): CDN, DDoS protection, WAF, DNS, and Turnstile bot verification. Privacy Policy

Analytics and Monitoring

Umami (Self-hosted, EU): Cookieless, privacy-first web analytics. No personal data is collected.
Microsoft Clarity (USA): Session replay and heatmaps for UX improvement. Consent-required. Privacy Statement
Sentry (EU region): Error tracking and crash reporting for both website and desktop app. Privacy Policy
Google Analytics 4 / GTM (USA): Website analytics. Consent-required. Privacy Policy
PostHog (EU region): Product analytics. Consent-required. Privacy Policy

Payments

Stripe (USA/EU): Payment processing. We never store your full card details. Privacy Policy

Authentication

Google OAuth: Optional social login. Privacy Policy
Discord OAuth: Optional social login. Privacy Policy

Customer Support

Crisp: Live chat support widget on the website. A session cookie is set only when you open the chat. Privacy Policy

Email Communications

AWS SES (EU region): Primary transactional email delivery. Privacy Policy
Resend (EU region): Fallback transactional email delivery. Privacy Policy
Listmonk (Self-hosted, EU): Newsletter and email list management. Self-hosted on our infrastructure.

AI Processing

Groq (USA): AI-powered content moderation and sentiment analysis for Discord community safety. Processes message fragments only—no full conversations or personal data. Privacy Policy

Marketing (consent-required only)

Meta (Facebook) Pixel: Conversion tracking. Privacy Policy
LinkedIn: Advertising analytics. Privacy Policy
HubSpot: CRM and marketing automation. Privacy Policy
TikTok: Conversion tracking. Privacy Policy
Twitter (X): Conversion tracking. Privacy Policy

8. International Data Transfers

Most of our infrastructure is hosted in the EU. When we transfer personal data to countries outside the European Economic Area (EEA), we use the following safeguards:

UK Adequacy: The UK has an adequacy decision from the European Commission, meaning data shared between ECL Sweden AB and ECLEAN LIMITED does not require additional transfer safeguards
EU-US Data Privacy Framework: For US-based providers certified under the DPF (e.g., Cloudflare, Stripe, Google, Microsoft, Groq)
Standard Contractual Clauses (SCCs): EU-approved contractual terms for providers not covered by the DPF
EU region deployment: We configure services to process data in EU data centers wherever possible

9. Data storage and retention

Where your data lives

Account data, sessions, orders, and audit logs: PostgreSQL database (EU)
Telemetry events and analytics: ClickHouse database (EU)
Cache and rate limiting: Redis (EU)
User avatars: S3-compatible object storage (EU)
Desktop app local data: On your device, in %APPDATA%/eclean/ (encrypted auth tokens via Windows DPAPI)
Discord bot local data: SQLite database (EU)
Discord community analytics: ClickHouse database (EU)

Retention Periods

Data Category	Retention Period
Account data	Until account deletion + 30 days
Transaction and billing records	7 years (Swedish accounting law, Bokföringslagen)
Support communications	3 years after ticket closure
Desktop app telemetry	26 months (aggregated thereafter)
Website analytics data	26 months (aggregated thereafter)
Discord community analytics	26 months
Error logs and crash reports	90 days
Marketing consent records	Duration of consent + 3 years
Server access logs	30 days
Desktop app local data	Until you uninstall or delete it

10. Your rights

Under GDPR and Swedish data protection law, you have the following rights:

Right of Access (Art. 15): Request a copy of your personal data and information about how we process it
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
Right to Restriction (Art. 18): Request that we limit the processing of your personal data in certain circumstances
Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing
Right to Lodge a Complaint: File a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority

To exercise these rights, email privacy@eclean.gg. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Additional rights by Jurisdiction

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights:

Right to know what personal information is collected, used, shared, and sold
Right to delete personal information held by us and our service providers
Right to opt-out of the sale or sharing of personal information (we do not sell your data)
Right to non-discrimination for exercising your privacy rights

UK Residents

The UK GDPR provides equivalent rights to EU GDPR. UK residents may trade with and be served by ECLEAN LIMITED, and may contact us through that entity. The relevant supervisory authority is:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
United Kingdom
Website: ico.org.uk
Telephone: 0303 123 1113

12. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. For detailed information about each cookie, how consent works, and how to manage your preferences, see our Cookie Policy.

13. Security Measures

We implement technical and organizational measures to protect your personal data:

Encryption in transit (TLS) and at rest
Passwords hashed with bcrypt
Authentication tokens encrypted at rest with Windows DPAPI on the desktop app
Access controls and role-based permissions
Audit logging of administrative actions
Incident response procedures

We're a small team and we take security seriously, but no system is perfect. In the event of a personal data breach that poses a risk to your rights, we will notify the Swedish Authority for Privacy Protection (IMY) within 72 hours and inform affected individuals without undue delay.

14. Children's Privacy

Our Services are not directed to children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we discover that we have collected personal data from a child under 16 without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us immediately.

15. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our Discord moderation AI flags content for human review—it does not take action autonomously on user accounts.

16. Supervisory Authority

If you have concerns about our processing of your personal data, you have the right to lodge a complaint with your local data protection authority. For Sweden:

Swedish Authority for Privacy Protection (IMY)
Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se

17. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will update the "Last updated" date and, for material changes, notify you by email or prominent notice on our website. Your continued use of the Services after changes take effect indicates acceptance of the updated policy.

18. Contact us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: privacy@eclean.gg
Company: ECL Sweden AB

We aim to respond to all requests within 30 days. If a request is complex, we'll let you know and keep you updated.