← Back to ClayBot
Terms Cookies

Privacy Policy

Last updated: February 25, 2026

1. Overview — The Short Version

whyhireclay.ai is a personal branding site for Clay Cash featuring ClayBot, an AI chatbot powered by Anthropic's Claude API. Here is the plain-English summary of how we handle your data:

  • We do not use tracking cookies, analytics scripts, or advertising of any kind.
  • When you chat with ClayBot, your questions are evaluated for substance. Substantive questions are stored anonymously in a database. Simple greetings and small talk are discarded immediately.
  • Your IP address is never stored in raw form. We only store a truncated, one-way SHA-256 hash for rate limiting and abuse prevention.
  • We use minimal browser storage (sessionStorage and localStorage) for functionality only — not for tracking.
  • We share data only with the services required to operate the site: Vercel (hosting), Anthropic (AI), Upstash (database and vector search), and Google Fonts (typography).
  • We will never sell, share, rent, or trade your data — including email addresses — to any third party. Period.
  • You can request deletion of your data at any time by emailing info@cdiscovery.io.

This policy explains our data practices in detail and covers your rights under US federal and state privacy laws (CCPA/CPRA, NY SHIELD Act, Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Minnesota CDPA), the GDPR (EU/EEA), UK GDPR, and the Australian Privacy Act 1988.

2. Data Controller

The data controller for information collected through this site is:

Clay Cash is the sole operator of this site and is responsible for deciding how and why personal data is processed. For GDPR purposes, Clay Cash acts as both data controller and, where applicable, data processor.

3. What We Collect

When you interact with ClayBot, each question you submit is evaluated in real time for substance and interest. The system classifies questions into two categories:

Questions That ARE Stored

Substantive, interesting, or business-relevant questions are stored anonymously in Upstash Redis. Examples include:

  • Business inquiries (e.g., "Can you help our law firm with eDiscovery?")
  • Hiring or engagement interest (e.g., "What are your rates?")
  • Partnership or collaboration proposals
  • Specific project requests
  • Thoughtful technical or professional questions
  • Questions with unique perspectives, ideas, or novel problems
  • Messages containing contact information you voluntarily provide

Questions That Are NOT Stored

Simple conversational messages are evaluated and discarded immediately:

  • Greetings ("hi", "hello", "hey")
  • Acknowledgments ("ok", "thanks", "cool", "got it")
  • Yes/no responses
  • Farewells ("bye", "see ya")
  • Generic small talk with no substantive content

Data Stored With Each Substantive Question

Data Point Description Purpose
Question text Your message as written Understanding what visitors are asking about
Bot response First 500 characters of ClayBot's reply Context for understanding the conversation
Category Auto-classified topic (e.g., "business_inquiry", "technical_ediscovery") Trend analysis and organizing questions
Timestamp When the question was asked (ISO 8601) Chronological ordering
Session ID Random UUID generated in your browser session Grouping questions from the same conversation
Hashed IP SHA-256 hash of your IP address, truncated to 16 characters Rate limiting and abuse prevention — your raw IP is never stored
Substance score Numeric score from the classification system Evaluating question quality
Conversation length Number of user messages in the current conversation Understanding engagement depth
User agent Your browser's user-agent string, truncated to 200 characters Understanding what devices and browsers visitors use
Flagged status Whether the question was flagged as high-interest (business inquiry, hiring interest, or high engagement) Prioritizing review of potentially actionable inquiries

Rate Limiting Data

To prevent abuse, we store rate-limiting counters in Redis keyed by hashed IP address. These counters automatically expire and are deleted by Redis after a short window (typically 60 seconds). No raw IP addresses are stored for rate limiting.

Server-Side Session Tracking

When you chat with ClayBot, a server-side session record is created in Redis containing:

  • Message count — how many messages you've sent in this session
  • First and last seen timestamps — when your session started and your most recent message
  • Hashed IP — the same truncated SHA-256 hash used for rate limiting

This session data automatically expires after 24 hours via Redis TTL. It is used solely to understand conversation depth and is not linked to any personal identifier.

High-Engagement Flagging

If you send 5 or more messages in a single session, the system automatically flags subsequent substantive questions as "high engagement." This flag is stored alongside the question data described above. It helps Clay prioritize review of conversations where visitors have shown sustained interest — for example, potential business inquiries or detailed technical discussions. No additional personal data is collected as a result of this flagging.

Notification Email Addresses

If ClayBot cannot confidently answer a question, it may offer to notify you when a better answer is available. If you choose to opt in and provide your email address, we store the following:

  • Email address — the address you voluntarily provide for follow-up.
  • Question context — the question that prompted the notification offer (truncated to 500 characters).
  • Session ID — the same random UUID used for your chat session.
  • Hashed IP — the same truncated SHA-256 hash used for rate limiting.
  • Timestamp — when the notification request was submitted.

This data is stored in Upstash Redis with a 90-day automatic expiry. Your email address is used solely to follow up on the specific question you asked. We will never sell, share, rent, or trade your email address with any third party. You are never required to provide an email — ClayBot will never push for contact information unprompted.

4. What We Do NOT Collect

We want to be explicit about what this site does not do:

  • No analytics scripts — No Google Analytics, Plausible, Fathom, Mixpanel, or any other analytics tool.
  • No advertising — No ad networks, no retargeting pixels, no conversion tracking.
  • No tracking cookies — Zero cookies are set by this site. We use sessionStorage and localStorage only (see Section 8).
  • No fingerprinting — We do not use browser fingerprinting, canvas fingerprinting, or any device identification techniques.
  • No social media trackers — No Facebook Pixel, LinkedIn Insight Tag, Twitter pixel, or similar.
  • No raw IP storage — Your IP address is hashed with SHA-256 and truncated before any storage. The hash is irreversible.
  • No personal profiles — We do not build user profiles, behavioral models, or interest graphs.
  • No data sales or sharing — We will never sell, share, rent, or trade any data — including email addresses you provide for notifications — to any third party.

5. How We Use Your Data

Stored question data is used for the following limited purposes:

  • Trend analysis — Understanding what topics and questions visitors are most interested in, to inform Clay Cash's professional focus and content creation.
  • Improving ClayBot — Clay personally reviews stored questions and responses to identify areas where ClayBot can be improved. When visitors ask questions that ClayBot cannot answer well, and Clay has the expertise to address them, he provides those answers and trains the system to respond better in the future. This is a human-in-the-loop process — Clay reviews and approves all knowledge updates.
  • Understanding visitor interests — Identifying patterns in the types of inquiries received (e.g., demand for specific eDiscovery services, interest in particular technologies).
  • Service integrity — Rate limiting and abuse prevention using hashed IP data to ensure fair access for all visitors.
  • Responding to inquiries — If you voluntarily provide contact information in a chat message, Clay may use it to follow up with you directly.
  • Notification follow-ups — If you opt in to be notified about a question, we use your email address solely to send that follow-up. Your email is never added to a mailing list, used for marketing, or shared with third parties.

We do not use stored data for automated decision-making, profiling, or any purpose not listed above. We will never sell or share your information.

Informational Use Disclaimer

All information provided by ClayBot is purely informational and intended for general guidance on technical and business-related topics. ClayBot's responses do not constitute legal advice, professional consultation, certified technical guidance, or a binding offer of services. There is no guarantee of accuracy. All information should be independently validated by qualified professionals before being relied upon for business, legal, or technical decisions. See our Terms of Service (Section 3) for the full disclaimer.

6. Third-Party Services

The site relies on the following third-party services to operate. Each has its own privacy policy governing how it handles data:

Service Purpose Data Shared Policy
Vercel Hosting and serverless functions Standard web request data (IP address, user agent, headers) for serving pages. Vercel may process this data for infrastructure and security purposes. Privacy Policy
Anthropic (Claude API) AI chatbot responses Your chat messages are sent to Anthropic's API to generate ClayBot responses. Messages are processed in real time and are not retained by Anthropic for model training under their API terms. Privacy Policy
Upstash Redis Anonymous question storage, session tracking, and rate limiting Anonymized question data as described in Section 3, server-side session records (message count, timestamps, hashed IP), and rate-limiting counters. Data is encrypted at rest and in transit. Hosted in the United States. Privacy Policy
Upstash Vector Documentation search (RAG) ClayBot uses a vector database containing pre-indexed RelativityOne documentation to provide more accurate answers about eDiscovery topics. No user data is stored in this database — it contains only publicly available documentation. Your questions are sent as search queries to find relevant documentation excerpts, but are not stored in the vector database. Privacy Policy
Google Fonts CDN Font delivery (Inter, JetBrains Mono) Your browser makes requests to Google's CDN to load font files. Google may log standard request data (IP address, user agent). No cookies are set by this service. Privacy Policy

We do not share, sell, or otherwise transfer your data to any parties beyond those listed above. These services are engaged solely to operate the site.

7. Legal Basis for Processing

Under the GDPR (Article 6) and UK GDPR, we rely on the following legal bases for processing personal data:

Processing Activity Legal Basis (Art. 6) Explanation
Serving web pages and processing chat requests Art. 6(1)(b) — Contract / Service Delivery Necessary to provide the chatbot service you requested by using the site.
Storing anonymized substantive questions Art. 6(1)(f) — Legitimate Interest We have a legitimate interest in understanding what visitors ask about to improve our services and professional offerings. This data is anonymized and minimal. You can object (see Section 12).
Rate limiting via hashed IP Art. 6(1)(f) — Legitimate Interest Necessary to protect the service from abuse and ensure fair access. Only an irreversible hash is stored, which auto-expires.
Sending chat messages to Anthropic API Art. 6(1)(b) — Contract / Service Delivery Necessary to generate AI responses, which is the core function of the chatbot service.
Loading fonts from Google CDN Art. 6(1)(f) — Legitimate Interest Necessary for consistent visual presentation. Minimal data involved (standard HTTP request headers).
Server-side session tracking (message count, timestamps) Art. 6(1)(f) — Legitimate Interest Understanding conversation depth to prioritize meaningful engagement. Session data auto-expires after 24 hours. Only anonymized identifiers are stored.
Documentation search via vector database Art. 6(1)(b) — Contract / Service Delivery Necessary to provide accurate eDiscovery answers. Your question is used as a search query against pre-indexed documentation; no user data is stored in the vector database.
Storing notification email addresses Art. 6(1)(a) — Consent You affirmatively choose to provide your email address for follow-up. Data auto-expires after 90 days. You can request deletion at any time.
Consent banner preference (localStorage) Art. 6(1)(a) — Consent Stored only when you actively dismiss the consent banner. Stores the value "accepted" only.

8. Browser Storage

This site does not use cookies. Instead, we use browser storage APIs for two specific, functional purposes:

Storage Type Key Purpose Duration
sessionStorage claybot_session Unique session identifier (UUID) for grouping chat messages within a single browser session. Used for conversation continuity, not personal identification. Until tab/window closes
localStorage claybot_consent Records whether you have dismissed the consent banner. Stores only the value "accepted" — no personal data. Persistent (until manually cleared)

Neither of these stores personal information. Both can be cleared at any time through your browser's developer tools or settings (typically under "Site Data" or "Storage").

For more detail, see our Cookie & Data Capabilities Policy.

9. Data Retention

We retain data only as long as necessary for its stated purpose:

Data Type Retention Period Deletion Method
Stored substantive questions Indefinite (until deletion requested) Manual deletion upon request via info@cdiscovery.io
Server-side session data 24 hours Automatic expiry (Redis TTL)
Daily aggregate statistics 90 days Automatic expiry (Redis TTL)
Notification email requests 90 days Automatic expiry (Redis TTL)
Rate limiting counters ~60 seconds Automatic expiry (Redis TTL)
Browser sessionStorage Until tab/window closes Automatic (browser behavior)
Browser localStorage Until manually cleared User-controlled via browser settings

10. International Data Transfers

This site is operated from the United States. If you access the site from outside the United States, your data may be transferred to, stored in, and processed in the United States and other countries where our third-party service providers operate.

Specifically:

  • Vercel — Serves content from edge locations worldwide; serverless functions execute in the US.
  • Anthropic — API processing occurs in the United States.
  • Upstash Redis & Vector — Data stored in US-based data centers.
  • Google Fonts — Served from Google's global CDN infrastructure.

For EU/EEA and UK users: Transfers to the United States are conducted in reliance on the EU-US Data Privacy Framework where applicable, and on our legitimate interest assessment. The data transferred is minimal and anonymized (hashed IPs, randomly generated session IDs, question text without personal identifiers). Where personal data is involved, we ensure appropriate safeguards are in place consistent with GDPR Article 46.

For Australian users: By using this site, you acknowledge that your data may be transferred outside Australia. We take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles (APPs).

11. Your Rights — US State Privacy Laws

Depending on your state of residence, you may have specific privacy rights under state law. Because this site collects minimal, largely anonymous data and does not sell personal information, many of these rights are already satisfied by our data practices. Nonetheless, we respect and will honor valid requests.

California — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of personal information we have collected.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. There is no need to opt out because no sale or sharing occurs.
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email info@cdiscovery.io with "California Privacy Request" in the subject line. We will respond within 45 days as required by law.

New York — NY SHIELD Act

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires reasonable safeguards for private information of New York residents. We comply with the SHIELD Act by:

  • Implementing reasonable administrative, technical, and physical safeguards to protect data.
  • Using encryption (SHA-256 hashing) for IP addresses so that raw private information is never stored.
  • Encrypting data in transit (HTTPS/TLS) and at rest (Upstash Redis encryption).
  • Minimizing data collection to only what is necessary for the stated purposes.

If you are a New York resident and have questions about our security practices, contact info@cdiscovery.io.

Colorado — Colorado Privacy Act (CPA)

If you are a Colorado resident, the Colorado Privacy Act grants you the following rights (effective July 1, 2023):

  • Right to Access: You may confirm whether we are processing your personal data and access that data.
  • Right to Correct: You may correct inaccuracies in your personal data.
  • Right to Delete: You may request deletion of your personal data.
  • Right to Data Portability: You may obtain a copy of your personal data in a portable format.
  • Right to Opt Out: You may opt out of targeted advertising, sale of personal data, or profiling. We do not engage in any of these activities.

To exercise these rights, email info@cdiscovery.io with "Colorado Privacy Request" in the subject line. You may appeal a decision regarding your request by contacting us at the same address.

Connecticut — Connecticut Data Privacy Act (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act grants you the following rights (effective July 1, 2023):

  • Right to Access: You may confirm whether we are processing your personal data and access that data.
  • Right to Correct: You may correct inaccuracies in your personal data.
  • Right to Delete: You may request deletion of your personal data.
  • Right to Data Portability: You may obtain a copy of your personal data in a readily usable format.
  • Right to Opt Out: You may opt out of targeted advertising, sale of personal data, or profiling. We do not engage in any of these activities.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, email info@cdiscovery.io with "Connecticut Privacy Request" in the subject line. We will respond within 45 days. You may appeal a denied request by contacting us at the same address.

Virginia — Virginia Consumer Data Protection Act (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act grants you the following rights (effective January 1, 2023):

  • Right to Access: You may confirm whether we are processing your personal data and access that data.
  • Right to Correct: You may correct inaccuracies in your personal data.
  • Right to Delete: You may request deletion of your personal data.
  • Right to Data Portability: You may obtain a copy of your personal data in a portable, readily usable format.
  • Right to Opt Out: You may opt out of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities.

To exercise these rights, email info@cdiscovery.io with "Virginia Privacy Request" in the subject line. We will respond within 45 days. You may appeal a denied request by contacting us at the same address, and if unsatisfied, you may contact the Virginia Attorney General.

Minnesota — Minnesota Consumer Data Privacy Act (MCDPA)

If you are a Minnesota resident, the Minnesota Consumer Data Privacy Act (effective July 31, 2025) grants you the following rights:

  • Right to Access: You may confirm whether we are processing your personal data and access that data.
  • Right to Correct: You may correct inaccuracies in your personal data.
  • Right to Delete: You may request deletion of your personal data.
  • Right to Data Portability: You may obtain a copy of your personal data in a portable format.
  • Right to Opt Out: You may opt out of targeted advertising, sale of personal data, or profiling. We do not engage in any of these activities.
  • Right to Question Profiling: You may question the result of profiling and be informed of the reasons behind a profiling decision. We do not engage in profiling.

To exercise these rights, email info@cdiscovery.io with "Minnesota Privacy Request" in the subject line.

Wisconsin

Wisconsin does not currently have a comprehensive consumer data privacy law. However, we apply the same data protection standards to all visitors regardless of jurisdiction. Wisconsin residents may still contact us at info@cdiscovery.io to request information about their data, request deletion, or raise any privacy concerns. We will handle such requests in accordance with applicable federal law and general privacy principles.

US Federal — General Principles

In addition to state-specific rights, we adhere to general US federal privacy principles, including:

  • Transparency: This policy clearly discloses what data we collect, how we use it, and who we share it with.
  • Data minimization: We collect only the minimum data necessary for our stated purposes.
  • Purpose limitation: Data is used only for the purposes described in this policy.
  • Security: We implement reasonable security measures to protect data (see Section 16).
  • No deception: Our data practices match what we disclose in this policy, consistent with FTC Act Section 5 requirements.

12. Your Rights — GDPR (EU/EEA)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) grants you the following rights with respect to your personal data:

  • Right of Access (Art. 15): You may request confirmation of whether we process your personal data and obtain a copy of that data.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for continued processing ("right to be forgotten").
  • Right to Restriction of Processing (Art. 18): You may request that we restrict processing of your personal data under certain circumstances.
  • Right to Data Portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our question classification system does not produce such effects.

To exercise any of these rights, email info@cdiscovery.io with "GDPR Request" in the subject line. We will respond within 30 days as required by the GDPR. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been infringed.

13. Your Rights — UK GDPR

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR), as supplemented by the Data Protection Act 2018, grants you rights substantially similar to those under the EU GDPR (Section 12 above), including:

  • Right of Access: Confirm and obtain a copy of your personal data.
  • Right to Rectification: Correct inaccurate personal data.
  • Right to Erasure: Request deletion of your personal data.
  • Right to Restriction of Processing: Restrict how we process your data.
  • Right to Data Portability: Receive your data in a portable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent where applicable.
  • Rights Related to Automated Decision-Making: Not to be subject to solely automated decisions with significant effects.

To exercise these rights, email info@cdiscovery.io with "UK GDPR Request" in the subject line. We will respond within one calendar month.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.

14. Your Rights — Australia (Privacy Act 1988 + APPs)

If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to our handling of your personal information. Your rights include:

  • Right to Access (APP 12): You may request access to the personal information we hold about you. We will provide access unless a permitted exception applies.
  • Right to Correction (APP 13): You may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Right to Complain (APP 1): You may complain if you believe we have breached the APPs. We will investigate and respond to complaints within 30 days.
  • Right to Anonymity/Pseudonymity (APP 2): You have the option of interacting with us anonymously or using a pseudonym. Our chatbot does not require you to identify yourself.
  • Notification of Collection (APP 5): This policy serves as our notification of the collection of personal information, including the purposes for which it is collected.

Cross-border disclosure (APP 8): As described in Section 10, your data may be transferred to the United States for processing. We take reasonable steps to ensure overseas recipients comply with the APPs.

To exercise your rights or make a complaint, email info@cdiscovery.io with "Australian Privacy Request" in the subject line.

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au/privacy/privacy-complaints.

15. Children's Privacy

This site is not directed at children under the age of 16 (or under 13 in the United States). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information through the chatbot, please contact us at info@cdiscovery.io and we will promptly delete such information.

For purposes of the US Children's Online Privacy Protection Act (COPPA), the EU/UK GDPR (Article 8), and the Australian Privacy Act, we do not offer services to children and do not knowingly process their data.

16. Security

We implement reasonable technical and organizational measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Data stored in Upstash Redis is encrypted at rest.
  • IP anonymization: Raw IP addresses are never stored. We use SHA-256 hashing with truncation to 16 characters, making the hash irreversible.
  • Data minimization: We collect only the minimum data necessary for stated purposes. Non-substantive messages are discarded immediately.
  • Auto-expiry: Rate limiting data and session data automatically expire via Redis TTL mechanisms.
  • Access controls: Access to the data store is restricted to authorized personnel (Clay Cash) and protected by authentication credentials.
  • No unnecessary data: We do not collect or store passwords, financial information, government IDs, or other sensitive data categories.

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to info@cdiscovery.io.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or services. When we make changes:

  • The "Last updated" date at the top of this page will be revised.
  • For material changes that significantly affect how we handle personal data, we will make reasonable efforts to provide notice (such as a banner on the site).
  • Your continued use of the site after changes are posted constitutes acceptance of the updated policy.

We encourage you to review this policy periodically. Previous versions of this policy are available upon request.

18. Contact

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your data is handled, contact us:

  • Email: info@cdiscovery.io
  • Data Controller: Clay Cash
  • Location: Youngsville, North Carolina, United States

Since stored questions are associated with hashed session identifiers (not personal identifiers), please include the approximate date/time and content of your questions when requesting access or deletion so we can locate the relevant data.

We aim to respond to all privacy-related inquiries within 30 days. For requests under specific regulatory frameworks (CCPA, GDPR, etc.), we will respond within the timeframe required by the applicable law.