Legal

Privacy Policy

Last updated: June 1, 2026

1. Introduction

Clarevon ("we", "our", or "us") operates clarevon.com and provides lease accounting software (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including when you connect third-party ERP and accounting systems such as QuickBooks Online, Microsoft Dynamics 365, SAP, Oracle, Xero, NetSuite, and Sage.

By using Clarevon, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

  • Account information: Name, email address, organisation name, country, and password (stored as a bcrypt hash using ASP.NET Identity — we never store your plaintext password).
  • Lease data: Lease terms, payment schedules, asset descriptions, and accounting entries you create within the platform. This data belongs to you.
  • Billing information: Subscription plan, billing cycle, and payment reference numbers. We do not store full card numbers — payments are processed by Paystack, Flutterwave, or Stripe depending on your country.
  • Usage data: Log data including IP address, browser type, pages visited, and timestamps. Used for security monitoring and product improvement.
  • ERP credentials and tokens: If you connect an ERP system, your API credentials or OAuth tokens are encrypted at rest using AES-256-GCM with PBKDF2 key derivation. We cannot read your credentials in plaintext.

3. ERP Integration Data

Clarevon allows you to optionally connect your ERP or accounting system to post lease journal entries automatically. Connecting an ERP is not required to use Clarevon — all lease accounting features work without it.

QuickBooks Online (Intuit)

When you connect Clarevon to QuickBooks Online, you authorise us via OAuth 2.0 to act on your behalf within your QuickBooks company account.

What we access: We request the com.intuit.quickbooks.accounting scope, which we use solely to post lease journal entries to your general ledger.

What we do NOT access: We do not read, store, or process your customer lists, invoices, bills, bank accounts, payroll data, tax records, or any other financial records. We do not use your QuickBooks data for any purpose other than posting the specific journal entries you explicitly initiate in Clarevon.

Data storage: Your QuickBooks OAuth access token and refresh token are stored encrypted (AES-256-GCM) in our database. Your QuickBooks login credentials are never accessed or stored by Clarevon.

Disconnecting: You may revoke Clarevon's access at any time from Settings → ERP Integrations → Disconnect. This immediately deletes your stored OAuth tokens and terminates all access to your QuickBooks account. You can also revoke access directly at accounts.intuit.com under Connected Apps.

Microsoft Dynamics 365

When you connect Clarevon to Microsoft Dynamics 365 (Business Central or Finance), you authorise us via OAuth 2.0 through Azure Active Directory.

What we access: We request only the scopes necessary to post journal entries to your Dynamics general ledger. Specifically we request access to the Business Central or Finance API endpoint you configure, scoped to journal entry creation only.

What we do NOT access: We do not read customers, vendors, purchase orders, sales invoices, HR data, or any records unrelated to the journal posting function.

Data storage: Your Azure AD OAuth access token and refresh token are stored encrypted (AES-256-GCM) in our database. Your Microsoft credentials are never accessed or stored by Clarevon.

Disconnecting: Disconnect at any time from Settings → ERP Integrations → Disconnect, which immediately deletes your stored tokens. You can also revoke access from myapps.microsoft.com under App Permissions.

SAP

When you connect Clarevon to SAP (via SAP BTP XSUAA or direct API), you provide your SAP client credentials, which we encrypt and store using AES-256-GCM with PBKDF2 key derivation.

We use your credentials solely to post journal entries to your SAP system via the APIs you configure. We do not read any SAP data beyond confirming a successful post. You may delete your credentials at any time from Settings → ERP Integrations.

Oracle

When you connect Clarevon to Oracle (Fusion Financials or Oracle IDCS), you authorise us via OAuth 2.0 or provide API credentials which are encrypted at rest using AES-256-GCM.

We use the connection solely to post journal entries to your Oracle general ledger. We do not read receivables, payables, HR, or any other Oracle module. You may disconnect at any time from Settings → ERP Integrations.

Xero, NetSuite, and Sage

For Xero, NetSuite, and Sage integrations, you provide API credentials or OAuth authorisation which we encrypt and store using AES-256-GCM. We use these credentials solely to post journal entries you initiate in Clarevon. We do not read any data from these systems beyond confirming successful posts. You may delete your credentials or revoke access at any time from Settings → ERP Integrations.

Summary of OAuth scopes and data access per ERP:

ERP | Auth method | Scope / access level | What we post | What we never read
QuickBooks | OAuth 2.0 | com.intuit.quickbooks.accounting | Journal entries | Invoices, customers, payroll, banking
Dynamics 365 | OAuth 2.0 (Azure AD) | General ledger API only | Journal entries | Sales, HR, purchasing, tax
SAP | OAuth 2.0 / API key | Journal entry endpoint only | Journal entries | All other modules
Oracle | OAuth 2.0 / API key | General ledger API only | Journal entries | Receivables, payables, HR
Xero | OAuth 2.0 | accounting.transactions | Journal entries | Invoices, contacts, payroll
NetSuite | API key (Token-Based Auth) | Journal entry record only | Journal entries | All other records
Sage | API key | Journal entry endpoint only | Journal entries | All other modules

4. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process payments and manage your subscription
  • To send transactional emails (password resets, invoices, expiry notices)
  • To enforce our Terms of Service and detect fraud or abuse
  • To post journal entries to ERP systems you explicitly connect and authorise
  • To comply with legal obligations

We do not sell your data. We do not use your lease data or ERP data to train AI models. We do not show you advertisements.

5. Data Storage and Security

Your data is stored in the region you select at registration (US, EU, UK, APAC, MEA, or India). We implement the following security measures:

  • All data encrypted in transit via TLS 1.2 or higher
  • Passwords hashed with bcrypt (never stored in plaintext)
  • ERP credentials and OAuth tokens encrypted with AES-256-GCM + PBKDF2
  • JWT tokens expire after 60 minutes; refresh tokens after 30 days
  • Multi-tenant isolation — your data is never accessible to other organisations
  • All access logged in a tamper-evident audit trail (Regular plan and above)
  • OAuth tokens are scoped to the minimum permissions required for journal posting

6. Third-Party Services

We use the following third-party services to operate the platform:

  • Paystack — payment processing for Nigerian accounts (NGN). Privacy policy
  • Flutterwave — payment processing for African accounts (ex-Nigeria). Privacy policy
  • Stripe — payment processing for all other countries. Privacy policy
  • Anthropic Claude — AI lease document abstraction (Premium and Enterprise plans only). Documents sent for extraction are not retained by Anthropic for model training. Privacy policy
  • Intuit (QuickBooks Online) — ERP journal posting for customers who connect their QuickBooks account. We access only journal entry endpoints. OAuth tokens are encrypted at rest and used only for posting you initiate. Privacy policy
  • Microsoft (Dynamics 365) — ERP journal posting for customers who connect their Dynamics account. OAuth tokens are encrypted at rest and used only for posting you initiate. Privacy policy
  • SAP, Oracle, Xero, NetSuite, Sage — ERP journal posting for customers who connect these systems. Credentials are encrypted at rest and used only for posting you initiate.
  • European Central Bank (Frankfurter API) — daily foreign exchange rates for multi-currency lease calculations. No personal data is sent to this service.

7. Data Retention

We retain your account and lease data for as long as your account is active. If you cancel your account, we retain your data for 30 days to allow recovery, after which it is permanently deleted. Billing records are retained for 7 years to comply with financial regulations.

ERP OAuth tokens and API credentials are deleted immediately upon disconnection from Settings → ERP Integrations, or within 24 hours of account cancellation.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Export your lease data in CSV or JSON format
  • Disconnect any connected ERP system and have your tokens deleted immediately
  • Object to processing of your data for certain purposes

To exercise these rights, email us at privacy@clarevon.com. We will respond within 30 days.

9. Cookies

Clarevon uses only essential cookies. We use a single HttpOnly, Secure, SameSite=Strict cookie to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a notice within the platform at least 14 days before the change takes effect.

11. Contact

For privacy-related questions or requests, contact us at privacy@clarevon.com.