Document · /transparency·Revision 2026-04-23·Version v1·Audience · Employees at customer companies

For employees.

Your employer deployed ClarityLift. Here is what it sees about you.

This is not a marketing page. It is a receipt. Read it if you want to know, in plain language, what data is processed, what your manager actually sees, and what the product cannot do no matter who asks.

§SectionKindPage

1What happens to one messagePipeline diagramp. 01 2Three hard floorsStructural commitmentsp. 02 3What your manager seesSurface inventoryp. 03 4What your manager does not seeAbsence inventoryp. 04 5Across customersCross-tenant data posturep. 05 6Your rightsActions · with mechanismp. 06 7How to verify this pageDo not trust this documentp. 07

§ 1 One message.

What happens to one message.

Every path a message in your workspace can take through the system. Read top to bottom. The diagram is exhaustive — there is no eighth step.

Fig. 1.a
Message
lifecycle

Read ↓

fig. 1.a — message lifecycle, inbound to storage7 steps · terminal state at step 7

Slack or Teams delivers an event to our webhook.

Your message reaches ClarityLift the same way any Slack/Teams integration receives events — through a webhook your admin authorized when they installed us.

SourceSlack / MS Teams events APITransit only

Handler checks whether the event is a DM. If yes, the event is dropped.

Direct messages between two people never proceed. The check happens before classification, before storage, before anything else. The DM scope is not requested from Slack at install time, so in most deployments DM events never reach the webhook at all.

ResultDiscarded at handlerDrop

A fast pattern-matcher decides whether the message is worth classifying.

A lightweight matcher — length, structural features, a small rule set — filters out the obvious nothing: "ok", "ty", emoji reactions, bot messages, link previews. Most messages are discarded here. They are never sent to a language model, never written to the database, and no record of them is kept.

ResultMost inbound discardedDrop

If the message passes, its text is sent to a language model once, in memory.

The remainder is classified. The text is held in memory for the duration of the provider call and then released. It is not written to our database. It is not written to logs.

LifetimeMilliseconds · in memoryEphemeral

The LLM provider does not retain the text.

We route through Azure OpenAI inside the Microsoft Azure tenant boundary and Anthropic under a Zero Data Retention contract. Neither provider stores the prompt or the response, and neither trains on either.

Azure path: prompt stays inside Microsoft's boundary; no provider-side logging of prompt or completion. Anthropic path: contractual ZDR; no user id metadata set on the request. Architecture page §07 covers retention posture in full.

Provider · AzureTenant-scoped · no retentionProvider · AnthropicZDR contract · no trainingEphemeral

A row is written to our database.

What remains, and what is stored, is a signal record. Seven conceptual fields. No user id. No message body. The two operational-metadata columns the table does carry — a platform message reference used once for idempotency, and an HMAC-keyed sender hash used to count distinct contributors — are documented below the schema. Neither can reconstruct what you wrote.

TableCL_HealthSignalsColumns omitted by designuser_id, message text, quotePersistent

Nothing appears on the dashboard unless the team has 10 or more members.

Signals below the k-anonymity floor are refused at the write boundary. SignalFloorSubscriber.beforeInsert throws SignalBelowFloorError before the row is persisted — no suppression layer, no hidden rows, nothing to query. A team of 9 produces no visible output: not a dimmed reading, not "insufficient data," not a count. The dashboard surface is empty until the floor is crossed.

Floork = 10 (team size)Terminal state

schema · CL_HealthSignals · written at step 06source: src/lib/db/entities/HealthSignal.ts

Field	Type	What it is
organizationId	uuid	Which customer company this signal belongs to.
teamId	uuid	Which team in that company — never an individual.
channelId	string	Which channel the message was in.
signalType	enum	One of the published categories. No free-text labels.
severity	enum	low / medium / high.
confidence	float	Classifier score. 0.0 to 1.0.
detectedAt	datetime	When classification ran.
user_id	uuid	— not written. No column exists on this table.
message_text	text	— not written. No column exists on this table.
quote / excerpt	text	— not written. No column exists on this table.

sourceMessageTs is a platform message reference used once for idempotency on redelivery. It is not the message body and cannot reconstruct one. senderHash is HMAC-SHA256 of (org id · sender id) keyed by a secret held in Azure Key Vault — used to count distinct contributors per cohort without storing the sender. Neither field exposes what was written or, without the key, who wrote it.

§ 2 Floors.

Three hard floors.

These are not policies. A policy is something a company can change. These are structural — enforced in code, in the database schema, and at the query layer. Turning them off is not a config option.

Fig. 2.a
Three
commitments

Structural,
not policy

F01

×Floor 1

No DMs. Ever.

ClarityLift does not request the DM scope from Slack at install time. In workspaces where a prior install granted it, the handler drops DM events at step 2 of the pipeline above. There is no configuration that turns this on.

ENFORCEMENToauth scope + handler guardSCOPEim:history not requestedAUDITpublicly documented

F02

×Floor 2

No team below 10 people produces output.

Below the k-anonymity floor, the product shows nothing — not a muted reading, not "insufficient data," not a blurred chart. The floor is enforced at the database insert subscriber and re-checked at the query layer. Every dashboard read passes through it.

ENFORCEMENTdb subscriber + query filterFLOORk = 10 team membersBYPASSnone exists

F03

×Floor 3

No message text is retained.

The CL_HealthSignals table has no text column. There is no quote, no excerpt, no snippet. The LLM provider does not retain the prompt. No one at ClarityLift — not engineering, not support, not your account manager — can look up what you wrote.

ENFORCEMENTschema + provider contractRETENTIONtext: 0sAUDITentity published

These commitments appear identically on the landing page and trust architecture. Cross-page consistency is intentional.→ §7 explains how to verify each one yourself

§ 3 · 4 Sees / does not.

What your manager sees — and what they do not.

Two inventories, placed side by side. The left column is the visible dashboard surface. The right column is the explicit list of absences. They are published together so the comparison is obvious.

Fig. 3.a
Surface
inventory

Fig. 4.a
Absence
inventory

✓§ 3 · Visible on the dashboard4 surfaces

What your manager sees.

3.1

Team-level scores, rolled up across the whole team.One number per team, per signal category. No one is singled out.

3.2

Signal category counts, in aggregate."This team had N signals in the frustration category this week." No who, no what.

3.3

Anomalies against the team's own baseline.Movement compared to this team's own history — never a ranking against other teams.

3.4

Written insights, generated from the aggregates above.Short paragraphs describing what changed. Same inputs as the charts — no additional data source.

×§ 4 · Not present in the product8 absences

What your manager does not see.

4.1

Messages.No quotes, no excerpts, no "flagged phrase." Not stored, not retrievable.

4.2

Your identity on any signal.Signal rows do not carry a user id. The column does not exist.

4.3

A retrievable link between a message and its signal.No message body is stored. Operational references used for idempotency are not enough to reconstruct a conversation.

4.4

Direct messages.Dropped at the webhook (pipeline step 02). Never classified, never counted.

4.5

Private-channel messages — unless an admin explicitly enabled that channel.Default is off. Enabling is auditable and visible in /my-data.

4.6

A per-employee score.Does not exist. Cannot be computed from the stored data because the stored data carries no user id.

4.7

A "flight-risk" list, or any list of named individuals.Not a product feature. Not in the roadmap. The schema cannot support it.

4.8

Transcripts of anything.No recording, no archive, no searchable log of workspace conversation.

The row heights on the two panels do not match. That is because one list is 4 and the other is 8.4 visible · 8 structurally absent

§ 5 Across customers.

What ClarityLift does and does not do with data across customers.

Sections 1 through 4 cover what happens to your data inside your own workspace. This section covers what happens across customers. The default is the strict version: your data stays in your tenant. Cross-customer aggregation is opt-in, not opt-out.

§ 5
Cross-tenant
posture

Default:
opt-out

✓§ 5.1 · Default posture · opt-out

Your data does not leave your tenant unless your admin opts in.

ClarityLift can compute platform-level benchmarks across customers. It does not do that with your data unless your workspace admin has explicitly opted in via /dashboard/settings/platform-aggregation. The opt-in is reversible. Revocation removes your contribution from the next aggregation run within one cycle. Every flag flip is audit-logged.

When the aggregation pipeline ships and customers opt in, the floor mirrors the in-tenant 10-person rule. No benchmark publishes from fewer than 10 opted-in customers. The same k-anonymity principle, applied at the customer tier instead of the team tier.

3§ 5.2 · Three consent levels · independent

Three different things your admin can agree to. Each is opt-in separately.

Level 1. Anonymous platform aggregation. Your team-level signal data contributes to cross-customer benchmarks. Your customer name is never identified in any output. Output reads as “across N opted-in customers, the median team-level friction signal count is X.” Opted-in customers receive the same benchmarks back inside their dashboard.
Level 2. Named case study. Your company is identified by name in a written case study with specific quotes, screenshots, or outcome metrics. Per case study, per specific content. You review and approve the version before publication. Withdrawal removes the case study from all surfaces within 14 business days.
Level 3. Co-marketing. Your logo appears on the ClarityLift marketing site. You participate in joint webinars. You are publicly identified as a customer. Governed by a separate marketing agreement.

A customer can agree to Level 1 for benchmarks, Level 2 for one specific case study, and decline Level 3 entirely. The granularity is intentional.

!§ 5.3 · Status today

The pipeline is not yet shipped. No customer data is being aggregated across tenants.

The opt-in flag, the aggregation pipeline, the customer-level floor, and the benchmark output surfaces are V1 architecture. Until they ship, no cross-customer benchmark can be computed because the runtime that would compute it does not exist. The disclosure above is the commitment that governs the system once it lands. The quarterly trust report (Q3 2026 onwards) reports the opted-in customer count, the aggregation methodology, and any benchmark publications under § 5 each quarter.

Procurement reviewer? The runbook governing this is published at docs/integrity/runbooks.md § Process 5. The case study consent process is § Process 6.

Default posture: opt-out. Customer-level floor: 10. Status: not yet shipped.Designed to be screenshotted.

§ 6 Rights.

Your rights.

Five things you can do right now, each with the specific mechanism. This section is the one you want to screenshot. The links and endpoints do not change between revisions.

§ 6
Actionable
rights

Bookmark
this page

№RightMechanism

Opt in or out of classification.You can exclude your own messages from being classified at all, at any time, without needing to ask your admin.

Whereclaritylift.ai/my-dataEffectTakes effect within one cache cycle. Prior signals cannot be deleted because they carry no user id — but no further signals will be generated from your messages.

Ask your admin which channels are connected.Your admin has a list. It is not a secret. You are entitled to see it.

Who to askYour workspace admin (usually IT or People Ops).What they'll show youA screen in ClarityLift labeled "Connected channels." It is enumerable.

Request a copy of the data tied to you.We will produce what we have on you. For most employees, the honest answer is nothing tied by identity — but the request still runs end-to-end.

Whereclaritylift.ai/my-data → Request my dataTurnaroundWithin 30 days. Machine-readable plus plain-English summary.

Ask your admin to disable a specific channel.Individual channels can be switched off without disabling the product. You may ask for this without explaining why.

Who to askYour workspace admin.EffectClassification stops for that channel within 30 seconds on the next ingest cycle. Auditable in /my-data.

Raise a concern directly.Reporting bypasses your admin. This reaches ClarityLift's AUP team, not your employer.

Whereprivacy@claritylift.aiWhat happensAcknowledged within 3 business days. The Acceptable Use Policy governs escalation.

The endpoints above do not change between page revisions.Designed to be screenshotted.

§ 7 Verify.

How to verify this page.

Do not take our word for any of the above. Four verifications follow. They are designed so that you — or more likely your admin, or a security reviewer at your company — can check them against the running product, not against our marketing.

§ 7
Verification
steps

V.1 – V.4

Trust nothing
claimed above.
Check all of it.

If the product cannot be shown to behave this way on a running workspace, the product is not behaving this way. A vendor promise is not evidence. A schema is.

CheckV.1

The OAuth consent screen shows no DM scope.At install time Slack itself displays the scopes the app is requesting. The DM scope (im:history) is absent. This is the check that does not require trusting us — Slack shows it, not us.

Who can run itAny workspace admin, at install or re-auth.

im:history      · absent
channels:history · present
groups:history  · present (invite-gated; Slack refuses reads unless the bot is added)

CheckV.2

The schema is publicly documented.The data-handling section of the trust architecture page lists every field stored and the fields deliberately absent. You can see everything the table has and, just as importantly, everything it does not have.

Where/privacy-architecture · §07 Data handling

stored fields: 7
text columns: 0
user_id column: absent
message text column: absent

CheckV.3

A test team of 3 people produces no output for a week.Stand up a channel with three people for a week. Send real messages. Check the dashboard afterward. The k-anonymity floor is not a placeholder — there will be no reading, no data row, no "insufficient data" banner. Nothing.

Cost to runOne week, three people, one channel.

dashboard surface: empty
signal count visible: 0
"insufficient data": not shown
k floor: k < 10 → silent

CheckV.4

The privacy mailbox is answered by a human.Concerns submitted to privacy@claritylift.ai are processed under our Acceptable Use Policy. Response times and escalation path are published on the privacy page. This is the lever that reaches us without going through your employer.

Whereprivacy@claritylift.ai

acknowledgement: 3 business days
escalation path: published
employer-bypass: yes

This section is deliberately rendered on a different page stock. You are looking at the audit block.Reviewed 2026-04-23

Most tools in this category hide behind a privacy notice written for lawyers. ClarityLift is built on the argument that you cannot earn trust from a team of people while also hiding what the product does from them.

Our posture: if the tool cannot survive being fully explained to the employees whose workspace it runs in, the tool should not ship.

This page is the test.

Read why surveys are the alternative we are replacing ↗Technical architecture ↗

Document

/transparency v1 rev 2026-04-23

Contact

privacy@claritylift.ai · /my-data · /privacy

Audience

Employees at customer companies