
Clerk

The login layer behind a gated website — see Add login to your site. Clerk handles sign-up and sign-in for your app, so the sensitive data here isn't your files but your users' identities: their emails, names, phone numbers, and passwords. For a small invite-only tool shared with people you know, this is almost always fine; the one thing to weigh is that everything sits on US servers, which matters if your users are in the EU/UK and a grant condition or a data-protection authority pins you to Europe.

Last verified: 2026-06-07 · Confidence: high on roles, hosting, and the 90-day deletion window; the AI-training question is genuinely unanswered in their docs.


What data it holds — and whose

Clerk splits your data into two buckets, and only one is really yours to worry about: [confirmed]

  • Your users' data (you're in charge of it). The emails, names, phone numbers, passwords, and login sessions of the people who sign into your app. Clerk's terms: "the customer is the controller and we act as a processor" — meaning legally it's your data, and Clerk just stores and processes it for you. [confirmed]
  • Your account data (Clerk is in charge of it). Your own email, billing details, and dashboard activity as the account holder — covered by Clerk's own privacy policy, where it's "an independent controller." [confirmed]

The practical upshot: your users trust you with their identity, and you're handing that to Clerk under a processor relationship — the standard arrangement for an auth provider, and the one a GDPR review expects to see.


Does it train AI on your users' data?

Their docs don't say — neither way. Clerk's privacy policy and Data Processing Addendum are both silent on whether end-user data is used to train or improve any AI/ML model. There's no stated training program, and so no opt-out toggle to flip — but also no written promise that it never happens. [unclear] (neither the privacy policy nor the DPA addresses AI/ML training — checked 2026-06)

  • What does handle your users' data is a set of named third parties, not a Clerk model. Logins, emails, and SMS codes pass through named subprocessors — Google Cloud and Cloudflare for hosting, SendGrid/Twilio for messages — under contract, with 15 days' notice before the list changes. No AI/LLM provider (e.g. OpenAI) is on that list. [confirmed]
  • Don't confuse it with clerk.io. The e-commerce search company at clerk.io does describe AI-training practices; clerk.com (this auth provider) does not — they're unrelated. [confirmed]

If a no-training guarantee is load-bearing for you, ask Clerk directly before relying on one — the public documents don't give you one to cite.


How long they keep it, and can you delete it

  • Delete a user, and their record goes with them. You control your users' records live from the dashboard or the API, and removing a user removes their identity from Clerk. [confirmed]
  • When you leave, there's a 90-day window. The DPA commits Clerk to "delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data" within 90 days of the agreement ending. So deletion is contractual, but not instant — plan for up to three months. [confirmed]
  • Your own account data has no fixed timer. Clerk keeps it "for as long as you use our Services or as necessary to fulfill the purpose(s)," and you can "request deletion" — but the policy names no specific number of days. [unclear] (privacy policy gives no fixed figure for account-holder data — checked 2026-06)

What a paid/enterprise tier changes

The good defaults — processor role, the signed DPA, SCCs — already apply across plans; enterprise mostly adds paperwork and controls for regulated data: [confirmed]

  • A BAA for health data. Storing protected health information (HIPAA) requires a separately signed Business Associate Agreement, which Clerk offers on Enterprise, not the free tier. [confirmed]
  • Admin and audit controls — enterprise SSO for your workspace, application logs with custom retention, an uptime SLA, and dedicated support. [confirmed]
  • Clerk is SOC 2 Type II certified and self-certifies under the EU-U.S. Data Privacy Framework — the compliance evidence a review asks for, available regardless of tier. [confirmed]

Where your users' data lives (matters under GDPR)

  • US-only. Clerk "hosts Personal Data primarily in Google Cloud data centers and Cloudflare," and every listed subprocessor is US-based. There's no EU-resident hosting option. [confirmed]
  • It can move anywhere. The DPA reserves the right to "store and process Customer Personal Data anywhere Clerk or its Sub-processors maintain facilities." [confirmed]
  • Transfers are covered on paper. For EU/UK/Swiss data, Clerk relies on the Data Privacy Framework, plus Standard Contractual Clauses (Modules One–Three) and the UK and Swiss Addenda as backup. These are legal mechanisms that make the transfer lawful; they don't change where the data physically sits. [confirmed]

The short version: fine for an invite-only tool or an internal app, even with EU/UK users in the everyday case. If a funder or a data-protection authority forbids personal data leaving the EU/UK, Clerk can't meet that — it has no EU region, and you'd need an auth provider that offers one.


Sources