Clario: A Forensic Case Study of a Scareware Lineage Wearing a Security UI | SerpCtrl
2026-05-12 · 30 min read
Tags: clario, scareware, case study, SaaS, cyber security
Disclosure: I am the affected consumer in this case study. I purchased Clario as a paying customer, tested it on a deliberately infected test device, and was subjected to the conduct described. I have preserved screenshots, billing records, and the full email thread of the ignored GDPR data subject access request. SerpCtrl operates under SIA Cyber Unicorn (Latvian registration 40203002129) and has no commercial relationship with any of the named entities in this piece. We are not in the consumer antivirus category. We have no competitive interest in Clario's market position.
TL;DR
Clario is not a new cybersecurity startup. Clario Tech Limited was incorporated in London on 26 September 2019 under the name Lumis Technology Limited, renamed Clario eight weeks later, and dissolved 5 March 2024. Its current operating entity is Clario Tech DMCC in Dubai. Its initial 75%+ beneficial owner of record at UK Companies House was Viacheslav Kolomeichuk, who shares a surname (Kolomeichuk / Kolomiychuk are transliteration variants) with Slava Kolomiychuk, the CEO of ZeoBIT LLC - the company that built MacKeeper, the subject of a $2 million class action settlement in 2015 for scareware tactics ("identifies problems that don't exist, generates false error messages to scare users").
ZeoBIT sold MacKeeper to Kromtech Alliance Corp in 2013. Kromtech hired "many former Kyiv-based ZeoBIT employees." In December 2015, Kromtech suffered a data breach exposing 13 million MacKeeper user records. In December 2019, Clario Tech Limited acquired "both IP and human capital from Kromtech Alliance Corp." The same Ukrainian engineering team has been operating consumer security products under three different corporate names since 2010.
The current product behavior matches both the historical pattern and the broader scareware category. All claims below are documented in preserved emails, billing records, and the full evidence file:
One checkout produced three sequential subscriptions (order IDs CLA-A29D-202604-98609, 98610, 98611, all created within 60 seconds at 04:58-04:59 UTC on 18 April 2026, totaling ~$2,900/year of recurring commitment from a single user action). One purchase intent, three subscriptions.
The bundled "Apps Bundle Pack" is not security apps. The accompanying access email lists five unrelated consumer apps as the actual bundle payload: Sipless, Ripito, CasaVista, Flirtonic (a dating app), Emblemo. The cybersecurity framing is the bait; the cross-category apps are the catch, almost certainly affiliate-monetized through the public Clario affiliate program.
Deceptive merchant descriptor: all three charges appear on bank statements as ANTISPY_APPSMARKET, not "Clario," producing statement-reconciliation friction and chargeback complication.
Two legal entities, swapped mid-thread: order confirmations are signed by Clario Tech DMCC; support correspondence quietly switched to Clario Tech FZCO between 26 April 06:25 UTC and 27 April 20:30 UTC. The consumer is now communicating with a different legal entity than the one that contracted the subscriptions. Asked directly for clarification of contracting entity, Clario did not answer.
Cancellation does not fully cancel: cancelling the primary subscription leaves the Apps Bundle subscription active, attempting to renew. Per Clario's own retention email: "it is different subscriptions and should be canceled separately."
Product name changed between order and refund: the "Apps Bundle Pack" purchased on 18 April was refunded on 29 April under a different name ("Сlario 5 Months Apps Bundle", with a Cyrillic С in the subject). Same order ID. Different label.
Pro features oversell what iOS allows: Camera Scan / Unlock Catcher and Devices on Wi-Fi / Spy Cam Detector are constrained by the iOS sandbox; the marketing claims of "photographing unauthorized users" and "see disguised cameras on your network" are not technically deliverable from inside iOS.
GDPR Article 15 evasive non-response: SAR sent 26 April 2026 with seven specific points. Clario response (29 April) addressed only marketing-purpose data sharing - one fragment of one point. Six of seven SAR points remain unanswered as of publication. Statutory deadline: 26 May 2026.
The closest regulatory precedent is the March 2024 FTC enforcement action against Restoro Cyprus Ltd + Reimage Cyprus Ltd, settled for $26 million with 736,375 PayPal refunds distributed in March 2025. Same Cyprus tax structure. Same product category. Same conduct pattern. The FTC charged: fake Windows pop-ups, fabricated severity, friction-loaded cancellation. Clario has not yet been individually FTC-actioned. The pattern match is structural.
This case study has four jobs:
Establish the corporate and operational lineage so future buyers can do the same diagnostic in 15 minutes
Document the consumer harm pattern with named verbatim complaints from Trustpilot, the App Store, and PissedConsumer
Provide an actionable GDPR Article 15 escalation template so affected EU residents have a path
Map the broader scareware-rebrand playbook so the next Clario can be spotted on launch
Part 1: The lineage
This is the load-bearing section of the case study. The forensic work matters because the marketing framing of Clario is "fresh start." The corporate record says it is the third rebrand of the same operation.
ZeoBIT LLC (2010 - 2013)
Incorporated in Sunnyvale, California, with engineering in Kyiv, Ukraine.
CEO: Slava (Viacheslav) Kolomiychuk (Slava is the Ukrainian short form of Viacheslav).
Product: MacKeeper, a Mac "system utility" and "security" app.
Result: Yencha v. ZeoBIT class action in Pennsylvania, settled August 2015 for US$2 million. The complaint, in plain language: "identifies problems that don't exist, generates false error messages to scare users into paying for unneeded fixes."
The class action covered approximately 513,330 eligible refundees. The settlement was paid. The product continued to exist.
Kromtech Alliance Corp (2013 - 2019)
April 2013: ZeoBIT sold MacKeeper to Kromtech Alliance Corp.
Kromtech registered in the British Virgin Islands, headquartered in Cologne, Germany, engineering operations in Kyiv.
Kromtech "hired many former Kyiv-based ZeoBIT employees" per Wikipedia and contemporary reporting. The corporate wrapper changed. The people did not.
December 2015: Kromtech suffered a data breach exposing 13 million MacKeeper user records including names, emails, password hashes, and license information. Researcher Chris Vickery discovered the database on an unsecured internet-facing server.
Throughout the Kromtech era, MacKeeper continued to be flagged by independent reviewers (Brian Krebs, AV-Comparatives) as scareware-adjacent. AV-Comparatives specifically found MacKeeper warning of "serious" issues on a clean macOS installation.
Clario Tech Limited (September 2019 - March 2024 UK, ongoing in UAE)
Incorporated at UK Companies House on 26 September 2019 at 8th Floor, 6 New Street Square, London EC4A 3AQ.
Renamed to Clario Tech Limited eight weeks later, on 20 November 2019.
Initial 75%+ Person with Significant Control: Viacheslav Kolomeichuk (Cypriot national, UAE resident, DOB September 1986).
Control transferred 8 April 2022 to Halyna Kolomeichuk (Cypriot, UAE-resident, DOB December 1963 - presumed family member).
December 2019: Per the Wikipedia entry for Clario Tech and corroborated by Companies House filings, Clario Tech "acquired both IP and human capital from Kromtech Alliance Corp."
5 March 2024: Clario Tech Limited (UK) is dissolved. The UK entity is now a shell. The operating entity is Clario Tech DMCC, registered in Dubai's Jumeirah Lakes Towers free zone.
What the lineage says, defensibly
The agent that conducted this research correctly flagged that the individual identity question between Slava Kolomiychuk (ZeoBIT CEO, Ukrainian transliteration) and Viacheslav Kolomeichuk (Clario PSC, Cypriot-passport transliteration) cannot be asserted as the same individual without primary-source confirmation, because the DOBs do not match the publicly documented age of the ZeoBIT founder.
The defensible claim, on the public record:
Clario Tech Limited acquired the intellectual property and the engineering team of Kromtech Alliance Corp in December 2019. Kromtech had operated MacKeeper since 2013, after acquiring it from ZeoBIT LLC. ZeoBIT paid a US$2 million class action settlement in 2015 over MacKeeper's scareware tactics. The initial UK beneficial owner of Clario Tech (Viacheslav Kolomeichuk) shares the surname of ZeoBIT's CEO (Slava Kolomiychuk). The same Ukrainian engineering operation has been operating consumer-security products under three different corporate names since 2010.
That is the defensible spine. The piece does not need to assert same-individual identity to make the case. The corporate-lineage record is enough.
The jurisdictional architecture (the exit ramp)
Element                                     | Jurisdiction                  | Status
UK shell (credibility surface)              | London Companies House        | Dissolved March 2024
Operating entity                            | Dubai DMCC (UAE free zone)    | Active
PSC nationality                             | Cyprus                        | Active
PSC residence                               | UAE                           | Active
Engineering team                            | Kyiv, Ukraine                 | Active (inherited from Kromtech / ZeoBIT)
Legacy shell - Kromtech                     | British Virgin Islands        | Dissolved
Legacy distribution shell - Essentware S.A. | Panama                        | Dissolved
This is textbook exit-ramp architecture: revenue collected through a low-tax free zone, beneficial owners behind Cypriot passports and UAE residence, intellectual property and operations in Ukraine, and a UK shell for credibility that gets dissolved the moment regulatory heat builds. The 5 March 2024 dissolution of the UK entity is the operative signal. The same playbook is the third iteration: BVI shell (Kromtech) dissolved, US LLC (ZeoBIT) wound down, UK shell (Clario Tech Limited) dissolved. The operating entity has migrated to a jurisdiction with weaker EU consumer-protection reach each time.
Part 2: The product reality, decoded
The marketing positions Clario as a comprehensive consumer cybersecurity platform. The product reality is more limited and more interesting.
The macOS scanner
The macOS scanner is the Bitdefender OEM antivirus engine licensed by Clario and wrapped in a Clario UI. This is confirmed in multiple independent reviews (Cloudwards, VPNPro, and others). The headline "100% AV-Test detection" score that appears in Clario marketing is a real test result for the macOS desktop product. It is also, mechanically, Bitdefender's detection score.
This is not a criticism of Bitdefender. Bitdefender's engine is one of the strongest in the industry, and many consumer security products license it. The criticism is that the differentiator Clario charges a 2-3x category premium for is the UI and the support chat, not the protection.
Bitdefender Total Security: approximately $30 to $50 per year, 5 devices.
Norton 360: $40 to $100 per year, 5 devices.
Clario: starts at $99 per year, 3 devices. Monthly tier is $14.99.
The iOS AntiSpy app
This is where the product reality diverges sharply from the marketing.
The Clario AntiSpy iOS app has no independent AV-Test or AV-Comparatives result. The "AV-Test certification" applied to Clario marketing materials covers approximately 30% of the product surface, specifically the macOS desktop product.
The marquee iOS features include:
Camera Scan / Unlock Catcher: claims to photograph unauthorized users via the front camera on failed unlock attempts. iOS authentication-event access is heavily sandboxed; the actual implementation can only fire the front camera during specific authentication failure events under tight restrictions. Independent reviewers (Macworld, others) have flagged the iOS implementation as "dubious given iOS permission model."
Devices on Wi-Fi / Spy Cam Detector: marketed as "see disguised cameras on your network." The actual implementation is a LAN device enumeration, technically an ARP table dump. It can list the MAC addresses of devices on the local network. It cannot identify which of those devices is a "hidden camera." The marketing language oversells what any iOS app can actually do.
Data breach monitor: marketed as "24/7 monitoring." The implementation is a HaveIBeenPwned-class API check. HaveIBeenPwned is free to use directly.
What does not exist
The Clario product does not include a password manager despite "all-in-one digital safety" framing. The "identity theft protection" feature is a partner upsell pushed by chat agents, not a Clario-operated service. Most importantly: there is no Clario product on Windows. If you experienced Clario on Windows, you experienced a different product or a misdirection.
The pricing comparison
Product                    | Annual price | Devices | Engine
Bitdefender Total Security | $30-50       | 5       | Own (industry-leading)
Norton 360                 | $40-100      | 5       | Own
ESET HOME Security         | $30-60       | 5       | Own
Kaspersky Premium          | $30-60       | 5       | Own
Clario                     | $99+         | 3       | Licensed Bitdefender
The premium is for the UI, the support chat, and the hand-holding model. The protection on macOS is Bitdefender's. The protection on iOS is the iOS sandbox.
Part 3: The lived experience, with evidence
This is the part of the case study where I am the affected consumer. The timeline below is reconstructed from preserved emails, billing records, and refund confirmations. Order numbers and dates are exact. Personal identifiers (card last-four, full order IDs) are redacted in the published version; the originals are preserved for any regulatory submission.
The single checkout that created three subscriptions
On 18 April 2026 at 04:58-04:59 AM UTC, a single Apple Pay checkout on the Clario AntiSpy iOS app produced three separate subscription confirmation emails in the inbox, arriving within 60 seconds of each other. The order numbers are sequential, which proves they were created in the same backend transaction:
Order ID              | Plan                                        | Initial charge | Next charge | Cadence
CLA-A29D-202604-98609 | Clario 1 week                               | $6.99          | $14.99      | Weekly
CLA-A29D-202604-98610 | Apps Bundle Pack                            | $1.01          | $39.98      | Weekly
CLA-A29D-202604-98611 | Clario 2 Months Support trial (3-day trial) | $0             | $19.99      | Every 2 months
Total upfront cost: $8.00. Total annualized commitment if all three subscriptions had renewed at their natural cadence: approximately $2,900 per year. From a single checkout flow that the user understood as "buy the security app."
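The annualized figure above follows directly from the cadences in the confirmation emails. The following Python is an example added to this article, not code from the original case study or from Clario: it reconstructs the three records from the quoted order details (the second-level timestamps are constructed, since the page only gives the 04:58-04:59 UTC window), groups confirmations whose order IDs are consecutive and whose creation times fall within 60 seconds of each other, and computes the upfront and annualized commitment for each group. The charges-per-year conversion factors (52 weekly renewals, 6 bi-monthly renewals) are an assumption.

```python
"""Annualized-commitment check for clustered subscription confirmations.

Added example, not part of the original case study. The three records
below are reconstructed from the order details quoted in the text; the
seconds in the timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Renewal cadence -> charges per year. Assumed conversion factors.
CHARGES_PER_YEAR = {
    "weekly": 52,
    "monthly": 12,
    "every 2 months": 6,
    "annual": 1,
}


@dataclass(frozen=True)
class Subscription:
    order_id: str
    plan: str
    created: datetime
    initial_charge: float
    renewal_charge: float
    cadence: str

    def annualized(self) -> float:
        """Recurring commitment per year if the plan renews at its natural cadence."""
        return self.renewal_charge * CHARGES_PER_YEAR[self.cadence]


def order_sequence(order_id: str) -> int:
    """Numeric suffix of an order ID such as CLA-A29D-202604-98609."""
    return int(order_id.rsplit("-", 1)[1])


def same_checkout_clusters(subs, window=timedelta(seconds=60)):
    """Group subscriptions whose order IDs are consecutive and whose creation
    times fall within `window` of the previous record: the signature of
    several subscriptions being created by one backend transaction."""
    if not subs:
        return []
    ordered = sorted(subs, key=lambda s: order_sequence(s.order_id))
    clusters, current = [], [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        consecutive = order_sequence(cur.order_id) == order_sequence(prev.order_id) + 1
        close = (cur.created - prev.created) <= window
        if consecutive and close:
            current.append(cur)
        else:
            clusters.append(current)
            current = [cur]
    clusters.append(current)
    return clusters


def summarize(cluster):
    """Upfront cost and annualized recurring commitment for one cluster."""
    return {
        "orders": [s.order_id for s in cluster],
        "upfront": round(sum(s.initial_charge for s in cluster), 2),
        "annualized": round(sum(s.annualized() for s in cluster), 2),
    }


# Constructed timestamps inside the 04:58-04:59 UTC window quoted on the page.
T0 = datetime(2026, 4, 18, 4, 58, 10, tzinfo=timezone.utc)
SAMPLE = [
    Subscription("CLA-A29D-202604-98609", "Clario 1 week",
                 T0, 6.99, 14.99, "weekly"),
    Subscription("CLA-A29D-202604-98610", "Apps Bundle Pack",
                 T0 + timedelta(seconds=20), 1.01, 39.98, "weekly"),
    Subscription("CLA-A29D-202604-98611", "Clario 2 Months Support trial",
                 T0 + timedelta(seconds=45), 0.0, 19.99, "every 2 months"),
]

if __name__ == "__main__":
    for cluster in same_checkout_clusters(SAMPLE):
        print(summarize(cluster))  # one cluster: $8.00 upfront, ~$2,978/year
```

Run against the sample, the three confirmations collapse into a single cluster with $8.00 upfront and about $2,978 per year of recurring commitment, which is the "approximately $2,900" figure in the text. A fourth record with a non-consecutive order ID created hours later lands in its own cluster, so the grouping separates a genuine second purchase from a multi-subscription checkout.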
The "one click, three subscriptions" pattern is the central dark pattern in the documented Clario customer experience. It is the verbatim Trustpilot complaint:
"Signed up for a one-month subscription at $14.99 but charged additional amounts of $39.99 and $19.99 without authority."
The Trustpilot reviewer quoted amounts that match my own confirmation emails almost exactly ($14.99 / $39.98 / $19.99). The reviewer went through the same checkout flow I did and got the same three-subscription outcome.
The deceptive merchant descriptor
All three charges appear on the bank statement as ANTISPY_APPSMARKET. Not "Clario." Not "Clario Tech DMCC." Not anything that links the charge to the brand the user remembers signing up for.
This is operationally important for two reasons:
Statement reconciliation friction: A user scanning their bank statement does not immediately associate ANTISPY_APPSMARKET with "the security app I bought on Saturday." Unfamiliar descriptors are more likely to be missed.
Chargeback complication: If the user disputes the charge, the bank's first question is "what merchant is this?" The descriptor obscures the answer.
This pattern - the descriptor on the statement not matching the brand - is itself a regulated practice under EU consumer-protection law. Directive 2005/29/EC on unfair commercial practices includes Article 7 (misleading omissions), and the Payment Services Directive 2 requires clear merchant identification on transaction records.
The Apps Bundle is not security apps
Within minutes of the checkout, a fourth email arrived titled "Access your apps bundle" with download links for five apps:
Sipless
Ripito
CasaVista
Flirtonic (a dating app)
Emblemo
None of these are security applications. None are described or branded as security tools. The user signed up for "Clario AntiSpy" - a consumer cybersecurity product - and the bundle delivered a dating app, what appears to be a real-estate app, and three other unrelated consumer apps.
This is the affiliate-funnel claim from the original case study draft, now documentary. The "security tool" is a wrapper. The actual payload is a portfolio of unrelated subscription consumer apps, almost certainly affiliate-monetized through the public Clario affiliate program at clario.co/affiliate-program. The cybersecurity framing is the bait; the apps bundle is the catch.
Two legal entities, swapped mid-thread
Order confirmation emails from 18 April are signed by Clario Tech DMCC.
The 27 April 20:30 response is the moment the entity swap appears. The 29 April response is also signed by Clario Tech FZCO. The user is now communicating with a different legal entity than the one the original subscription contract was concluded under, and the FZCO entity is the one that purported to confirm cancellation and refund.
I raised this directly in my data subject access request, point #6: "Clarification of the contracting entity and merchant of record, since Clario materials refer to CLARIO TECH DMCC and Google Play developer details also show CLARIO TECH FZCO."
The question was not answered.
The product non-delivery on the iOS pro features
I tested the iOS AntiSpy pro features on the deliberately infected device:
Camera Scan / Unlock Catcher did not deliver against the marketing claim of "photographing unauthorized users." iOS sandbox limitations on authentication-event camera access are real; the marketing language oversells what any iOS app can actually do under Apple's privacy framework.
Devices on Wi-Fi / Spy Cam Detector returned an ARP table dump - a list of MAC addresses on the local network. It did not identify any device as a camera, surveillance device, or unauthorized access point. The marketing claim of "see disguised cameras on your network" is not technically possible from inside iOS's sandbox.
These features are not Clario-specific shortcomings - they are inherent to what iOS allows any app to do. But the marketing language sells what the platform cannot deliver. This is the gap between what a security-aware engineer expects and what the product can actually do, and it is one of the recurring App Store complaints: "doesn't do anything my phone doesn't already do."
The cancellation that did not fully cancel
I cancelled the Clario AntiSpy and Clario High Priority Support subscriptions through Clario's flow.
The Apps Bundle subscription (CLA-A29D-202604-98610) remained active and attempted to renew. Per Clario's own 26 April 2026 retention email:
"According to our records, you canceled your Clario AntiSpy and Clario High Priority Support subscriptions. Additionally, your Apps Bundle subscription remained active and tried to renew recently. Please note that it is different subscriptions and should be canceled separately."
The user clicks one button to subscribe. The user must click multiple separate cancellations to fully unsubscribe. Different surfaces. Different flows. The asymmetry is the design.
The product name changed between order and refund
A small forensic curiosity that matters legally: the product purchased on 18 April was named "Apps Bundle Pack" in the order confirmation. The same product, with the same order ID CLA-A29D-202604-98610, was refunded on 29 April under the name "Сlario 5 Months Apps Bundle" (note the Cyrillic С in the refund email subject - a tell of the Ukrainian engineering origin documented in the corporate-lineage section).
The product name changed. The order ID did not. Post-hoc relabeling between order and refund is the kind of detail that matters in a refund/chargeback dispute, because it complicates the audit trail.
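A simple check for the Cyrillic-letter tell described above, written for this article and not part of the original page or of any Clario software: it classifies each letter of a label by the script word at the start of its Unicode character name, reports letters that do not belong to the dominant script, and compares two labels after NFKC normalization so that a Cyrillic С (U+0421) and a Latin C are not silently treated as the same product name. The same check applies to any mixed-script tell in an email subject or sender name. The sample strings are constructed from the labels quoted in the text.

```python
"""Mixed-script (homoglyph) check for product labels and email subjects.

Added example, not from the original case study. Flags Latin-looking
strings that contain letters from another script, such as the Cyrillic
capital Es (U+0421) in the refund subject quoted in the text.
"""
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script classification from the Unicode character name:
    "CYRILLIC CAPITAL LETTER ES" -> "CYRILLIC". Non-letters map to COMMON."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_report(text: str) -> dict:
    """Return the scripts used by the letters of `text`, the dominant script,
    and the position and code point of every letter from another script."""
    letters = [(i, ch, script_of(ch)) for i, ch in enumerate(text) if ch.isalpha()]
    counts = {}
    for _, _, script in letters:
        counts[script] = counts.get(script, 0) + 1
    if not counts:
        return {"scripts": {}, "dominant": None, "suspicious": []}
    dominant = max(counts, key=counts.get)
    suspicious = [
        {
            "index": i,
            "char": ch,
            "codepoint": f"U+{ord(ch):04X}",
            "script": script,
            "name": unicodedata.name(ch, "?"),
        }
        for i, ch, script in letters
        if script != dominant
    ]
    return {"scripts": counts, "dominant": dominant, "suspicious": suspicious}


def labels_match(a: str, b: str) -> bool:
    """True only when two labels are identical after NFKC normalization.
    NFKC folds compatibility forms (full-width letters, ligatures) but does
    not fold a Cyrillic С into a Latin C, so the homoglyph still differs."""
    return unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)


# Constructed samples: the refund subject as quoted on the page, spelled with
# U+0421, beside an all-Latin spelling of the same label.
REFUND_SUBJECT = "\u0421lario 5 Months Apps Bundle"
ORDER_LABEL = "Clario 5 Months Apps Bundle"

if __name__ == "__main__":
    report = mixed_script_report(REFUND_SUBJECT)
    for hit in report["suspicious"]:
        print(f"index {hit['index']}: {hit['codepoint']} {hit['name']}")
    print("labels match:", labels_match(REFUND_SUBJECT, ORDER_LABEL))
```

On the constructed refund subject the report names LATIN as the dominant script and lists exactly one suspicious letter, U+0421 CYRILLIC CAPITAL LETTER ES at index 0; the all-Latin order label produces no hits, and `labels_match` returns False for the pair, which is the behaviour a reconciliation tool needs when matching refund records back to orders.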
The GDPR Article 15 request and the evasive non-response
On 26 April 2026 at 06:16 UTC, I sent a written data subject access request to hello@weareclario.com invoking my rights under Article 15 of the General Data Protection Regulation. The request was specific, with seven enumerated points:
A full list of every subscription, trial, bundle, add-on, expert consultation, renewal agreement, and payment agreement associated with my email, device, Apple/Google account, card token, or payment profile.
The product name, plan name, amount, billing frequency, merchant descriptor, order ID, checkout source, and payment processor for each charge or attempted charge.
The exact timestamp and consent record for each alleged subscription, including the checkout screen or offer that you claim authorized it.
Written confirmation that all renewals, add-ons, bundles, and payment agreements are canceled and that no further charges will be attempted.
A refund for any charges or attempted charges not clearly authorized by me.
Clarification of the contracting entity and merchant of record (DMCC vs FZCO).
A GDPR data access and deletion response: what personal data was collected, what processors or third parties received it, whether the email was used for tracking or marketing disclosure, and confirmation that the account and personal data have been deleted except where retention is legally required.
The response timeline:
26 April 06:25 UTC (9 minutes after the request): auto-acknowledgement, "we need some time to review your request"
27 April 16:28 UTC: my follow-up about payments still attempting to process
27 April 20:30 UTC: Clario response claiming cancellation, signed under the new FZCO entity, no answer to the SAR points
29 April 11:25 UTC: refund of $1.01 for the Apps Bundle (note: this is the initial charge for that single subscription, not a refund of any other amount; the other two subscriptions were not refunded)
29 April 12:38 UTC: substantive response from Clario Tech FZCO
The 29 April substantive response, on the question of third-party data sharing, in its entirety:
"Please note that no personal data is shared or sold for marketing purposes."
That sentence is the full response to my point #7. It addresses only marketing-purpose data sharing. It does not address what personal data was collected, which processors or third parties received it for any purpose other than marketing, whether the email address was used for tracking, or whether the account and personal data have been deleted.
The response also does not answer points 1, 2, 3, or 6 of the SAR (subscriptions list, billing details, consent records, contracting entity).
Article 15 requires a substantive response covering the data subject's actual question. Answering a narrower question than was asked, and treating that narrow answer as complete, is a textbook GDPR evasion. It is procedurally worse than silence because it pretends to be a response.
The status, as of publication
SAR sent: 26 April 2026
Statutory one-month deadline (Article 12(3)): 26 May 2026
Today: 15 May 2026
Days remaining on the statutory clock: 11
A formal deadline-restart follow-up has been sent to Clario this week, identifying each specific unanswered point and the statutory deadline. The text of that follow-up is preserved in the evidence file and reproduced in Part 11 below as a reusable template for other affected EU residents.
If a substantive response addressing all seven SAR points is received by 26 May 2026, this case study will be updated to reflect the outcome. If no such response is received, the escalation path documented in Part 10 begins immediately.
I deleted the application from all my devices on the day I sent the SAR. I preserved every email, every confirmation, every refund record, and every billing entry.
Part 4: The Trustpilot pattern (it is not just me)
The single most important fact about my experience is that it is the documented model, not a one-off. The recurring themes across the Trustpilot page-1 to page-5 reviews of clario.co, plus App Store reviews of the iOS AntiSpy app, plus the PissedConsumer Clario database, plus the Sitejabber Clario complaints:
Theme 1: Multiple subscriptions on one account. Verbatim from a Trustpilot one-star: "signed up for a one-month subscription at $14.99 but charged additional amounts of $39.99 and $19.99 without authority." And: "checked their account and found they were charged for four months - the first month was $9.99 followed by $69.99 and $49.99 every month after that for a total of $229.95."
Theme 2: Cancellation impossible by design. Verbatim: "the company makes it so you almost can't cancel, with canceling giving repeated errors and customer support chat not working either."
Theme 3: Add-ons sold outside the App Store. Verbatim: "Clario offers add-ons to the main app subscription separately and outside of the app store... two separate bills and 2 separate cancellations."
Theme 4: Refund denied past 14 days even when never used. Verbatim: "told they couldn't get a refund because services were provided during their subscription" even for cases where the subscription had not been actively used.
Theme 5: Customer support silence. Verbatim: "the screen goes blank" and "sorry, nothing can be done except hope it doesn't happen again."
Theme 6: Pro features that do not deliver as marketed. App Store reviewers on the iOS AntiSpy app: "doesn't do anything my phone doesn't already do" and "tells you what to do, not what's wrong."
These six themes are the operating pattern of the consumer-facing product. They map cleanly to the conduct charged by the FTC in the closest enforcement precedent.
Part 5: The Restoro / Reimage precedent
The closest individual regulatory precedent in this category is the March 2024 FTC enforcement action against Restoro Cyprus Ltd and Reimage Cyprus Ltd.
The relevant difference: the FTC reached the Restoro/Reimage operators in 2024. The European supervisory authorities are typically 12 to 18 months behind US enforcement on this category. The Clario operating entity has already moved to Dubai (UAE) ahead of any potential EU enforcement action, with the UK shell dissolved in March 2024 - approximately one month after the FTC announced the Restoro/Reimage settlement. The timing is suggestive.
Part 6: GDPR Article 15 - the actionable path for affected EU residents
If you are an EU resident who has been a Clario customer and you want to exercise your rights under the GDPR, the following is the operational path.
Step 1: Send the Article 15 Subject Access Request (SAR)
Use a template along these lines. Send it to support@clario.co and CC the company's published data protection officer email if one exists. Send it from the email address associated with the account.
Subject: GDPR Article 15 Data Subject Access Request - [Your full name]
To the Data Protection Officer, Clario Tech DMCC,
Pursuant to Article 15 of Regulation (EU) 2016/679 (the General Data Protection Regulation), I am exercising my right of access as a data subject.
I formally request the following:
Confirmation that you are processing personal data concerning me.
A complete copy of all personal data you hold concerning me, in a structured, commonly used and machine-readable format.
The purposes of the processing.
The categories of personal data concerned.
The recipients or categories of recipients to whom the personal data have been or will be disclosed, including in third countries.
Where the personal data are not collected from me, any available information as to their source.
The existence of any automated decision-making, including profiling, and meaningful information about the logic involved.
The envisaged period for which the personal data will be stored, or the criteria used to determine that period.
The safeguards in place when personal data are transferred to a third country or to an international organization.
My account is associated with the email address [your email].
My approximate first interaction with your service was [date].
Pursuant to Article 12(3) of the GDPR, you must respond to this request without undue delay and in any event within one month of receipt. If you require an extension, you must notify me within that first month with the reasons for the extension.
If you fail to respond within the legally required period, I will file a complaint with the competent supervisory authority under Article 77 of the GDPR.
Yours faithfully,
[Your name]
[Date]
Step 2: If they fail to respond, escalate to the supervisory authority
Because Clario Tech Limited (UK) was dissolved in March 2024 and the current operating entity is Clario Tech DMCC in the UAE (which is outside EU jurisdiction directly), there is no Lead Supervisory Authority for Clario in the EU. Under the EDPB One-Stop-Shop mechanism, this means every EU Data Protection Authority where Clario has users has independent jurisdiction. This is procedurally stronger for the complainant.
For Latvian residents, file the complaint with Datu valsts inspekcija (DVI), the Latvian Data State Inspectorate:
Online electronic form: dvi.gov.lv/en (accepts complaints in English)
Postal address: Elijas iela 17, Rīga, LV-1050, Latvia
Email: pasts@dvi.gov.lv
For non-Latvian EU residents, file with your local DPA. The European Data Protection Board maintains the full directory at edpb.europa.eu.
Step 3: Parallel actions
The GDPR complaint is one of several parallel channels available:
PSD2 unauthorized-transaction chargeback with your bank. If you have charges you did not authorize (the "second and third subscription" pattern), your bank is required to investigate and may reverse them under the Payment Services Directive 2.
App Store refund request through Apple or Google for any in-app billed subscriptions. Apple has refunded App Store charges for documented misleading subscription practices.
Latvian Consumer Rights Protection Centre (PTAC) complaint under Directive 2005/29/EC on unfair commercial practices. This is a separate channel from the GDPR DPA and runs in parallel (ptac.gov.lv).
Article 82 GDPR compensation claim for material and non-material damage. The CJEU ruling in C-300/21 (May 2023) lowered the bar significantly for non-material damage claims, holding that the mere violation of GDPR rights can constitute compensable damage in certain circumstances.
Step 4: Document everything
Preserve:
Screenshots of the subscription flows you completed
Screenshots of all "active subscriptions" in your account after cancellation
All email correspondence with Clario customer support
The original SAR and all follow-ups
All billing records (Stripe, App Store, Google Play, credit card statements)
Screenshots of any "recommended download" prompts
These materials are evidence for the DPA complaint, the chargeback, and the consumer-rights complaint.
Part 7: The 15-minute diagnostic for the next Clario
The Clario pattern is not unique. It is the operating model of an entire category. Here is the diagnostic to run before any consumer-security subscription purchase.
Check corporate lineage at Companies House and Crunchbase. Search for the company name and its registered address. Look for prior names. Look for the directors and search their other ventures. A consumer-security company with a clean, single-name, single-jurisdiction corporate history is the exception. Multiple shells, multiple jurisdictions, dissolved entities, and director-overlap with prior brands in the same category are the diagnostic signals.
Check the WHOIS for the domain. A domain registered years before the company existed is a signal of an operator sitting on the brand asset across rebrands. Clario.co was registered in June 2013, six years before Clario Tech Limited existed.
Search for the company name in the AV-Test and AV-Comparatives databases. Verify which specific product SKU is tested. Clario's "AV-Test certified" claim is real for the macOS product and absent for the iOS AntiSpy product. The certification scope matters.
Check the engine. If the company is selling an antivirus, find out whose engine they license. Bitdefender, Kaspersky, Avira, and ESET are commonly licensed. If the company is charging more than the direct vendor for what is functionally the same engine, the premium is for marketing and support, not protection.
Read Trustpilot's 1-star and 2-star reviews with a stopwatch. Spend 10 minutes specifically on the negative reviews. The patterns are diagnostic. Multiple-subscription complaints, cancellation friction, refund denial, customer support silence - any one of these in volume is a hard pass signal.
Check whether add-ons are sold inside or outside the App Store. If the company sells add-ons outside the platform's subscription console, the platform's one-tap cancellation does not reach them: each add-on has to be cancelled separately with the merchant, on the merchant's terms. That friction is structural, not accidental. Avoid.
Test the cancellation flow before subscribing. Sign up for the free trial. Immediately attempt to cancel. Document the time required, the friction encountered, and the clarity of the confirmation. If cancellation takes longer than 60 seconds, friction is the product.
Send the SAR in advance. EU residents can send an Article 15 SAR to any data controller, including one they are about to engage with. Before a relationship exists the honest answer may be that no personal data is held, so what the exercise tests is whether the controller acknowledges the request, identifies itself as controller, and answers within the Article 12(3) month. The response time and quality are a leading indicator of how the relationship will go.
Search the FTC case database and the decision registers of the national DPAs for the company name and the related shell entities. The EDPB does not keep a single enforcement database; the national registers and an aggregator such as the CMS GDPR Enforcement Tracker are the practical starting point. Past enforcement against the operating group (even under prior brand names) is dispositive.
Cross-check the press coverage. Is the launch coverage from outlets known for industry critique (Ars Technica, The Verge, Wired, 9to5Mac, MacRumors)? Or is it from outlets that primarily run sponsored content and affiliate reviews? A consumer-security company that gets a clean Fast Company launch piece and zero adversarial coverage is a company whose pitch has been buying the press cycle.
Count the order confirmation emails after a single checkout. If one checkout produces more than one confirmation email, especially with sequential order IDs in the same minute, you have just been entered into a multi-subscription bundle without explicit per-subscription consent. This is the single most reliable forensic signal of the dark pattern documented in this case study. One checkout should produce one confirmation.
Check what the merchant descriptor on your bank statement will be. Before completing checkout, search the company's name plus "merchant descriptor" or "appears on statement as." If the merchant identifier on your bank statement is something other than the brand name (Clario's is ANTISPY_APPSMARKET), statement reconciliation friction is the design. A legitimate operator wants you to recognize their charge. An extraction operator wants the opposite.
Check what is in any "bundle" the product is part of. If a consumer security product is delivered as part of a "bundle" that also includes unrelated consumer apps (dating, real estate, drinks tracking, logo making, anything not security), the security product is the trust label and the bundle is the actual revenue. Clario's Apps Bundle delivers five unrelated consumer apps including a dating app. That is the diagnostic.
Check whether the legal entity stays consistent across the customer journey. If your order confirmation is signed by Company A and your support reply is signed by Company B (Clario: DMCC for orders, FZCO for support, swap appears mid-thread), the operator is running multi-entity ambiguity by design. Demand clarification in writing of which entity is the data controller and the contracting party. Note whether they answer.
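The confirmation-count check above can be run mechanically over an exported mailbox rather than by eye. The script below is an added example, not code from the original case study or from Clario; it assumes the confirmations are available as raw RFC 5322 messages (an .eml export, or an mbox split into messages) and that each one carries an order ID in the CLA-XXXX-YYYYMM-NNNNN shape quoted in this piece. The sample messages are constructed for the example: the three order IDs mirror the ones in the case study, while the sender addresses, dates, subjects and body text are made up.

```python
"""
Flag a multi-subscription bundle from order-confirmation emails.

Added example; not code from the original case study or from Clario.
Assumes raw RFC 5322 messages with an order ID of the form
CLA-XXXX-YYYYMM-NNNNN somewhere in the subject or text body.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Prefix (brand, batch, year-month) and a 5-digit sequence number.
ORDER_ID_RE = re.compile(r"\b(CLA-[A-Z0-9]{4}-\d{6})-(\d{5})\b")

# Constructed sample mailbox: three confirmations inside three seconds,
# one support reply with no order ID, and one genuinely separate order
# ten days later. Addresses use the reserved .invalid TLD.
SAMPLE_MESSAGES = [
    "From: Orders <orders@clario.invalid>\n"
    "Date: Sat, 18 Apr 2026 14:02:11 +0000\n"
    "Subject: Order CLA-A29D-202604-98609 confirmed\n"
    "\n"
    "Thank you for your purchase.\n",
    "From: Orders <orders@clario.invalid>\n"
    "Date: Sat, 18 Apr 2026 14:02:12 +0000\n"
    "Subject: Order CLA-A29D-202604-98610 confirmed\n"
    "\n"
    "Thank you for your purchase.\n",
    "From: Orders <orders@clario.invalid>\n"
    "Date: Sat, 18 Apr 2026 14:02:14 +0000\n"
    "Subject: Order CLA-A29D-202604-98611 confirmed\n"
    "\n"
    "Thank you for your purchase.\n",
    "From: Support <support@clario.invalid>\n"
    "Date: Mon, 27 Apr 2026 09:15:00 +0000\n"
    "Subject: Re: cancellation request\n"
    "\n"
    "We have cancelled your subscriptions.\n",
    "From: Orders <orders@clario.invalid>\n"
    "Date: Tue, 28 Apr 2026 10:40:00 +0000\n"
    "Subject: Order CLA-A29D-202604-98655 confirmed\n"
    "\n"
    "Thank you for your purchase.\n",
]


def _plain_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_order(raw):
    """Return (prefix, sequence number, sent-at datetime) or None if not a confirmation."""
    msg = message_from_string(raw)
    if not msg["Date"]:
        return None  # an undated message cannot be placed on the timeline
    match = ORDER_ID_RE.search((msg["Subject"] or "") + "\n" + _plain_text(msg))
    if not match:
        return None
    return match.group(1), int(match.group(2)), parsedate_to_datetime(msg["Date"])


def _continues(run, order, window):
    """True if `order` extends `run`: same prefix, next sequence number, inside the window."""
    first_prefix, _, first_sent = run[0]
    _, last_seq, _ = run[-1]
    prefix, seq, sent = order
    return prefix == first_prefix and seq == last_seq + 1 and sent - first_sent <= window


def find_bundle_runs(raw_messages, window_seconds=60):
    """
    Group confirmations with the same prefix and consecutive sequence numbers
    whose timestamps all fall within `window_seconds` of the first one.
    Returns a list of runs, each a list of full order IDs in time order.
    Runs of length one are dropped: one checkout, one confirmation is normal.
    """
    window = timedelta(seconds=window_seconds)
    orders = sorted(filter(None, (extract_order(m) for m in raw_messages)),
                    key=lambda o: (o[2], o[1]))
    runs, current = [], []
    for order in orders:
        if current and _continues(current, order, window):
            current.append(order)
        else:
            if len(current) > 1:
                runs.append(current)
            current = [order]
    if len(current) > 1:
        runs.append(current)
    return [[f"{p}-{s:05d}" for p, s, _ in run] for run in runs]


if __name__ == "__main__":
    for run in find_bundle_runs(SAMPLE_MESSAGES):
        print(f"{len(run)} sequential confirmations from one checkout: {', '.join(run)}")
```

Point it at a real export by reading each .eml file into the list in place of SAMPLE_MESSAGES. The later, non-consecutive order in the sample is deliberately left out of the run: a renewal or a second purchase on another day is not the pattern; three consecutive IDs inside one minute is.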
Part 8: What this case study is not
A few things this piece is explicitly not, for clarity:
It is not an accusation that Clario distributes malware. The macOS Bitdefender-engine scanner detects malware. The product is not a virus.
It is not an accusation that any individual at Clario engaged in fraud. The corporate lineage is documented in public Companies House and Wikipedia records. The conduct documented is the conduct of the legal entity. Individual liability is for courts to determine if it arises.
It is not an assertion that the individual identified as Viacheslav Kolomeichuk is the same individual as Slava Kolomiychuk of ZeoBIT. The two names share a surname (one in Cypriot-passport transliteration, one in Ukrainian-passport transliteration) and the corporate-lineage record shows operational and IP continuity between ZeoBIT, Kromtech, and Clario Tech. Whether the specific PSC of Clario is the same individual as the CEO of ZeoBIT is a question that the public record does not definitively answer. The case study does not require it to answer.
It is not anti-consumer-security as a category. There are good consumer security products. Bitdefender, ESET, Kaspersky, Norton, F-Secure, and Malwarebytes are legitimate products with documented protection records. The case study is specifically about a particular operator's particular conduct pattern.
What it is: a forensic account of a specific brand, a specific consumer harm pattern, a specific GDPR Article 15 violation, a specific actionable enforcement path for affected EU residents, and a specific diagnostic for the next operator that fits the pattern.
Part 9: The broader category lesson
Consumer cybersecurity has a structural attribute that produces this category of operator: the buyer cannot easily evaluate the product.
If you buy a CRM, you can tell within a week whether your team is using it. If you buy a project management tool, you can tell within a sprint whether it organizes work. If you buy a meal-prep service, you can tell within a week whether the food shows up.
If you buy an antivirus, the only way to tell whether it is protecting you is to be attacked and to know what would have happened without the product. Most users will never get that test. The product's perceived value is therefore not a function of its actual performance. It is a function of the marketing, the UI, the support-chat reassurance, and the trust signals (certifications, awards, expert mentions).
This is the same attribute that produces other categories where the buyer cannot easily evaluate the product: financial advisors, vitamin supplements, life insurance, weight-loss programs, alternative medicine, and SEO services from agencies that do not show you their actual work.
In every one of those categories, the operating model gravitates toward two clusters: legitimate operators who do the harder work of producing measurable signal (audit trails, independent verification, transparent methodology) and operators who optimize the trust theater that lets them collect subscriptions without producing measurable signal. The first cluster is smaller and harder to scale. The second cluster is what dominates the marketing channels.
Clario is a specific instance of the second cluster. The lineage from ZeoBIT through Kromtech to Clario Tech is the historical evidence of how that operating model is durable across rebrands when the regulatory enforcement cycle takes 5 to 10 years to catch up.
Part 10: My case, the current state, and the next move
What has already been done
The 7-point GDPR Article 15 SAR was sent on 26 April 2026 to hello@weareclario.com. The full text is preserved in the evidence file.
A deadline-restart formal follow-up was sent during the week of publication, identifying each unanswered point and setting the 26 May 2026 statutory clock with explicit reference to Articles 12(3), 15, and 77 GDPR. The text of that follow-up is in Part 11 below as a reusable template.
All emails, order confirmations, the $1.01 refund record, billing entries, and the bundle-access email listing the five non-security apps are preserved as an evidence file. The Clario AntiSpy iOS application has been deleted from all my devices.
The application has been removed from my Apple Pay subscription console for the directly-Apple-billed portion; the Clario-billed add-ons (the multi-subscription pattern) were independently confirmed cancelled by Clario in the 27 and 29 April responses.
What happens between now and 26 May 2026
Preserve evidence. No further actions that would weaken the regulatory position.
Do not initiate a Mastercard chargeback yet. Nothing in Article 12(3) lets a controller pause the response clock because a payment dispute is open, but a chargeback raised inside the statutory window hands the controller an argument that the matter is being handled in another forum, and rebutting that argument costs time. Hold the chargeback in reserve for Day 27; the 120-day window (Rail 5) leaves ample room for that.
Monitor inbox. A substantive 7-point response would meaningfully change the analysis; document and acknowledge it if it arrives.
What happens on 27 May 2026 if the response is silent, evasive, or still incomplete
The next move is not a single complaint. It is a coordinated multi-rail filing in one morning, with each rail addressing a different exposure surface of the operator. Filing in parallel makes it harder for any one authority to defer to another, and denies the operator the option of using one open dispute to delay another.
Rail 1 - GDPR enforcement (Latvian DVI under Article 77)
Electronic complaint via dvi.gov.lv/en, in English.
Subject: failure to provide complete response to a valid Article 15 request under Articles 12(3) and 15 GDPR.
Attachments: original SAR (26 April), partial response (29 April), deadline-restart letter, list of unanswered points, evidence file.
Procedurally important: because the UK Clario Tech Limited entity dissolved on 5 March 2024 and the current operating entity is established in the UAE, there is no Lead Supervisory Authority for Clario in the EU. The GDPR still applies to it under Article 3(2) (services offered to data subjects in the EU), but the one-stop-shop mechanism of Article 56 only exists for controllers with an EU establishment. Every EU DPA where Clario has users is therefore independently competent, and the DVI complaint stands alone without EDPB One-Stop-Shop coordination. A controller in this position must normally designate an Article 27 representative in the EU: if one is named in the privacy policy, cite it in the complaint; if none is named, say so, because that omission is itself a point for the DPA.
Useful as a mediation channel parallel to formal regulatory complaints; sometimes produces faster individual outcomes.
Rail 5 - Mastercard chargeback (the financial track)
Initiate via the issuing bank.
Reason codes: the 13.3 (Not as Described or Defective Services), 13.5 (Misrepresentation), 12.6.1 (Duplicate Processing) and 13.6 (Credit Not Processed) codes often quoted online are Visa's. The Mastercard equivalents are 4853 (Cardholder Dispute, which covers not as described, misrepresentation, credit not processed, and disputed recurring transactions) and 4834 (Point-of-Interaction Error, which covers duplicate processing). Describe the facts to the issuing bank and let it assign the code; the facts decide the dispute, not the label.
Mastercard chargeback window: 120 days from the transaction date. The 18 April 2026 transaction reaches the deadline around 16 August 2026 - the window is open through August.
The chargeback record is admissible evidence in any subsequent civil claim.
Rail 6 - Apple App Store report
Report via Apple's Report a Problem flow plus the App Store Review team.
Reference App Store Review Guideline 3.1.2 (subscription transparency) and Guideline 5.6 (developer code of conduct: deceptive practices).
Apple has removed apps that engaged in deceptive subscription practices. Even if no removal occurs, the report enters Apple's internal review record.
Note: the ANTISPY_APPSMARKET merchant descriptor on the Clario-billed Apple Pay charges (charges billed directly by Clario, as opposed to App Store charges, which appear under Apple's own descriptor) is itself reportable, since it does not identify the merchant the customer believes they are paying.
Rail 7 - Article 82 GDPR civil compensation claim
File in Latvian small claims court. Article 79(2) GDPR allows proceedings against a controller to be brought before the courts of the Member State where the data subject habitually resides, regardless of where the controller is established; the practical hurdle with a UAE-established defendant is enforcing the judgment, not obtaining it.
Article 82 GDPR allows compensation for material and non-material damages.
The CJEU ruling in C-300/21 (Österreichische Post, May 2023) sets the frame: a GDPR infringement on its own does not give rise to compensation, so the claim must show damage caused by the infringement; but non-material damage need not cross any threshold of seriousness to be compensable.
Material damages: $6.99 in the 1-week subscription charge that was never refunded, plus any subsequent unauthorized charges.
Non-material damages: anxiety, time spent on enforcement, loss of control of personal data.
Civil claims create a separate court record and can be useful in coordinating any future collective action.
Rail 8 - FTC complaint (the US track)
File via reportfraud.ftc.gov.
The FTC has jurisdiction over deceptive practices in US commerce.
Clario sells in the US; the 18 April 2026 checkout was in USD.
The Restoro / Reimage settlement (March 2024) is the operative precedent: a Cyprus-structured operator in the same product category with the same conduct pattern, settled for $26 million.
The FTC enforcement timeline against Restoro/Reimage was approximately 24 months from initial complaint to settlement. The window for adding to that enforcement docket against a structurally similar operator is now.
Rail 9 - Press / amplification
Soft outreach (advance heads-up) to the security and consumer-rights journalists most likely to cover the corporate lineage finding:
Brian Krebs (Krebs on Security; covered MacKeeper from 2013-2018)
Patrick Wardle (Objective-See; macOS security focus)
Catalin Cimpanu (Risky Business)
Lily Hay Newman (Wired)
Bruce Schneier (consumer-security commentary)
European angle: Politico Europe data-protection desk, Sifted's regulatory coverage, EU Observer
These outlets have an established interest in the story and a 13-year history of covering the MacKeeper lineage. The Clario corporate-lineage finding closes a loop they have been working on intermittently for over a decade.
What happens between Day 27 and Day 60 (the medium term)
Track which authorities acknowledge the complaint and on what timeline.
Coordinate any collective action that emerges from the public case study (other affected users typically surface within days of publication).
Provide additional evidence to authorities on request.
Update this case study publicly with the response (or non-response) from each authority.
What this means for other affected consumers
If you are an affected Clario customer reading this, your own next-move tree is the same shape:
Today: preserve evidence (subscription emails, billing records, refund records, support thread). Do not delete the application until you have downloaded everything.
This week: send the SAR template from Part 11 below to hello@weareclario.com. Date your email. The Article 12(3) clock is one month from the controller's receipt, not a flat 30 days; track it from your specific send date.
One month from your SAR date: if no substantive response on all your points, run all nine rails above in parallel.
Throughout: keep me posted via admin@serpctrl.lv if you want your case included anonymously in a follow-up piece. Collective evidence is the strongest enforcement signal.
If you are a marketing director or CISO evaluating consumer-security tools for a workforce or a portfolio company: run the 15-minute diagnostic in Part 7 before any procurement. The cost of an operator like this on a company device fleet is not the subscription price. It is the data the operator collects, the third parties they share it with, and the auditable record they cannot produce when you ask under Article 15.
If you are a journalist or independent reviewer: the documented Trustpilot pattern, the corporate-lineage record, the actual subscription confirmation emails, the entity-swap mid-thread, the deceptive merchant descriptor, and the Apps Bundle dating-app payload are all in the evidence file and reproducible. Contact admin@serpctrl.lv for the evidence dossier.
If you are a regulator: the Restoro / Reimage FTC precedent (March 2024) maps directly onto the documented Clario conduct pattern. The operating entity has migrated to UAE since that precedent was set. The window for EU enforcement before further jurisdictional migration is finite.
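The sequencing above depends on two clocks: the Article 12(3) GDPR response period and the 120-day chargeback window. The calculator below is an added example, not from the original article, and it builds in two assumptions: "one month" is read the way the EDPB reads it (the same calendar day of the following month, or that month's last day if there is no such day), and the request is treated as received on the day it was sent. The 120-day figure is the one this piece cites for Mastercard and is taken as given.

```python
"""
Deadline calculator for the two clocks the enforcement timeline runs on.

Added example; not from the original article. Assumptions: the Art. 12(3)
"one month" ends on the same day of the next month (clamped to month end),
and the SAR counts as received on its send date.
"""
import calendar
from datetime import date, timedelta


def _as_date(value):
    """Accept a date or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(day, months):
    """Same day-of-month `months` ahead, clamped to the target month's length."""
    day = _as_date(day)
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last))


def sar_deadline(received, extended=False):
    """Art. 12(3): one month, or three if the controller notified a valid extension."""
    return add_months(received, 3 if extended else 1)


def chargeback_deadline(transaction, window_days=120):
    """Last day to raise the dispute with the issuer, counted from the transaction date."""
    return _as_date(transaction) + timedelta(days=window_days)


def enforcement_timeline(sar_received, transaction):
    """
    The dates the sequencing depends on: the SAR deadline, the first day a
    non-response can be treated as final, and how much of the chargeback
    window is still open on that day.
    """
    sar = sar_deadline(sar_received)
    file_on = sar + timedelta(days=1)
    cb = chargeback_deadline(transaction)
    return {
        "sar_deadline": sar,
        "file_complaints_on": file_on,
        "chargeback_deadline": cb,
        "chargeback_days_left_on_filing_day": (cb - file_on).days,
        "chargeback_still_open": cb >= file_on,
    }


if __name__ == "__main__":
    # The dates from this case study: SAR sent 26 April 2026, checkout 18 April 2026.
    for key, value in enforcement_timeline("2026-04-26", "2026-04-18").items():
        print(f"{key}: {value}")
```

The month-end clamp is the part a plain "30 days" count gets wrong: a request received on 31 January expires on 28 February (29 in a leap year), not on 2 March. If the controller does notify an extension under Article 12(3), re-run with extended=True and check the chargeback window again before agreeing to wait.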
Part 11: The SAR follow-up template
The text below is the formal deadline-restart follow-up sent to Clario during the week of publication. It is reproduced here as a reusable template for any affected EU resident in the same position. Adapt the dates, the order IDs, and the specifics to your case.
Subject: GDPR Article 15 Data Subject Access Request - outstanding points and statutory deadline reminder
To the Data Protection Officer, Clario Tech DMCC / Clario Tech FZCO,
I refer to my data subject access request sent on 26 April 2026 invoking my rights under Article 15 of Regulation (EU) 2016/679 (GDPR), and to your response of 29 April 2026.
Your 29 April response confirmed the cancellation of subscriptions and provided a single data-sharing statement: "Please note that no personal data is shared or sold for marketing purposes." That statement does not constitute a complete response to my request.
The following points from my 26 April 2026 SAR remain unanswered:
A complete copy of the personal data you hold concerning me, in a structured, commonly used and machine-readable format, in accordance with Article 15(3) GDPR.
The full list of recipients or categories of recipients to whom the personal data have been or will be disclosed, including third-country recipients and including (but not limited to) hosting providers, analytics providers, payment processors (including the entity that operates the ANTISPY_APPSMARKET merchant descriptor), CRM systems, customer support tools, fraud-prevention services, advertising technology partners, and any other third party. The statement that "no personal data is shared for marketing purposes" addresses only one category of sharing; the request concerns all categories.
The exact timestamp and consent record for each subscription created on my account on 18 April 2026 (order numbers CLA-A29D-202604-98609, CLA-A29D-202604-98610, and CLA-A29D-202604-98611), including the specific checkout screen and offer text presented to me at the moment each subscription was authorized.
Clarification of the contracting entity and merchant of record. Your order confirmation emails are signed by Clario Tech DMCC. Your support emails from 27 April 2026 onward are signed by Clario Tech FZCO. Please specify in writing which entity is the data controller for my personal data, and under which entity's terms each of the three subscriptions was concluded.
Information about international data transfers in accordance with Article 15(2) GDPR, specifically including any transfers to the United Arab Emirates and to any other non-EU jurisdiction, with the legal basis for each transfer (adequacy decision, standard contractual clauses, binding corporate rules, or other).
Information about any automated decision-making, including profiling, in accordance with Article 15(1)(h) GDPR.
The envisaged storage period for my personal data, or the criteria used to determine that period, in accordance with Article 15(1)(d) GDPR.
Under Article 12(3) GDPR, you must respond to my request without undue delay and in any event within one month of receipt. The one-month period from my 26 April 2026 request expires on 26 May 2026.
If a complete response covering each of the points above is not received by 26 May 2026, I will treat the response as inadequate and will file a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija) under Article 77 GDPR, with concurrent consideration of representation under Article 80 GDPR and a compensation claim under Article 82 GDPR.
I am preserving the entire correspondence and all supporting evidence (subscription confirmations, billing records, refund records, the apps-bundle delivery email listing five unrelated consumer apps, and your responses) for that purpose.
This case has been documented publicly as a forensic case study. The case study, which names Clario and quotes verbatim from your emails, has been published.
Yours faithfully,
Laima Ērkšķe-Kreicberga
Account email: erkske.l@gmail.com
Date sent: [insert send date]
Methodology and disclosure
Sources cited inline. Corporate-lineage data from UK Companies House (registration #12229999 for Clario Tech Limited), the ICIJ Pandora Papers / Offshore Leaks database, Wikipedia entries for MacKeeper, Kromtech, and Clario Tech, and the press archive of Computer Weekly's interview with then-CEO Alun Baker. Class-action settlement records from Top Class Actions and AppleInsider. Data breach reporting from SC Media. FTC enforcement records for Restoro Cyprus Ltd and Reimage Cyprus Ltd from FTC press releases dated March 2024 and March 2025. Trustpilot, App Store, Sitejabber, and PissedConsumer review pools as cited.
Independent AV testing from AV-Test (av-test.org) and AV-Comparatives (av-comparatives.org). Engine identification (Bitdefender, NordVPN) from independent reviewer reports (Cloudwards, VPNPro).
GDPR Article 15 procedural requirements from Regulation (EU) 2016/679, Articles 12, 15, 77, 82, 83. Restoro/Reimage settlement amount and refund distribution from FTC press releases.
The affected-consumer testimony in Parts 3 and 10 is mine, with preserved evidence including the three sequential order confirmation emails (CLA-A29D-202604-98609, 98610, 98611), the apps-bundle access email listing five unrelated consumer apps, the cancellation and retention thread documenting the entity swap from Clario Tech DMCC to Clario Tech FZCO mid-correspondence, the $1.01 refund record, the full SAR thread and the substantive 29 April response, and the formal deadline-restart follow-up sent during the publication week. The evidence file is available to any data protection authority, journalist, regulator, or counsel on request via admin@serpctrl.lv.
For factual corrections: admin@serpctrl.lv. Corrections will be made publicly and dated.
SerpCtrl operates under SIA Cyber Unicorn (Latvian registration 40203002129). We provide SEO audit, monitoring, managed services, and software development. We have no commercial relationship with Clario Tech, Bitdefender, NordVPN, or any party named in this case study. We are not in the consumer antivirus category.