
GDPR Compliance

General Data Protection Regulation

Last updated: February 2026

1. Our Commitment

Kleif AI is committed to complying with the EU General Data Protection Regulation (GDPR). We take your data privacy seriously and ensure that all personal data is processed lawfully, fairly, and transparently.

This page outlines how we protect your rights as a data subject and how you can exercise them. It supplements our Privacy Policy with specific information relevant to the GDPR.

2. Data Controller and Processor

Kleif AI acts as the Data Controller for the personal data we collect directly from our users (account information, billing data, usage analytics).

For data processed through AI agents on behalf of our customers (end-user conversations, lead data), Kleif AI acts as the Data Processor, processing data according to our customers' instructions.

Data Protection Contact

Email: privacy@kleif.ai

3. Legal Basis for Processing

We process personal data based on the following legal grounds under Article 6 of the GDPR:

  • Contractual Necessity (Art. 6(1)(b)): To provide our AI platform services as agreed in your subscription and to fulfill our contractual obligations to you
  • Legitimate Interest (Art. 6(1)(f)): To improve our services, prevent fraud, ensure platform security, and conduct internal analytics where our interests do not override your rights
  • Consent (Art. 6(1)(a)): For marketing communications, optional analytics, and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing
  • Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, regulations, court orders, and legal processes, including tax and financial reporting requirements

4. Your Rights Under GDPR

As a data subject in the European Economic Area (EEA), you have the following rights under Articles 15-22 of the GDPR:

Right of Access (Art. 15)

You have the right to request a copy of all personal data we hold about you, free of charge. You can export your data directly from your dashboard under Settings, or contact us for a comprehensive data export in a structured format.

Right to Rectification (Art. 16)

You can update or correct your personal information at any time through your account settings. If you identify inaccuracies you cannot correct yourself, contact our support team and we will rectify them promptly.

Right to Erasure (Art. 17)

You may request complete deletion of your account and all associated data. Upon request, we will permanently delete your personal data, AI training data, conversation logs, and all related content within 30 days, except where we are legally required to retain certain records.

Right to Data Portability (Art. 20)

You can request your data in a structured, commonly used, and machine-readable format (JSON). This includes your profile data, conversation history, AI agent configurations, and analytics data. You may also request direct transfer to another controller where technically feasible.

Right to Restrict Processing (Art. 18)

You may request that we limit the processing of your personal data when you contest the accuracy of data, the processing is unlawful, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. For other objections, we will assess whether our legitimate grounds override your interests.

Right Regarding Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI agents assist human decision-making but do not make autonomous decisions with legal effects on individuals.

5. Data We Collect and Process

Data Category | Purpose | Retention Period
Account Information | Service delivery, authentication, communication | Until account deletion + 30 days
Billing Data | Payment processing, invoicing, tax compliance | As required by tax law (up to 7 years)
AI Training Data | Powering your AI agents, knowledge base | Until agent or account deletion
Conversation Logs | Service delivery, analytics, lead capture | Until account deletion
Usage Analytics | Platform improvement, feature development | Anonymized after 12 months
Technical Logs | Security, debugging, performance monitoring | 90 days

6. International Data Transfers

Your data may be processed outside the EEA by our service providers. When this occurs, we ensure adequate safeguards are in place in accordance with Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914
  • Adequacy Decisions where the European Commission has determined the receiving country provides adequate data protection
  • Binding contractual commitments with all sub-processors requiring equivalent data protection standards

Sub-Processors

Provider | Purpose | Location
OpenAI | AI conversation processing | United States
Stripe | Payment processing | United States
SendGrid | Email delivery | United States
Twilio | SMS, voice, and WhatsApp services | United States

We will notify customers of any changes to our sub-processor list at least 30 days in advance, allowing you to object if the change affects your data processing.

7. Data Security Measures

We implement comprehensive technical and organizational measures to protect your data in accordance with Article 32 of the GDPR:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access Control: RBAC, MFA, JWT authentication
  • Monitoring: Audit logging, intrusion detection
  • Backup: Encrypted backups, disaster recovery
  • Network Security: Rate limiting, DDoS protection
  • Application Security: CSP, HSTS, CSRF protection

8. Data Breach Notification

In compliance with Articles 33 and 34 of the GDPR, in the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible
  • Affected individuals will be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • We maintain a comprehensive breach register documenting all incidents, their effects, and remedial actions taken
  • Our incident response plan includes containment, assessment, notification, and remediation procedures

9. Cookies and Consent

We use cookies in accordance with the GDPR and the ePrivacy Directive:

  • Essential Cookies: Required for platform functionality and security (no consent needed under Art. 6(1)(f))
  • Analytics Cookies: Used to improve our services and user experience (consent required under Art. 6(1)(a))
  • Marketing Cookies: Not currently used. If introduced, we will obtain explicit consent

You can manage your cookie preferences at any time through your browser settings. Withdrawing consent for non-essential cookies will not affect the functionality of essential platform features.

10. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This includes our AI processing capabilities and automated conversation analysis features.

11. Data Processing Agreements

For business customers who use Kleif AI to process their end-users' personal data, we offer a comprehensive Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR. The DPA covers:

  • Scope, nature, and purpose of data processing
  • Types of personal data processed and categories of data subjects
  • Technical and organizational security measures
  • Sub-processor management, approval, and notification procedures
  • Assistance with data subject rights requests
  • Data deletion and return upon contract termination
  • Audit rights and compliance verification

To request a DPA, contact us at privacy@kleif.ai.

12. How to Exercise Your Rights

Self-Service Options

Use the data export and account deletion features in your dashboard Settings page for immediate access to your data or account removal.

Contact Us Directly

Send your GDPR request to privacy@kleif.ai. We will acknowledge your request within 3 business days and fulfill it within 30 days. We may request identity verification to protect your data from unauthorized access.

If your request is complex or we receive a large number of requests, we may extend the response period by up to 60 additional days, in which case we will inform you of the extension and the reasons for it.

13. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority under Article 77 of the GDPR. A list of EU/EEA data protection authorities can be found on the European Data Protection Board website.

We encourage you to contact us first so we can attempt to resolve your concern directly.

14. Updates to This Policy

We may update this GDPR compliance page to reflect changes in our data practices, legal requirements, or regulatory guidance. Material changes will be communicated via email to registered users at least 30 days before taking effect. We encourage you to review this page periodically.

15. Contact Us

For any GDPR-related questions, concerns, or data subject requests:

Email: privacy@kleif.ai


© 2026 Kleif AI. All rights reserved.