Privacy Policy
1. Introduction
Open Digital WEB LTD (trading as Klarvo), a company registered in England and Wales with its registered office at 36 Tyndall Court, Lynchwood Business Park, Peterborough, PE2 6LR, United Kingdom ("Company," "we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our EU AI Act compliance platform and related services (the "Service").
This policy applies to all users of the Service, including visitors to our website, registered users, and customers. We act as the data controller for the personal data described in this policy.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when using the Service, including:
- Account Information: Name, email address, company name, job title, and password when you register.
- Profile Information: Additional details you add to your profile.
- Compliance Data: Information about your AI systems, vendors, policies, and evidence that you enter into the platform.
- Communications: Messages you send to us for support or feedback.
- Payment Information: Billing details and payment information (processed by our payment provider, Stripe).
2.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Device Information: Device type, operating system, browser type, and unique device identifiers.
- Usage Data: Pages visited, features used, time spent, and interaction patterns.
- Log Data: IP address, access times, and referring URLs.
- Cookies: As described in our Cookie Policy.
2.3 Information Collected via the Klarvo AI Transparency WordPress Plugin & Embedded Widget
The Klarvo AI Transparency WordPress plugin and embeddable JavaScript widget may be installed on third-party websites by website operators to display EU AI Act Article 50 transparency notices.
Standalone Mode — No Data Collection
When the Plugin operates in standalone mode (no Klarvo Site Key configured), it makes zero external requests. No data is collected from website visitors. No cookies are set. No personal data is processed. All functionality runs locally on the website operator's server.
Connected Mode — Limited Anonymous Data
When a website operator configures the Plugin in connected mode, the following data is collected:
- Site Key: A unique identifier for the website, configured by the website operator
- Page URL: The URL of the page where the widget is displayed
- Detected AI Tools: Names and categories of AI tools detected on the website (e.g., "Tidio — interaction")
- Anonymous Impression Events: A count of widget views, expansions, and dismissals, transmitted via a lightweight beacon
- Widget Configuration: Display preferences such as badge position and accent colour
What We Do NOT Collect from Website Visitors
- No personal data (names, emails, phone numbers)
- No IP addresses
- No cookies or tracking identifiers
- No device fingerprints
- No browsing history beyond the current page URL
- No form data or user inputs
Data Recipients
Connected mode data is transmitted to:
- Klarvo servers at klarvo.io (hosted on Cloudflare infrastructure) for widget script and signature delivery
- Klarvo API hosted on Supabase (supabase.co) for configuration, analytics, and detection reporting
Data Retention (Widget)
Anonymous impression data is retained for the duration of the website operator's subscription. Aggregated analytics (daily impression counts) are retained. Raw event data is deleted after 90 days.
Legal Basis — Widget Data (GDPR)
Processing of anonymous impression data in connected mode is based on the website operator's legitimate interest in monitoring compliance widget performance. As no personal data is collected from website visitors, GDPR consent requirements for visitor data do not apply.
Website Operator Obligations
Website operators using connected mode should inform their visitors about the use of the Klarvo Widget in their own privacy policy.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve the Service.
- Account Management: To create and manage your account.
- Communications: To send service-related notifications, updates, and support responses.
- Analytics: To understand usage patterns and improve user experience.
- Security: To detect, prevent, and address security threats.
- Legal Compliance: To comply with applicable laws and regulations.
- Marketing: With your consent, to send promotional communications.
4. Legal Basis for Processing (GDPR & UK GDPR)
Under the General Data Protection Regulation (GDPR) and the UK GDPR, we process personal data based on:
- Contract Performance: Processing necessary to provide the Service you requested.
- Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security.
- Legal Obligation: Processing required by law.
- Consent: Processing based on your explicit consent (e.g., marketing emails).
5. Data Sharing and Disclosure
We may share your information with:
- Service Providers: Third-party vendors who help us operate the Service (hosting, analytics, payment processing).
- Business Partners: With your consent, for joint offerings or integrations.
- Legal Requirements: When required by law, court order, or government request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets.
- Protection of Rights: To protect our rights, privacy, safety, or property.
We do not sell your personal information to third parties.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. We may retain certain information longer as required by law or for legitimate business purposes (e.g., audit trails, legal claims).
Compliance data that you enter into the platform is retained according to your subscription terms and the regulatory requirements for EU AI Act compliance documentation.
7. Your Rights (GDPR & UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restriction: Request restriction of processing.
- Data Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent at any time (where processing is based on consent).
To exercise these rights, contact us at privacy@klarvo.io or write to: Data Protection Officer, Open Digital WEB LTD, 36 Tyndall Court, Lynchwood Business Park, Peterborough, PE2 6LR, United Kingdom.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. When we transfer data outside the EEA or UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office (ICO).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
For more details on our security practices, see our Security page.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use after such notification constitutes acceptance.
12. Supervisory Authority
As a UK-registered company, our lead supervisory authority is the UK Information Commissioner's Office (ICO). You have the right to lodge a complaint with the ICO or with the supervisory authority in your country of residence.
- ICO website: ico.org.uk
- ICO telephone: 0303 123 1113
13. Contact Us
For questions about this Privacy Policy or to exercise your rights:
- Email: privacy@klarvo.io
- Data Protection Officer: dpo@klarvo.io
- Address: Open Digital WEB LTD, 36 Tyndall Court, Lynchwood Business Park, Peterborough, PE2 6LR, United Kingdom