Privacy policy
Effective 28 May 2026
How Open Digital WEB LTD trading as Klarvo ("Klarvo", "we") collects, uses, and protects personal data.
1. Who we are
Klarvo is operated by Open Digital WEB LTD trading as Klarvo, registered at 36 Tyndall Court, Lynchwood Business Park, Peterborough, PE2 6LR, United Kingdom. We act as the data controller for personal data we collect about visitors to klarvo.io and account holders on app.klarvo.io.
For any privacy enquiry, email hello@klarvo.io.
2. What data we collect
Three categories, no more:
- Account data. Name, email, organisation, role. Provided by you at signup or by your admin when they invite you.
- Compliance content. The AI-system descriptions, classifications, obligations, evidence files, and policies you create in Klarvo. Held in your private organisation workspace; invisible to other organisations.
- Operational metadata. Server logs (IP, timestamp, request path), error reports, billing records, audit logs of actions you take inside the platform.
3. Why we collect it
- To provide the service. Classifications, evidence storage, billing.
- To meet legal obligations. Tax and accounting retention; security and abuse prevention.
- To improve Klarvo. Aggregated, non-identifiable usage analytics. No personal profile is built about you.
We rely on the GDPR lawful bases of contract (operating your account), legal obligation (tax, accounting, fraud prevention), and legitimate interests (security, abuse prevention, product analytics — assessed and balanced against your rights).
4. KlarvoEngine and AI processing
When you classify an AI system, the description you provide is sent to KlarvoEngine for classification. KlarvoEngine processes the description, returns the verdict, and we store the verdict and the input in your private workspace.
The underlying capability provider receives the description as transient input to produce the classification. Your data is not used to train any model. We never share your evidence file contents with any external party — the engine reads metadata only.
AI privacy controls in Settings let your organisation reduce what is sent (minimal mode) or disable AI processing entirely on a per-feature basis.
5. Data sharing
We share data with a small list of processors only to operate the service:
- Supabase — primary database, authentication, file storage (EU region).
- Stripe — billing and payment processing.
- Resend — transactional email (account confirmations, deadline reminders).
- Cloudflare — hosting and CDN for klarvo.io.
- The AI capability provider behind KlarvoEngine — for the duration of each classification call.
Each processor is bound by a Data Processing Agreement that mirrors the requirements of GDPR Articles 28–29.
6. Retention
Account and compliance content — held for the life of your account and 90 days after deletion (so accidental deletion can be reversed).
Audit logs — held for 12 months in identifiable form, then pseudonymised, then hard-deleted at 7 years (legal-defensibility window for AI Act enforcement).
Billing records — held for 7 years to meet UK / EU tax retention requirements.
Server logs — held for 30 days.
7. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (subject to the limited retention periods above).
- Restrict or object to processing.
- Receive your data in a portable format.
- Lodge a complaint with your local supervisory authority (e.g. the UK ICO; the relevant Member State data protection authority in the EU).
Email hello@klarvo.io to exercise any right. We respond within 30 days.
8. International transfers
Where data leaves the European Economic Area (e.g. some processors hosted in the United States), we rely on the European Commission's Standard Contractual Clauses (or successor mechanisms) and run a transfer impact assessment per the EDPB guidance.
9. Cookies & analytics
The marketing site uses a small number of essential cookies only. See the cookies policy for the full list.
For usage analytics we use Plausible Analytics, an EU-hosted, cookieless service. It sets no cookies, stores no persistent identifiers, and collects no personal data — only aggregated page and event counts. The same applies inside the Klarvo app.
10. Updates
We update this policy when the product or the legal framework changes. The effective date at the top reflects the most recent change. Material changes are notified to account holders by email.