This Privacy Policy describes how Ask Klairr — AI Solutions LTD, a private company limited by shares incorporated under the laws of the Republic of Cyprus ("Klairr," "we," "us," or "our"), collects, uses, stores, and protects your information when you use our AI Analyst platform ("Service"). It applies to all users of the Service, including administrators, power users, analysts, and members.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. Voluntary Provision of Information: You acknowledge that providing your personal information to us is entirely voluntary. However, certain information is necessary to create an account and use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address (used for authentication, notifications, and account recovery), password (stored only as a one-way cryptographic hash — we never store or have access to your plaintext password), organization name, and your assigned role within the platform.
1.2 Question & Answer Data
Each time a user asks a question, we collect and store the question text, the AI-generated answer, the queries the platform generated and executed against the connected data sources, and conversation context for follow-up questions.
1.3 Result Samples
For each question, we store up to twenty (20) rows of query results. These result samples are displayed within the answer card so users can verify the data behind the answer.
Important: These result samples contain your actual business data — the rows returned by the query executed against your data source. The specific content depends on what tables and columns your question references. This may include revenue figures, customer names, transaction details, user behavior data, or any other information present in the queried tables.
1.4 Usage Metadata
For each question, we record timestamps, query latency, row counts, confidence levels, data source used, and connector selection mode.
1.5 Feedback Data
Users may provide Helpful / Not Helpful ratings and optional comments on answers. When feedback is used to improve answer quality, we disassociate it from your user identity.
1.6 AI Memory
Administrators configure entity aliases, metric definitions, data hints, and response directives that the AI uses when generating queries and answers.
1.7 Error Telemetry
When the Service encounters a runtime error in the user interface, we send a diagnostic event to our error-monitoring sub-processor (see Section 7 and our Sub-Processors page). The event includes the error message, application version, page URL, and a technical stack trace. It does not include question text, answers, or query results.
1.8 Analytics Data
If product analytics are enabled for your organization (with appropriate consent where required by law), we collect page views, feature usage, and session data. The active analytics provider is listed on our Sub-Processors page; if analytics is not currently enabled for your organization, no analytics data is collected.
2. Information We Do NOT Collect
- We Do Not Replicate Your Database. We store only the limited result samples described in Section 1.3 (up to 20 rows per question). Your full datasets remain in your own infrastructure.
- Data Source Credentials Are Protected. Credentials are encrypted at rest, never logged, never displayed after initial configuration, and never accessible in plaintext.
- We Do Not Collect Payment Card Data. Payment processing is handled entirely by our payment-processing sub-processor; refer to that provider's published security and compliance documentation.
3. How We Use Your Information
- AI Query Processing: Question text, conversation history, AI Memory content, and schema metadata are sent to our AI sub-processor for query generation and answer synthesis. No query result data is sent to the AI sub-processor.
- Query Execution: Generated queries are executed against your connected data sources to ground answers in real data.
- Platform Operation: Usage metadata and analytics data (where enabled) are used to monitor performance, resolve errors, develop features, and generate aggregate statistics.
- Billing: Question counts and usage metrics are used to calculate subscription charges.
- Support: We may access your account information and question history to resolve support requests.
- Security: Account and usage data is used to detect unauthorized access, enforce rate limits, and prevent abuse.
4. GDPR Legal Basis for Processing
If you are located in the EEA, UK, or Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6(1):
| Data Category | Legal Basis | Explanation |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Necessary to create and maintain your account |
| Question & answer data | Contract performance (Art. 6(1)(b)) | Core functionality of the Service |
| Result samples | Contract performance (Art. 6(1)(b)) | Displayed within answer cards |
| Usage metadata | Contract performance (Art. 6(1)(b)) | Required for billing and service delivery |
| AI Memory content | Contract performance (Art. 6(1)(b)) | Configured by Customer to customize AI |
| Error telemetry | Legitimate interest (Art. 6(1)(f)) | Diagnose and fix product defects |
| Analytics data | Consent (Art. 6(1)(a)) | Collected only with explicit consent where required |
| Feedback data | Legitimate interest (Art. 6(1)(f)) | Used to improve answer quality |
| Security logs | Legitimate interest (Art. 6(1)(f)) | Detect unauthorized access, prevent fraud |
| Data sent to AI sub-processor | Contract performance (Art. 6(1)(b)) | Necessary for AI-powered answers |
Where we rely on legitimate interest, we have conducted a balancing test. You may object to processing based on legitimate interest at any time by contacting us.
5. AI Model Processing
5.1 What Data Is Sent to the AI Sub-Processor
Question text, conversation context, AI Memory content, and schema metadata of the connected data sources (table names, column names, column types, and sample enum values where they are needed to disambiguate filters).
5.2 What Data Is NOT Sent to the AI Sub-Processor
Query result data (your actual business data rows), data source credentials, user passwords, payment information, and full database contents.
5.3 AI Sub-Processor's Data Handling
Our use of the AI sub-processor is governed by the sub-processor's commercial API terms, which restrict the use of API inputs and outputs for model training. API inputs and outputs may be retained by the sub-processor for a limited period for safety monitoring and abuse prevention, after which they are deleted, in accordance with that sub-processor's published policy. The current AI sub-processor and a link to its DPA are listed on our Sub-Processors page. If the AI sub-processor materially changes its data-usage, retention, or sub-processor policies in a manner that affects how we process your data, we will notify you within thirty (30) days.
5.4 Data Transfer to the AI Sub-Processor
The AI sub-processor's API infrastructure is located outside the European Economic Area, including in the United States. Such transfers are governed by Standard Contractual Clauses and other appropriate safeguards. See Section 16 for details.
6. Data Storage & Security
- Region: Application data is hosted in the European Union. Question text and conversational context are processed by our AI sub-processor, which may involve transfer to the United States.
- Database: A managed document database hosted in the EU, with encryption at rest.
- Authentication: Industry-standard password hashing, signed session tokens with rotation, and role-based access control.
- Encryption: Strong TLS in transit; industry-standard encryption at rest for database storage and data-source credentials.
- Application Security: Write and schema-modifying database operations are blocked at the application layer. We strongly recommend Customers provide read-only database credentials as defense-in-depth.
7. Data Sharing
We share personal data only with the sub-processors listed on our public Sub-Processors page, each of which is engaged to perform a specific function (AI model processing, cloud infrastructure, managed database hosting, payment processing, transactional email, edge delivery, or error monitoring). The Sub-Processors page is the canonical, up-to-date list and is incorporated into this Privacy Policy by reference.
No query result data is sent to the AI sub-processor. No payment card data is transmitted to Klairr's servers; payment is handled directly between you and the payment-processing sub-processor.
We do not sell, rent, or make available your personal information to third parties for their commercial purposes. We do not share personal information for cross-context behavioral advertising.
8. Cookies & Local Storage
8.1 Essential Cookies
Authentication tokens and CSRF tokens are required for the Service to function and cannot be disabled.
8.2 Preference Storage
UI preferences (theme, dismissed banners) are stored in browser local storage and are not transmitted to our servers.
8.3 Analytics Cookies
Where required by applicable law, analytics cookies are only set with your explicit consent and are blocked by default. You may opt out at any time through your account settings or the cookie consent banner without affecting core functionality.
8.4 No Advertising Cookies
We do not use advertising cookies, tracking pixels, or any third-party advertising technology.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data, subject to legal retention obligations.
- Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON, CSV). The Service provides built-in export functionality.
- Restriction: Request restriction of processing under certain circumstances.
- Object: Object to processing based on legitimate interests.
- Opt Out of Analytics: Opt out at any time through account settings.
- Withdraw Consent: Where we process data based on consent, you may withdraw at any time.
- Lodge a Complaint: Lodge a complaint with a supervisory authority in your jurisdiction (see Section 21).
To exercise any of these rights, contact us at privacy@klairr.com. Response timelines per regime:
| Regime | Response Time | Extension |
|---|---|---|
| GDPR / UK GDPR (EEA, UK, Switzerland) | Within one (1) month of receipt | Up to two (2) further months for complex requests, with notice |
| CCPA / CPRA (California) | Within forty-five (45) days | One additional 45-day period with notice |
| LGPD (Brazil) | Within fifteen (15) days | None (statutory) |
| Other jurisdictions | The longer of the timeframe required by applicable law and one (1) month | As required by applicable law |
We may verify your identity before processing a request. For complex requests involving multiple data sources, we will provide updates throughout the process.
10. CCPA / CPRA Disclosures (California Residents)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with specific rights:
10.1 Categories of Personal Information Collected
| Category (CCPA §1798.140) | Examples in Klairr | Sources | Business Purpose |
|---|---|---|---|
| Identifiers | Name, email, account ID, IP address | Directly from you | Account, authentication, support, security |
| Commercial information | Subscription plan, billing records | Directly from you, payment processor | Billing and contract performance |
| Internet activity | Page views, feature usage, session events (where analytics is enabled) | Directly from your browser, with consent | Service improvement and analytics |
| Professional information | Organization name, role within the platform | Directly from you | Access control and team collaboration |
| Inferences | Usage patterns, feedback signals | Derived from your use of the Service | Service improvement |
We do not collect categories of "sensitive personal information" within the meaning of CCPA §1798.140(ae) for the purpose of inferring characteristics about a consumer.
10.2 No Sale or Sharing
We do not sell your personal information. We do not share it for cross-context behavioral advertising. There is therefore no need to opt out of "sale" or "sharing"; we honor any such request as a confirmation of our default behavior.
10.3 Your California Rights
You have the right to know, delete, correct, limit the use of sensitive personal information, and opt out. We will not discriminate against you for exercising these rights. To submit a request, email privacy@klairr.com.
10.4 Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal under the California Consumer Privacy Act for any data category where opt-out applies. If your browser transmits a GPC header with a request, we treat that header as an opt-out for that browsing session and any associated identifier.
10.5 Retention by Category
Retention periods for each category of personal information are described in Section 12 (Data Retention). We retain each category only for as long as necessary for the business purpose identified in Section 10.1, subject to legal-hold and audit-log retention requirements.
11. LGPD Disclosures (Brazilian Residents)
If you are located in Brazil, the LGPD provides you with specific rights including confirmation, access, correction, anonymization, portability, deletion, information about sharing, and withdrawal of consent. We process your data under contract performance, legitimate interest, and consent as applicable. International transfers comply with Chapter V of the LGPD. To exercise rights, contact us at privacy@klairr.com. We will respond within fifteen (15) days.
12. Data Retention
- Account Data: Retained while active. Upon termination, retained for 30 days for data export, then permanently deleted.
- Question & Answer History: Retained while active. Users may delete individual conversations at any time. Deleted conversations are removed within 30 days.
- Audit Logs: Retained for twelve (12) months from the logged event. Audit logs may be retained beyond account deletion under our legitimate interest in compliance and fraud prevention (GDPR Art. 6(1)(f)).
- Error Telemetry: Retained for ninety (90) days, after which it is automatically purged.
- Backups: 30-day rolling retention, subject to the same security controls as active data.
- Anonymized Data: We may retain anonymized, aggregated data that cannot identify you or your organization indefinitely for statistical analysis.
13. Security and Breach Notification
We implement appropriate technical and organizational security measures. In the event of a confirmed personal data breach, we will notify affected Customers without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, consistent with GDPR Article 33. We will provide details about the nature of the breach, the categories and approximate number of records affected, likely consequences, and remedial measures. Where required by law, we will also notify the relevant supervisory authority.
14. EU AI Act Transparency
14.1 AI System Description
The Service uses third-party large language models, supplied by our AI sub-processor (see Sub-Processors), to interpret natural-language questions and generate query plans against your connected data sources.
14.2 Human Oversight
The Service provides transparency mechanisms: query display, raw result rows, confidence scoring, query live edit, and a full audit trail. Answers are decision-support, intended for human review.
14.3 Limitations and Risks
The AI may generate incorrect queries, misinterpret terminology, or produce plausible-sounding but factually incorrect answers. Confidence scores are estimates, not guarantees.
14.4 Risk Classification
As a general-purpose business intelligence tool used for internal data analysis and decision support, the Service is not inherently classified as high-risk under Annex III of the EU AI Act. However, certain Customer use cases may trigger high-risk classification — for example, if the Service is used to evaluate employee performance, creditworthiness, or access to essential services. The Customer is responsible for determining whether their specific use of the Service requires compliance with high-risk AI system requirements under the EU AI Act and for implementing any additional safeguards accordingly.
15. Automated Decision-Making (GDPR Article 22)
Klairr does not engage in decision-making based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you within the meaning of GDPR Article 22. The Service provides AI-generated answers as decision-support information for human review.
If Customer uses the Service to support decisions that produce legal effects or similarly significantly affect natural persons (for example, employment, credit, or eligibility decisions), Customer is the controller for that decision, is responsible for ensuring meaningful human review, and must establish any legal basis required under Article 22(2) GDPR.
16. International Data Transfers
Application data is hosted in the European Union. Where personal data is transferred to a sub-processor located outside the European Economic Area (for example, for AI model processing or payment processing in the United States), the transfer is governed by the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor) and any applicable supplementary measures.
For transfers from the United Kingdom, we rely on the UK Addendum to the EU Standard Contractual Clauses (International Data Transfer Addendum) or the UK International Data Transfer Agreement (IDTA), as applicable. For transfers from Switzerland, we rely on the Swiss adaptation of the Standard Contractual Clauses recognized by the FDPIC.
The current sub-processor list, including each sub-processor's location and applicable transfer mechanism, is published at klairr.com/legal/subprocessors and is updated whenever the list changes. The Sub-Processors page is the authoritative source.
17. "Do Not Track" and Universal Opt-Out Signals
The Service does not currently alter its practices in response to legacy Do Not Track (DNT) signals. We do, however, honor the Global Privacy Control (GPC) signal as described in Section 10.4. We do not track users across third-party websites. If analytics is disabled, no tracking cookies are set.
18. Cookie Policy
| Cookie / Storage | Purpose | Duration | Type |
|---|---|---|---|
| Authentication token | Logged-in session | Session / refresh | Essential |
| CSRF token | Cross-site request forgery protection | Session | Essential |
| Preferences | Theme, dismissed banners | Persistent | Functional |
| Analytics (if consented) | Page views, feature usage | Session | Consent-based |
No third-party advertising cookies are used. You can manage cookies through your browser settings or the cookie consent banner.
19. Children
The Service is designed for business use and is not directed at children. We do not knowingly collect personal information from anyone under the age of thirteen (13) in the United States (per COPPA) or under sixteen (16) in the EEA (per GDPR Article 8). If we become aware that we have collected personal information from a person under the applicable age threshold, we will take prompt steps to delete it. In jurisdictions where a different age threshold applies, we comply with the applicable local age requirement.
20. Merger, Acquisition, or Transfer of Ownership
In the event of a merger, acquisition, or other change of control, your personal data may be transferred to the successor entity. We will notify you at least thirty (30) days before any transfer. You will have the opportunity to terminate your account and request deletion before the transfer takes effect.
21. Complaints and Dispute Resolution
If you have concerns about how your personal data is handled, you may contact our Data Protection Officer at dpo@klairr.com. We will investigate and respond within fourteen (14) days.
You may also escalate to a competent supervisory authority. Klairr's EU/EEA lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus. You may alternatively contact your local data-protection supervisory authority in the European Economic Area, the United Kingdom Information Commissioner's Office (ICO), the Swiss Federal Data Protection and Information Commissioner (FDPIC), the relevant U.S. state Attorney General or privacy regulator (for state privacy laws including the CCPA / CPRA), or the Brazilian National Data Protection Authority (ANPD) for LGPD matters.
22. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' prior notice via email. Your continued use after the effective date constitutes acceptance.
23. Contact
Data Controller: Ask Klairr — AI Solutions LTD
Jurisdiction of Incorporation: Republic of Cyprus
General Email: support@klairr.com
Privacy Inquiries: privacy@klairr.com
Data Protection Officer (DPO): dpo@klairr.com
EU/EEA Lead Supervisory Authority: Office of the Commissioner for Personal Data Protection of the Republic of Cyprus
End of Privacy Policy