Privacy Policy
Plain-English summary
Klovac is an AI customer support platform operated by Klovant Tech Private Limited (India). We collect personal data only where we need to operate the service, comply with the law, or fulfil a contract. We do not sell personal data. We do not use the content of conversations to train models. End users of our customers (the people chatting with a Klovac-powered agent) interact with us as a data processor on behalf of the business they contacted; that business is the data controller. This page explains what we collect, why, with whom we share it, and how you can exercise your rights.
Contents
- Who we are
- Scope & roles (controller vs processor)
- Personal data we collect
- Purposes & legal bases
- WhatsApp Business data & Meta compliance
- AI processing & model training
- Sharing & sub-processors
- International data transfers
- Retention
- Security
- Your rights (GDPR, UK GDPR, CCPA, LGPD & others)
- Cookies & tracking
- Children
- Automated decision-making
- Changes to this policy
- Contact & complaints
1. Who we are
This Privacy Policy is issued by Klovant Tech Private Limited ("Klovac", "we", "us", "our"), an Indian private limited company that operates the Klovac platform and the websites klovac.com and app.klovac.com. Klovac is a product of Klovant Tech Private Limited.
Our registered office and contact details are listed in the Contact section.
2. Scope & roles
This policy covers personal data we handle in two distinct roles:
2.1 As controller — for our customers and visitors
When you sign up for a Klovac account, talk to our sales team, visit klovac.com, or otherwise interact with us directly, we determine the purposes and means of processing. We are the controller for that data.
2.2 As processor — for end users of our customers
When a customer of ours (a "Workspace") deploys a Klovac agent on their website or WhatsApp number, the people who chat with that agent are end users of the Workspace. The Workspace decides what data to ingest, what knowledge base to use, and how long to retain conversations. We process that data strictly on the Workspace's documented instructions, under a Data Processing Agreement (DPA). If you are an end user and want a copy of your data or want it deleted, please contact the business you were chatting with first; they are the controller.
3. Personal data we collect
3.1 Account & workspace data (we are controller)
- Identifiers: name, work email, hashed password, profile photo (optional), workspace slug.
- Billing data: company name, billing address, VAT/tax ID, last four digits and brand of payment instrument (we do not store full card numbers — see Sub-processors).
- Configuration & encrypted secrets: the API keys you provide for your own AI providers (BYOK) are encrypted at rest in a dedicated vault and decrypted only at inference time.
- Usage & technical data: IP address, device/browser type, pages visited, feature events, error logs.
- Communications: emails, support tickets, sales call notes.
3.2 Knowledge base content (we are processor)
Documents, web pages, CSVs, FAQs, and other source material you upload or point us at. We chunk, embed, and index this content so the agent can retrieve it during a conversation. Where personal data is present in source material, you remain the controller.
3.3 Conversation data (we are processor)
- Messages exchanged between an end user and the agent.
- Contact identifiers the end user shares (name, email, phone, order number, etc.).
- Channel metadata (Web visitor token, WhatsApp phone number, timestamps, message IDs).
- Resolution outcome and handoff records.
3.4 Website & marketing data (we are controller)
If you submit our demo or pricing forms, we collect the fields you provide plus a hashed IP address for rate-limiting. See the Cookies Policy for analytics and consent.
4. Purposes & legal bases
Under the EU GDPR, UK GDPR, and equivalent laws we rely on the following legal bases:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Provide the platform you signed up for; authenticate you; deliver chat responses; bill you | Performance of a contract (Art. 6(1)(b)) |
| Protect against fraud, abuse, and security incidents; keep audit logs; rate-limit forms | Legitimate interests (Art. 6(1)(f)) |
| Send service emails (security, billing, breach notifications) | Legitimate interests / legal obligation |
| Send marketing emails, run analytics with non-strictly-necessary cookies | Consent (Art. 6(1)(a)); withdrawable at any time |
| Comply with tax, accounting, and other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Process special-category data within knowledge bases or messages, if any | Strictly on the Workspace's documented instructions and lawful basis (DPA) |
Where we rely on legitimate interests, we have performed and recorded a balancing test. You can object on grounds relating to your particular situation — see Your rights.
5. WhatsApp Business data & Meta platform compliance
Klovac integrates with the WhatsApp Business Platform operated by Meta Platforms, Inc. ("Meta"). When a Workspace connects a WhatsApp Business number to Klovac, the following applies:
5.1 What WhatsApp data we process
- End-user phone numbers and WhatsApp display names.
- Message content (inbound and outbound), media attachments, timestamps, and message status (delivered, read).
- The WhatsApp Business Account ID, phone number ID, and associated webhook payload metadata required by the Meta Cloud API.
5.2 How we use it
- To route incoming messages to the Workspace's agent and deliver replies back to the end user.
- To display the conversation thread in the Workspace's operator console.
- To enforce per-conversation cost caps, rate limits, and abuse detection.
- We do not use WhatsApp data to train machine-learning models.
- We do not sell or rent WhatsApp data.
- We do not share WhatsApp data with advertisers or third-party data brokers.
5.3 Retention & deletion of WhatsApp data
WhatsApp message content is retained for the period configured by the Workspace (default: 90 days, configurable to as low as 7 days). End users can request deletion at any time by contacting the business they messaged. The business can also use our admin console to delete any conversation. On deletion, content is removed from primary stores immediately and from backups within 30 days.
5.4 Compliance commitments
Klovac complies with:
- The WhatsApp Business Solution Terms.
- The Meta Platform Terms and Developer Policies.
- The Meta Business Messaging Policies, including limits on promotional messaging and the 24-hour customer service window.
- Applicable laws in the jurisdictions where the Workspace and its end users are located.
End users always retain their rights under WhatsApp's own privacy policy with respect to Meta.
5.5 Reporting abuse
If you believe a Klovac-powered WhatsApp number is being used to send spam, harass, scam, or otherwise violate WhatsApp policies, please report it to hello@klovac.com with the phone number and a description. We investigate within 24 business hours and may suspend the offending Workspace.
6. AI processing & model training
Klovac sends conversation content to the AI providers chosen and authorised by the Workspace — typically Anthropic or Groq for chat responses and Voyage AI for knowledge-base embeddings — using the Workspace's own API keys (BYOK). The Workspace's contract with each AI provider governs how that provider may use the data.
We do not train our own foundation models. We do not use customer or end-user data to train, fine-tune, or evaluate any machine-learning model unless the Workspace explicitly opts in in writing. Aggregated, fully anonymised, non-reversible metrics (e.g. average response time across the platform) may be used to improve the service.
7. Sharing & sub-processors
We use the sub-processors below to operate the service. We can provide an updated list on request to hello@klovac.com.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage (encrypted at rest) | US / EU |
| Vercel | Application hosting and edge network | US / global |
| Upstash (Redis) | Rate limiting and caching | US / EU |
| Razorpay | Payment processing — subscriptions, one-time orders, invoices (we never store full card numbers) | India |
| Meta Platforms | WhatsApp Business Platform for the WhatsApp channel | Per Meta's policies |
| Resend | Transactional email (handoff alerts, team invites) | US |
| Trigger.dev | Background jobs (knowledge-base re-indexing) | US |
| Firecrawl | Website crawling for the knowledge base | US |
| Langfuse | LLM request tracing and analytics | EU / US |
| Sentry | Error and performance monitoring | US / EU |
| Website analytics (Google Analytics) and fonts | US | |
| AI providers (BYOK) | Inference and embeddings on the Workspace's own account — typically Anthropic, Groq, Voyage AI | Per the provider chosen |
We sign written agreements with every sub-processor requiring confidentiality, GDPR-compliant security, and processor-to-processor flow-down terms. We do not sell personal data. We do not share personal data with advertisers.
We may disclose personal data when legally compelled (subpoena, court order) or to protect rights, property, or safety. Where the law allows, we notify the affected customer first.
8. International data transfers
Klovant Tech Private Limited is established in India and uses infrastructure and sub-processors that may store or process data in the United States, the European Union, and other regions (see §7). Where personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those areas, we rely on one or more of:
- Adequacy decisions of the European Commission (e.g. EU–US Data Privacy Framework where the recipient is certified).
- The European Commission's Standard Contractual Clauses (Module 2 or 3 as appropriate) supplemented by a Transfer Impact Assessment.
- The UK Information Commissioner's Office International Data Transfer Addendum.
- The Swiss FADP-aligned addendum where applicable.
A copy of the SCCs is available on request to hello@klovac.com.
9. Retention
| Category | Default retention |
|---|---|
| Account & workspace data | For the life of the account, then deleted after a 30-day grace period following termination |
| Conversation content (Web & WhatsApp) | 90 days (Workspace-configurable, minimum 7 days) |
| Knowledge base content | Until the Workspace deletes it |
| Billing records | 8 years (statutory tax & accounting obligations) |
| Server logs | 30 days |
| Audit logs | 13 months |
| Marketing contacts (after withdrawal of consent) | Immediately suppressed; 24-month suppression record |
| Backups | Rolling 30-day window; deletion propagates within 30 days |
10. Security
We maintain technical and organisational security measures appropriate to the risk, including:
- Encryption. TLS in transit; encryption at rest. Your BYOK API keys are encrypted in a dedicated vault and decrypted only at inference time.
- Tenant isolation. Workspace data is logically isolated using row-level access controls.
- Access controls. Role-based team access within each Workspace, an optional IP allowlist for the chat widget, and an optional approval (human-review) mode.
- Governance & privacy. Configurable data-retention periods, one-click GDPR data export, and topic allow/block controls.
- Monitoring. Application error and performance monitoring (Sentry) and audit logging.
- Incident response. We notify affected customers of confirmed personal-data breaches without undue delay and within the timeframes required by applicable law (e.g. GDPR: 72 hours to the supervisory authority).
11. Your rights
11.1 If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR / FADP)
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data rectified (Art. 16).
- Have your data erased ("right to be forgotten") (Art. 17).
- Restrict or object to processing (Art. 18, 21).
- Data portability — receive your data in a structured, commonly used format (Art. 20).
- Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3)).
- Lodge a complaint with your national supervisory authority. EU residents can find theirs at edpb.europa.eu. UK residents can complain to the ICO.
11.2 If you are in California (CCPA / CPRA)
You have the right to know, delete, correct, and limit the use of sensitive personal information. You also have the right to opt out of "sale" or "sharing" of personal information — Klovac does not sell or share personal information as defined under the CCPA, and has not in the preceding 12 months.
11.3 If you are in Brazil (LGPD), Quebec (Law 25), South Africa (POPIA), India (DPDP Act), Australia (Privacy Act), or other jurisdictions
You have equivalent rights of access, correction, deletion, portability, and complaint to your local data-protection authority. We honour valid requests under any applicable law.
11.4 How to exercise your rights
Email hello@klovac.com or use the in-app "Data & privacy" page once signed in. We respond within 30 days (extendable by 60 days for complex requests, with notice). We will need to verify your identity before disclosing data.
If you are an end user of a Workspace (e.g. you chatted with a business on WhatsApp), please contact that business first — they are the controller of your data and we will refer your request to them.
12. Cookies & tracking
See our separate Cookies Policy for the full list, your choices, and the consent manager.
13. Children
Klovac is a B2B platform not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (or the relevant national age of digital consent). If you believe a child has provided us with personal data, contact hello@klovac.com and we will delete it.
Workspaces are responsible for not directing Klovac-powered agents at children unless they have a lawful basis and appropriate parental consent.
14. Automated decision-making & AI outputs
Klovac generates AI responses that are surfaced to end users in real time. These responses do not produce legal effects on the end user (e.g. they do not decide credit eligibility, employment, or insurance). The Workspace remains responsible for any decision it takes based on a Klovac response and must provide a path to human review on request — we ship a built-in human-handoff feature for exactly this.
15. Changes to this policy
We may update this policy from time to time. We post the new version at this URL with a refreshed "Effective" date. Material changes are announced by email to account admins and by in-app banner at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
16. Contact & complaints
Data controller — Klovant Tech Private Limited
Klovant Tech Private Limited
Flat 501, Ananda Nilayam, Kranthi Nagar Road 6, Bachupally · Qutubullapur · K.V. Rangareddy · Telangana 500090 · India
Privacy, data requests, security & abuse: hello@klovac.com
If you are in India, you may also raise a grievance under the Digital Personal Data Protection Act, 2023 with our grievance contact at hello@klovac.com.