Home Legal Privacy Policy

Privacy Policy

Effective: 23 June 2026 Last updated: 23 June 2026 Version: 2.1

Plain-English summary

Klovac is an AI customer support platform operated by Klovant Tech Private Limited (India). We collect personal data only where we need to operate the service, comply with the law, or fulfil a contract. We do not sell personal data. We do not use the content of conversations to train models. End users of our customers (the people chatting with a Klovac-powered agent) interact with us as a data processor on behalf of the business they contacted; that business is the data controller. This page explains what we collect, why, with whom we share it, and how you can exercise your rights.

Contents

  1. Who we are
  2. Scope & roles (controller vs processor)
  3. Personal data we collect
  4. Purposes & legal bases
  5. WhatsApp Business data & Meta compliance
  6. AI processing & model training
  7. Sharing & sub-processors
  8. International data transfers
  9. Retention
  10. Security
  11. Your rights (GDPR, UK GDPR, CCPA, LGPD & others)
  12. Cookies & tracking
  13. Children
  14. Automated decision-making
  15. Changes to this policy
  16. Contact & complaints

1. Who we are

This Privacy Policy is issued by Klovant Tech Private Limited ("Klovac", "we", "us", "our"), an Indian private limited company that operates the Klovac platform and the websites klovac.com and app.klovac.com. Klovac is a product of Klovant Tech Private Limited.

Our registered office and contact details are listed in the Contact section.

2. Scope & roles

This policy covers personal data we handle in two distinct roles:

2.1 As controller — for our customers and visitors

When you sign up for a Klovac account, talk to our sales team, visit klovac.com, or otherwise interact with us directly, we determine the purposes and means of processing. We are the controller for that data.

2.2 As processor — for end users of our customers

When a customer of ours (a "Workspace") deploys a Klovac agent on their website or WhatsApp number, the people who chat with that agent are end users of the Workspace. The Workspace decides what data to ingest, what knowledge base to use, and how long to retain conversations. We process that data strictly on the Workspace's documented instructions, under a Data Processing Agreement (DPA). If you are an end user and want a copy of your data or want it deleted, please contact the business you were chatting with first; they are the controller.

3. Personal data we collect

3.1 Account & workspace data (we are controller)

3.2 Knowledge base content (we are processor)

Documents, web pages, CSVs, FAQs, and other source material you upload or point us at. We chunk, embed, and index this content so the agent can retrieve it during a conversation. Where personal data is present in source material, you remain the controller.

3.3 Conversation data (we are processor)

3.4 Website & marketing data (we are controller)

If you submit our demo or pricing forms, we collect the fields you provide plus a hashed IP address for rate-limiting. See the Cookies Policy for analytics and consent.

4. Purposes & legal bases

Under the EU GDPR, UK GDPR, and equivalent laws we rely on the following legal bases:

PurposeLegal basis (Art. 6 GDPR)
Provide the platform you signed up for; authenticate you; deliver chat responses; bill youPerformance of a contract (Art. 6(1)(b))
Protect against fraud, abuse, and security incidents; keep audit logs; rate-limit formsLegitimate interests (Art. 6(1)(f))
Send service emails (security, billing, breach notifications)Legitimate interests / legal obligation
Send marketing emails, run analytics with non-strictly-necessary cookiesConsent (Art. 6(1)(a)); withdrawable at any time
Comply with tax, accounting, and other legal obligationsLegal obligation (Art. 6(1)(c))
Process special-category data within knowledge bases or messages, if anyStrictly on the Workspace's documented instructions and lawful basis (DPA)

Where we rely on legitimate interests, we have performed and recorded a balancing test. You can object on grounds relating to your particular situation — see Your rights.

5. WhatsApp Business data & Meta platform compliance

Klovac integrates with the WhatsApp Business Platform operated by Meta Platforms, Inc. ("Meta"). When a Workspace connects a WhatsApp Business number to Klovac, the following applies:

5.1 What WhatsApp data we process

5.2 How we use it

5.3 Retention & deletion of WhatsApp data

WhatsApp message content is retained for the period configured by the Workspace (default: 90 days, configurable to as low as 7 days). End users can request deletion at any time by contacting the business they messaged. The business can also use our admin console to delete any conversation. On deletion, content is removed from primary stores immediately and from backups within 30 days.

5.4 Compliance commitments

Klovac complies with:

End users always retain their rights under WhatsApp's own privacy policy with respect to Meta.

5.5 Reporting abuse

If you believe a Klovac-powered WhatsApp number is being used to send spam, harass, scam, or otherwise violate WhatsApp policies, please report it to hello@klovac.com with the phone number and a description. We investigate within 24 business hours and may suspend the offending Workspace.

6. AI processing & model training

Klovac sends conversation content to the AI providers chosen and authorised by the Workspace — typically Anthropic or Groq for chat responses and Voyage AI for knowledge-base embeddings — using the Workspace's own API keys (BYOK). The Workspace's contract with each AI provider governs how that provider may use the data.

We do not train our own foundation models. We do not use customer or end-user data to train, fine-tune, or evaluate any machine-learning model unless the Workspace explicitly opts in in writing. Aggregated, fully anonymised, non-reversible metrics (e.g. average response time across the platform) may be used to improve the service.

7. Sharing & sub-processors

We use the sub-processors below to operate the service. We can provide an updated list on request to hello@klovac.com.

Sub-processorPurposeLocation
SupabaseDatabase, authentication, and file storage (encrypted at rest)US / EU
VercelApplication hosting and edge networkUS / global
Upstash (Redis)Rate limiting and cachingUS / EU
RazorpayPayment processing — subscriptions, one-time orders, invoices (we never store full card numbers)India
Meta PlatformsWhatsApp Business Platform for the WhatsApp channelPer Meta's policies
ResendTransactional email (handoff alerts, team invites)US
Trigger.devBackground jobs (knowledge-base re-indexing)US
FirecrawlWebsite crawling for the knowledge baseUS
LangfuseLLM request tracing and analyticsEU / US
SentryError and performance monitoringUS / EU
GoogleWebsite analytics (Google Analytics) and fontsUS
AI providers (BYOK)Inference and embeddings on the Workspace's own account — typically Anthropic, Groq, Voyage AIPer the provider chosen

We sign written agreements with every sub-processor requiring confidentiality, GDPR-compliant security, and processor-to-processor flow-down terms. We do not sell personal data. We do not share personal data with advertisers.

We may disclose personal data when legally compelled (subpoena, court order) or to protect rights, property, or safety. Where the law allows, we notify the affected customer first.

8. International data transfers

Klovant Tech Private Limited is established in India and uses infrastructure and sub-processors that may store or process data in the United States, the European Union, and other regions (see §7). Where personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those areas, we rely on one or more of:

A copy of the SCCs is available on request to hello@klovac.com.

9. Retention

CategoryDefault retention
Account & workspace dataFor the life of the account, then deleted after a 30-day grace period following termination
Conversation content (Web & WhatsApp)90 days (Workspace-configurable, minimum 7 days)
Knowledge base contentUntil the Workspace deletes it
Billing records8 years (statutory tax & accounting obligations)
Server logs30 days
Audit logs13 months
Marketing contacts (after withdrawal of consent)Immediately suppressed; 24-month suppression record
BackupsRolling 30-day window; deletion propagates within 30 days

10. Security

We maintain technical and organisational security measures appropriate to the risk, including:

11. Your rights

11.1 If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR / FADP)

You have the right to:

11.2 If you are in California (CCPA / CPRA)

You have the right to know, delete, correct, and limit the use of sensitive personal information. You also have the right to opt out of "sale" or "sharing" of personal information — Klovac does not sell or share personal information as defined under the CCPA, and has not in the preceding 12 months.

11.3 If you are in Brazil (LGPD), Quebec (Law 25), South Africa (POPIA), India (DPDP Act), Australia (Privacy Act), or other jurisdictions

You have equivalent rights of access, correction, deletion, portability, and complaint to your local data-protection authority. We honour valid requests under any applicable law.

11.4 How to exercise your rights

Email hello@klovac.com or use the in-app "Data & privacy" page once signed in. We respond within 30 days (extendable by 60 days for complex requests, with notice). We will need to verify your identity before disclosing data.

If you are an end user of a Workspace (e.g. you chatted with a business on WhatsApp), please contact that business first — they are the controller of your data and we will refer your request to them.

12. Cookies & tracking

See our separate Cookies Policy for the full list, your choices, and the consent manager.

13. Children

Klovac is a B2B platform not directed at children. We do not knowingly collect personal data from anyone under the age of 16 (or the relevant national age of digital consent). If you believe a child has provided us with personal data, contact hello@klovac.com and we will delete it.

Workspaces are responsible for not directing Klovac-powered agents at children unless they have a lawful basis and appropriate parental consent.

14. Automated decision-making & AI outputs

Klovac generates AI responses that are surfaced to end users in real time. These responses do not produce legal effects on the end user (e.g. they do not decide credit eligibility, employment, or insurance). The Workspace remains responsible for any decision it takes based on a Klovac response and must provide a path to human review on request — we ship a built-in human-handoff feature for exactly this.

15. Changes to this policy

We may update this policy from time to time. We post the new version at this URL with a refreshed "Effective" date. Material changes are announced by email to account admins and by in-app banner at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

16. Contact & complaints

Data controller — Klovant Tech Private Limited

Klovant Tech Private Limited
Flat 501, Ananda Nilayam, Kranthi Nagar Road 6, Bachupally  ·  Qutubullapur  ·  K.V. Rangareddy  ·  Telangana 500090  ·  India
Privacy, data requests, security & abuse: hello@klovac.com

If you are in India, you may also raise a grievance under the Digital Personal Data Protection Act, 2023 with our grievance contact at hello@klovac.com.