Privacy Policy
Last updated: February 2026
We are committed to protecting your privacy. This policy describes how we collect, use, and safeguard your information when you use the klaaro.ai platform.
1. Controller and scope
The data controller responsible for your personal data is synsugar GmbH, operating the Klaaro / klaaro.ai platform. This Privacy Policy applies to the klaaro.ai website and the document-to-database product and services. Our Terms of Service govern your use of the Service.
2. Data we collect
Account and sign-up: When you register, we collect your email address, name (from your sign-in provider or the registration form), and a password hash when you use email/password sign-up. When you sign in with a third-party provider (e.g. Google), we receive the profile information that provider shares (e.g. email, name).
Usage data: We collect and process the documents and files you upload, your pipeline configuration (e.g. classifications, schemas), extracted data you store in the Service, and information about your use of the API (e.g. endpoints called, for usage and quotas).
Technical data: We collect your IP address, browser/user agent, and logs that may include request IDs, timestamps, and route identifiers for security, operations, and support.
Cookies and similar technologies: We use session cookies (e.g. for authentication via Supabase), cookies that store OAuth tokens for connected integrations (Google Drive, OneDrive, Dropbox), and a cookie for sidebar preference. We may use analytics (e.g. Vercel Analytics) to understand how the product is used; see the Cookies section below for details.
3. Legal basis (GDPR)
Where the GDPR applies, we process your data on the following bases: (1) Contract — performance of the Service you have requested. (2) Legitimate interests — for security, abuse prevention, product improvement, and analytics, where balanced against your rights. (3) Consent — where we rely on consent (e.g. for certain non-essential cookies or marketing, if applicable), you may withdraw it at any time.
4. How we use the data
We use the data we collect to: operate and provide the Service (including authentication, document processing, AI extraction, and storage); communicate with you about your account and the Service; improve our product and develop new features; ensure security and prevent abuse; comply with legal obligations; and, where applicable, for analytics in accordance with this policy. We do not use your documents or extracted data to train third-party or public AI models.
5. Data sharing and subprocessors
We do not sell your personal data. We share data only as necessary to operate the Service, with the following categories of subprocessors:
- Vercel — hosting, Blob storage, and analytics (United States; subject to appropriate safeguards).
- Supabase — authentication, database, and storage (EU/EEA where available).
- Mistral — document OCR/parsing (in accordance with their data processing terms).
- AI providers — for classification and extraction (e.g. Google Gemini, OpenAI); processing is performed in accordance with our agreements with these providers and we do not use your content to train their public models.
- Resend — email delivery (e.g. transactional and product emails).
- Upstash — where used (e.g. rate limiting), in accordance with their terms and location.
We require subprocessors to protect your data in line with applicable law. We may update this list; material changes will be reflected in this policy or in a dedicated subprocessor page we may publish.
6. International transfers
Your data may be processed in the European Economic Area (EEA) and in other countries where our subprocessors operate. When we transfer data outside the EEA, we rely on adequacy decisions, standard contractual clauses, or other mechanisms permitted under applicable law to ensure an adequate level of protection.
7. Retention
We retain account data for the duration of your account and for a limited period after closure as needed for disputes, legal compliance, or support. Logs are retained for a limited period (e.g. up to 90 days) for security and operations. Documents and extracted data are retained for as long as you keep them in your account; upon account closure or upon your request, we will delete or return data in accordance with our policies and any applicable Data Processing Agreement.
8. Security
We use access controls, encryption in transit and at rest where applicable, and secure development practices to protect your data. Your documents and extracted data are scoped to your team and are not used to train third-party or public AI models. If you use the Service within an organization, your administrator may manage team data and access.
9. Your rights
Depending on your location, you may have the right to: access your personal data; rectify inaccurate data; erase your data (right to be forgotten); restrict processing; data portability; object to certain processing; and withdraw consent where processing is based on consent. If you are in the EEA or UK, you have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at the address below. If you are in California, you may have rights under the CCPA/CPRA (e.g. access, deletion, and the right to opt out of "sale" of personal information); we do not sell personal information as defined under the CCPA.
10. Cookies and similar technologies
We use the following:
- Session and authentication — necessary for signing in and maintaining your session (e.g. Supabase auth cookies).
- OAuth tokens — stored in cookies to support connected integrations (Google Drive, OneDrive, Dropbox); necessary for the functionality you have chosen.
- Preferences — e.g. sidebar state, to improve your experience (functional).
- Analytics — if we use analytics (e.g. Vercel Analytics), we use it to understand product usage; you can learn more and opt out via your browser settings or the provider's tools as described in their policies.
You can manage or block cookies through your browser settings; blocking certain cookies may affect the functionality of the Service.
11. Children
The Service is not directed at individuals under the age of 16 (or under 13 in jurisdictions that require it). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete it.
12. Changes
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will provide notice by email or through the Service where appropriate. Your continued use of the Service after the effective date of the changes constitutes acceptance of the updated policy, unless we require explicit consent under applicable law.
13. Contact
For questions about this Privacy Policy or to exercise your data protection rights, contact us at:
synsugar GmbH (Klaaro / klaaro.ai)
Data protection: privacy@klaaro.ai or the support/contact details provided in the application.