Legal

GDPR & Data Rights

Last updated: 22 April 2026

1. Our Commitment

KlevAI takes your privacy seriously. We comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The data controller is Shubert Singoyi (KlevAI), England and Wales. This page explains your rights in plain English and exactly how to exercise them.

2. Your Rights Explained

📋

Right of Access

You can ask us for a full copy of the personal data we hold about you — including what it is, why we have it, and who we share it with.

✏️

Right to Rectification

If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. We will update it within 30 days.

🗑️

Right to Erasure ("Right to be Forgotten")

You can ask us to delete all personal data we hold about you. We will comply unless we have a legal obligation to retain certain records (e.g. payment records for 7 years).

⏸️

Right to Restriction

You can ask us to pause processing your data — for example while you contest its accuracy — without requiring full deletion.

📦

Right to Data Portability

You can ask for your account data in a structured, commonly used, machine-readable format (e.g. JSON or CSV) so you can take it elsewhere.

🚫

Right to Object

You can object to us processing your data on the basis of legitimate interests (e.g. analytics). We will stop unless we can demonstrate compelling grounds that override your rights.

🤖

Rights Related to Automated Decision-Making

KlevAI does not make automated decisions about you that produce legal or similarly significant effects. AI-generated outputs are informational tools, not automated decisions.

3. How to Exercise Your Rights

Email hello@klevai.co.uk with the subject line:

Data Request — [Right You Are Exercising]

For example: “Data Request — Erasure” or “Data Request — Access”.

Include the email address associated with your KlevAI account.
We will acknowledge your request within 5 working days.
We will fulfil your request within 30 calendar days.
For complex or multiple requests we may extend by a further 2 months — we will notify you if so.
We will not charge a fee for reasonable requests.

4. Cookies

KlevAI uses one cookie only:

klevai-session — a strictly necessary JWT that authenticates your session. It is required for the service to function and does not track you across websites.

No analytics cookies (no Google Analytics, Hotjar, or similar).
No advertising pixels or retargeting scripts.
No third-party social media tracking buttons.
Because only a strictly necessary cookie is used, no consent banner is required under PECR.

5. International Data Transfers

Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:

Processor	Location	Safeguard
Supabase	EU West	Data stays in EU/EEA — no transfer
Stripe	US	Standard Contractual Clauses (SCCs)
Vercel	US/EU	SCCs in place; edge serving from EU
DataForSEO	EU	Data stays in EU/EEA — no transfer
Resend	EU/US	SCCs in place

6. Data Retention

Data Type	Retention Period	Reason
Account & personal data	Active + 90 days after closure	Service delivery & account recovery window
Payment records	7 years	UK financial & tax legal obligation
Anonymised usage data	Indefinite	No personal data present once anonymised

7. Contact the ICO

If you are unhappy with how we have handled your data or responded to a rights request, you have the right to complain to the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

We would appreciate the opportunity to resolve your concern directly first — please email hello@klevai.co.uk.