Kliper
Sign in Book a demo
Kliper
LEGAL · PRIVACY

Privacy Policy

Last updated · June 16, 2026·Effective · June 16, 2026

§01Overview

This Privacy Policy explains how Kortlabs (“Kortlabs”, “we”), the company behind the Kliper platform, collects, uses, and protects personal information when you visit our website or use our platform. We build compliance tooling, so protecting data is core to what we do. Kliper is our product; Kortlabs is the company that operates it.

§02Information we collect

  • Account & contact data — name, work email, company, role (when you request a demo, create an account, or contact us).
  • Usage data — pages visited, actions taken, device/browser information, collected via PostHog analytics only with your consent.
  • Customer content — evidence, assessments, and documents you upload, processed strictly within your tenant.

§03How we use information

  • Provide, operate, and secure the platform.
  • Respond to demo requests and support inquiries.
  • Improve the product and website (aggregated analytics).
  • Send service and, with consent, marketing communications.

AI features (Cortex) use OpenAI and self-hosted models on our own Hetzner infrastructure; providers we use do not train on data submitted via their APIs.

§04Google Calendar integration

When you connect your Google Calendar, Kliper accesses the Google Calendar API (calendar.events scope) solely to create and update calendar events that you choose to add from Kliper (for example, assessment meetings and deadlines). We do not read your existing calendar entries beyond what is required to update events Kliper created, we do not use this data for advertising, and we never sell it. You can disconnect at any time in Kliper, which revokes our access; we retain Google tokens only while the connection is active.

Limited Use

Kliper’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

§05Legal bases & applicable laws

Where the EU/UK GDPR applies, we process personal data under: performance of a contract, our legitimate interests (securing and improving the service), your consent (analytics, marketing), and legal obligations. We also comply with Morocco’s Law No. 09-08 (overseen by the CNDP), the California CCPA/CPRA and other U.S. state privacy laws, and other local data-protection laws where you are located.

§06Sharing & sub-processors

We do not sell or share your personal information. Your data is hosted on our own infrastructure; we use a limited set of vetted third-party sub-processors, each bound by data-protection terms:

  • Hetzner Online GmbH — all application hosting and data storage (Germany, EU). Our services run on separate Hetzner servers: the application, our self-hosted Supabase stack (database, storage, realtime, auth), Redis, PostgreSQL, and our self-hosted AI models. Your data is not sent to Supabase, Inc.
  • Cloudflare — DNS and edge/CDN; processes connection metadata such as IP addresses.
  • OpenAI — AI processing for Cortex (US); does not train on data submitted via its API.
  • Resend — transactional email delivery (US).
  • PostHog — product/website analytics (EU region).
  • Polar — payments & billing (Merchant of Record).
  • Google — used when you sign in with Google or connect the Calendar/Drive integrations.
  • VirusTotal — malware reputation checks by file hash only; no file content or personal data is sent (files are scanned locally with ClamAV).
  • Netlify — marketing website hosting (US).
  • Integrations you choose to connect (e.g. Microsoft SharePoint, Jira, Slack, GitHub, Google Drive) receive data only when you enable them.

We also use Twingate for secure staff access to our private infrastructure and BetterStack for uptime monitoring and our public status page; these do not receive your application data. A current sub-processor list is available on request and on our Trust & Security page.

§07Data retention

We retain personal data only as long as necessary for the purposes described, to comply with legal obligations, resolve disputes, and enforce agreements. Customer content is retained per your subscription and deleted on request.

§08Security

We apply encryption in transit and at rest, per-tenant isolation, access controls, and SOC 2 Type II–aligned practices. See Trust & Security for detail.

§09Your rights

Your rights depend on where you live:

  • EU/EEA & UK: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent; you may complain to your local supervisory authority.
  • California & other U.S. states (Virginia, Colorado, Connecticut, Texas, etc.): know, access, delete, correct, and opt out of sale/sharing and targeted advertising — we do not sell or share personal information.
  • Morocco: rights under Law 09-08; you may complain to the CNDP.
  • Other regions: additional local laws (e.g. Singapore PDPA, Japan APPI, India DPDP) may apply.

To exercise any right, email [email protected] — we respond within the timeframes required by law.

§10International transfers

We are based in Morocco and host data in the EU (Germany, on Hetzner). For cross-border transfers we rely on appropriate safeguards: EU Standard Contractual Clauses (for transfers from the EU/EEA, including access by our team in Morocco), the UK International Data Transfer Addendum (from the UK), and equivalent safeguards elsewhere. Copies are available on request.

§11Changes to this policy

We may update this policy from time to time. Material changes will be posted here with an updated effective date.

§12Contact

Questions about this policy? Email [email protected] or use our contact page. Kortlabs — Rue de Bruxelles, 20000 Casablanca, Morocco.