P·02 · Cookies policy

Cookies, honestly.

klair uses a small set of first-party cookies and browser storage to run the portal, remember your consent, and measure anonymous usage. We do not run advertising, cross-site tracking, social widgets, or third-party pixels. This page applies worldwide and is written to satisfy GDPR + the ePrivacy Directive (EU/UK) and the CCPA/CPRA (California, US) at a minimum.

Effective · 2026-04-24
Third-party ads · none

§ 01

Cookies and similar storage

A cookie is a small text file your browser stores when you visit a site, typically holding a session identifier or a preference. The same logic applies to other browser-side storage — localStorage, sessionStorage, IndexedDB — and to client-side signals like web beacons, SDK identifiers, and device fingerprints. EU/UK law (Article 5(3) of the ePrivacy Directive, often called the “cookie law”) treats these technologies the same: if we store information on your device or read information from it, we tell you and, unless it is strictly necessary to deliver a service you asked for, we ask for your consent first. For brevity, the rest of this policy uses “cookies” to mean cookies and any of these similar technologies.

§ 02

Categories we use

Strictly necessary. Required to load the site, sign you in, keep you signed in, prevent CSRF and other abuse, and remember your cookie choice so we don't ask twice. These cannot be switched off; if you block them, the portal will not work.

Functional. None today. If we add anything in this category (for example, a language or theme preference stored beyond a single session) we will list it in the table in section 03 first.

Analytics. Anonymous, aggregate usage signals — counts of page views, broad device class, and rough geography at country level. No cross-site tracking, no profile of you as an individual, no sale or sharing of personal information. Loaded only with your consent in the EU/UK and respected if you signal opt-out via Global Privacy Control elsewhere.

Advertising and cross-site tracking. None. We do not run an advertising network, we do not set third-party advertising cookies, we do not embed marketing or social-network pixels (no Meta Pixel, no LinkedIn Insight Tag, no TikTok Pixel, no Google Ads tag), and we do not share device or browser identifiers with ad-tech vendors. If this ever changes, we will update this section before deploying.

§ 03

What we set, exactly

| name | purpose | lifetime | type |
| --- | --- | --- | --- |
| sb-access-token | Supabase authentication cookie that keeps you signed into the portal between requests. HTTP cookie, first-party, scoped to klair.dev. | 1 hour | Essential |
| sb-refresh-token | Supabase refresh token used to issue a new access token without forcing you to sign in again. HTTP cookie, first-party, scoped to klair.dev. | 30 days | Essential |
| klair-consent | Stores the consent decision you made in our cookie banner so we don't ask you again on every visit. Held in browser localStorage rather than an HTTP cookie; we disclose it here because EU/UK law treats both the same. | Until you clear browser storage or change it via the cookie settings link | Essential |
| klair-analytics | Anonymous, aggregate usage signals — page-view counts, broad device class, country-level geography. Loaded only if you accept analytics in the banner and ignored if your browser sends a Global Privacy Control signal. | 12 months | Analytics |
| hermes-session | Set by the Hermes intake widget only on pages where a deploying party has embedded it. Holds a session identifier and a draft of an in-progress submission so you can refresh the page without losing what you typed. First-party to the embedding site's domain, not to klair.dev. The site operator that deployed the widget is the deploying party for that cookie. | Session (cleared when you close the tab) for the identifier; up to 7 days for the draft | Essential |

§ 04

Why we are allowed to set them

In the EU and UK, the rule for cookies and similar storage is Article 5(3) of the ePrivacy Directive (transposed into national law — for us, Article 82 of the French Loi Informatique et Libertés (Law No. 78-17, as amended), supervised by the CNIL and applied in line with the CNIL's recommandation cookies et traceurs). Strictly-necessary cookies are allowed without consent because they are required to deliver a service you explicitly asked for, such as signing into the portal. Everything else — analytics included — is loaded only after you give consent through our cookie banner, and you can withdraw consent at any time.

Where a cookie also processes personal data, GDPR (and UK GDPR) layer on top: our legal basis for strictly-necessary cookies is our legitimate interest in operating the service securely (Article 6(1)(f)), and our legal basis for analytics is your consent (Article 6(1)(a)). You can read about the wider purposes, retention, sub-processors, and international transfers in our privacy policy.

§ 05

Cookies set by the Hermes embed

Hermes is an intake widget that prospect site operators embed on their own pages — typically a “talk to us” block or a proposal-intake form. When you interact with Hermes on a third-party site, any cookies or local storage it sets are first-party in that site's domain (for example, prospectcompany.com), not in klair.dev. They hold a session identifier and a draft of what you are typing so a page refresh does not lose your work.

Two consequences follow from that. First, the site operator that embedded Hermes is the deploying party for those cookies under the EU/UK cookie rules, and is responsible for surfacing the appropriate notice and (where applicable) consent on its own site. Second, klair acts as the processor for the data submitted through Hermes back to us; how we handle that data is covered in our privacy policy and in the data-processing agreement we sign with each Hermes-deploying operator.

§ 06

Third-party content and embeds

We do not embed YouTube, Vimeo, Wistia, Twitter/X, LinkedIn, Facebook, Instagram, TikTok, or any other third-party video or social widget on klair.dev. We do not include marketing, conversion, or attribution pixels. Fonts are self-hosted. We do not load tag managers. If we ever add a third-party embed, we will list it in the table in section 03 with its provider, purpose, lifetime, and the category it falls under, and we will block it by default until you give consent.

§ 07

Changing or withdrawing your consent

You can re-open the cookie banner any time by clicking cookie settings in the footer. Your choice takes effect immediately: declining analytics removes the klair-analytics cookie on the next page load, and your decision is recorded in klair-consent so we do not ask again. You can also manage cookies directly in your browser — most browsers let you view stored cookies, block third-party cookies, block all cookies for a specific site, or wipe everything on exit. In Chrome and Edge the setting is under Settings → Privacy and security → Cookies and other site data; in Safari it is Safari → Settings → Privacy; in Firefox it is Settings → Privacy & Security → Cookies and Site Data. If you clear klair-consent from local storage, we will show you the banner again on your next visit.

§ 08

California: Do Not Sell or Share My Personal Information

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) gives you the right to know what personal information businesses collect about you, to delete it, to correct it, to limit the use of sensitive personal information, and to opt out of the “sale” or “sharing” of your personal information — where “sharing” is defined to include cross-context behavioural advertising.

klair does not sell personal information, and we do not share personal information for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA. We do not need to operate a separate “Do Not Sell or Share My Personal Information” link because there is nothing to opt out of. We also do not use sensitive personal information for purposes that require a “Limit the Use of My Sensitive Personal Information” mechanism. If this ever changes — for example, if we introduce an advertising-funded surface — we will update this section, surface the required links, and honour opt-out signals before any sharing begins.

You can still exercise your CCPA/CPRA rights to know, delete, or correct your personal information by writing to privacy@klair.dev. We will verify the request, respond inside the statutory window, and not discriminate against you for exercising any of these rights.

§ 09

Global Privacy Control (GPC)

Global Privacy Control is a browser-level signal — sent automatically by browsers and extensions such as Brave, DuckDuckGo, and Privacy Badger — that tells every site you visit that you do not want your personal information sold or shared. klair honours the GPC signal worldwide as both (a) an opt-out of any future “sale” or “sharing” under CCPA/CPRA, and (b) a withdrawal of consent for non-essential cookies including our analytics cookie. When GPC is detected we will not load klair-analytics and we will record the decision in klair-consent so the cookie banner does not nag you again.

§ 10

International users and transfers

klair is a French société par actions simplifiée (SAS) registered in France, and this policy applies to visitors everywhere. Our primary storage is in the EU, and where we rely on sub-processors that operate from the United States we use the Standard Contractual Clauses (and equivalents in the UK and Switzerland) as the transfer mechanism. The full sub-processor list, retention periods, and transfer detail live in our privacy policy.

§ 11

Changes to this policy

If we change this policy in a way that affects you — for example, adding a new cookie or a new category — we will update the effective date at the top of the page and re-prompt for consent where the change requires it. Material updates are also linked from the changelog. Non-material clarifications (a clearer sentence, a typo) are made in place and noted in the changelog.

§ 12

Contact and how to complain

Written questions about cookies or this policy go to privacy@klair.dev. Data-protection questions can go to our DPO at dpo@klair.dev. If you are in the EU or the UK and you believe we have mishandled your data, you can lodge a complaint with the CNIL — Commission Nationale de l'Informatique et des Libertés (cnil.fr), which is our lead supervisory authority, or with the data-protection authority in the EU member state where you live or work. If you are in California, you can contact the California Attorney General's Office (oag.ca.gov/privacy); residents of other US states with their own privacy laws can contact their state Attorney General.