The short version
klair is a French B2B software company — a société par actions simplifiée (SAS) registered in France. We sell custom software services and three products — Hermes (proposal intake), Apollo (AI development platform), and Moon (post-launch hosting and on-call). We act as the data controller for our website, marketing, sales, billing, and account data, and as a data processor when we handle the content our customers and their end users put into our products. We host primarily in the European Union (Frankfurt). We use a small, named set of sub-processors. We don't sell or share personal information for cross-context behavioural advertising. Everything below explains how that works in practice.
Who is responsible (controller)
klair.dev (“klair”, “we”, “us”) is a French société par actions simplifiée (SAS) registered in France and is the controller of personal data collected through klair.dev, our marketing site, our portal, and our products when used directly by you. For customers who deploy our products to their own end users (for example, a law firm embedding Hermes on its website), klair acts as a processor on the customer's behalf for the content those end users submit — the customer is the controller of that content. Our Data Protection Officer can be reached at dpo@klair.dev. General privacy questions go to privacy@klair.dev. Our supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).
Who this policy is for
This policy applies to: visitors to klair.dev; prospects who interact with Hermes intake on third-party sites that have embedded Hermes (in which case the embedding company is also a controller of that conversation); klair customers and the individual users we authenticate into the portal; beta participants in Apollo and Moon; people who email, schedule, or otherwise contact us; and California, EEA, UK, and other global residents whose data we process in connection with any of the above.
Notice at collection (California)
At or before we collect personal information from a California resident, this section tells you what we collect, why, and for how long. We collect the categories of personal information described in section 05 (“What we collect”) for the business and commercial purposes described in section 06 (“Why we use it”), retain it for the periods set out in section 09 (“How long we keep it”), and disclose it only to the recipients listed in section 07 (“Who we share it with”). We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes that require a right to limit under the CPRA.
What we collect
Account data. Your name, work email, organisation, role, timezone, language preference, and authentication identifiers. We use magic-link and OAuth — we never store passwords.
Customer and project content. Proposals, messages, milestone sign-offs, attachments, and anything else you produce in the portal. For Apollo beta participants, also: ticket metadata, draft plans, run logs, and pull-request references. Source code itself is read in-memory during an active task and is not retained beyond that task window.
Hermes intake content. Where you interact with a Hermes-embedded intake on a customer's site (law firm engagement letter, design RFP, accountant scoping, marketing brief, software intake, etc.), we process the text you submit and the AI-generated draft on the customer's behalf. The embedding customer controls that content; klair processes it.
Billing data. Invoice addresses, VAT or other tax identifiers, purchase order references, and the bank details we need to issue a refund. Payment card numbers never reach klair servers — they are collected and stored by Stripe, our payment processor.
Communications. The content of emails, support tickets, scheduled calls, and any feedback you send us. This includes responsible-disclosure reports submitted to security@klair.dev.
Technical data. IP address (hashed with a per-process salt for rate-limiting), user-agent, device and browser metadata, locale, timestamps, request and error logs, and session identifiers. Used to run the service securely and to debug — not to build behavioural profiles.
Cookies and similar storage. A small set of strictly-necessary cookies (session, CSRF, consent state) and an opt-in anonymous analytics cookie. The full list is on our cookies page.
Sensitive personal information. We do not seek to collect special categories of personal data under GDPR (health, biometrics, race, religion, sexual orientation, political views, trade-union membership), or “sensitive personal information” under CPRA (precise geolocation, government ID, account credentials with the means to access an account, contents of private communications not addressed to klair, racial or ethnic origin, etc.). If such data appears inside content you upload to the portal or submit through Hermes, we process it only as needed to provide the service and we do not use it to infer characteristics about you.
Children. klair is a B2B service not directed at children. We do not knowingly collect personal data from anyone under sixteen. If you believe a child has provided us data, contact privacy@klair.dev and we will delete it.
Why we use it (purposes and legal bases)
We process personal data to: (a) provide the klair services and products you or your organisation contracted for — legal basis: performance of a contract; (b) run our website, respond to enquiries, and prepare proposals — legitimate interests in operating a B2B sales function and, where required, your consent; (c) issue invoices, collect payment, and meet our accounting and tax obligations — legal obligation; (d) secure the service, prevent fraud and abuse, monitor uptime, investigate incidents, and back up data — legitimate interests in keeping the service trustworthy; (e) send transactional emails (sign-in links, invoices, milestone notifications, incident updates) — performance of a contract; (f) send infrequent product updates and beta news to customer contacts — legitimate interests, with an unsubscribe link on every message; (g) improve our products from aggregate, de-identified usage patterns — legitimate interests; and (h) comply with legal requests and defend our rights — legal obligation and legitimate interests. Where we rely on legitimate interests, we have balanced those interests against your rights and you can object at any time.
Who we share it with (sub-processors and recipients)
We share personal data only with: (1) sub-processors that are necessary to run the service, under a written data-processing agreement — today, Supabase (EU-hosted Postgres database and authentication), Stripe (payments), Resend (transactional email), and Anthropic (LLM inference for Hermes intake chat and Apollo); (2) professional advisors (accountants, auditors, lawyers) bound by confidentiality, where strictly necessary; (3) competent authorities, where we are legally required to disclose; and (4) a successor entity in the event of a merger, acquisition, or sale of assets — in which case we will notify you in advance and your rights under this policy will continue. We do not sell personal information, we do not rent contact lists, and we do not share personal information for cross-context behavioural advertising.
International transfers
Primary storage is in the European Union (Frankfurt). Encrypted backups are replicated to a second EU region. Some sub-processors are based outside the EEA and UK — Stripe and Anthropic operate from the United States. Transfers to those recipients rely on the European Commission's Standard Contractual Clauses (SCCs), with the UK International Data Transfer Addendum where UK personal data is involved, and with the additional safeguards required under those clauses (encryption in transit and at rest, contractual confidentiality, audit rights, and assessments of the recipient country's law). You can request a copy of the relevant transfer safeguards from privacy@klair.dev.
How long we keep it
Account data — for as long as your account is active, plus twelve months after closure. Project and proposal content — for the duration of the engagement plus ten years, to meet French accounting and tax retention obligations (the French Code de commerce generally requires commercial records to be preserved for ten years). Hermes intake records — retained on behalf of the embedding customer per its own retention schedule; klair holds them only as long as that customer instructs. Apollo task data — plan, run logs, and PR references retained for ninety days after the run completes; source code is not retained beyond the active task window. Server, application, and security logs — ninety days. Marketing contacts — until you unsubscribe, then suppressed for the period needed to honour the unsubscribe. Backups roll out of the system within thirty-five days. You can request earlier deletion at any time; we will comply unless we are legally obliged to keep the record (for example, an issued invoice).
Your rights under GDPR and UK GDPR
If you are in the EEA, the UK, or another jurisdiction with comparable law, you have the right to: access your personal data and receive a copy; have inaccurate data corrected; have data erased; restrict or object to certain processing (including direct marketing); receive your data in a portable format; withdraw consent at any time where processing is based on consent; and not be subject to a decision based solely on automated processing that produces legal or similarly significant effects without safeguards. Send a written request to privacy@klair.dev and we will respond within thirty days. We may extend that period by up to two months for complex requests, in which case we will tell you within the first thirty days. You can also lodge a complaint with the CNIL or your local supervisory authority — but we would prefer the chance to fix it first.
Your rights under CCPA / CPRA (California)
If you are a California resident, you have the right to: know what personal information we collect, use, disclose, and (if applicable) sell or share; access a copy of the specific pieces of personal information we hold about you; correct inaccurate personal information; delete personal information, subject to limited exceptions (for example, completing a transaction or complying with a legal obligation); opt out of the sale or sharing of personal information — although we do not sell or share personal information as those terms are defined under CPRA; limit the use or disclosure of sensitive personal information — we do not use sensitive personal information for purposes that require a right to limit; and not be discriminated against for exercising any of these rights. To exercise any right, write to privacy@klair.dev from the email address associated with your account, or use the contact details below. We will verify your request by matching the information you provide against what we hold; we may ask for additional information to confirm identity for sensitive requests. You can use an authorized agent to submit a request on your behalf with written permission and proof of identity. We respond within forty-five days and may extend once by an additional forty-five days where reasonably necessary, with notice.
Do Not Sell or Share — and Global Privacy Control
klair does not sell personal information for money or other valuable consideration, and we do not share personal information for cross-context behavioural advertising. There is therefore no “Do Not Sell or Share My Personal Information” opt-out to set, because the underlying activity does not occur. If you send a Global Privacy Control (GPC) signal from your browser, we will continue to honour it as a reinforced statement of your preferences and we will not start any sale or sharing activity in the future without first obtaining the consent the law requires.
Other US state rights
Residents of US states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others — have rights comparable to those in section 11 (access, correction, deletion, opt-out of targeted advertising, opt-out of certain profiling, and appeal of a denied request). We honour these rights using the same intake process: write to privacy@klair.dev. If we deny a request in whole or in part, you may appeal by replying to that decision; we will respond to the appeal within the period required by your state's law.
Automated decision-making and AI
Hermes uses a large language model (currently Anthropic Claude) to draft proposal and intake content with the prospect. The output is a draft for human review on both sides — it is not a binding offer and it does not by itself produce legal effects. Apollo uses the same provider to read repository context, draft an implementation plan, and propose changes through a pull request. Every Apollo change is gated on a human review and merge by your team; nothing is shipped to your production branches automatically. We do not use AI to make solely automated decisions that produce legal effects or similarly significant effects about you (for example, credit, employment, or access decisions). We do not train Anthropic's models, or any other model, on your code, your proposals, your messages, or your Hermes intake content. Inputs and outputs are processed under contractual terms that prohibit such training and require deletion after the inference is complete.
Cookies and local storage
We use a small number of strictly-necessary cookies for session and CSRF, and we store an anonymous consent preference so you aren't asked twice. Optional analytics is anonymous and aggregate, and is only set after you accept it. Full detail, including each cookie's name, lifetime, and purpose, lives in our cookies policy.
Marketing communications
We send infrequent product updates, beta announcements, and policy changes to customer contacts and to people who have asked to hear from us. Every message has a one-click unsubscribe. If you unsubscribe, we suppress the address from future marketing but retain the suppression record so we can keep honouring your choice.
Security
TLS in transit. At-rest encryption for databases and backups. Magic-link and OAuth authentication (no passwords stored). Least-privilege access for staff, audited through Supabase row-level security. Encrypted secrets management. Logging and alerting on suspicious activity. Annual penetration test by an external firm. Documented incident-response and breach-notification process — where a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority within seventy-two hours and notify affected individuals without undue delay where the risk is high. Responsible-disclosure reports go to security@klair.dev and we respond within one business day.
Changes to sub-processors
Before we add or replace a sub-processor that processes personal data on our behalf, we will update the list in section 07 and notify customers with an active account or engagement at least thirty days in advance. If you reasonably object to a new sub-processor on data-protection grounds, contact us within that window and we will work with you on an alternative or, if none is workable, on an orderly exit from the affected service.
Changes to this policy
If we change this policy in a way that materially affects you, we will email you at least thirty days before it takes effect. Non-material changes are logged on this page with a new effective date.
How to contact us
Data Protection Officer — dpo@klair.dev. General privacy — privacy@klair.dev. Security and responsible disclosure — security@klair.dev. Legal notices and contractual correspondence — legal@klair.dev. Abuse, spam, or misuse of a klair service — abuse@klair.dev. Anything else — hello@klair.dev. Our supervisory authority is the CNIL (cnil.fr); California residents may also contact the California Privacy Protection Agency (cppa.ca.gov). We try to answer every request within one business day.