Table of contents
KLEVU has already reviewed its personal data practices and has implemented the necessary steps to be GDPR-compatible. Before we answer the key questions concerning you as a customer of KLEVU, we feel, it is important to highlight some important definitions in relation to the GDPR guidelines.
Important Definitions
- Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
- Processing: any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission, and so on.
- Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Klevu’s commitments as a processor
As a processor, KLEVU commits to:
- Processing personal data solely for the purposes of carrying out the services correctly. KLEVU will never process or store your information for any other purposes (marketing, etc.).
- Unless otherwise agreed, keeping your data inside the EU and only in countries recognized by the European Union as offering a sufficient degree of protection.
- Informing you if we have enlisted a subcontractor to process your personal data (e.g. payment gateways).
- Adequate security measures to protect the privacy of data.
- Reporting any data breach to you without “undue delay”.
- Providing you with adequate documentation of our services.
Klevu’s commitments as a data controller
KLEVU is classed as a data controller when we collect your data for billing and managing accounts receivable, for example. We are committed to:
- Limiting the data collected to what is strictly necessary and for the purpose for which it was collected.
- Storing personal data for a limited and appropriate time.
- Implementing technical and organizational measures to ensure a high degree of security.
GDPR FAQ
For your convenience, we have put together a list of GDPR-related, frequently asked questions.
What personal data is collected, and for what purposes?
KLEVU collects the following personal information from its customers (i.e., merchants) and shoppers using the search on their websites:
Merchant’s and user details
First name, last name, contact number, company address, and website URL
- Used for identifying a customer in our database and solely for the purpose of communication between Klevu and the merchant.
Email address
- Used as an account identifier,
- Used for billing and account-related matters such as new features announcements, guided tours, personalized content, surveys, plugin upgrades, and other notifications to which the merchant has subscribed,
- Configured by the merchant for receiving daily and/or weekly analytics reports.
Business name, Billing address, and VAT number
- Used for billing and invoicing purposes.
Payer’s email address and credit card details
- Used for collecting payments but never stored in a database or logs.
Email addresses of additional users
Configured by the Merchant for receiving daily and/or weekly analytics reports
Shoppers’ IP addresses
To identify shoppers’ locations (i.e., country and local region) with a view to providing location-based search insights to the merchant.
To calculate transaction-based KLEVU-led conversions.
To provide a personalized search experience to the store’s shoppers.
Shopper IP addresses are encrypted in transit and at rest.
Shoppers’ transaction data (optional)
The ID of the product bought, the price paid, and the IP from which the product was bought. This data is collected to calculate KLEVU-led conversions.
Shoppers’ email addresses
Used in conjunction with the DotMailer Email marketing tool. The collected email addresses are never exposed to anyone at Klevu as they are MD5 hashed, in the irreversible encrypted form.
Used for storing category names, filters, product IDs, and recently searched terms. All but the product IDs are often passed to the backend system as API parameters to obtain personalized product recommendations (for the shopper).
Where is this data stored? Are those premises GDPR compliant?
To operate our services globally and to meet the SLA of 99.9% uptime, we have to store and distribute search indexes and other data across multiple servers, in our affiliated data centers (that comply with the CISPE code of conduct).
Where agreed, these servers may be hosted in data centers closer to the merchants’ own premises with no data other than their own indexes and any related data required to serve the customer.
How long is the data stored?
Search analytics data is retained for analysing consumer search patterns during and after your service is discontinued. If you wish this data to be deleted after discontinuing your service you can raise a ticket with the support team to action this request. No shopper IP address is stored and identifiable as this information in encrypted.
Nothing in this policy contradicts the following statement: Except for the subdomains klaviyo.klevu.com, statsjs.klevu.com, stats.klevu.com, config-cdn.ksearchnet.com, moi-ai.ksearchnet.com and stats.ksearchnet.com, Klevu does not collect, retain or share any data regarding a particular user or device (including IP ADDRESSES AND user identifiers) on sites or apps not owned by Klevu
What if I have queries about the data that you hold about me?
If you have any questions regarding our handling of your data or to make any requests to us as a Data Controller under GDPR please contact us.