General Data Protection Regulation (GDPR) at KLEVU

KLEVU has already reviewed its personal data practices and has implemented the necessary steps to be GDPR compatible. Before we answer the key questions concerning you as a customer of KLEVU, we feel it is important to highlight some key definitions in relation to the GDPR guidelines.

Important Definitions

  • Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission and so on.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

KLEVU’s commitments as a processor

As a processor, KLEVU commits to:
  • Processing personal data solely for the purposes of carrying out the services correctly. KLEVU will never process or store your information for any other purposes (marketing, etc.).
  • Unless otherwise agreed, keeping your data inside the EU and only in countries recognised by the European Union as offering a sufficient degree of protection.
  • Informing you if we have enlisted a subcontractor to process your personal data (e.g. payment gateways).
  • Implementing adequate security measures to protect the privacy of data.
  • Reporting any data breach to you without “undue delay”.
  • Providing you with adequate documentation of our services.

KLEVU’s commitments as a data controller

KLEVU is classed as a data controller when we collect your data for billing and managing accounts receivable, for example. We are committed to:

  • Limiting the data collected to what is strictly necessary and for the purpose for which it was collected.
  • Storing personal data for a limited and appropriate time.
  • Implementing technical and organisational measures to ensure a high degree of security.

Frequently Asked Questions

For your convenience, we have put together a list of frequently asked GDPR-related questions.

What personal data is collected by KLEVU, and for what purposes?

KLEVU collects the following personal information from its customers (i.e., merchants) and the shoppers using search on their websites:

Merchant’s details

  • First name, last name, contact number and address (all optional)

    – used for identifying a customer in our database and solely for the purpose of communication between KLEVU and the merchant

  • Email address

    – used as an account identifier

    – used for billing and account-related matters such as new feature announcements, plugin upgrades and other notifications to which the merchant has subscribed

  • Business name, billing address and VAT number

    – used for billing and invoicing purposes

  • Payer’s email address and credit card details

    – used for collecting payments but never stored in the database or logs

Email addresses of additional users

  • Configured by the merchant for receiving daily and/or weekly analytics reports

Shoppers’ IP addresses

  • To identify shoppers’ locations (i.e., country and local region) with a view to providing location-based search insights to the merchant
  • To calculate transaction-based KLEVU-led conversions
  • To provide a personalised search experience to the store’s shoppers

Shoppers’ transaction data (optional)

  • ID of the product bought, the price paid and the IP address from which the product was bought. This data is collected to calculate KLEVU-led conversions.

Shoppers’ Email addresses

  • Used in conjunction with the DotMailer email marketing tool. The collected email addresses are never exposed to anyone at KLEVU, as they are MD5 hashed, i.e. held in an irreversible encrypted form.

Browser Cookies

  • Used for storing category names, filters, product IDs and recently searched terms. All but the product IDs are often passed to the backend system as API parameters to obtain personalised product recommendations (for the shopper).

Where is this data stored? Are those premises GDPR compliant?

To operate our services globally and to meet our SLA of 99.9% uptime, we have to store and distribute search indexes and other data across multiple servers in our affiliated data centres (which comply with the CISPE code of conduct).

Where agreed, these servers may be hosted in data centres closer to the merchants’ own premises, with no data other than their own indexes and any related data required to serve the customer.

How long is the data stored for?

The data is stored for the duration of your service. You may download or request historical search analytics data during this period. Should you decide to discontinue the service, any personal data held with us is deleted within a maximum of 90 days. Unless otherwise requested, after termination the search analytics data is anonymised completely and kept for analysing consumer search patterns.

Does KLEVU share any data with any 3rd party organisations?

KLEVU does not share data gathered through search usage or any other information shared by the customers. For managing payment subscriptions, KLEVU redirects its customers to the involved 3rd party service providers (e.g., payment gateways) where the merchants are instructed to accept the respective service provider’s T&C and data privacy policies.

KLEVU does not share data collected from one store with another. It only uses aggregated data, or any search-specific activity-related information, to improve its core search algorithm, which eventually helps all its customers.

GDPR implementation plan

  1. Conduct a review of our GDPR related practices and data (done)
  2. Identify personal data registries and their usage (done)
  3. Delete unnecessary and outdated data from registries (done)
  4. Data Processing Addendum (DPA) (done)
  5. Informing customers about DPA (done)