Table of contents
KLEVU has already reviewed its personal data practices and has implemented the necessary steps to be GDPR-compatible. Before we answer the key questions concerning you as a customer of KLEVU, we feel, it is important to highlight some important definitions in relation to the GDPR guidelines.
- Personal data: any information relating to an identified or identifiable real person. An identifiable real person is defined as any real person who can be directly or indirectly identified.
- Processing: any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, transmission, storage, conservation, extracting, consultation, use, disclosure by transmission, and so on.
- Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Klevu’s commitments as a processor
As a processor, KLEVU commits to:
- Processing personal data solely for the purposes of carrying out the services correctly. KLEVU will never process or store your information for any other purposes (marketing, etc.).
- Unless otherwise agreed, keeping your data inside the EU and only in countries recognized by the European Union as offering a sufficient degree of protection.
- Informing you if we have enlisted a subcontractor to process your personal data (e.g. payment gateways).
- Adequate security measures to protect the privacy of data.
- Reporting any data breach to you without “undue delay”.
- Providing you with adequate documentation of our services.
Klevu’s commitments as a data controller
KLEVU is classed as a data controller when we collect your data for billing and managing accounts receivable, for example. We are committed to:
- Limiting the data collected to what is strictly necessary and for the purpose for which it was collected.
- Storing personal data for a limited and appropriate time.
- Implementing technical and organizational measures to ensure a high degree of security.
For your convenience, we have put together a list of GDPR-related, frequently asked questions.
What personal data is collected, and for what purposes?
KLEVU collects the following personal information from its customers (i.e., merchants) and shoppers using the search on their websites:
Merchant’s and user details
First name, last name, contact number, company address, and website URL
- Used for identifying a customer in our database and solely for the purpose of communication between Klevu and the merchant.
- Used as an account identifier,
- Used for billing and account-related matters such as new features announcements, guided tours, personalized content, surveys, plugin upgrades, and other notifications to which the merchant has subscribed,
- Configured by the merchant for receiving daily and/or weekly analytics reports.
Business name, Billing address, and VAT number
- Used for billing and invoicing purposes.
Payer’s email address and credit card details
- Used for collecting payments but never stored in a database or logs.
Email addresses of additional users
Configured by the Merchant for receiving daily and/or weekly analytics reports
Shoppers’ IP addresses
To identify shoppers’ locations (i.e., country and local region) with a view to providing location-based search insights to the merchant.
To calculate transaction-based KLEVU-led conversions.
To provide a personalized search experience to the store’s shoppers.
Shoppers’ transaction data (optional)
The ID of the product bought, the price paid, and the IP from which the product was bought. This data is collected to calculate KLEVU-led conversions.
Shoppers’ email addresses
Used in conjunction with the DotMailer Email marketing tool. The collected email addresses are never exposed to anyone at Klevu as they are MD5 hashed, in the irreversible encrypted form.
Used for storing category names, filters, product IDs, and recently searched terms. All but the product IDs are often passed to the backend system as API parameters to obtain personalized product recommendations (for the shopper).
Where is this data stored? Are those premises GDPR compliant?
To operate our services globally and to meet the SLA of 99.9% uptime, we have to store and distribute search indexes and other data across multiple servers, in our affiliated data centers (that comply with the CISPE code of conduct).
Where agreed, these servers may be hosted in data centers closer to the merchants’ own premises with no data other than their own indexes and any related data required to serve the customer.
How long is the data stored?
The data is stored for the duration of your service. You may download or request historical search analytics data during this period. Should you decide to discontinue the service, any personal data held with us is deleted in a maximum of 90 days. Unless otherwise requested, after termination, the search analytics data is anonymized completely and kept for analyzing consumer search patterns.
KLEVU does not share data gathered through search usage or any other information shared by the customers. For managing payment subscriptions, KLEVU redirects its customers to the involved 3rd party service providers (e.g., payment gateways) where the merchants are instructed to accept the respective service provider’s T&C and data privacy policies.
KLEVU does not share data collected from one store with another. It only uses aggregated data or any search specific activity related information, to improve its core search algorithm, which eventually helps all its customers.
What if I have queries about the data that you hold about me?
If you have any questions regarding our handling of your data or to make any requests to us as a Data Controller under GDPR please contact us.