Draft

This Privacy Policy is operational for our private beta. The text is under final counsel review for v1.0 commercial launch — substantive changes will be announced via email and changelog.

Last updated 2026-05-19

Privacy Policy

This Privacy Policy describes how KlyHub processes personal data when you use our multi-tenant knowledge-base service exposed to AI clients via the Model Context Protocol (MCP). It is published in English; a Portuguese (PT-BR) translation will accompany the v1.0 commercial release. Until then, this English text governs; PT-BR localization is available on request at privacy@klyhub.com.

The document is operational for our private beta. The text is under final counsel review for the v1.0 commercial launch — substantive changes will be announced via email and in our public changelog.

1. Identity of controller + DPO contact

Controller: KlyHub (operating entity, registration details published at v1.0 launch).

Data Protection contact (DPO function): privacy@klyhub.com.

For LGPD-specific requests under Lei nº 13.709/2018, write to the same mailbox; the request will be routed to our designated Data Protection Officer. For GDPR requests, the same mailbox is monitored by our EU representative when one is appointed; until then we self-administer the controller responsibilities.

2. Purposes of processing per data category

We process personal data for these purposes, scoped per data category:

Our full personal-data inventory is maintained in our internal docs/PERSONAL-DATA-INVENTORY.md document; the table in section 5 mirrors the 8 personal-data stores enumerated there.

3. Legal bases (LGPD Art. 7 + GDPR Art. 6)

| Data category | LGPD Art. 7 basis | GDPR Art. 6 basis |
|---|---|---|
| Account identifiers | Execution of contract (Art. 7 V) | Performance of a contract (Art. 6(1)(b)) |
| Knowledge-base content | Execution of contract (Art. 7 V) | Performance of a contract (Art. 6(1)(b)) |
| Billing data | Compliance with legal obligation (Art. 7 II) + Execution of contract | Legal obligation (Art. 6(1)(c)) + Contract (Art. 6(1)(b)) |
| Operational telemetry (server-side) | Legitimate interest (Art. 7 IX) | Legitimate interest (Art. 6(1)(f)) |
| Operational telemetry (client-side) | Consent (Art. 7 I) — gated by cookie banner | Consent (Art. 6(1)(a)) |
| Audit log | Compliance + legitimate interest (Art. 7 II + IX) | Legal obligation + legitimate interest (Art. 6(1)(c) + (f)) |
| Marketing communications | Consent (Art. 7 I) | Consent (Art. 6(1)(a)) |

You may withdraw any consent-based processing at any time by adjusting the cookie banner preferences or by emailing privacy@klyhub.com. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

4. Sub-processors

KlyHub engages the following sub-processors. The internal source of truth is docs/SUBPROCESSORS.md; the table below mirrors it. Each engagement is covered by a Data Processing Addendum (DPA) signed before processing begins. Customers are notified at least 30 days before a new sub-processor is added (post-launch policy).

| Sub-Processor | Purpose | Data Categories | Region | DPA |
|---|---|---|---|---|
| Cloudflare | Edge runtime (Workers), file storage (R2), idempotency cache (KV), DB pool (Hyperdrive), DNS | Tenant content, uploaded files, session metadata | Global edge | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| Vercel | Hosting for 4 Next.js apps (web, app, accounts, doc) | Page requests, IP, user-agent | Global edge | https://vercel.com/legal/dpa |
| Neon | Primary Postgres database (with pgvector) | All tenant data | US East (default) | https://neon.tech/dpa |
| Stripe | Billing + payment card processing | Email, name, billing address, card metadata (no card numbers) | US / EU | https://stripe.com/legal/dpa |
| Resend | Transactional email | Recipient email address, message body | US | https://resend.com/dpa |
| PostHog | Product analytics + feature flags + session recordings | Event data, distinct_id (opaque), email_hash (SHA-256), session recordings (see Section 9 — capture knowledge-base content) | US (US Cloud) | https://posthog.com/dpa |
| Sentry | Error tracking + performance monitoring | Stack traces, user/tenant context, PII-scrubbed | EU / US | https://sentry.io/legal/dpa/ |
| Inngest | Background jobs + cron | Job payloads (may include tenant_id, user_id) | US | https://www.inngest.com/legal/dpa |

5. Retention

| Store | Retention | Notes |
|---|---|---|
| Postgres (Neon) — hot data | 30-day soft-delete window, then hard-deleted on cascade | Audit rows are NEVER deleted; actor identifiers are hashed with a per-tenant salt to preserve accountability without identifying data. |
| Cloudflare R2 — uploaded files | 30-day soft-delete window, then hard-deleted on cascade | Audit-grade deletion evidence at r2://klyhub-deletions/{tenant_id}/ is retained 7 years and is explicitly excluded from the user-erasure sweep. |
| Cloudflare KV — quota + idempotency keys | 30-day soft-delete window, then hard-deleted on cascade | — |
| Sentry — error events | 30 days on erasure request; vendor retention window completes the clear after ~90 days | PII scrubbing runs at ingest. |
| PostHog — events + persons | 30 days on erasure request (per-person delete cascades across event store) | — |
| Resend — sent messages | Best-effort; bound by Resend's own retention policy (~90 days default) | No per-recipient delete API; documented limitation. |
| Stripe — customer records | Anonymized on erasure (not deleted) to preserve invoice history, accounting evidence, and chargeback defense | Customer email and name replaced with placeholders; subscription cancelled; card metadata stripped. |
| Better Auth sessions | 30 days for the session row; immediate invalidation across all subdomains via a Cloudflare KV deny-list of token JTIs | — |

Cold backups: Neon cold backups age out per Neon's own retention policy. We do not promise "complete erasure" within the backup retention window.

6. Your rights (LGPD Art. 18)

Under LGPD Art. 18 and the equivalent GDPR articles, you have the right to:

To exercise any of these rights, use the in-product controls at /settings/privacy or email privacy@klyhub.com.

7. DSAR mechanism — 15-day response commitment

We acknowledge data-subject access requests (DSAR) sent to privacy@klyhub.com within 5 business days and respond substantively within 15 calendar days. Where a request is complex or requires aggregation across multiple sub-processors, we may extend the response window once for up to 15 additional days, with written notice of the extension and the reason.

8. Expedited deletion — 5 business days (per D-93)

For data-subject erasure requests requiring immediate processing under LGPD Art. 18 §3 or GDPR Art. 17, we honor immediate cascades within 5 business days of receipt at privacy@klyhub.com.

The standard in-product deletion flow uses a 30-day soft-delete window that lets you cancel a deletion requested by mistake. That window is a UX hedge, not an LGPD compliance clock — it does not delay our obligation to honor expedited requests when you ask for one.

9. PostHog Session Recordings disclosure

For our first 50 private-beta users, we enable PostHog Session Recordings at a 100% sample rate to understand product friction during onboarding.

What the recordings capture. A session recording is a video-like replay of your browser session. During the private beta these recordings capture the text you type into the app — and that explicitly includes the knowledge-base content and intake answers you enter, not just your clicks and navigation. We use only PostHog's default masking, which means only password fields are masked. Knowledge-base content, intake answers, entity text, and other input fields you type into are recorded verbatim. The recordings also capture click, navigation, and rage-click events so we can identify dead-ends.

We made this choice deliberately: seeing the actual content you struggle to enter is what lets us fix onboarding friction. We are disclosing it plainly here so you can make an informed decision.

How to opt out. Session recording runs only when you have granted analytics cookie consent. To turn it off, decline analytics cookies in the in-app cookie consent banner (Section 11). Declining analytics cookies stops PostHog from loading at all — no recording, no analytics. This is the authoritative opt-out and it takes effect immediately. You may change your cookie choice at any time. If you would also like recordings that were already captured to be deleted, email privacy@klyhub.com and we will action the deletion through our standard data-deletion process (Section 6).

Storage and region. Recordings are stored in PostHog under the same DPA that governs our broader PostHog usage (see Section 4). PostHog is hosted in the United States (US Cloud); see Section 10 on international transfers. The recording sample drops to a lower rate once we exit private beta; a future revision of this Policy will document the post-beta sample.

10. International data transfers

KlyHub operates from the United States. The following sub-processors store or process data outside Brazil and the EEA:

Transfers rely on Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) and the corresponding ANPD-recognised mechanisms under LGPD Art. 33.

11. Cookies

The categories below mirror our in-app cookie consent banner. The banner is the authoritative interface for managing consent.

You can change your cookie preferences at any time by clicking the cookie icon in the footer (or Manage cookies in the workspace footer).

12. Breach notification — ANPD within 72h (LGPD Art. 48)

We will notify the ANPD (Autoridade Nacional de Proteção de Dados) within 72h of becoming aware of a personal-data incident that may produce relevant risk or damage to data subjects, per LGPD Art. 48. Affected data subjects are notified in the same window via the email address on file. For GDPR-governed users, the same 72h supervisory-authority notification applies under Art. 33.

We maintain a written incident-response runbook covering detection, containment, eradication, recovery, post-incident review, and notification mechanics. The runbook is internal; on request, we share a redacted summary with enterprise customers under NDA.

13. Changelog — git history + last_updated frontmatter

This document is version-controlled in our public source repository. The last_updated field in the YAML frontmatter at the top of this page is the canonical revision marker. Git history captures every prior version verbatim. Substantive changes are also announced by email to active account holders and posted to our public changelog.
