Privacy Policy
Last updated: April 10, 2026
Effective date: April 10, 2026
This Privacy Policy describes the policies of Kalo Software GmbH, Zollamtstraße 9, 67663 Kaiserslautern, Germany, email: info@kleio.build on the collection, use and disclosure of your information that we collect when you use our website (https://www.kleio.build) and the Kleio application (together, the “Service”). By accessing or using the Service, you are consenting to the collection, use and disclosure of your information in accordance with this Privacy Policy. If you do not consent to the same, please do not access or use the Service.
We may update this Privacy Policy from time to time. Any changes will be posted on this page and reflected by updating the “Last updated” date above. Where required by law, we will provide additional notice or request your consent.
Information We Collect
We collect and process the following personal information about you:
- Name and email address (via registration or GitHub OAuth)
- Payment information (processed by Stripe; we do not store card numbers)
- Usage data and engineering context you submit through the Service (captures, decisions, checkpoints)
How We Collect Your Information
We collect information about you in the following ways:
- When you register for an account or authenticate via GitHub OAuth
- When you interact with the Service (web application, CLI, MCP server, or GitHub App)
- Automatically through cookies and similar technologies (see our Cookie Policy)
How We Use Your Information
We use the information that we collect about you for the following purposes:
- Creating and managing your user account
- Processing payments and managing subscriptions
- Providing, operating, and improving the Service
- Customer support and communication
- Marketing and promotional communications (with consent)
- Customer feedback collection
- Site protection and security
- Enforcing our Terms & Conditions
- Dispute resolution
If we want to use your information for any other purpose, we will ask you for consent and will use your information only on receiving your consent, and then only for the purpose(s) for which you grant consent, unless we are required to do otherwise by law.
Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, including account creation, authentication via GitHub, and payment processing through Stripe.
- Legitimate interest (Art. 6(1)(f)): Processing necessary for security, fraud prevention, service improvement, and analytics. Our legitimate interest does not override your fundamental rights and freedoms.
- Consent (Art. 6(1)(a)): Processing based on your explicit consent, including marketing communications and non-essential cookies. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law, such as tax record retention requirements.
How We Share Your Information
We will not transfer your personal information to any third party without seeking your consent, except in limited circumstances as described below. We use the following third-party service providers to operate the Service:
- Stripe (Stripe, Inc., USA) — payment processing. We share your name, email, and billing-related information with Stripe to process subscriptions and manage billing. Stripe processes personal data in accordance with its own privacy documentation. See Stripe's Privacy Policy.
- GitHub (GitHub, Inc., USA) — authentication and repository integration. When you log in via GitHub OAuth or install the Kleio GitHub App, we receive your name, email, and repository metadata. See GitHub's Privacy Statement.
- Google Cloud Platform (Google LLC, USA) — infrastructure and hosting. Your data is stored and processed on GCP servers in the EU (europe-west4). See Google Cloud Privacy Notice.
- Google Analytics (Google LLC, USA) — website analytics. Used to understand how visitors interact with our marketing website. Activated only after cookie consent. See Google's Privacy Policy.
We select service providers that process personal data for specified purposes and under appropriate contractual and legal safeguards where applicable.
We may also disclose your personal information for the following: (1) to comply with applicable law, regulation, court order or other legal process; (2) to enforce your agreements with us, including this Privacy Policy; or (3) to respond to claims that your use of the Service violates any third-party rights. If the Service or our company is merged with or acquired by another company, your information will be one of the assets that is transferred to the new owner.
Payment Processing
We use Stripe to process all payments. When you subscribe to a paid plan, your payment card details are collected directly by Stripe and are never stored on our servers. We share your name, email address, and subscription details with Stripe for billing purposes. Stripe is certified as a PCI Level 1 Service Provider, the highest level of certification in the payment card industry. For more information, see Stripe's Privacy Policy.
International Data Transfers
Our primary infrastructure is hosted in the EU (Google Cloud Platform, europe-west4, Netherlands). However, some of our third-party service providers are based in the United States, including Stripe, GitHub, and Google. When your data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, to protect your personal data in accordance with GDPR requirements.
Retention of Your Information
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected:
- Account data (name, email): retained until you delete your account, plus up to 90 days for backup removal.
- Billing and transaction records: retained for 10 years after the transaction date, as required by German tax law (AO §147, HGB §257).
- Engineering context (captures, decisions, checkpoints): retained according to your workspace plan limits, and deleted within 90 days of account termination.
- Server logs: retained for up to 90 days for security and debugging purposes.
Residual anonymous and aggregate information that does not identify you (directly or indirectly) may be stored indefinitely.
Your Rights
Under the GDPR, you have the right to access and rectify or erase your personal data, receive a copy of your personal data (portability), restrict or object to the processing of your data, withdraw any consent you provided to us, and lodge a complaint with your local supervisory authority. To exercise these rights, you can write to us at info@kleio.build. We will respond without undue delay and, in principle, within one month of receiving your request. Where permitted by law, this period may be extended if the request is particularly complex or the requests are numerous.
You may opt out of direct marketing communications at any time by writing to us at info@kleio.build or by using the unsubscribe link in our emails.
If you do not allow us to collect or process the required personal information or withdraw the consent to process the same for the required purposes, you may not be able to access or use the services for which your information was sought.
Cookies
Our website uses cookies and similar tracking technologies. Non-essential cookies (analytics, marketing) are only activated after you provide consent through our cookie banner. To learn more about the specific cookies we use and your choices, please refer to our Cookie Policy.
Security
The security of your information is important to us and we use reasonable security measures to prevent the loss, misuse or unauthorized alteration of your information under our control. These measures include encrypted data transmission (TLS), authenticated access, and tenant-aware data separation. However, given the inherent risks, we cannot guarantee absolute security and consequently, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk.
Third Party Links & Use of Your Information
Our Service may contain links to other websites that are not operated by us. This Privacy Policy does not address the privacy policy and other practices of any third parties, including any third party operating any website or service that may be accessible via a link on the Service. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Privacy Contact
If you have any questions or concerns about this Privacy Policy or the processing of your personal data, you may contact us at Kalo Software GmbH, Zollamtstraße 9, 67663 Kaiserslautern, Germany, email: info@kleio.build. We will address your concerns in accordance with applicable law.