Privacy Policy
Last updated: 2026-05-21
Effective date: 2026-05-21
1. Who we are
This Privacy Policy applies to Klar ("Klar", "we", "our", or "us") — a product of AEYEON Technologies Private Limited, a private limited company incorporated in India.
| Legal entity | AEYEON Technologies Private Limited |
| Registered office | 1/58, 3rd Cross, Kalkere, Ramamurthy Nagar, Bangalore North, Bangalore – 560016, Karnataka, India |
| CIN | U62011KA2025PTC212385 |
| Privacy contact | privacy@aeye-on.com |
| Data Protection Officer | privacy@aeye-on.com |
| Support contact | support@aeye-on.com |
| App URL | https://klar.aeye-on.com |
This policy describes what data we collect, how we use it, who we share it with, and what rights you have over it.
2. What we collect
We collect three categories of information:
2.1 Account information you provide
- Email address
- Full name
- Company name (optional)
- Password hash (never your plaintext password)
- Workspace name + role
- Billing details (handled by Paddle — see §4.4)
2.2 Usage telemetry we collect automatically
- Pages you visit within Klar
- Features you use (e.g. number of dashboards generated, datasets uploaded)
- Browser type, IP address, session timestamps (for security and abuse detection)
- Error logs and performance metrics (for debugging)
We use this telemetry to operate and improve Klar — never for marketing without your consent.
2.3 Customer Data you connect or upload
This is the most important category. Customer Data is the business data you bring to Klar so we can render dashboards on your behalf:
- Files you upload — CSVs, Excel files, copy-pasted tabular data
- Database connections you configure — for Postgres, MySQL, Snowflake, BigQuery, we store your connection credentials encrypted (AWS Secrets Manager) and read your tables on your behalf when you load a dashboard
- OAuth-connected SaaS data — when you connect Stripe, Google Analytics, or Google Sheets, we read data from those services using OAuth access tokens you grant us
You retain ownership of all Customer Data. Klar acts as a data processor; you (or your organization) are the data controller. §6 explains data retention.
2.4 Data we read via Google OAuth (specific disclosure for Google verification)
When you connect a Google service to Klar, you grant us read-only OAuth access via Google's standard consent flow. The exact scopes Klar requests, and how we use the data:
| Scope | What it lets us read | How we use it |
|---|---|---|
| https://www.googleapis.com/auth/analytics.readonly | Your Google Analytics 4 properties — sessions, events, dimensions, metrics | We aggregate this into dashboards (e.g. "Sessions by Source", "Conversion rate by Country") |
| https://www.googleapis.com/auth/spreadsheets.readonly | Cell content of Google Sheets — only for sheets you explicitly identify by URL or ID | You paste the Sheet's URL into Klar; we read the rows of that specific Sheet into a dataset you can build dashboards on |
Klar does not write to, modify, or delete any Google data. The scopes are read-only by design.
Klar does not use Google user data to develop, improve, or train generalized AI/ML models. Customer Data sent to our AI provider (Anthropic — see §4.3) is used only to render dashboards and insights for the specific request, then is subject to Anthropic's standard 30-day retention policy. We have not opted into Anthropic's user-feedback program or Development Partner Program; Anthropic does not train models on API data.
You can disconnect any Google OAuth connection at any time from Klar's Connections page. On disconnect, we revoke the access token and delete cached data for that connection within 30 days.
3. How we use information
We use information to:
| Purpose | Lawful basis (GDPR) / DPDP Act |
|---|---|
| Provide the Klar service (render dashboards, run queries, store your datasets) | Contract |
| Authenticate you and prevent unauthorized access | Legitimate interest |
| Process payments via Paddle | Contract |
| Send transactional emails (account, billing, password reset, dashboard email digests if you opt in) | Contract / Consent |
| Detect and prevent abuse, fraud, and security incidents | Legitimate interest |
| Comply with legal obligations (tax records, lawful requests) | Legal obligation |
| Communicate product updates (only if you opted in to marketing emails) | Consent |
We do not:
- Sell your data to third parties
- Use your Customer Data to train any AI/ML model (ours or third-party)
- Share Customer Data with advertising partners
- Profile you for advertising targeting
4. Subprocessors
We share data with the following subprocessors, each bound by a Data Processing Agreement:
| Subprocessor | Purpose | Data accessed | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute, RDS Postgres, S3 object storage, Secrets Manager | All Klar data (encrypted at rest) | ap-south-1 (Mumbai); us-east-1 for some services |
| Cloudflare | DNS, CDN, R2 object storage | Domain DNS, static assets | Global |
| Anthropic PBC | AI inference (Claude API) — generates dashboards + insights | Schema + small data samples for AI prompts | US |
| Paddle.com Market Limited | Merchant of Record for billing | Billing data (name, email, billing address, payment method) | UK / global |
| Google APIs | Customer-initiated connector — when you connect GA4/Drive/Sheets | OAuth-granted scopes only | Customer's Google region |
4.1 AWS
We host all Klar infrastructure on AWS. Data at rest is encrypted using AWS-managed keys (S3 SSE, RDS encryption). All connections are TLS 1.2+.
4.2 Cloudflare
We use Cloudflare for DNS resolution and DDoS protection of our public API surface.
4.3 Anthropic (AI inference)
Klar uses Anthropic's Claude API to generate dashboard plans and write insight narratives. When you trigger an auto-dashboard, schema metadata and small data samples are sent to Anthropic for the duration of each AI request.
Under Anthropic's commercial terms:
- Request/response data is retained for up to 30 days for safety and abuse-review purposes, after which it is automatically deleted
- Anthropic does not use Customer Data sent via the API for training or improving its models
- We have not opted into Anthropic's user-feedback program or Development Partner Program — neither of which would share Customer Data for training
If your organization requires zero data retention (ZDR) with Anthropic, contact us at privacy@aeye-on.com — ZDR is available to enterprise customers.
4.4 Paddle (billing)
Paddle.com Market Limited acts as our Merchant of Record. When you subscribe, your billing details (name, email, billing address, payment method) are processed by Paddle, not Klar. We receive limited information back (subscription status, last 4 digits of card). Paddle's privacy policy is at https://www.paddle.com/legal/privacy.
5. Customer Data flow when you connect external services
| Connector | What we read | When we read it | Where it's stored |
|---|---|---|---|
| Postgres / MySQL | Tables you select, on demand when you load a dashboard | At dashboard load time (Live mode) | Result cached in our Redis cache (10 minutes); not persisted |
| Snowflake / BigQuery | Same as above — direct query, results cached briefly | At dashboard load time | Result cached briefly; not persisted |
| Stripe | Charges, customers, subscriptions, invoices via OAuth | On schedule (15-60 min refresh) | Stored as Parquet in our S3 (Mumbai region); encrypted at rest |
| Google Analytics 4 | Aggregated daily reports via OAuth | On schedule (24h refresh) | Stored as Parquet in our S3 (Mumbai region); encrypted at rest |
| Google Sheets | Selected sheets + ranges via OAuth | On manual refresh | Stored as Parquet in our S3 (Mumbai region); encrypted at rest |
| Excel / CSV upload | Uploaded file contents | At upload time | Stored as Parquet in our S3 (Mumbai region); encrypted at rest |
All connection credentials and OAuth refresh tokens are stored encrypted via AWS Secrets Manager.
6. Data retention
| Data | Retention |
|---|---|
| Account data (email, name, hashed password) | Lifetime of your account |
| Customer Data (uploaded files, mirrored SaaS data) | Lifetime of your account; deletable on-demand from Klar |
| Connection credentials (DB passwords, OAuth tokens) | Until you disconnect or delete the connection |
| Query result cache | 10 minutes (Redis) |
| Telemetry / usage logs | 90 days |
| Audit logs (Pro+ and above) | 12 months |
| Anthropic API requests | 30 days at Anthropic, then auto-deleted (we don't store the prompts) |
| Billing records (held by Paddle) | 7 years (tax law requirement) |
On account cancellation: all Customer Data is deleted within 30 days. You can request immediate deletion by emailing privacy@aeye-on.com.
7. Your rights
If you are in the EU/UK (GDPR), in California (CCPA), or in India (DPDP Act 2023), you have the following rights:
| Right | How to exercise |
|---|---|
| Access — get a copy of your data | Email privacy@aeye-on.com |
| Rectification — correct inaccurate data | Edit in-app, or email privacy@aeye-on.com |
| Erasure — delete your data | In-app account deletion, or email privacy@aeye-on.com |
| Restriction — pause processing | Email privacy@aeye-on.com |
| Portability — export your data | Built-in CSV / Excel download per dataset |
| Objection — opt out of processing | Email privacy@aeye-on.com |
| Withdraw consent — for marketing | Unsubscribe link in any email, or email privacy@aeye-on.com |
| Lodge a complaint — with a regulator | EU: your local DPA; India: Data Protection Board |
We respond to verified rights requests within 30 days.
8. Cookies and tracking
Klar uses two categories of cookies:
| Type | Purpose | Required? |
|---|---|---|
| Session cookies | Keep you logged in | Yes (essential) |
| Preferences | Remember your dashboard theme, palette, etc. | No (functional) |
We do not use third-party advertising cookies. We use Sentry for error reporting, which sets a session cookie for crash correlation only.
9. Data residency
By default, Klar stores all data in AWS ap-south-1 (Mumbai, India). Some auxiliary services (Anthropic AI inference, Paddle billing) are based outside India — we transfer the minimum data necessary for those services to function, under standard contractual clauses where required.
EU-region storage is available on Enterprise plans by request.
10. Security
We implement technical and organizational measures to protect your data:
- Encryption at rest: AWS S3 SSE-S3, RDS encryption
- Encryption in transit: TLS 1.2+ for all connections
- Access controls: SSO / MFA for our team; per-tenant data isolation
- Audit logs: internal logs of who-accessed-what (Pro+ tier exposes these to customers)
- Secrets management: AWS Secrets Manager for all credentials
- Vulnerability disclosure: report security issues to security@aeye-on.com
We are pursuing SOC 2 Type II compliance. For our current compliance posture, contact privacy@aeye-on.com.
11. Children's privacy
Klar is a B2B SaaS product not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact privacy@aeye-on.com and we will delete the account.
12. International users
If you are accessing Klar from outside India, your data will be transferred to and processed in India and other countries where our subprocessors operate. By using Klar, you consent to this transfer.
For EU/UK customers: transfers outside the EEA/UK are protected by Standard Contractual Clauses (SCCs).
13. Changes to this policy
We may update this policy as Klar evolves or as laws change. When we make material changes:
- We update the "Last updated" date at the top
- We notify active customers by email at least 14 days before the change takes effect
- Continued use after the effective date constitutes acceptance
14. Contact
| Reason | Email |
|---|---|
| Privacy questions / GDPR requests | privacy@aeye-on.com |
| Security disclosures | security@aeye-on.com |
| Support | support@aeye-on.com |
| Legal | legal@aeye-on.com |
AEYEON Technologies Private Limited India
For our registered office address, contact privacy@aeye-on.com.