GDPR Compliance
Last updated: December 22, 2024
Summary
- GDPR-ready architecture designed to support your compliance obligations
- Customer controls for data management, retention, and access
- Data minimization and purpose limitation by design
- Support for data subject rights requests
- Data Processing Addendum (DPA) available for enterprise customers
Controller vs. Processor — Quick Explanation
Under GDPR, the data controller determines the purposes and means of processing personal data. The data processor processes data on behalf of the controller.
Customer (Controller)
- Decides what data to collect from End Users
- Determines how Mentoros is deployed
- Provides privacy notices to End Users
- Responds to data subject requests
KleonoxAI (Processor)
- Processes data per Customer instructions
- Implements security measures
- Assists with data subject requests
- Maintains subprocessor relationships
How KleonoxAI Fits into GDPR
KleonoxAI provides Mentoros, an AI assistant platform, to business customers (tenants). Our role under GDPR depends on the context:
Typical Customer-Facing Use
When Customers deploy Mentoros on their websites to interact with End Users, the Customer is the data controller for End User data. KleonoxAI acts as a data processor, processing data on the Customer's behalf according to their instructions.
Internal Use
When Mentoros is used internally (e.g., employee-facing assistants), the Customer remains the controller. The same processor relationship applies.
Direct Data Collection
For data we collect directly (website analytics, account information, support communications), KleonoxAI is the data controller.
Data We Process
We process different categories of personal data depending on how the Services are used.
Account and Admin Data
Information provided by tenant users when creating and managing accounts.
Examples:
- Name and email address
- Company name and role
- Login credentials (hashed)
- Account settings and preferences
Retention: Retained while account is active, plus a reasonable period after closure for legal and operational purposes.
End User Chat Messages
Content provided by visitors when interacting with Mentoros assistants on Customer websites.
Examples:
- Messages sent by End Users
- Conversation context and history
- Session identifiers
- Timestamps
Retention: Retention period is configurable by Customer. Default retention applies unless otherwise configured.
Customer Content
Data uploaded by Customers to configure and train their AI assistants.
Examples:
- FAQs and knowledge base articles
- Product catalogs and documentation
- Custom instructions and prompts
- Brand and configuration settings
Retention: Retained while the Customer account is active. Deleted upon account termination or Customer request.
Technical and Security Logs
Automatically collected data for security, troubleshooting, and service operation.
Examples:
- IP addresses
- Browser and device information
- Access logs and timestamps
- Error and performance logs
Retention: Typically retained for up to 12 months for security and operational purposes.
Billing Data
Payment and transaction information processed through third-party payment providers.
Examples:
- Billing address
- Payment method (processed by payment provider)
- Invoice records
- Transaction history
Retention: Retained as required for accounting, tax, and legal compliance purposes.
AI Processing Note
Mentoros uses AI to generate responses based on conversation inputs and Customer Content.
- Prompts and inputs are processed to generate responses. Depending on configuration, third-party AI model providers may be involved in this processing.
- Conversation content shared with AI providers is subject to confidentiality obligations. We do not use Customer Content to train our models unless explicitly agreed.
- Customers should advise End Users to avoid sharing sensitive personal data (health, financial, ID numbers) in chat unless necessary and appropriate.
Purposes of Processing
We process personal data for the following purposes:
Service Delivery
Generate AI responses, operate the merchant console, and deliver the core Mentoros functionality.
Security and Abuse Prevention
Detect and prevent unauthorized access, fraud, abuse, and security incidents.
Support and Troubleshooting
Respond to Customer inquiries and resolve technical issues.
Analytics and Performance
Analyze usage patterns and improve service quality. Scope depends on Customer configuration.
Legal Compliance
Comply with applicable laws, regulations, and legal processes.
Lawful Bases
We rely on the following lawful bases under GDPR for processing personal data:
Contract Necessity
Processing necessary to perform our contract with you and deliver the Services.
Applies to: Service delivery, Account management, Customer support
Legitimate Interests
Processing necessary for our legitimate interests, balanced against your rights.
Applies to: Security and fraud prevention, Service improvements, Analytics
Consent
Processing based on your freely given, specific, and informed consent.
Applies to: Marketing communications, Non-essential cookies, Optional features
Legal Obligation
Processing necessary to comply with legal requirements.
Applies to: Tax and accounting, Regulatory compliance, Legal requests
Data Protection Principles
Our data handling practices are guided by GDPR's core principles:
Data Minimization
We collect only the data necessary to provide and improve the Services. We do not collect data beyond what is required for the stated purposes.
Purpose Limitation
Data is processed only for the specific purposes communicated to you. We do not use your data for unrelated purposes without appropriate notice or consent.
Storage Limitation
We retain data only as long as necessary for the purposes for which it was collected, or as required by law.
Integrity and Confidentiality
We implement appropriate technical and organizational measures to protect data against unauthorized access, loss, or damage.
Privacy by Design and Default
Data protection considerations are integrated into our product development and operational processes. Default settings are privacy-protective.
Customer Controls
Customers have access to the following controls through the merchant console:
Knowledge Management
Available: Add, update, or remove Customer Content through the merchant console.
Conversation History
Available: View, search, and manage End User conversation logs.
Data Export
Available: Export your data in standard formats for portability.
Data Deletion
Available: Request deletion of specific data or full account deletion.
Retention Configuration
Config-dependent: Configure conversation retention periods based on your requirements.
Access Controls
Available: Manage user roles and permissions within your organization.
What Customers Should Do
As the data controller for End User interactions, Customers should:
- Update your website privacy notice to disclose use of Mentoros and data collection through the chat assistant.
- Implement cookie consent mechanisms where required (especially for analytics cookies).
- Configure conversation retention settings appropriate for your use case and legal requirements.
- Set up role-based access controls for team members accessing the merchant console.
- Define internal procedures for handling data subject rights requests from End Users.
- Establish an escalation path for sensitive queries or personal data disclosed in chats.
Subprocessors
We engage third-party service providers (subprocessors) to help deliver the Services. Subprocessors are contractually bound to protect personal data and process it only as we instruct.
Subprocessor categories:
Cloud Hosting and Infrastructure
Host and operate the Services, store data, and ensure availability.
Analytics and Monitoring
Monitor service performance, track errors, and analyze usage patterns.
Email and Communication
Send transactional emails, notifications, and support communications.
Payment Processing
Process payments and manage billing securely.
AI Model Providers
Process prompts and generate AI responses. Data shared is limited to conversation content.
Customer Support Tools
Manage support tickets and customer communications.
Subprocessor List: A detailed list of our subprocessors, including their names and locations, is available upon request. Contact us or your account manager to receive the current list.
International Transfers
KleonoxAI is headquartered in the European Union. Data is primarily processed and stored within the EEA. However, some subprocessors may be located outside the EEA.
When transfers occur:
- When using subprocessors located outside the EEA
- When providing support or services from non-EEA locations
- When AI model providers process data in their infrastructure
Safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with adequacy decisions where applicable
- Additional technical and organizational measures as appropriate
Details of transfer mechanisms for specific subprocessors are available upon request.
Security Measures
We implement appropriate technical and organizational measures to protect personal data:
Encryption in Transit
All data transmitted to and from the Services is encrypted using TLS/HTTPS.
Encryption at Rest
Stored data is encrypted using industry-standard encryption algorithms.
Access Controls
Role-based access controls limit data access to authorized personnel only.
Logging and Monitoring
Security events are logged and monitored to detect potential threats.
Incident Response
Documented procedures for detecting, reporting, and responding to security incidents.
Least Privilege
Access to systems and data is granted on a need-to-know basis.
No system is completely secure. We continuously evaluate and improve our security practices. Specific security commitments are documented in our Data Processing Addendum.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law.
Customer Content
Retained while the Customer account is active. Deleted upon account termination or Customer request, subject to any legal retention requirements.
Chat Logs
Retention period is configurable by Customer. Default retention applies unless otherwise configured. Customers may request deletion of specific conversations.
Analytics Data
Typically retained for up to 24 months for performance analysis. Aggregated, anonymized data may be retained longer.
Data Subject Rights Support
GDPR grants individuals certain rights regarding their personal data. We support Customers in fulfilling these rights for their End Users.
Right of Access
Obtain confirmation of whether personal data is being processed and access a copy of that data.
Right to Rectification
Request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
Request deletion of personal data in certain circumstances ("right to be forgotten").
Right to Restriction
Request limitation of processing of personal data in certain circumstances.
Right to Data Portability
Receive personal data in a structured, commonly used, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
How Rights Requests Work
For End User data collected through Customer deployments:
- End User submits request to Customer (the data controller)
- Customer verifies the request and determines appropriate action
- Customer uses merchant console tools or contacts us for assistance
- We support the Customer in fulfilling the request as processor
For data we control directly, submit requests through our contact form.
Data Processing Addendum
To ensure full GDPR compliance for our B2B customers, we provide a standard Data Processing Addendum (DPA) that governs the relationship between KleonoxAI (Processor) and your business (Controller).
Our standard DPA covers:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Customer instructions for processing
- Subprocessor engagement and notification
- Security measures and commitments
- Data breach notification procedures
- Audit rights and cooperation
- International transfer mechanisms (SCCs)
- Assistance with data subject rights
- Data deletion upon termination
Request a DPA: Contact us through our contact form with "DPA Request" as the subject, or reach out to your account manager.
Contact
For questions about GDPR compliance, data protection, or to exercise your rights:
Privacy Inquiries
Contact us with "Privacy" as the reason.
DPA Requests
Request a Data Processing Addendum through our contact form or your account manager.
Subprocessor List
Request the current subprocessor list through our contact form.
GDPR FAQ
GDPR at a Glance
Our Role
- Processor for Customer deployments
- Controller for direct data collection
- DPA available for Customers
Your Protections
- Data minimization by design
- SCCs for international transfers
- Security measures documented
Your Controls
- Data export and deletion
- Retention configuration
- Access controls and roles
Need more information?
For detailed questions about our GDPR compliance, to request a DPA, or to discuss specific compliance requirements, please contact us.