Klientify Privacy Policy Version: 3.0 Last updated: February 12, 2026 1. Controller The controller of personal data described in this Privacy Policy is Jan Krajnak, entrepreneur, address: 769/2, PL-34-604 Przyszowa, Poland, NIP: 7343609750, e-mail: contact@klientify.me ("Controller", "we"). This Privacy Policy applies to Klientify, including our website, product, dashboards, subscriptions, implementation, support, and related business communications. 2. When this Policy applies This Policy explains how we process personal data when we act as controller, especially for: - website visitors, - prospective customers and business contacts, - account users and workspace administrators, - billing and payment contacts, - support, implementation, and security contacts. If a customer uses Klientify to store, organize, automate, or analyze data relating to that customer's own end customers, bookings, payments, messages, storefront orders, or AI-supported workflows, that customer is usually the controller of such operational data and we act as processor or sub-processor under the applicable contract and data processing agreement. 3. Categories of controller-side data Depending on the relationship, we may process: - identification and contact data such as name, e-mail, phone number, company name, role, and invoicing details, - account and authentication data, - subscription, payment, invoicing, and tax data, - communications, support history, and implementation records, - technical and usage data such as IP address, device or browser data, logs, timestamps, security events, and cookie or local-storage identifiers, - preferences and consent records, including cookie choices and marketing preferences. 4. Sources of data We obtain personal data: - directly from you, - from your employer or organization, - from other authorized users in the same customer workspace, - from payment, communication, analytics, and infrastructure providers involved in service delivery, - from public sources or business directories where relevant to B2B contact. 5. Purposes and legal bases We process personal data under Article 6(1) GDPR for the following purposes: - to perform a contract or take steps before entering into a contract, including onboarding, account administration, billing, support, and delivery of Klientify features, - to comply with legal obligations, including accounting, tax, complaint handling, and security obligations, - for our legitimate interests, including platform security, abuse prevention, product analytics, service improvement, internal administration, debt recovery, and defense against claims, - on the basis of consent, where consent is legally required, including analytics cookies and optional marketing preferences. 6. Customer operational data processed on behalf of customers Klientify may process customer-controlled data such as customer profiles, contact details, booking details, appointment history, payment status, subscription events, pass usage, notes, messages, and AI-assisted workflow inputs or outputs on behalf of the customer. In these situations: - the customer determines the lawful basis and transparency obligations toward its own end customers, - the customer determines the relevant retention period unless otherwise agreed, - where the customer publishes a storefront or checkout through Klientify, the customer remains responsible for the merchant-facing privacy notice, seller disclosures, and other legally required customer-facing documents, - we process such data only for service delivery, support, security, maintenance, and documented customer instructions, - our processing is governed by the main contract and applicable DPA. 7. AI-supported features Klientify may include optional AI-supported features such as summaries, workflow assistance, automation suggestions, or communication support. These features may rely on probabilistic systems and may produce incomplete or inaccurate output. Customers remain responsible for reviewing critical business actions, notices, and decisions before relying on them in production. 8. Recipients and named vendors We may share personal data with trusted recipients where necessary to operate Klientify, including: - Convex for backend infrastructure and database services, - Vercel for hosting and deployment-related infrastructure, - PostHog for product analytics in the EU region when analytics consent is granted, - Stripe for billing, checkout, and payment-related processing, - UseSend for transactional e-mail delivery, - SMSAPI for SMS delivery, - Twilio where telephony or messaging functionality is enabled, - legal, accounting, compliance, and professional advisors, - competent public authorities where required by law. 9. International transfers Some vendors may process data outside the EEA, including in the United States. Where that occurs, we rely on lawful transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, and supplementary safeguards where appropriate. 10. Retention periods We keep controller-side data only as long as necessary for the relevant purpose, including: - account and contract data for the duration of the relationship and the limitation period for related claims, - billing and tax data for the period required by accounting and tax law, - support and implementation records for as long as needed to manage the relationship and document service history, - security logs and abuse-prevention records for as long as justified by security and incident response needs, - consent-based records until consent is withdrawn or the underlying purpose expires. Customer-controlled operational data stored in Klientify is retained according to the customer's configuration, contractual arrangements, documented instructions, and legal obligations. 11. Data subject rights Subject to applicable law, you have the right to request: - access to your personal data, - rectification, - erasure, - restriction of processing, - data portability where applicable, - objection to processing based on legitimate interests, - withdrawal of consent at any time where processing is based on consent, - complaint to a competent supervisory authority. If your request concerns data that we process for one of our customers, we may direct you to that customer as controller while assisting them as required under Article 28 GDPR. 12. Automated decision-making As a rule, we do not make decisions producing legal effects concerning you based solely on automated processing within the meaning of Article 22 GDPR. 13. Security We apply appropriate technical and organizational measures, including access controls, encryption in transit, role-based permissions, logging, backups, and incident-response procedures. No system can be guaranteed to be entirely risk free. 14. Cookies and similar technologies Klientify uses cookies, local storage, and similar technologies for essential functionality, consent preferences, interface preferences, and optional analytics. Details are available in our Cookie Policy. 15. Children and special categories of data Klientify is intended for professional and business use and is not directed to children. Unless separately agreed in writing for a specific compliant implementation, Klientify is not intended for the routine processing of special categories of personal data under Article 9 GDPR, criminal-offence data, payment card data, authentication secrets, or emergency-use information. 16. Changes to this Policy We may update this Privacy Policy to reflect legal, operational, or technical changes. The current version is published on this page. Material changes may also be communicated by e-mail or in-app notice. 17. Contact and DSAR requests For privacy requests, objections, consent withdrawal, or other data protection matters, contact: contact@klientify.me. If you are an end customer of one of our business customers, that business customer is usually the primary controller of your booking, order, or service data and should be your first point of contact.