Last updated: May 20, 2026
Klair is a trade name of Nextstep Expert Consulting Limited, a company incorporated under the laws of the United Arab Emirates, registered with the RAK International Corporate Centre under number ICC20250869, with registered office at Office 416, Burlington Tower, Business Bay, Dubai, United Arab Emirates.
Contact: [email protected]
GDPR Representative in the European Union (Article 27 GDPR):
Emmanuel Beauvais
This Privacy Policy applies to all services accessible via klair.work and the Klair API (hereinafter "the Services"), as well as any interaction with our AI-based tools.
Klair targets users located in the European Union. Accordingly, Nextstep Expert Consulting Limited commits to complying with the General Data Protection Regulation (GDPR — Regulation EU 2016/679) pursuant to Article 3(2).
Klair is built on the principle of user sovereignty: your data belongs to you. Klair does not host any AI model and does not hold any API key on your behalf. You connect your own AI account (Claude, ChatGPT, Gemini, Cursor...) via the MCP protocol.
EU hosting — Frankfurt: all personal data is hosted exclusively in the European Union, on DigitalOcean Managed PostgreSQL infrastructure in the FRA1 region (Frankfurt, Germany). DigitalOcean FRA1 is ISO 27001 and SOC 2 certified, and operates under German jurisdiction.
Authentication-gated access: access to business data (contacts, history, files...) is strictly conditional on an authenticated session via JWT. AI tools you connect only access data covered by your token. Klair has no access to your data in clear text outside an authenticated session.
Active monitoring: Klair continuously monitors platform availability and health (Better Uptime + Sentry). In case of an incident, transparent communication is published as soon as possible.
The Privacy & Data page in your Klair account allows you at any time to view, edit, download and delete your data. It is only accessible from this interface — never via your AI.
| Data type | Purpose | Retention period | Deletion |
|---|---|---|---|
| Profile & settings | Account access, personalisation | Until deleted | On request |
| CRM contacts | AI context for your conversations | Until deleted | On request |
| AI action logs | Activity history, skill billing | 12 months rolling | On request |
| Privacy settings | Per-field visibility preferences | Until deleted | On request |
| Connector tokens | AI tool authentication | Until revoked | Immediate |
| Marketplace signals | Consented profile publications | Until depublished | Immediate |
| Sharing history | Access audit trail | 24 months | On request |
| Billing data | Invoicing and tax compliance | 7 years (legal requirement) | Not possible |
| Activation consents (SkillConsent) | Legal proof of skill activation | 5 years (legal requirement) | Not possible |

| Processing | Legal basis |
|---|---|
| Service contract performance | Art. 6(1)(b) GDPR |
| Invoicing and tax obligations | Art. 6(1)(c) GDPR |
| Service personalisation and improvement | Art. 6(1)(f) GDPR (legitimate interest) |
| Marketplace signals | Art. 6(1)(a) GDPR (explicit consent) |
| Anonymised analytics (opt-in) | Art. 6(1)(a) GDPR (explicit consent) |
Each contact channel (work email, personal email, phone, WhatsApp, Telegram, LinkedIn...) has three visibility levels that you control independently from your Privacy & Data page:
Access to a contact detail is individual: having access to your work email does not grant access to your personal email.
If you enable anonymous publication on the Klair Marketplace, your identity (name, email, LinkedIn) is hidden — only your skills, location and experience level are visible.
Identity reveal can only occur after payment or your manual agreement. You are notified before each publication if you enable this option.
Klair uses the following subprocessors:
| Subprocessor | Role | Location |
|---|---|---|
| DigitalOcean (FRA1) | Database hosting | EU (Frankfurt) |
| Cloudflare | DNS, SSL, protection | EU/USA — SCC |
| Stripe | Payments and billing | USA — SCC + Privacy Shield |
| Brevo | Transactional emails | EU (France) |
| Unipile | Multi-channel connectors | EU |
| Upstash Redis | Cache and task queues | EU |
| Sentry | Error monitoring | USA — SCC |
For transfers outside the EU (Cloudflare, Stripe, Sentry), Standard Contractual Clauses (SCC) approved by the European Commission are in place.
Under the GDPR, you have the following rights:
Exercising your rights: from your Privacy & Data page (export within 48h, deletion within 30 days) or by email to [email protected].
In case of an unresolved complaint, you may contact the supervisory authority of your country of residence (CNIL in France, BfDI in Germany, ICO in the UK...).
Klair implements appropriate technical and organisational measures: encryption in transit (TLS) and at rest (AES-256 for sensitive tokens), multi-tenant isolation, access logging, continuous monitoring (Sentry + Better Uptime).
Klair uses only strictly necessary cookies for service operation (authentication, security). No advertising or third-party tracking cookies are deployed.
Any substantial change to this policy will be notified by email with 30 days' prior notice.
Nextstep Expert Consulting Limited — Klair
Office 416, Burlington Tower, Business Bay, Dubai, UAE