Klarvyn ("we," "our," or "us") is a product of Northpunch Media Group Limited, a company registered in Limassol, Cyprus. Klarvyn provides AI-powered marketing attribution and analytics services that help businesses understand the true performance of their advertising campaigns.

This Privacy Policy explains how we collect, use, store, protect, and share information when you use our website (klarvyn.com), platform, APIs, and related services (collectively, the "Services"). It also describes your rights regarding your personal data and our obligations under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Information We Collect

1.1 Information You Provide Directly

Account registration information (name, email address, company name, billing details)

Payment and billing information processed through our third-party payment provider

Communications you send to us (support requests, emails, feedback)

Survey responses, contest entries, or other interactive features

1.2 Information Collected Automatically

Usage data: pages visited, features used, click patterns, session duration

Device and browser information: IP address, browser type, operating system, device identifiers

Cookies and similar tracking technologies (see Section 4)

Log data: access times, referring URLs, error logs

1.3 Information from Third-Party Integrations

When you connect third-party advertising platforms (such as Google Ads, Meta Ads, TikTok Ads, or other services) to Klarvyn, we may access:

Campaign and ad performance data (impressions, clicks, conversions, spend)

Audience and targeting data as configured in your ad accounts

Conversion and attribution data from connected analytics platforms

CRM or e-commerce data you choose to integrate (e.g., revenue, customer records)

1.4 Google User Data

When you connect your Google accounts (Google Ads, Google Analytics, etc.) to Klarvyn through OAuth, we access only the data scopes you explicitly authorize. This may include:

Google Ads campaign performance metrics and reporting data

Google Analytics website and conversion data

Google Sheets data (only when you explicitly connect a sheet for import/export)

We do not access Gmail content, Google Drive files, Google Calendar data, or any other Google service data beyond what is explicitly listed above and authorized by you during the connection process.

2. How We Use Your Information

We use the information we collect for the following purposes:

Providing and operating the Services: Processing your ad attribution data, generating reports, and delivering the core functionality of Klarvyn

Account management: Creating and maintaining your account, processing payments, and providing customer support

Service improvement: Analyzing usage patterns to improve features, fix bugs, and develop new capabilities

Communications: Sending service-related notices, security alerts, product updates, and (with your consent) marketing communications

Security and compliance: Detecting fraud, preventing abuse, enforcing our Terms of Service, and complying with legal obligations

Analytics and aggregation: Creating anonymized, aggregated datasets to improve our models and benchmark performance (never sold to third parties)

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

Contractual necessity: Processing required to provide the Services you have subscribed to (Article 6(1)(b) GDPR)

Legitimate interests: Analytics, service improvement, security, and fraud prevention, where our interests do not override your rights (Article 6(1)(f) GDPR)

Consent: Marketing communications and optional cookies are processed based on your explicit consent (Article 6(1)(a) GDPR)

Legal obligation: Processing required to comply with applicable laws, regulations, or court orders (Article 6(1)(c) GDPR)

You may withdraw consent at any time by contacting us at [email protected] or adjusting your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Services:

Essential cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.

Analytics cookies: Help us understand how users interact with the platform so we can improve the experience. These are enabled only with your consent.

Preference cookies: Store your settings and preferences (e.g., dashboard layout, report filters) across sessions.

We do not use advertising or retargeting cookies on klarvyn.com. You can manage cookie preferences through the cookie banner displayed on your first visit or through your browser settings.

5. Data Sharing and Disclosure

We do not sell your personal data. We share information only in the following limited circumstances:

5.1 Service Providers (Sub-Processors)

We engage trusted third-party service providers to help operate the Services. These sub-processors are contractually bound to process data only as instructed by us and to maintain appropriate security measures. Our current categories of sub-processors include:

Cloud infrastructure and hosting (data storage, computation)

Payment processing (billing and subscription management)

Email delivery (transactional and marketing emails)

Analytics and monitoring (application performance and error tracking)

Customer support tools (ticketing and communication platforms)

A current list of sub-processors is available upon request by contacting [email protected].

5.2 Legal and Compliance Disclosures

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Klarvyn, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity. We will notify you via email or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share data with third parties when you have given explicit consent for a specific purpose.

5.5 Google User Data — Limited Use Disclosure

Important: Klarvyn's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We only use Google user data to provide and improve the Klarvyn attribution services that you have connected.

We do not transfer Google user data to third parties except as necessary to provide or improve the Services, to comply with applicable law, or as part of a merger/acquisition with adequate data protection.

We do not use Google user data for serving advertisements.

We do not allow humans to read Google user data unless: (a) you have given explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is required to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.

6. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy:

Account data: Retained for the duration of your active subscription plus 90 days after account closure to allow for reactivation or dispute resolution.

Attribution and analytics data: Retained for up to 24 months from the date of collection while your account is active, or as configured in your account settings.

Billing records: Retained for up to 7 years as required by applicable tax and financial regulations.

Support communications: Retained for up to 24 months after resolution.

Server logs: Retained for up to 90 days for security and debugging purposes.

Upon account termination or deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as billing records). Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytics and service improvement.

Google user data is deleted within 30 days of account disconnection or upon your request, whichever comes first.

7. Data Security and Protection Mechanisms

We implement comprehensive technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

7.1 Encryption

Data in transit: All data transmitted between your browser/devices and our servers is encrypted using TLS 1.2 or higher (HTTPS). All API calls are encrypted end-to-end.

Data at rest: All stored personal data and attribution data is encrypted using AES-256 encryption. Database backups are also encrypted at rest.

Secrets management: API keys, OAuth tokens, and other credentials are stored in encrypted vaults and are never logged or exposed in plaintext.

7.2 Access Controls

Role-Based Access Control (RBAC): Access to user data is restricted based on job function. Only authorized personnel with a legitimate business need can access personal data.

Multi-Factor Authentication (MFA): Required for all team members accessing production systems and administrative tools.

Principle of least privilege: Employees and systems are granted the minimum level of access required to perform their functions.

Unique credentials: All access uses individual accounts; shared credentials are prohibited.

7.3 Infrastructure Security

Our Services are hosted on industry-leading cloud infrastructure providers that maintain SOC 2, ISO 27001, and other relevant certifications.

Network security controls include firewalls, intrusion detection systems, and DDoS protection.

Production environments are logically isolated from development and staging environments.

7.4 Security Monitoring and Testing

Continuous monitoring: We monitor our systems 24/7 for suspicious activity, unauthorized access attempts, and security anomalies.

Vulnerability management: We conduct regular vulnerability scans and apply security patches promptly.

Penetration testing: We perform periodic penetration testing to identify and remediate potential security weaknesses.

Code reviews: All code changes undergo security-focused review before deployment.

7.5 Organizational Measures

Security training: All team members complete security awareness training upon onboarding and periodically thereafter.

Confidentiality agreements: All employees and contractors are bound by confidentiality obligations.

Incident response plan: We maintain a documented security incident response plan (see Section 8).

While we strive to protect your personal data using industry-standard measures, no method of electronic storage or transmission is 100% secure. We continuously review and improve our security practices.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.

Document all data breaches, including the facts, effects, and remedial actions taken, in our internal breach register.

Breach notifications will include: a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

9. International Data Transfers

Klarvyn is operated by Northpunch Media Group Limited, based in Limassol, Cyprus (European Union). Your data may be processed in countries outside the EEA where our infrastructure providers maintain data centers.

When personal data is transferred outside the EEA, we ensure adequate protection through the following safeguards:

Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses with all sub-processors located outside the EEA.

EU-U.S. Data Privacy Framework (DPF): Where applicable, we rely on transfers to organizations certified under the EU-U.S. Data Privacy Framework.

Adequacy decisions: We transfer data to countries recognized by the European Commission as providing an adequate level of data protection.

Transfer Impact Assessments: We conduct assessments to verify that the legal framework in the recipient country provides adequate protection for transferred data.

You may request a copy of the safeguards in place by contacting us at [email protected].

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you.

Right to rectification: Request correction of inaccurate or incomplete personal data.

Right to erasure: Request deletion of your personal data (subject to legal retention requirements).

Right to restrict processing: Request that we limit how we use your data.

Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.

Right to object: Object to processing based on legitimate interests or for direct marketing purposes.

Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

Right to lodge a complaint: File a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at [email protected] or [email protected]. We will respond to your request within 30 days (or sooner as required by applicable law). We may need to verify your identity before processing your request.

For Google user data specifically, you can also disconnect your Google account from Klarvyn at any time through your account settings, which will stop further data collection and trigger deletion of previously collected Google data within 30 days.

11. Children's Privacy

Klarvyn is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete that information.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, integrations, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through Klarvyn.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy.

Notify you via email or through a prominent notice in the platform at least 30 days before the changes take effect.

Where required by law, obtain your consent to material changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Northpunch Media Group Limited

Limassol, Cyprus

Privacy and data requests: [email protected]

Website: https://klarvyn.com

If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.