Privacy Policy

This Privacy Policy explains how KLNR Labs P.S.A. collects, uses, discloses and protects personal data across the KLNR family of products — Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS and Bill — and the rights you have over your personal data. KLNR is built evidence-first: AI assists, a qualified human authors and decides, and we do not train our models on your client or legal content. Effective date: [effective date]. — DRAFT, pending legal review.

WORKING DRAFT — modeled on industry best practice and adapted for KLNR; pending legal review before publication as binding. Fields [...] are completed by KLNR. English is the authoritative language of these documents.

1. Who We Are and Scope of This Policy

KLNR Labs P.S.A. ("prosta spółka akcyjna"), seated in Gdańsk, Poland, registered under [KRS], tax number [NIP], statistical number [REGON], with its registered office at [address] and share capital of [share capital] ("KLNR", "we", "us", "our"), is the single data controller for personal data processed across the KLNR group and its products.

This Privacy Policy applies to the master site klnr.ai, the single sign-on service ("klnr-gate"), and the following products: Search (legal search), Lexor (law in Microsoft Word), FRRE.ai (professional legal work), Sign (electronic signatures, eIDAS), Comms (email), CoLab (collaborative workspace), AgentOS (AI agents and workflows) and Bill (invoicing and KSeF) (together, the "Services").

Where you access the Services as the client, employee or end-user of an organisation (for example, a law firm or company that subscribes to KLNR), that organisation is responsible for its own privacy practices and may act as the controller of the content it submits, with KLNR acting as its processor. In those cases, this Policy describes how we handle personal data for which KLNR itself decides the purposes and means.

This Policy does not apply to third-party websites, applications or services that may be linked from or integrated with the Services and that are governed by their own privacy notices.

2. Collection of Personal Data

We collect personal data that you provide directly, data we receive automatically through your use of the Services, and data we obtain from other sources. We do not collect personal data in order to train our models on your client or legal content — see Section 10.

Personal data you provide directly. This includes information you give us when you create an account, subscribe, communicate with us, participate in research or pilots, or otherwise interact with the Services.

Personal data we receive automatically. When you use the Services we automatically collect technical and usage data, such as device and connection information, log files, approximate location derived from IP address, and information collected through cookies and similar technologies (see our separate Cookie Policy).

Personal data from other sources. We may receive personal data from your organisation or administrator, from identity and payment providers, from partners and resellers, from public registries and official legal sources, and from publicly available information, in each case to the extent permitted by law.

The table below summarises the categories of personal data we may process.

Category | Examples
Identity and account data | Name, username, account identifiers, organisation/role, professional credentials (e.g. bar membership)
Contact data | Email address, postal address, telephone number
Authentication and security data | Login credentials (hashed), single sign-on tokens (klnr-gate), multi-factor authentication data, security logs
Inputs and Outputs | Prompts, queries, documents, files and other content you submit to the Services, and the responses, drafts, search results and analyses the Services generate ("Inputs" and "Outputs")
Signature and identity-verification data (Sign) | Signatory identifiers, audit trails, certificate and timestamp data, and identity-verification data used to meet eIDAS requirements
Communications data (Comms) | Email content, metadata, recipients and delivery information that you choose to process through the Service
Billing and transaction data (Bill) | Invoice and payment details, tax identifiers, KSeF data, and limited payment-method information (full card data is handled by our payment processors)
Usage and technical data | Device and browser type, operating system, IP address, log files, feature usage, diagnostics and cookie identifiers
Support and correspondence | Information you provide when you contact us, including the content of your messages

If you include personal data — including the personal data of third parties — in your Inputs, we will process that data as part of delivering the Services, and it may be reflected in the corresponding Outputs. You are responsible for ensuring you have an appropriate legal basis to submit such data to us.

3. How We Use Personal Data

We use personal data only where applicable data protection law permits, and for the following purposes:

  • To provide and operate the Services, including authentication, processing your Inputs, generating Outputs, delivering search results, drafts and signatures, and maintaining your account.
  • To process payments and invoicing, including KSeF and statutory accounting obligations through Bill.
  • To maintain security and prevent abuse, including detecting, investigating and preventing fraud, misuse, security incidents and breaches of our Terms.
  • To provide support and respond to your requests and correspondence.
  • To debug, maintain and improve the Services, including measuring performance and reliability, in line with the restrictions in Section 10.
  • To communicate with you about the Services, including service, security and transactional messages and, where permitted, marketing.
  • To comply with legal obligations and to establish, exercise or defend legal claims.
  • To conduct research and develop new features using aggregated or de-identified data, subject to Section 10.

We will use Inputs and Outputs only as needed to deliver and secure the Services you use. We do not use your client or legal content to train or improve our foundation models. See Section 10.

4. Legal Bases for Processing (GDPR Art. 6)

Where the EU General Data Protection Regulation (GDPR), the UK GDPR or comparable laws apply, we rely on the following legal bases. The table maps each purpose to the data involved and the corresponding GDPR Article 6 basis.

Purpose | Data involved | GDPR Art. 6 legal basis
Providing the Services and your account under our Terms | Identity, contact, authentication, Inputs/Outputs, usage data | Art. 6(1)(b) — performance of a contract
Processing payments, invoicing and KSeF reporting | Billing and transaction data, identity data | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (tax/accounting)
Security, fraud and abuse prevention | Authentication and security data, usage and technical data | Art. 6(1)(f) — legitimate interests (keeping the Services secure)
Debugging, maintaining and improving the Services | Usage and technical data, aggregated/de-identified data | Art. 6(1)(f) — legitimate interests
Service, security and transactional communications | Identity and contact data | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests
Marketing communications (where applicable) | Contact data, usage data | Art. 6(1)(a) — consent; Art. 6(1)(f) — legitimate interests where permitted
Optional cookies and analytics | Cookie identifiers, usage data | Art. 6(1)(a) — consent
Complying with legal obligations and responding to lawful requests | Any relevant data | Art. 6(1)(c) — legal obligation
Establishing, exercising or defending legal claims | Any relevant data | Art. 6(1)(f) — legitimate interests
Protecting vital interests in an emergency | Any relevant data | Art. 6(1)(d) — vital interests

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may request further information about this balancing assessment at [privacy@klnr.ai].

5. Recipients and Disclosure of Personal Data

We do not sell your personal data. We disclose personal data only as described below:

  • Service providers and sub-processors. We use vetted vendors to host, secure, support and operate the Services (for example, cloud infrastructure, email delivery, payment processing and customer support). They process personal data only on our documented instructions under a written contract. See Section 6 and our separate Sub-processor List.
  • Your organisation and administrator. If you use the Services through an organisation account, your administrator may access account, usage and content data and manage your access.
  • Integrations and third-party services you choose. Where you connect the Services to a third-party service (for example, Microsoft Word for Lexor, or a third-party email or payment provider), the relevant data is shared with that service and processed under its own privacy policy.
  • Professional advisers, auditors and corporate transactions. We may disclose data in connection with audits, financing, a merger, acquisition or reorganisation, subject to confidentiality protections.
  • Legal and regulatory authorities. We may disclose data where required by law, to comply with legal process, or to protect the rights, safety and property of KLNR, our users or others. Where the data is subject to professional secrecy (attorney-client privilege), we apply heightened safeguards and resist disclosure to the extent the law permits.
  • With your consent or at your direction.

6. Sub-processors

We engage carefully selected sub-processors to help us deliver the Services. Each sub-processor is bound by a written agreement requiring it to process personal data only on our instructions, to apply appropriate technical and organisational security measures, and to comply with applicable data protection law, including the transfer safeguards described in Section 7.

A current list of our sub-processors, including their function and processing location, is maintained separately and is available at [link to Sub-processor List] or on request at [privacy@klnr.ai]. We will provide a mechanism to be notified of changes to that list so that you can object to a new sub-processor where you have the right to do so.

7. International Data Transfers

KLNR is established in the European Union (Gdańsk, Poland) and prioritises processing personal data within the European Economic Area (EEA). Some of our service providers and sub-processors, however, may process personal data outside the EEA and the United Kingdom, including in the United States.

Where we transfer personal data outside the EEA or the UK, we rely on one or more of the following safeguards:

  • Adequacy decisions. Transfers to countries the European Commission (or the UK authorities) has recognised as providing an adequate level of protection.
  • Standard Contractual Clauses (SCCs). The European Commission's SCCs under Article 46 GDPR (and the UK International Data Transfer Addendum where relevant), together with supplementary technical, organisational and contractual measures where required following a transfer impact assessment.
  • Other lawful transfer mechanisms permitted under applicable law, or your explicit consent where appropriate.

You may request a copy of the relevant safeguards by contacting [dpo@klnr.ai].

8. Data Retention and Deletion

We retain personal data only for as long as reasonably necessary for the purposes set out in this Policy, and in particular:

  • for the duration of your account and our contractual relationship;
  • as required to meet legal, tax, accounting and regulatory obligations (for example, invoicing records processed through Bill, and signature audit trails under eIDAS, which may carry statutory retention periods);
  • as needed to establish, exercise or defend legal claims; and
  • to maintain the security and integrity of the Services.

When personal data is no longer needed, we delete it or de-identify it. Where you delete specific content or close your account, we delete the associated personal data within a reasonable period (target: [retention period, e.g. 30 days]), subject to the retention obligations above and to data held in routine backups, which are purged on a rolling cycle. The criteria we use to determine retention periods include the nature and sensitivity of the data, the purpose for which we hold it, and applicable legal requirements.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against loss, misuse, and unauthorised access, disclosure, alteration or destruction. These measures include encryption in transit and at rest, access controls and least-privilege principles, single sign-on and multi-factor authentication through klnr-gate, logging and monitoring, tenant isolation, and regular review of our security practices.

No method of transmission or storage is completely secure. If we become aware of a personal data breach that is likely to affect you, we will notify you and the competent authorities as required by applicable law. You can report a suspected security issue to [security@klnr.ai].

10. AI, Model Training and Your Content

KLNR is built evidence-first: AI assists, but a qualified human authors the work product and makes the decision. Our systems are designed to abstain rather than guess — where the available evidence does not support a reliable answer, the Service is intended to say so rather than fabricate one.

No training on client or legal content. We do not use your client content or legal content — including the documents, matters, queries, drafts and other Inputs and Outputs you process through the Services — to train or improve our foundation models. Your content is processed solely to deliver the Services to you.

Where we use third-party AI providers as sub-processors to power certain features, we contractually require them not to train their models on your content, and we transmit only the data necessary to perform the requested task.

We may use aggregated and de-identified data, and data that does not identify you or any client, to monitor, debug and improve the quality, safety and reliability of the Services. We respect professional secrecy and attorney-client privilege at all stages of processing.

11. Special Categories of Data (GDPR Art. 9)

Some Services — particularly those used for professional legal work (FRRE.ai, Search, Lexor) — may incidentally involve special categories of personal data within the meaning of Article 9 GDPR, such as data revealing health, racial or ethnic origin, religious beliefs, or data concerning criminal matters (Article 10), where such data appears in the legal documents and matters you submit.

KLNR does not seek out special-category data and does not use it to train models. Where you submit such data in your Inputs, you are responsible for ensuring you have a valid condition for processing it (for example, that the processing is necessary for the establishment, exercise or defence of legal claims under Article 9(2)(f) GDPR, or another applicable condition). We process such data only as necessary to provide the Service to you, under appropriate safeguards and subject to professional secrecy. We ask that you do not submit special-category data unless it is necessary for the matter you are working on.

12. Automated Decision-Making (GDPR Art. 22)

KLNR's AI features are assistive. They support research, drafting, search and review, but they do not make decisions that produce legal effects concerning you or that similarly significantly affect you. A qualified human is responsible for reviewing AI-generated material, authoring the final work product, and making any decision.

Accordingly, we do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects within the meaning of Article 22 GDPR. If this changes for any feature, we will provide the information and safeguards Article 22 requires, including meaningful information about the logic involved and your right to obtain human intervention, to express your point of view, and to contest the decision.

13. Your Rights and Choices

Depending on where you live and the applicable law, you may have the following rights in relation to your personal data:

  • Access — to know what personal data we process and to obtain a copy.
  • Rectification — to correct inaccurate or incomplete data.
  • Erasure — to have your data deleted, subject to legal exceptions.
  • Restriction — to limit how we process your data in certain circumstances.
  • Objection — to object to processing based on legitimate interests, and to direct marketing at any time.
  • Portability — to receive certain data in a structured, machine-readable format and have it transmitted to another controller.
  • Withdrawal of consent — where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
  • No solely automated decisions with legal or similarly significant effects (see Section 12).

To exercise your rights, contact us at [privacy@klnr.ai]. We will respond within the time required by law (under the GDPR, generally within one month, extendable by up to two further months for complex or numerous requests). We may need to verify your identity before acting on a request. You will not be discriminated against for exercising your rights. If you use the Services through an organisation, you may need to direct certain requests to that organisation as controller.

14. Children

The Services are intended for professional and business use and are not directed to children. We do not knowingly collect personal data from children under the age of 16 (or the higher age set by applicable local law, such as 18 where required). If you believe a child has provided us with personal data, please contact [privacy@klnr.ai] and we will take steps to delete it.

15. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Services, remember your preferences, maintain your session and security, and — where you consent — to measure and improve performance. You can manage non-essential cookies through our cookie controls. For details, see our separate Cookie Policy.

16. Regional Supplemental Disclosures

This section provides additional disclosures for individuals in specific jurisdictions. In the event of a conflict between this section and the rest of the Policy, this section controls for the relevant jurisdiction.

European Economic Area, United Kingdom and Switzerland. KLNR Labs P.S.A. is the controller of personal data described in this Policy. The legal bases on which we rely are set out in Section 4, and our international transfer safeguards in Section 7. You have the rights set out in Section 13. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or the place of the alleged infringement. KLNR's lead supervisory authority is the Polish President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warsaw, Poland. Individuals in the UK may complain to the Information Commissioner's Office (ICO); individuals in Switzerland to the Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact our Data Protection Officer at [dpo@klnr.ai] first so we can try to resolve your concern.

United States — General. The following disclosures apply to residents of US states with comprehensive consumer privacy laws. We describe the categories of personal data we collect in Section 2, the purposes in Section 3, and the categories of recipients in Section 5. Subject to verification and legal exceptions, you may have the rights described below. KLNR does not "sell" personal data and does not "share" personal data for cross-context behavioural advertising as those terms are defined under US state privacy laws, and we do not knowingly sell or share the personal data of consumers under 16 years of age.

California (CCPA/CPRA). California residents have the right to: (i) know and access the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the categories of third parties to whom we disclose it; (ii) delete personal information, subject to exceptions; (iii) correct inaccurate personal information; (iv) opt out of the "sale" or "sharing" of personal information; and (v) limit the use and disclosure of "sensitive personal information." We do not sell or share your personal information; nonetheless, to exercise a "Do Not Sell or Share My Personal Information" request or any other right, contact us at [privacy@klnr.ai]. We will not discriminate against you for exercising your rights, and we honour recognised opt-out preference signals where required. You may use an authorised agent to submit requests. Information about our handling of sensitive personal information is set out in Sections 10 and 11.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and Texas (TDPSA). Residents of these states have the right to: (i) confirm whether we process their personal data and access it; (ii) correct inaccuracies (where the applicable law provides this right); (iii) delete personal data; (iv) obtain a portable copy; and (v) opt out of targeted advertising, the sale of personal data, and certain profiling in furtherance of decisions producing legal or similarly significant effects. We do not engage in such selling, targeted advertising or qualifying profiling. To exercise these rights, contact [privacy@klnr.ai]. In Colorado and Connecticut we honour universal opt-out mechanisms where required. If we deny a request, you may appeal by replying to our decision; in Colorado, Connecticut, Virginia and Texas you may also contact your State Attorney General if you have concerns about the outcome.

Other US states. Residents of other states with applicable privacy laws may have similar rights. Contact [privacy@klnr.ai] to exercise any rights available to you.

17. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will update the effective date above and, where required, notify you (for example, by email or through the Services). Previous versions will be made available on request. Your continued use of the Services after an update takes effect indicates your awareness of the revised Policy, to the extent permitted by law.

18. Contact Us

Data controller: KLNR Labs P.S.A., [address], Gdańsk, Poland (KRS [KRS], NIP [NIP], REGON [REGON]).

General privacy enquiries: [privacy@klnr.ai]

Data Protection Officer (DPO): [dpo@klnr.ai]

Security reports: [security@klnr.ai]

General contact: [kontakt@klnr.ai]

If you are in the EEA, UK or Switzerland, you also have the right to lodge a complaint with your supervisory authority as described in Section 16.

KLNR Labs P.S.A. · Gdańsk, Poland · DRAFT · 2026-06-13