Privacy Policy

The controller of your personal data is:

This Policy applies to:

• the Kleyn App for iOS and Android;
• our website and any sub-domains;
• the back-end services that support the App (databases, file storage, edge functions);
• communications we send you (such as account verification and password reset emails).

This Policy does not apply to third-party websites, apps or services that we link to. Please review their privacy policies separately.

We only process the data we actually need to operate the Service. Concretely, we process the following categories of personal data.

Under Article 6 GDPR every processing activity needs a legal basis. The table below summarises ours.

We do not currently send marketing emails. If we ever introduce them, we will only do so on the basis of your prior consent (Art. 6(1)(a) GDPR), and you will be able to withdraw that consent at any time.

AI photo analysis is included with paid plans (Starter and Premium). The Free plan does not include AI analysis and photos on the Free plan are never sent to Google.

On paid plans, when you add a photo to a box the photo is sent over an encrypted connection to Google's Gemini API (gemini-2.5-flash-lite), hosted in the European Union, so that Google can return:

• a list of recognised items;
• structured attributes for each item (brand, object type, colour, material, category, estimated count);
• a short description used to power in-app natural-language search such as "where are my red Nike sneakers?".

The transmission is initiated by our secure back-end and is authenticated server-side; we do not expose API keys to the App.

Important points to know:

• Google acts as our processor / sub-processor for this purpose.
• We do not give Google your name, email address or other account identifiers together with the image.
• According to Google's terms for the paid Gemini API, your prompts and responses are not used to train Google's generative models. We rely on those terms; please consult Google's documentation for the most up-to-date information.
• The recognised item list, the structured attributes and a numerical "embedding" of the description are stored in your account so that you can edit the list and so that search works offline from Google.
• Anonymous insights derived from the analysis are separately covered by Section 8.1.

You are informed of this processing during onboarding, before your first upload, and you can read this Section 5 again at any time. If you prefer not to have your photos analysed, do not upgrade to a paid plan: the Free plan is fully functional without AI.

We do not sell your personal data. We only share it with the limited number of carefully selected processors and partners listed below.

Our primary infrastructure (Supabase, Sentry) is hosted in the European Union. Some sub-processors — in particular Google (Gemini API) and Apple — may process data outside the European Economic Area, including in the United States.

Where we transfer personal data outside the EEA, we rely on one of the safeguards permitted by Chapter V GDPR:

• an adequacy decision of the European Commission (e.g. the EU–US Data Privacy Framework, where the recipient is certified);
• Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by additional technical measures;
• one of the derogations of Article 49 GDPR where strictly necessary.

You can request a copy of the relevant safeguards by emailing privacy@kleyn.app.

We do not keep personal data longer than necessary for the purposes for which we collected it.

When you delete your account, deletion cascades through our database (boxes, items, photos, memberships) and storage bucket.

You have the following rights in respect of your personal data:

• Right of access (Art. 15) — to obtain confirmation of whether we process your data and a copy of it;
• Right to rectification (Art. 16) — to have inaccurate data corrected;
• Right to erasure / "right to be forgotten" (Art. 17) — to have your data deleted;
• Right to restriction of processing (Art. 18);
• Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format;
• Right to object (Art. 21) — in particular to processing based on legitimate interests;
• Right to withdraw consent (Art. 7(3)) — without affecting the lawfulness of prior processing;
• Right not to be subject to a decision based solely on automated processing (Art. 22). The AI scan only proposes a list for you to review and edit; it does not produce legal effects.

You can exercise most of these rights directly in the App: edit your name, change your password, delete individual boxes, items and photos, or delete your entire account from the profile screen.

For other requests, email privacy@kleyn.app. We respond within one month (Art. 12(3) GDPR). You also have the right to lodge a complaint with a supervisory authority such as the Belgian Gegevensbeschermingsautoriteit (GBA).

We take appropriate technical and organisational measures to protect your data, including:

• TLS / HTTPS encryption for all traffic between the App and our back-end and between our back-end and sub-processors;
• encryption at rest for the database and the photo storage bucket;
• row-level security policies that ensure each user can only access their own data;
• short-lived signed URLs (1-hour expiry) for photo downloads;
• salted password hashing handled by our authentication provider;
• principle of least privilege for staff and infrastructure access;
• monitoring and alerting for unusual activity;
• regular software updates and dependency reviews.

Despite these measures, no online service can guarantee absolute security. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) within 72 hours in accordance with Article 33 GDPR and, where required by Article 34 GDPR, inform affected users without undue delay.

The Kleyn App is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data without verifiable parental consent, please contact us at privacy@kleyn.app and we will delete that data.

When you use Kleyn, your operating system will ask your permission for the following:

You can revoke any of these permissions at any time in your device settings. Some features will then no longer work (for example, you cannot scan a QR code without camera access).

The Kleyn mobile app does not use browser cookies. It uses local secure storage on your device to keep you signed in (a Supabase session token) and to remember basic preferences. These are first-party, strictly necessary, and required for the App to function.

Our website may use a small number of strictly necessary cookies and, where applicable, analytics cookies. A separate Cookie Notice is published on the website; analytics cookies are only set after your prior consent in line with Article 129 of the Belgian Act of 13 June 2005 on electronic communications, transposing Article 5(3) of the ePrivacy Directive (2002/58/EC as amended).

We may update this Policy from time to time, for example to reflect changes in the Service or in applicable law. The "Last updated" date at the top of this Policy will always reflect the most recent version.

If we make material changes, we will notify you in the App and/or by email before they take effect, and — where required by law — we will ask for your consent.

For any question, request or complaint about this Policy or the way we handle your data: