GDPR Compliance | Klen AI - AI-Powered Recruiting Platform

GDPR Compliance

Your data protection rights under the General Data Protection Regulation (GDPR) and how we safeguard your personal information.

Last updated: January 10, 2025

Our Commitment to GDPR Compliance

Klen AI, Inc. is committed to protecting the privacy and personal data of all individuals, particularly those within the European Union (EU) and European Economic Area (EEA). We comply with the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018.

This page explains how our AI-powered recruiting platform adheres to GDPR requirements, your rights as a data subject, and the measures we've implemented to ensure your personal data is processed lawfully, fairly, and transparently.

Scope of Application

This GDPR compliance information applies to all EU/EEA residents using our services, regardless of where they access our platform. We extend the same data protection standards to all our users worldwide.

Data Controller Information

Data Controller

Klen AI, Inc. acts as the data controller for personal data processed through our platform.

Legal Basis

We process personal data based on legitimate interests, contractual necessity, and consent where required.

Contact Information

Klen AI, Inc.
169 Madison Ave #15667
New York, NY 10016
United States
[email protected]

EU Representative

For GDPR-related inquiries, you can contact us directly at the above address. We are currently establishing an EU representative as our operations expand.

Legal Basis for Data Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contractual Necessity (Article 6(1)(b))

Processing necessary for the performance of our service contract with you:

  • Account creation and management
  • Providing AI recruiting services
  • Processing candidate applications
  • Email and calendar integration services

Legitimate Interests (Article 6(1)(f))

Processing based on our legitimate business interests, balanced against your rights:

  • Improving AI algorithms and platform functionality
  • Analyzing usage patterns for service optimization
  • Fraud prevention and security monitoring
  • Customer support and communication

Consent (Article 6(1)(a))

Processing based on your explicit consent for:

  • Marketing communications and newsletters
  • Optional analytics and tracking cookies
  • Third-party integrations beyond core functionality
  • Voice assistant recordings for service improvement

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Employment law compliance
  • Data protection impact assessments
  • Law enforcement requests where legally required

Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data. These rights are free of charge and we will respond within 30 days:

Right of Access (Article 15)

Request access to your personal data and receive information about how we process it.

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restriction (Article 18)

Request restriction of processing under certain circumstances.

Right to Data Portability (Article 20)

Receive your personal data in a structured, machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing.

Rights Related to Automated Decision-Making (Article 22)

Right not to be subject to decisions based solely on automated processing.

Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

AI-Specific GDPR Protections

Our AI-powered recruiting platform includes additional protections specific to automated decision-making and AI processing:

Automated Decision-Making Safeguards

  • Human oversight: All AI recommendations require human review before final hiring decisions
  • Right to explanation: You can request information about how AI decisions are made
  • Right to contest: Challenge automated decisions and request human intervention
  • Algorithm transparency: Information about AI model logic available upon request

AI Model Training

  • Personal data used for training is pseudonymized where possible
  • You can opt out of AI model training
  • Regular bias audits and fairness assessments
  • Data minimization principles applied to training datasets

Voice Assistant Processing

  • Voice recordings processed with explicit consent
  • Option to use voice assistant without recording
  • Automatic deletion of voice data after processing
  • End-to-end encryption for voice communications

Important Note on AI Decisions

While our AI provides recommendations and insights, final hiring decisions are always made by humans. Our platform is designed to augment human decision-making, not replace it. You have the right to know when AI is involved in processing your data and to request human intervention in any automated processes.

Google Workspace GDPR Compliance

When you connect Google Workspace services, additional GDPR protections apply to the integrated data:

Gmail Integration Protections

  • Limited scope: We only access necessary email sending capabilities
  • No email reading: We cannot read your existing emails
  • Explicit consent: Each Gmail permission requires explicit consent
  • Revocable access: You can revoke Gmail access at any time
  • Google's DPA: Protected under Google's Data Processing Agreement

Calendar Integration Protections

  • Availability only: We only access availability information
  • Meeting creation: Limited to interview-related events
  • Transparent processing: Clear notification of calendar actions
  • Data minimization: Only necessary calendar data is processed
  • EU data centers: Google processes EU data within EU when possible

Joint Data Processing

For Google Workspace integrations, both Klen AI and Google act as data processors under your instruction. Google maintains its own GDPR compliance measures, and we ensure our integration respects all GDPR requirements. You maintain control over your Google data through your Google account settings.

International Data Transfers

As a US-based company, we may transfer your personal data outside the EU/EEA. We ensure adequate protection through:

Transfer Safeguards

  • Standard Contractual Clauses (SCCs): EU-approved data transfer contracts
  • Adequacy decisions: Transfers to countries with adequate protection
  • Additional safeguards: Technical and organizational measures
  • Regular assessments: Ongoing evaluation of transfer safety

Data Localization

  • EU data residency: Option to store EU data within EU
  • Regional processing: Local processing where technically feasible
  • Data mapping: Clear documentation of data locations
  • Transfer notifications: Information about data transfer destinations

US-EU Data Privacy Framework

We are monitoring the development of the US-EU Data Privacy Framework and will implement certification when available. In the meantime, we rely on Standard Contractual Clauses and additional safeguards to protect your data.

How to Exercise Your GDPR Rights

You can exercise your GDPR rights through the following methods:

Self-Service Options

  • Account Settings: Access, update, or delete personal information
  • Privacy Dashboard: View and manage data processing activities
  • Data Export: Download your personal data in portable formats
  • Consent Management: Modify or withdraw consent settings

Contact Methods

  • Email: [email protected]
  • Subject Line: "GDPR Request - [Type of Request]"
  • Response Time: Within 30 days (may extend to 90 days for complex requests)
  • Verification: Identity verification may be required

Request Information to Include

When making a GDPR request, please include:

  • Your full name and email address associated with your account
  • Specific right you wish to exercise (access, rectification, erasure, etc.)
  • Details about the personal data concerned (if applicable)
  • Proof of identity (for security purposes)
  • Any specific concerns or requirements

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

  • Your local data protection authority in the EU/EEA
  • The lead supervisory authority for cross-border processing
  • Any supervisory authority where you have your habitual residence, place of work, or where an alleged infringement occurred

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

DPIA Triggers

  • Automated decision-making with legal effects
  • Large-scale processing of sensitive data
  • Systematic monitoring of publicly accessible areas
  • New AI technologies or processing methods

DPIA Components

  • Risk assessment and mitigation measures
  • Necessity and proportionality evaluation
  • Data subject rights protection analysis
  • Technical and organizational safeguards review

Privacy by Design and Default

Our platform is built with privacy by design principles, implementing data protection measures from the ground up:

Technical Measures

  • End-to-end encryption for data transmission
  • Data pseudonymization and anonymization
  • Regular security audits and penetration testing
  • Automated data retention and deletion
  • Privacy-preserving AI model training

Organizational Measures

  • Staff privacy training and awareness programs
  • Data processing records and documentation
  • Incident response and breach notification procedures
  • Regular privacy impact assessments
  • Vendor due diligence and data processing agreements

Default Privacy Settings

Our platform is configured with the most privacy-friendly settings by default. Optional features that involve additional data processing require explicit opt-in consent. You maintain control over your privacy settings at all times.

Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

Supervisory Authority Notification

  • Timeline: Within 72 hours of becoming aware
  • Information: Nature of breach, affected data, and mitigation measures
  • Follow-up: Additional information provided as it becomes available

Individual Notification

  • High-risk breaches: Direct notification to affected individuals
  • Clear communication: Plain language explanation of the breach
  • Protective measures: Recommended actions to protect yourself

Breach Response Plan

We maintain a comprehensive incident response plan that includes immediate containment, forensic analysis, impact assessment, and remediation measures. Our security team is trained to respond quickly and effectively to any security incidents.

Contact Us About GDPR

GDPR Inquiries

For any GDPR-related questions or to exercise your rights:

Email: [email protected]
Subject: GDPR Request - [Your Request Type]

Mailing Address

Klen AI, Inc.
GDPR Compliance Officer
169 Madison Ave #15667
New York, NY 10016
United States

Response Commitment

We are committed to responding to all GDPR requests within 30 days. For complex requests, we may extend this period by an additional 60 days and will inform you of any delay within the initial 30-day period. All GDPR services are provided free of charge unless requests are manifestly unfounded or excessive.