1. Introduction
This Privacy Policy explains how Politeia Ltd. ("we", "us", "our"), the company behind KettenKlar, collects, uses, stores, and protects your personal data when you use our website and services.
KettenKlar is an AI-assisted tool that helps suppliers generate self-declaration documents for the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, LkSG). We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Bulgarian data protection law.
2. Data Controller
The data controller responsible for your personal data is:
Politeia Ltd.
Email: kettenklar@plt.ltd
Website: https://plt.ltd/
For any privacy-related inquiries, please contact us at kettenklar@plt.ltd.
3. Data We Collect
3.1 Account Data
When you create an account, we collect the following information through our authentication provider:
- Email address
- First and last name
- Preferred language setting (English or German)
3.2 Company Profile Data
When you create a declaration profile, you provide the following information about your company:
- Company name
- Company address
- Country
- Industry sector
- Number of employees
- Company logo (optional file upload)
3.3 LkSG Questionnaire Answers
When you complete the LkSG questionnaire wizard, we collect your responses to questions covering topics such as child labor and forced labor policies, occupational health and safety, environmental protection, fair wages, ethics and governance, and whistleblower protections.
3.4 Generated Content
We store the AI-polished declaration text generated from your answers in both English and German, as well as the resulting PDF documents.
3.5 Payment Data
Payments are processed by Paddle (our merchant of record). We store your Paddle customer ID, transaction ID, purchase amount, and payment status. We do not process or store your credit card number, bank account details, or other direct payment credentials; these are handled entirely by Paddle.
3.6 Technical Data
We generate and store share tokens (unique identifiers for shareable declaration report links), content hashes for change detection, and timestamps.
3.7 Guest Flow Data
If you use the wizard without creating an account, your answers and progress are stored locally in your browser's localStorage. This data is never sent to our servers until you create an account, at which point it is transferred and the local copy is cleared.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services, including account creation, document generation, and payment processing.
- Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, such as service improvement, fraud prevention, and security of our systems.
- Consent (Art. 6(1)(a) GDPR): Where you have given your consent, such as for waitlist signup or optional communications. You may withdraw your consent at any time.
- Legal obligations (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations, such as tax and accounting requirements.
5. How We Use Your Data
We use your personal data for the following purposes:
- Generating self-declaration documents based on your questionnaire answers
- Polishing your answers into formal business language using AI
- Creating and hosting shareable declaration report links
- Processing payments and managing your purchases
- Providing customer support and responding to your inquiries
- Improving our services and user experience
- Complying with legal and regulatory requirements
6. Sub-processors and International Data Transfers
We use the following third-party service providers (sub-processors) to operate KettenKlar. Some of these providers are located outside the European Economic Area (EEA):
| Sub-processor | Purpose | Location | Data Transferred |
|---|---|---|---|
| Clerk | Authentication and session management | United States | Email, name, session tokens |
| Paddle | Payment processing, VAT handling (merchant of record) | United Kingdom | Billing information, transaction data |
| OpenAI | AI text polishing (answer enhancement) | United States | Questionnaire answers (without personal identifiers) |
| Vercel | Web hosting, file storage, analytics | United States | Application data, uploaded logos, generated PDFs |
| Resend | Email delivery | United States | Email address |
For transfers of personal data outside the EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, adequacy decisions or the EU-US Data Privacy Framework.
7. Cookies and Tracking
KettenKlar uses minimal tracking technologies:
- Vercel Analytics: We use Vercel Analytics for basic performance monitoring. This service is cookie-free and does not collect personal data or track individual users.
- Authentication cookies: Our authentication provider (Clerk) uses essential session cookies strictly necessary for maintaining your login session. These are functional cookies that do not require consent under GDPR.
- localStorage: For the guest wizard flow, we store your progress and answers in your browser's localStorage. This data remains on your device and is not transmitted to our servers until you create an account.
We do not use marketing cookies, advertising trackers, or third-party tracking pixels.
8. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Declaration profiles and generated documents: Retained for 12 months from generation, aligned with the hosted link validity period. Renewed if you purchase an extension.
- Payment records: Retained for 7 years to comply with Bulgarian tax and accounting obligations.
- Guest localStorage data: Controlled entirely by your browser. Automatically cleared when you create an account and your data is transferred.
9. Your Rights
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request correction of inaccurate or incomplete data.
- Right to erasure: You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction: You can request that we limit the processing of your data in certain circumstances.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
- Right to object: You can object to the processing of your data based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at kettenklar@plt.ltd. We will respond to your request within 30 days.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority for Politeia Ltd. is the Bulgarian Commission for Personal Data Protection (CPDP). You may also contact the supervisory authority in your country of residence.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Encrypted database connections
- Webhook signature verification for payment processing
- Passwordless authentication via magic links (no passwords stored)
- Access controls and secure session management
11. Children's Privacy
KettenKlar is a business-to-business service not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us at kettenklar@plt.ltd and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by posting a notice on our website. The "Last updated" date at the top of this page indicates when this policy was last revised.
13. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
Politeia Ltd.
ul. Anton Chehov 8
Blagoevgrad 2700, Bulgaria
Email: kettenklar@plt.ltd