Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 1, 2026
Klozr LLC ("Klozr," "we," "us," or "our"), a New York limited liability company, respects your privacy and is committed to protecting the personal data we collect through our AI-powered sales training platform at www.klozr.co (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.
By using the Service, you agree to the collection and use of information as described in this Privacy Policy. This policy should be read in conjunction with our Terms of Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, company name, job title, and organizational role. For team plans, account administrators may provide information about team members.
1.2 Business Profile Data
During onboarding and through settings, you may provide company context including your products, sales methodology, competitors, common objections, deal size, sales cycle length, and buyer titles. This data is used to personalize your AI training experience and improve the realism of roleplay scenarios.
1.3 Voice and Audio Data
When you use voice mode, we capture audio from your microphone during active roleplay sessions. This audio is streamed in real time to our speech processing provider (Deepgram) for speech-to-text conversion. Audio is processed transiently and is not permanently stored as audio files by Klozr or by Deepgram. The resulting text transcripts are stored as part of your session data.
1.4 Session and Conversation Data
We collect and store the content of your roleplay sessions, including text transcripts (both your messages and AI persona responses), conversation state data (phase, disposition, trust level, emotional state), AI-generated scores across 8 performance categories, coaching feedback, per-turn annotations (tone detection, score impacts, coaching notes), and objective completion results.
1.5 Usage Data
We automatically collect information about how you use the Service, including session duration, practice hours consumed, features used, pages visited, learning path progress, XP and achievement data, and interaction patterns. This data helps us improve the Service and provide analytics features.
1.6 Payment Information
Payment information (credit card numbers, billing addresses) is collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers. We receive and store limited billing information from Stripe, such as the last four digits of your card, card type, subscription status, and billing history.
1.7 Device and Technical Data
We collect browser type, operating system, IP address, device identifiers, and other technical data through standard web technologies and error monitoring tools (Sentry).
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including AI roleplay, scoring, and coaching features
- Personalize your training experience using your business profile and session history
- Process your conversations through AI models to generate persona responses, scores, and coaching feedback
- Process payments and manage your subscription
- Provide analytics, progress tracking, gamification features, and team performance dashboards
- Send you service-related communications, including billing notices, security alerts, and product updates
- Enforce our Terms of Service and prevent abuse, fraud, and unauthorized access
- Diagnose technical problems, monitor errors, and improve platform reliability
- Comply with legal obligations and respond to lawful requests from public authorities
2.1 Legal Bases for Processing (GDPR)
If you are in the European Economic Area, UK, or Switzerland, our legal bases for processing your data are:
- Performance of a contract: Processing necessary to provide the Service you subscribed to (account management, AI roleplay, scoring, analytics)
- Legitimate interests: Improving the Service, preventing fraud, ensuring security, and providing customer support
- Consent: Voice recording processing (you can withdraw consent by switching to text-only mode)
- Legal obligation: Retaining billing records for tax compliance, responding to lawful data requests
3. AI Processing Disclosure
Our Service uses artificial intelligence to power roleplay conversations, generate coaching feedback, and score performance. You should be aware of the following:
3.1 Conversation Processing
Your roleplay conversation text is sent to Anthropic's Claude API for processing. This includes your messages, the conversation context (persona details, scenario setup, business profile), and conversation state. Anthropic processes this data to generate AI persona responses in real time. Conversation data is transmitted via encrypted connections and is not retained by Anthropic for model training purposes.
3.2 Scoring and Coaching
After each session, your complete conversation transcript is sent to Anthropic's Claude API for analysis. The AI evaluates your performance across 8 categories (Rapport Building, Active Listening, Needs Discovery, Value Articulation, Objection Handling, Conversation Control, Closing Technique, and Professionalism) and generates coaching feedback, scores, and per-turn annotations.
3.3 Voice Processing
When using voice mode, your spoken audio is streamed to Deepgram for real-time speech-to-text conversion. AI-generated text responses are converted to speech by Deepgram's Aura text-to-speech service. Deepgram processes audio data transiently and does not retain recordings after processing is complete.
3.4 AI Training
We do not use your conversation data, session transcripts, business profile information, or any other customer data to train or fine-tune AI models. Your data is used solely for providing the Service to you. Our AI providers (Anthropic, Deepgram) process your data under their respective data processing agreements and API terms, which prohibit the use of API customer data for model training.
4. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to third parties. We do not share your personal data for cross-context behavioral advertising. We share data only with the following service providers who process data on our behalf under data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI conversation engine and scoring | Conversation text, business context, persona/scenario data | United States |
| Deepgram | Speech-to-text and text-to-speech | Voice audio (transient, not stored), text for TTS | United States |
| Stripe | Payment processing | Payment details, billing address, subscription data | United States |
| Clerk | Authentication and identity | Email, name, authentication tokens, SSO data | United States |
| Supabase | Database hosting (PostgreSQL) | All application data (encrypted at rest and in transit) | United States |
| Vercel | Frontend hosting and CDN | Web requests, IP addresses, cookies | United States / Global CDN |
| Upstash | Redis cache (session state) | Temporary session state, cached data (auto-expires) | United States |
| Sentry | Error monitoring and diagnostics | Error logs, stack traces, device info (no conversation content) | United States |
We may also disclose data when: (a) required by law, subpoena, or other legal process; (b) necessary to protect our rights, safety, or property; (c) necessary to investigate potential violations of our Terms; or (d) in connection with a merger, acquisition, or sale of assets (in which case you will be notified via email or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy).
5. Data Retention
We retain different types of data for different periods based on the purpose of collection and our legal obligations:
- Account data: Retained while your account is active and for 30 days after an account deletion request to allow for recovery
- Session transcripts and scores: Retained while your account is active to support analytics, learning progress, and coaching continuity
- Voice audio: Processed transiently in real time by Deepgram; not permanently stored as audio files
- Business profile data: Retained while your account is active; deleted within 30 days of account deletion
- Usage analytics: Retained for up to 24 months in aggregated, de-identified form
- Billing records: Retained for 7 years as required for tax and legal compliance
- Error logs: Retained for up to 90 days, then automatically purged
- Cached data (Redis): Automatically expires based on configurable TTL; typically 1-24 hours
When you request deletion of your account, we will delete or de-identify your personal data within 30 days, except for data we are legally required to retain (such as billing records).
6. Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest for all stored data
- PostgreSQL Row Level Security (RLS) ensuring strict multi-tenant data isolation -- no organization can access another organization's data
- Role-based access control (RBAC) with 14 granular permissions across 6 user roles
- Secure authentication via Clerk with support for SSO/SCIM on enterprise plans
- Regular security assessments and vulnerability monitoring
- Payment data processed exclusively by PCI DSS Level 1 compliant Stripe -- we never handle raw card numbers
- API key rotation and secure secret management for all third-party integrations
While we strive to protect your data using commercially reasonable measures, no method of electronic transmission or storage is 100% secure. If you become aware of a security issue, please contact us immediately at security@klozr.co.
7. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR; (b) notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms; and (c) document all breaches and remediation steps in our internal records.
Notification will include: the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and the measures taken or proposed to address the breach. For California residents, we will provide notification as required by the California Civil Code Section 1798.82.
8. Your Rights Under GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access (Article 15): Request a copy of the personal data we hold about you, including information about how it is processed and shared
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data
- Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements
- Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to Restrict Processing (Article 18): Request that we limit how we use your data in certain circumstances
- Right to Object (Article 21): Object to our processing of your personal data for certain purposes, including processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent (such as voice recording), you may withdraw consent at any time by switching to text-only mode or contacting us
8.1 Automated Decision-Making (Article 22)
Our Service uses AI to generate performance scores, coaching feedback, and per-turn annotations. These constitute automated processing with profiling elements. You have the right under GDPR Article 22 not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We note that: (a) our AI scoring is designed as a training and development tool, not as the basis for employment, compensation, or disciplinary decisions; (b) all scores include human-reviewable context and coaching notes; and (c) if your organization uses Klozr scores as input to employment decisions, your employer (as data controller) is responsible for ensuring appropriate human oversight. You may request human review of any AI-generated assessment by contacting us.
8.2 UK GDPR
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR). References to GDPR in this policy apply equally to the UK GDPR. For UK-specific data transfers, we rely on the UK International Data Transfer Agreement or the UK Addendum to EU Standard Contractual Clauses, as appropriate.
To exercise any of these rights, contact us at legal@klozr.co. We will acknowledge your request within 5 business days and respond substantively within 30 days. You also have the right to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner's Office; in the EU, your national supervisory authority).
9. Your Rights Under CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources from which it was collected, the business purposes for collection, and the categories of third parties with whom it is shared
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (such as legal retention requirements)
- Right to Correct: Request correction of inaccurate personal information we maintain about you
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Voice recordings may constitute sensitive personal information under CPRA. We use voice data only for the purposes disclosed in this policy (providing the Service). You may limit its use by switching to text-only mode.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA privacy rights
9.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, IP address, account ID
- Commercial information: Subscription plan, billing history, purchase records
- Internet or network activity: Pages visited, features used, session duration
- Audio information: Voice recordings (processed transiently, not stored)
- Professional information: Job title, company name, sales methodology
- Inferences: AI-generated performance scores, coaching feedback, skill assessments
To exercise these rights, contact us at legal@klozr.co. We will verify your identity using information associated with your account and respond within 45 days. You may also designate an authorized agent to submit requests on your behalf.
10. Children's Privacy
The Service is designed for business professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at legal@klozr.co and we will promptly investigate and delete such information.
11. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: Required for authentication (via Clerk), session management, CSRF protection, and security. These cannot be disabled as the Service will not function without them.
- Functional cookies: Remember your preferences, such as role selection, display settings, and dev-mode configuration.
- Analytics cookies: Help us understand how you use the Service so we can improve it. We use privacy-respecting analytics tools that do not track you across other websites.
We do not use third-party advertising cookies or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.
Do Not Track: Our Service currently does not respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard protocol for DNT compliance. However, we do not engage in cross-site tracking regardless of your DNT setting.
12. International Data Transfers
Klozr is based in the United States. Your data is processed and stored in the United States by Klozr and our service providers. If you are located outside the United States, your data will be transferred to and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914); (b) the UK International Data Transfer Agreement or UK Addendum to EU SCCs, as applicable; and (c) any other appropriate safeguards recognized under applicable data protection law. Our data processing agreements with third-party providers include appropriate transfer mechanisms.
13. Data Processing for Teams and Organizations
For team and enterprise plans, the organization that purchased the plan acts as the data controller for its members' usage data within the Service. Klozr acts as a data processor on behalf of the organization. The organization's administrator controls user access, role permissions, and can request data exports or deletion for their organization.
If you are a member of an organization using Klozr, your organization's administrators and managers may have access to your session data, scores, coaching feedback, and performance analytics as part of the team management and analytics features. Your organization's privacy practices may differ from this policy, and we recommend reviewing your employer's internal privacy policies regarding sales training data.
Enterprise customers may request a Data Processing Agreement (DPA) by contacting legal@klozr.co.
14. Data Protection Officer and EU Representative
As a growing company, we have not yet appointed a formal Data Protection Officer (DPO). All privacy inquiries are handled by our legal team, who can be reached at legal@klozr.co. We will appoint a DPO and/or an EU representative under GDPR Article 27 if and when our data processing activities require it under applicable law.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date above. For significant changes that materially affect your rights, we will provide additional notice via email or through the Service at least 30 days before the changes take effect.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use of the Service.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please contact us:
Klozr LLC
A New York limited liability company
Privacy Inquiries: legal@klozr.co
Security Issues: security@klozr.co
General Support: support@klozr.co
Website: www.klozr.co