klaw.privacy

Privacy Policy

How we handle your personal data when you use klaw.

1. Controller

Data controller in the sense of the GDPR:

DSNCON GmbH
Kloetzlmuellerstrasse 43
84034 Landshut, Germany
Phone: +49 871 20662010
Email: info@dsncon.com

2. Summary — what we process and why

klaw is a SaaS platform that provisions AI agents for each customer. To operate it we process:

  • Account data (email, name, optional VAT ID) for identity + billing.
  • Agent data (conversations, uploaded documents, configuration) stored in your isolated Kubernetes pod.
  • Payment data (card, address) — handled by Stripe; we never store card numbers.
  • Service metadata (access logs, token-usage metering) to provide and bill the service.
  • Analytics + advertising data (page views, ad conversions) — only if you consent via the cookie banner. See section 10.

Legal bases under GDPR Art. 6(1): (b) performance of the service contract, (f) legitimate interest in operating the service securely, (a) consent where explicitly requested, (c) compliance with legal obligations (tax, accounting).

3. Hosting & infrastructure

klaw's application and tenant storage run on Kubernetes in the European Union, provided by:

  • OVH SAS (France / Germany). Managed Kubernetes + object storage. Data processing agreement in place under GDPR Art. 28.

All connections to klaw are encrypted via TLS. Data at rest on OVH is encrypted.

4. Identity provider

Authentication is handled by an instance of Zitadel operated by DSNCON GmbH on its own infrastructure in the European Union. Personal data handled: email, name (if you provide it), session tokens, email-verification state. Processing based on Art. 6(1)(b) GDPR.

5. Payments

Payment processing is provided by Stripe Payments Europe Ltd. (Ireland) and Stripe, Inc. (USA). Stripe handles card details — klaw never sees or stores your card number. For VAT calculation we use Stripe Tax.

Transfers to Stripe Inc. (USA) are covered by the EU–US Data Privacy Framework and Stripe's standard contractual clauses. See stripe.com/privacy.

6. LLM inference

LLM inference requests from your agents are proxied to Fireworks AI, Inc. (USA) via klaw's internal LiteLLM proxy. Fireworks processes the prompts and generations under their Zero Data Retention policy — prompts and generations are not logged or stored, not used for training, and are not retained after the request completes.

Transfers to the USA are covered by standard contractual clauses and Fireworks' published privacy policy. See fireworks.ai/privacy-policy.

Token-count metadata for each request (prompt tokens, completion tokens, model, timestamp) is stored by klaw for billing and usage analytics. This metadata does not contain your prompt or response contents.

7. Trust layer (MolTrust)

For every agent klaw registers a decentralized identifier (DID) with the MolTrust registry operated by CryptoKRI GmbH (Switzerland). The registration contains: an agent-specific name, the platform identifier "klaw", your account email (used by MolTrust as the registration contact), and a public Ed25519 key.

A cryptographic hash of the registration credential is anchored on the Base L2 public blockchain. This hash cannot be used to derive personal data but is publicly readable. Raw credentials stay in klaw's and MolTrust's databases.

Switzerland is recognized by the EU Commission as a country with an adequate level of data protection. See moltrust.ch.

8. Observability (Langfuse)

klaw runs an in-cluster instance of Langfuse for internal observability (error tracking, latency metrics). This data stays within klaw's EU infrastructure and is not shared with any third party.

9. Server log files

Our hosting provider automatically collects and stores information in server log files that your browser transmits (browser type and version, operating system, referrer URL, hostname, time of access, IP address). This data is not merged with other data sources. The collection is based on Art. 6(1)(f) GDPR (legitimate interest in secure, efficient service operation). Log files are retained for up to 14 days.

10. Cookies & tracking

klaw uses three categories of cookies/tracking, governed by our consent banner ("Cookie settings" in the footer). You can review and change your choice at any time.

  • Strictly necessary (always on) — session cookies for your authenticated Zitadel session + CSRF protection. Exempt from consent under § 25 (2) TDDDG. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure authentication).
  • Analytics — Umami (optional, opt-in) — first-party, cookieless page-view counts collected by our own Umami instance at analytics.dsncon.com, operated by DSNCON GmbH in the EU. No personal data is stored, no cross-site tracking, no third parties. Data is retained for up to 12 months. Legal basis: Art. 6(1)(a) GDPR (your consent via the cookie banner), § 25 (1) TDDDG.
  • Advertising — Google Ads (optional, opt-in) — conversion tracking and remarketing pixels provided by Google Ireland Ltd. / Google LLC (USA). When granted, this loads googletagmanager.com/gtag/js and sets cookies such as _gcl_au, IDE, and related identifiers. These enable measuring the effectiveness of our Google Ads campaigns and showing klaw ads to people who visited our site. Data is transferred to Google in the USA and processed under the EU–US Data Privacy Framework and Google's standard contractual clauses. See Google's privacy policy. Legal basis: Art. 6(1)(a) GDPR (your consent), § 25 (1) TDDDG.

We implement Google Consent Mode v2: until you give consent, Google tags load in "denied" mode and no personal identifiers are sent. You can withdraw consent at any time by clicking "Cookie settings" in the footer — the tags will be removed from the page.

11. Your rights

Under GDPR you have the right to:

  • Access the data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Request erasure of your data (Art. 17)
  • Request restriction of processing (Art. 18)
  • Data portability in a machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7)
  • Lodge a complaint with the competent supervisory authority

To exercise any of these rights, email info@dsncon.com. We will respond within 30 days.

12. Data retention

We retain personal data only as long as necessary for the purposes listed above or as required by law (in particular tax and accounting retention of up to 10 years under HGB § 257 and AO § 147). When you delete your account, tenant data (conversations, documents, agent memory) is deleted from our Kubernetes cluster within 30 days. The agent's registration credential + blockchain anchor remain because the blockchain record is immutable; no personal data is derivable from the on-chain hash.

13. International transfers

Where klaw transfers personal data outside the EU/EEA (currently: Stripe, Fireworks AI, and — if you consent to advertising cookies — Google LLC, all in the United States), transfers are covered by the EU–US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses. See the respective sections above for links to each processor's published policy.

14. Changes to this policy

We may update this policy when we change processors or introduce new features. Material changes will be communicated by email at least 30 days in advance. The current version is always accessible at klaw.dsncon.com/privacy.

Last updated: April 2026