This Privacy Policy explains how Klarefi B.V. ("Klarefi," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal data in connection with our website, sales and marketing activities, customer onboarding, account administration, billing, support, and the Klarefi platform.

Klarefi provides AI-assisted intake workflow software for regulated businesses. Depending on the context, we may process personal data as a controller or as a processor / service provider acting on behalf of our customers. This Privacy Policy is intended as a general description of our privacy practices and should be read together with applicable customer agreements, including any order form, master services agreement, or data processing addendum ("DPA"), where relevant.

This Privacy Policy applies to Klarefi B.V. unless a customer agreement, DPA, order form, or jurisdiction-specific notice identifies a different Klarefi contracting entity or supplemental terms.

This Privacy Policy applies to personal data that we collect or process in connection with:

• our public-facing website and related marketing pages;
• sales, implementation, customer success, and support interactions;
• customer and prospect account creation, authentication, and organization administration;
• billing, invoicing, subscription administration, and entitlements;
• the Klarefi platform, including hosted intake, document upload, workflow routing, operator review, integrations, and audit-relevant service records; and
• communications with prospective customers, customers, users, applicants, and website visitors.

This Privacy Policy does not override contractual commitments we make to customers regarding customer-submitted data, and it does not constitute legal advice. Where required, Klarefi may provide additional privacy notices, product disclosures, or jurisdiction- specific supplements.

When Klarefi acts as a controller

Klarefi generally acts as a controller for personal data we collect and use for our own business purposes, including website operations, lead generation, sales relationship management, account creation, organization and administrator records, authentication and access administration, billing and invoicing, subscription administration, support, security, abuse prevention, business analytics, and compliance with legal obligations.

When Klarefi acts as a processor / service provider

Klarefi generally acts as a processor or service provider when we process customer-submitted intake and workflow data through the service on behalf of a customer. This typically includes data submitted through customer-configured hosted intake portals, documents and attachments uploaded into the platform, structured and free-text intake responses, workflow routing records, operator review data, and associated case or intake activity generated in the normal operation of the service.

In those cases, the relevant customer determines the purpose of the workflow, the legal basis for processing, the notices to applicants or end users, the categories of information requested, review and routing rules, and the decisions made regarding the underlying matter. If an applicant, claimant, or end user submits information through a customer-configured hosted intake experience, that data is ordinarily processed by Klarefi on behalf of the customer rather than for Klarefi's own independent business purpose.

If you are an applicant, claimant, end user, or other individual whose information was submitted through a customer workflow, the relevant customer is usually the first point of contact for privacy questions and rights requests relating to that workflow data.

The personal data we collect depends on the context in which you interact with Klarefi and may include:

• identifiers and contact details, such as name, email address, phone number, postal address, and business contact details;
• professional and organization data, such as employer, job title, organization membership, team role, and administrator status;
• authentication and access data, including login records, single sign-on details, identity-provider attributes, and organization membership records;
• billing and financial administration data, such as billing contact information, invoices, subscription status, transaction metadata, and related account records;
• support, implementation, and communications content, including requests, attachments, troubleshooting details, and correspondence history;
• website and device data, including IP address, browser type, operating system, referral information, cookie identifiers, and similar usage information;
• customer-submitted intake and workflow data, including structured fields, free-text responses, uploaded documents, attachments, identifiers, and workflow metadata;
• operator review, routing, and case/workflow status data; and
• audit trail, security, and operational log data.

Customers, administrators, and authorized users

We collect information directly from customer employees, administrators, billing contacts, and other authorized users when they request a demo, enter into a commercial relationship, create an account, configure organization settings, manage users or permissions, contact support, or otherwise use the service.

Applicants, claimants, and end users

Customers may configure hosted intake portals or flows through which applicants, claimants, or other end users submit information to support a regulated business process. Depending on customer configuration, those submissions may include names, contact details, policy or claim identifiers, account or reference numbers, demographic or contextual details, structured responses, narrative explanations, uploaded documents, images, PDFs, attachments, and related submission metadata needed to move an intake toward a meaningful milestone.

Klarefi does not determine in the abstract what information a customer chooses to request in a given workflow. Customers are responsible for configuring the intake questions, prompts, routing rules, and review requirements that apply to their use case.

Website visitors, prospects, and support contacts

We collect information directly from website visitors and business contacts when they browse our site, submit forms, sign up for updates, request materials, communicate with us, or participate in sales, onboarding, implementation, or support processes.

We and our service providers may automatically collect certain information about use of our website and service, including:

• log and diagnostic data, such as IP address, timestamps, request paths, device information, browser type, and crash or error data;
• session, cookie, and similar technology data used for authentication, security, fraud prevention, preferences, and site functionality;
• usage and telemetry data, such as page visits, referring URLs, approximate location derived from IP address, feature interactions, and service performance data; and
• service-generated operational metadata, such as session IDs, upload events, workflow state transitions, access events, and other records needed to operate, secure, and troubleshoot the platform.

Additional details about cookies and similar technologies are provided in our Cookie Policy and, where applicable, in product-specific or customer-specific notices.

The platform is designed to support hosted intake, document upload, structured intake collection, operator review workflows, and integrations. As part of those functions, Klarefi may process documents, attachments, free-text responses, structured field data, metadata, and related workflow records on behalf of customers.

Such data may include, depending on the customer workflow:

• uploaded files, scanned documents, photographs, PDFs, email attachments, and other intake materials;
• structured form responses and free-text descriptions supplied by applicants or users;
• identifiers, contact details, account references, policy references, or case references included in submitted materials;
• workflow routing data, gap resolution activity, follow-up prompts, and review states;
• operator workspace actions and related review activity; and
• audit-relevant records of uploads, workflow actions, status changes, administrative events, and security or troubleshooting logs.

Customers may choose to use the service for regulated or potentially sensitive information. Klarefi does not by this Privacy Policy represent that every category of regulated data is appropriate for every deployment, configuration, or service plan. Customers are responsible for assessing the suitability of the service for their use case, configuring workflows appropriately, providing required notices, obtaining any necessary permissions or consents, and entering into any required contractual terms, including a DPA where applicable.

Where Klarefi acts as a controller, we may use personal data to:

• operate, maintain, secure, and improve our website, platform, and related services;
• create and administer accounts, organizations, user access, and authentication features;
• manage sales, contracting, onboarding, implementation, customer success, and support;
• process payments, invoices, subscriptions, entitlements, and related account administration;
• generate internal service administration records, reporting, forecasting, and analytics;
• detect, investigate, and prevent fraud, abuse, misuse, and security incidents;
• comply with legal obligations, enforce agreements, and protect our rights and the rights of others; and
• communicate with prospects, customers, and users regarding the service, updates, and other business-related matters.

Where Klarefi acts as a processor / service provider, we use and otherwise process personal data on behalf of customers to provide the contracted services, including hosting intake flows, processing submissions, supporting uploads, managing workflow routing and gap resolution, enabling operator review, producing audit-relevant service records, and supporting customer integrations.

To the extent applicable under the GDPR, UK GDPR, or similar laws, Klarefi may rely on one or more of the following legal bases for processing personal data where we act as a controller:

• performance of a contract or steps taken at your request before entering into a contract;
• our legitimate interests, such as operating and improving the service, maintaining security, preventing fraud, administering customer relationships, and conducting ordinary B2B business operations;
• compliance with legal obligations; and
• consent, where required by applicable law.

When Klarefi processes personal data on behalf of a customer, the customer is generally responsible for identifying and documenting the appropriate legal basis for that processing.

Additional jurisdiction-specific legal basis disclosures may be provided in supplemental notices for specific regions, product surfaces, or customer deployments.

We may disclose personal data in the following circumstances:

• to affiliates or related entities involved in operating the business, subject to appropriate confidentiality and access controls;
• to service providers, subprocessors, and vendors that perform services on our behalf or on behalf of our customers;
• to integration partners or customer-designated recipients where necessary to deliver customer-requested functionality;
• to professional advisers, auditors, insurers, financing counterparties, or transaction participants where reasonably necessary;
• to competent authorities, regulators, courts, or other third parties where required by law, legal process, or to protect rights, safety, and security; and
• in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar corporate transaction, subject to customary safeguards where appropriate.

We do not sell personal data in exchange for monetary consideration, and we do not disclose customer-submitted intake/workflow data for unrelated third-party marketing purposes.

Klarefi uses third-party providers to support infrastructure, identity and access management, billing, communications, customer support, observability, and related business operations. These providers may process personal data under instructions and subject to contractual or other appropriate restrictions.

Depending on the service configuration, subprocessors may include providers in categories such as cloud hosting / infrastructure, identity and access management, billing and payments, communications, support tooling, security and logging, and document or storage processing.

WorkOS may be used for authentication, SSO, user management, and organization membership administration. Stripe may be used for billing, invoice processing, subscription administration, checkout, and entitlement-related account administration.

Current vendor details, subprocessor notice terms, and objection procedures may be provided through customer agreements, DPAs, diligence materials, or a maintained subprocessor notice where applicable.

A DPA or customer agreement may contain additional information about subprocessors, notice procedures, and customer rights relating to subprocessor changes.

Klarefi may generate and maintain account administration, billing, and service usage records for commercial and operational purposes. These records may include account identifiers, organization and subscription details, invoice data, payment status, entitlement information, support plan data, and service usage events.

Service usage records may include records tied to billable service milestones, including processed-intake milestones, for billing, invoicing, fraud prevention, service integrity, analytics, forecasting, dispute handling, and contract administration. These records are intended to support service administration and metering. They are not intended to disclose underlying customer confidential logic or to act as a public description of the substantive outcome of any matter processed through the service.

Certain enterprise features, including SSO, advanced retention controls, white-labeling, premium support, or managed integrations, may depend on plan, entitlements, or a separate commercial agreement.

Klarefi uses automated systems, including AI-assisted extraction, classification, summarization, gap detection, and workflow support, to help customers operate intake processes more efficiently.

Customers may configure workflows, prompts, routing rules, thresholds, review requirements, and other operational settings. Depending on customer configuration and service design, human review may be included in the processing flow, including operator review, quality control, and escalation states.

Klarefi provides intake and workflow support tooling. Unless otherwise expressly agreed in writing and specifically configured by the customer, Klarefi is not the legal or regulated system of record for coverage, liability, underwriting, eligibility, claims, compliance, or other final business determinations. Customers remain responsible for downstream decisions and for ensuring that their use of automated features is appropriate for their legal and regulatory obligations.

Customer agreements may include additional commitments relating to model training, model isolation, provider retention, or AI-specific restrictions. This Privacy Policy does not expand or replace those contractual commitments.

Klarefi retains personal data for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, comply with applicable law, resolve disputes, enforce agreements, maintain security, and support legitimate business operations. Retention periods vary depending on the data category and the context in which the data is processed.

• Customer-submitted intake and workflow data is generally retained in accordance with customer instructions, customer-configured settings where available, applicable contract terms, and legitimate backup, security, audit, or legal needs.
• Account, administrator, organization, and support records are generally retained during the customer relationship and for a reasonable period thereafter for account administration, dispute handling, continuity, security, and compliance purposes.
• Billing, invoice, transaction, tax, and accounting records may be retained as required for financial reporting, tax compliance, audits, collections, and contract enforcement.
• Website, marketing, cookie, and communications data may be retained for reasonable business periods, applicable consent windows, suppression-list management, campaign measurement, and ordinary B2B relationship management.
• Security, audit, troubleshooting, and backup records may persist for limited additional periods as part of resilience, disaster recovery, service integrity, and fraud prevention processes.

Where customers have negotiated or configured specific retention settings, the applicable retention configuration or customer agreement may govern those service data categories.

Klarefi uses commercially reasonable and appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. Our safeguards may include measures relating to access management, authentication, logging, monitoring, change control, and secure service operations.

No method of transmission over the internet or method of electronic storage is completely secure, and Klarefi does not guarantee absolute security.

Klarefi and its service providers may process personal data in countries other than the country where the data was originally collected. Where required by applicable law, we will implement an appropriate transfer mechanism for cross-border transfers of personal data, which may include contractual safeguards or other recognized transfer tools.

For transfers involving the EEA, UK, or Switzerland, applicable customer agreements or transfer addenda may describe standard contractual clauses or equivalent mechanisms.

Any data residency commitments, hosting-region commitments, or transfer restrictions are governed by the applicable customer agreement or service documentation.

Depending on applicable law and the context in which Klarefi processes personal data, individuals may have rights to request access to, correction of, deletion of, restriction of, or objection to certain processing of personal data, or to request portability of personal data. Individuals may also have the right to withdraw consent where processing is based on consent.

If Klarefi processes your personal data on behalf of a customer, you should usually direct your request to that customer first, because the customer is generally the party that determines the purpose and means of the relevant processing. Klarefi may assist customers with such requests where required by law or contract.

If Klarefi acts as a controller for your data, you may contact us using the details below. We may need to verify your identity before responding to a request.

Where applicable, residents of California or other U.S. states may have rights to know, access, correct, delete, limit, opt out of certain uses or disclosures, and avoid discrimination for exercising privacy rights. Where applicable, individuals in the EEA, UK, or Switzerland may also have the right to lodge a complaint with a supervisory authority.

The website and service are intended for business use and are not directed to children. Klarefi does not knowingly collect personal data directly for its own purposes from children under the age at which parental consent is required under applicable law.

Customers are responsible for determining whether their use of the service involves minors and for ensuring that they have an appropriate legal basis, notices, permissions, and workflow controls for such processing.

Klarefi may update this Privacy Policy from time to time to reflect changes in the service, applicable law, or our data processing practices. When we do, we will update the "Last updated" date above and, where required by law, provide additional notice.

If you have questions about this Privacy Policy, want to exercise a privacy right where Klarefi acts as a controller, or need help identifying the relevant customer for a workflow, you may contact:

• Klarefi B.V.
• Mailing address available in the applicable agreement or upon request
• Privacy inquiries: mike@klarefi.com
• General support contact: mike@klarefi.com