Privacy Policy

Information on the processing of personal data pursuant to Art. 13 of Regulation (EU) 2016/679 (GDPR)

Last Updated: March 24, 2026

1. Data Controllers

The Joint Data Controllers (hereinafter "Controllers") for the project Klarinote are:

  • Kilian Le Creurer
  • Matteo Bottoloni

The Controllers have entered into a joint controllership arrangement pursuant to Art. 26 of the GDPR, under which they share equal responsibility for all data protection obligations. The essence of the arrangement is made available to data subjects upon request.

For the purposes of this privacy policy and for any communication regarding your personal data, the designated contact point is:

2. Types of Data Collected

The Controllers collect and process the following categories of personal data to provide the Klarinote services:

A. Account and Identity Data

When you create an account, we collect:

  • Contact Information: Your email address.
  • Authentication Data: If you sign up via a third-party authentication provider, we process only the basic profile information mandated by the provider to verify your identity: specifically your name, email address, and profile picture. We do not access your contacts or other files stored with the provider unless explicitly uploaded by you.

B. User Content (Uploaded and Generated)

To provide our educational services, we process:

  • Input Materials: The files and links you voluntarily upload, including URLs, audio files, videos, text documents, slides, and images.
  • Generated Output: The study documents, summaries, and notes generated by our system based on your inputs.

Important Note: The user is solely responsible for the content uploaded. Klarinote is an educational tool. We strongly advise against uploading documents containing sensitive personal data (e.g., health data, judicial data) or third-party data without consent.

C. Technical and Usage Data

When you access the platform, our systems automatically collect:

  • Log Data: Technical information such as IP address, browser type, operating system, and connection timestamps. This data is necessary for security and to ensure the service functions correctly.
  • Analytics Data: We collect aggregated data on how you interact with the website (e.g., pages visited, session duration) to analyze performance and improve the user experience.

3. Categories of Recipients of Personal Data

Your personal data is processed primarily by the internal staff of the Controllers. However, to provide the functionality of Klarinote (hosting, database management, and AI generation), we share strictly necessary data with third-party service providers who act as Data Processors pursuant to Art. 28 of the GDPR. The following categories of recipients may receive your data:

A. Cloud Infrastructure and Database Providers

To store your account information and uploaded documents, we utilize services provided by cloud hosting and infrastructure providers and database-as-a-service providers. These providers offer secure storage and database management located within the European Economic Area (EEA) or in regions that ensure an adequate level of data protection.

B. Artificial Intelligence and Content Generation Providers

To generate the summaries, notes, and educational materials you request, the content of your uploaded documents (text, audio, slides) is transmitted to third-party artificial intelligence service providers via API.

Privacy Note on AI Processing: The generation of summaries and notes involves automated processing. Your text and audio inputs are sent to the AI provider solely for the purpose of generating the requested output.
No Training on Your Data: We have configured our agreements with these providers to ensure that your data is not used to train their foundation models. We do not sell your data.

C. Authentication Service Providers

To manage user registration and login, we may rely on third-party authentication and identity providers. These providers process only the data strictly necessary to verify your identity (e.g., name, email address, profile picture).

D. Public Authorities and Legal Obligations

We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

An up-to-date list of the specific Data Processors engaged by the Controllers is available upon request by contacting support@klarinote.com.

4. Purpose and Legal Basis of Processing

We process your personal data for the following purposes and based on the following legal grounds:

  • To provide the Service (Contractual Necessity): We process your account data and uploaded content to generate the study documents, summaries, and notes you request. This includes allowing you to view slides, listen to audio, and access your generated data from within the website.
    Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).
  • To ensure Security and Reliability (Legitimate Interest): We process technical log data to prevent fraud, ensure the security of our infrastructure, and debug technical issues.
    Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest of the Controller).
  • To comply with Legal Obligations: We may process data to comply with accounting, tax, or other legal requirements applicable to the Controllers in Italy and Europe.
    Legal Basis: Art. 6(1)(c) GDPR (Legal Obligation).

5. Automated Decision-Making

The Service uses artificial intelligence to generate study materials based on your uploaded content. This processing is carried out solely to fulfill your request and deliver the Service.

No decisions producing legal effects or similarly significant effects on you are made solely by automated means. The AI-generated output is informational and educational in nature; it does not determine your access to the Service, affect your rights, or produce any legal consequences.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

A. Account Data

Your general account information (email, profile) is retained as long as your account remains active. We keep this data until you choose to remove your account.

B. Uploaded and Generated Content

You maintain control over your educational materials.

  • User Deletion: You can remove your documents (slides, text, audio, etc.) at any time directly through the platform interface.
  • Account Deletion: If you delete your account, an automatic process is triggered to delete all associated personal data and documents from our storage buckets and databases.

Note: Technical backups may retain residual copies of data for a limited period (typically 30 days) for disaster recovery purposes before being permanently overwritten.

7. Transfer of Data Outside the EEA

Our primary storage and databases are located within the European Economic Area (EEA).

However, some of our third-party service providers (such as AI processing and authentication providers) may process data in countries outside the EEA, including the United States. In such cases, we ensure compliance with Chapter V of the GDPR by relying on one or more of the following safeguards:

  • Adequacy Decisions: Where available, we rely on adequacy decisions adopted by the European Commission, including certifications under the EU-U.S. Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): We enter into Standard Contractual Clauses approved by the European Commission with our providers to guarantee an adequate level of protection for your data.
  • Other Appropriate Safeguards: Where applicable, we may rely on other safeguards recognised under Art. 46 of the GDPR.

8. Rights of the Data Subject

Under the GDPR, you have the right to control how your personal data is used. You can exercise these rights at any time by contacting us at support@klarinote.com.

  • Right of Access (Art. 15): You have the right to obtain confirmation as to whether or not your personal data is being processed, and access to that data.
  • Right to Rectification (Art. 16): You can request the correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten") (Art. 17): You have the right to request the deletion of your personal data.
    Specific to Klarinote: You may manually delete your documents or your entire account through the platform at any time, which triggers the deletion of your data from our storage and databases.
  • Right to Restriction of Processing (Art. 18): You can ask us to suspend the processing of your data in certain scenarios (e.g., while you contest the accuracy of the data).
  • Right to Data Portability (Art. 20): You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21): You may object to the processing of your data at any time, particularly if the processing is based on legitimate interest.

9. Protection of Minors

Klarinote is an educational tool designed for university students and professionals. We do not knowingly collect personal data from minors under the age of 14 (in compliance with Italian Legislative Decree 101/2018) or under the age limit applicable in their jurisdiction.

If we become aware that we have collected personal data from a minor without verification of parental consent, we will take steps to remove that information from our servers immediately.

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our services (e.g., adding new authentication providers) or for other operational, legal, or regulatory reasons.

We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We advise you to review this page periodically.

11. Right to Lodge a Complaint

If you have any concerns about how your personal data is being processed, we encourage you to contact us first at support@klarinote.com so that we can try to resolve the matter directly.

Without prejudice to any other remedy, if you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. In Italy, the competent authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).