Privacy Policy

How we handle your data.

Genealogy research deals with sensitive personal information about living and deceased people. This policy explains what we collect, how we use it, who we share it with, and the rights you have.

Last updated
June 1, 2026
Effective date
June 1, 2026

Contents

  1. 1.Who we are
  2. 2.Scope of this policy
  3. 3.What personal data we collect
  4. 4.How we use your data
  5. 5.AI processing and automated decision-making
  6. 6.Third-party data in genealogy records
  7. 7.Who we share your data with
  8. 8.International data transfers
  9. 9.Data retention
  10. 10.Cookies and tracking technologies
  11. 11.Your privacy rights
  12. 12.How to exercise your rights
  13. 13.Children's privacy
  14. 14.Data security
  15. 15.Data breach notification
  16. 16.Changes to this privacy policy
  17. 17.Contact us

Section 1

Who we are

KleioBase is operated by Itamar Denkberg (“we,” “us,” or “our”), a sole proprietor based in Israel.

KleioBase is a genealogy platform that helps users digitize, organize, and explore historical family records using artificial intelligence.

Contact for privacy matters

Email: [email protected]
Website: https://kleiobase.com

EU representative (GDPR Article 27)

To be appointed. Details will be added here once an EU representative service is designated.

UK representative (UK GDPR Article 27)

To be appointed. Details will be added here once a UK representative service is designated.

Section 2

Scope of this policy

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use KleioBase, including our website at kleiobase.com and all related services (collectively, the “Service”).

This policy applies to users worldwide and includes jurisdiction-specific sections for the European Economic Area (EEA), the United Kingdom, California (USA), Australia, Canada, Israel, and New Zealand.

Section 3

What personal data we collect

3.1 Data you provide directly

Data typeExamplesWhen collected
Account informationEmail address, display name, password (hashed), or OAuth profile data from Google, GitHub, or Apple sign-inAccount creation
Profile informationName, profile preferencesProfile setup
Uploaded documentsPhotographs, scanned records, historical documents containing names, dates, places, and family relationshipsWhen you upload records for AI processing
User-generated contentNotes, tags, corrections to AI-extracted data, family tree entriesWhen you use the platform
Payment informationTransaction history, subscription status. All payment data is collected and processed entirely by Freemius as Merchant of Record. We never receive or store credit card numbers, billing addresses, or payment method details.When you subscribe or purchase credits
CommunicationsEmails, support requestsWhen you contact us

3.2 Data we collect automatically

Data typeExamplesPurpose
Device and browser dataIP address, browser type and version, operating system, device type, screen resolution, browser fingerprintService operation, security, and analytics
Usage dataPages visited, features used, click patterns, session durationProduct improvement and analytics
Cookies and similar technologiesAuthentication tokens, analytics identifiers, marketing pixelsSee Section 10 (Cookies).

3.3 Data generated through AI processing

When you upload documents for processing, our AI system extracts structured data including:

  • Names of individuals mentioned in the document
  • Dates (birth, death, marriage, immigration, and similar)
  • Places and locations (which may be geocoded to coordinates via Mapbox)
  • Family relationships
  • Other factual details present in the record

Important: Uploaded documents, particularly historical records, frequently contain personal data of third parties (people other than you). This may include living individuals. See Section 6 for how we handle third-party data in genealogy records.

Section 4

How we use your data

We process your personal data for the following purposes and on the following legal bases:

PurposeData usedLegal basis (GDPR)
Providing the Service (account management, document storage, AI processing, family tree features)Account info, uploaded documents, AI-extracted dataPerformance of contract (Art. 6(1)(b))
AI transcription and data extractionUploaded documentsPerformance of contract (Art. 6(1)(b)). You upload documents specifically for AI processing.
Geocoding locations mentioned in recordsPlace names extracted by AILegitimate interest (Art. 6(1)(f)). Enhancing the usefulness of extracted data.
Analytics (PostHog)Usage data, device info, IP addressConsent (Art. 6(1)(a)), via cookie consent banner
Marketing analytics (Meta Pixel)Page views, conversion eventsConsent (Art. 6(1)(a)), via cookie consent banner
Transactional emails (account verification, password reset, billing notifications)Email addressPerformance of contract (Art. 6(1)(b))
Product update emails and newsletters (opt-in only)Email addressConsent (Art. 6(1)(a)). You must explicitly opt in.
Waitlist managementEmail addressConsent (Art. 6(1)(a))
Payment processingBilling details (held by Freemius)Performance of contract (Art. 6(1)(b))
Security and abuse preventionIP address, usage patternsLegitimate interest (Art. 6(1)(f)). Protecting the Service and its users.
Legal complianceVarious, as requiredLegal obligation (Art. 6(1)(c))

4.1 Legitimate interest assessments

Where we rely on legitimate interest as a legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at [email protected].

Section 5

AI processing and automated decision-making

5.1 How AI processing works

When you upload a document, it is sent to Google’s Gemini API for text extraction and analysis. The AI identifies and structures information such as names, dates, places, and relationships contained in the document.

Key facts about our AI processing:

  • We use the Google Gemini API on a paid tier. Under Google’s paid API terms, your data is not used to train or improve Google’s AI models.
  • Google retains prompts and contextual information for 55 days solely for abuse monitoring and policy enforcement purposes. This data is not used for model training or fine-tuning.
  • All AI-extracted results are placed in a “review” state by default. You must manually confirm or correct the extracted information before it is treated as verified. The AI does not make final decisions. Human review is always required.
  • AI extraction may contain errors. We make no guarantee of the accuracy of AI-generated genealogical conclusions. You are responsible for verifying all extracted data.

5.2 Automated decision-making (GDPR Article 22)

KleioBase’s AI processing assists you in extracting information from documents. It does not make decisions that produce legal effects or similarly significantly affect you. The AI is a tool that presents suggestions for your review. It does not determine legal rights, financial outcomes, or access to services.

You always have the ability to review, correct, or reject any AI-extracted data.

5.3 AI transparency (EU AI Act)

KleioBase deploys AI systems for document analysis and data extraction. We are transparent about the use of AI throughout the platform: our use of AI is disclosed in this Privacy Policy and in our Terms of Service, which you accept when you create an account, and AI-processed results are clearly labeled in the product and placed in a “review” state for your confirmation.

Section 6

Third-party data in genealogy records

Genealogy records inherently contain personal data about individuals other than the user who uploads them. Historical records may reference living individuals (for example, a birth certificate from 40 years ago names a person who is likely still alive).

Our approach:

  • Deceased individuals are generally not data subjects under the GDPR (Recital 27). However, some jurisdictions may offer limited post-mortem privacy protections.
  • Living individuals named in records you upload are data subjects with privacy rights. By uploading records containing third-party personal data, you represent that you have a lawful basis for doing so (such as a legitimate interest in family history research) and accept responsibility for ensuring that the upload does not violate any applicable privacy laws.
  • We process third-party data contained in your uploads under legitimate interest (Art. 6(1)(f) GDPR), specifically the recognized interest in historical and genealogical research. We have conducted a balancing test weighing the genealogical research purpose against the privacy interests of individuals named in records.
  • Special-category data. Genealogy records can reveal special categories of personal data within the meaning of Art. 9 GDPR, in particular racial or ethnic origin and religious belief. Where they do, our primary condition is Art. 9(2)(j) GDPR - processing necessary for archiving in the public interest or for historical research - applied with the safeguards required by Art. 89(1). Those safeguards include data minimization (we extract only what the record itself contains), strict per-user access isolation so records are not shared across accounts by default, mandatory human review before extracted data is treated as verified, and the right of any identified individual to seek access, correction, or erasure. Where a record was manifestly made public by the individual concerned (for example, a published or publicly archived record), we may additionally rely on Art. 9(2)(e). The large majority of individuals in historical records are deceased and fall outside the GDPR (Recital 27).
  • If any individual identified in records stored on KleioBase contacts us to exercise their privacy rights (access, erasure, objection), we will process their request in accordance with applicable law and notify the uploading user.

Section 7

Who we share your data with

We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary for the stated purposes.

7.1 Service providers (data processors)

ProviderPurposeData sharedLocationTransfer safeguard
SupabaseDatabase hosting, authentication, file storageAll user data, uploaded documents, AI-extracted dataUSAStandard Contractual Clauses (SCCs) and DPA
Google (Gemini API)AI document transcription and data extractionUploaded documents and processing contextUSAEU-US Data Privacy Framework (certified)
FreemiusPayment processing (Merchant of Record)Email address, subscription status. Freemius independently collects and controls all payment details. We never receive or store them.USADPA. Freemius acts as independent controller for payment processing.
MapboxGeocoding of locations extracted from recordsPlace names and addressesUSAEU-US Data Privacy Framework (certified)
PostHogProduct analyticsUsage data, device info, anonymized identifiersUSAEU-US Data Privacy Framework (certified) and SCCs; consent-based
ResendTransactional and marketing email delivery; receives inbound mail to role addresses (privacy@, contact@, support@, abuse@, security@, legal@, marketing@) and forwards it to our application via webhookEmail addresses, email content (outbound and inbound)USAEU-US Data Privacy Framework (certified) and SCCs
Meta (Facebook Pixel and Conversions API)Marketing analytics and advertisingPage views, conversion events (pseudonymized)USAEU-US Data Privacy Framework (certified); consent-based
RailwayApplication hosting and deploymentIP address, request data (server logs)USADPA and SCCs
SentryError monitoring and performance trackingError reports, which may include IP address, browser info, and application state at the time of an errorUSAEU-US Data Privacy Framework (certified) and SCCs
LinearProduct issue tracking and triage of feedback you submit through the in-app feedback formYour email address and the feedback content you submit (description, steps to reproduce, and any screenshot you attach)USADPA and SCCs
Cloudflare (Turnstile)Bot protection on formsBrowser interaction data, IP address (processed transiently for challenge verification)GlobalEU-US Data Privacy Framework (certified)
Google, GitHub, Apple (OAuth)Single sign-on authenticationProfile data you authorize during sign-in (email, name, avatar)USAEU-US Data Privacy Framework (Google, Apple); DPA (GitHub/Microsoft)

7.2 Sharing and collaboration features

Certain paid plans offer sharing and collaboration features that allow you to invite other users to access your knowledge base. Where these features are available on your plan:

  • Read-only collaborators you invite can view but not edit your shared knowledge base.
  • Edit-access collaborators you invite can view and modify the shared knowledge base.
  • Revoking an invitation immediately removes access.
  • We do not share your data with other users unless you explicitly enable sharing.

Availability of these features depends on your subscription plan. See our pricing page for current details.

7.3 Legal requirements

We may disclose personal data if required by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of KleioBase, its users, or the public.

Section 8

International data transfers

KleioBase is operated from Israel. Your data may be transferred to and processed in countries outside your country of residence, including the United States and Israel.

8.1 Transfer safeguards

We use the following mechanisms to ensure adequate protection for international transfers:

Israel: Israel has an adequacy decision from the European Commission (and a separate UK adequacy decision), meaning transfers of personal data from the EU/EEA and UK to Israel are permitted without additional safeguards.

United States: For each US-based service provider, we rely on one or more of the following:

  • EU-US Data Privacy Framework (DPF): Google, Mapbox, PostHog, Resend, Sentry, and Cloudflare are certified under the EU-US DPF, providing an adequate level of protection for transatlantic transfers. Meta is certified under the EU-US DPF for its onward transfers and acts as an independent (and, for the initial collection, joint) controller of advertising-measurement data rather than as our processor.
  • Standard Contractual Clauses (SCCs): For providers not certified under the DPF (Supabase, Freemius, Railway, and Linear), we rely on the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914, controller-to-processor module), supplemented by additional technical and organizational measures (encryption in transit and at rest, data minimization, and per-user access isolation). We have assessed these transfers in an internal Transfer Impact Assessment and concluded they provide an adequate level of protection.
  • Data Processing Agreements (DPAs): Each service provider is bound by a DPA that includes commitments on data security, confidentiality, and breach notification. Most DPAs are incorporated automatically into the provider’s terms or accepted electronically; the remainder are executed by signature.

8.2 United Kingdom transfers

For personal data of UK users transferred to the United States, we rely on the UK Extension to the EU-US Data Privacy Framework (the “UK-US data bridge”) for providers that have separately certified to the UK Extension (Google, Mapbox, Cloudflare, PostHog, Resend, and Sentry). UK certification is a separate step from EU-US certification, so for other US providers we rely on the UK International Data Transfer Addendum to the SCCs, supported by a transfer risk assessment. Transfers from the UK to Israel are permitted under the UK’s adequacy decision for Israel without additional safeguards.

8.3 Australian users: cross-border disclosure (APP 8)

If you are located in Australia, your personal information will be disclosed to overseas recipients in the United States (all providers listed above) and Israel (KleioBase’s place of operation). As our reasonable steps under APP 8.1, we bind each overseas recipient by an enforceable Data Processing Agreement requiring it to handle your personal information in a way consistent with the Australian Privacy Principles. We do not ask you to consent to a waiver of APP 8 protections.

Under section 16C of the Privacy Act, we remain accountable for the handling of your personal information by these overseas recipients as if we had handled it ourselves. If an overseas recipient mishandles your information, you retain your rights and remedies under the Privacy Act against us.

8.4 Canadian users: international transfers

If you are located in Canada, your personal information is transferred to and processed in the United States and Israel. Under PIPEDA, this transfer to our service providers for processing is a “use” of your information for the purposes you originally agreed to, not a separate disclosure requiring fresh consent. We remain accountable for your information and bind each processor by contract to a comparable level of protection.

Foreign access: while your information is stored or processed outside Canada, it may be accessible to the courts, law enforcement, and national security authorities of those jurisdictions under their laws.

Meaningful consent: so that your consent is meaningful, we highlight throughout this policy (1) what personal information we collect, (2) the parties we share it with, including the service providers listed in Section 7, (3) the purposes for which we use it, and (4) the residual risks involved, including the foreign-access risk described above.

8.5 Quebec residents (Law 25)

If you are a resident of Quebec, Quebec’s Act respecting the protection of personal information in the private sector (as amended by Law 25) applies to our handling of your personal information, regardless of where KleioBase is located.

  • Person in charge of privacy. Our designated privacy officer is Itamar Denkberg, reachable at [email protected].
  • Transfers outside Quebec. Before transferring your personal information outside Quebec (to our US and Israel-based infrastructure and service providers), we conduct a privacy impact assessment of the transfer, confirm the information will receive adequate protection, and bind the recipient by contract.
  • Sensitive information. Genealogy records can constitute sensitive personal information. We collect and process it only with your consent, which you provide when you upload documents for processing, and use it solely to provide the Service.
  • Your rights. You have the rights of access, rectification, and, where applicable, de-indexing and data portability. To exercise them, or to complain, contact our privacy officer above. You may also lodge a complaint with the Commission d’accès à l’information du Québec (CAI).

Section 9

Data retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Data categoryRetention period
Active account dataRetained while your account is active
Uploaded documents and AI-extracted dataRetained while your account is active; permanently deleted immediately upon account deletion
Trashed records and profilesPermanently deleted 30 days after you move them to trash
Analytics data (PostHog)Retained according to PostHog's default retention settings; anonymized or deleted when no longer needed
Marketing data (Meta Pixel)Subject to Meta's data retention policies; we cease sharing data when you withdraw consent
Transactional email recordsRetained for up to 2 years for operational and legal purposes
Payment recordsRetained as required by tax and accounting laws (typically 7 years)
Server logs (Railway)Retained for up to 30 days
AI processing logs (Google)Google retains for 55 days for abuse monitoring, then deletes
Waitlist entriesRetained until you convert to an account or remove yourself via the one-click unsubscribe link in any waitlist email

When you delete your account via the self-service flow (Settings - Account), deletion is processed immediately and covers: all data in our database (records, profiles, families, conversations, and your account row), your uploaded files in our file storage, your contact record in Resend (email delivery), your analytics profile in PostHog, and your active Freemius subscription (if any). A durable audit log entry is retained without personally identifiable information for fraud-prevention and legal-compliance purposes. Payment records held by Freemius as Merchant of Record are subject to their own retention obligations (typically 7 years for tax purposes).

Data sharing with Meta via the Meta Pixel is governed by the CCPA opt-out described in Section 11.3. Account deletion removes the identifiers we share with Meta going forward; historical attribution data already processed by Meta is subject to Meta's own retention policies.

Mail you send to our role addresses (privacy@, contact@, support@, abuse@, security@, legal@, marketing@) is stored in our own systems and retained until manually deleted. Quarantined spam is automatically deleted after 30 days. You may request deletion of your message at any time by writing to [email protected].

Section 10

Cookies and tracking technologies

We use cookies and similar technologies on our website. We categorize them as follows.

Essential cookies (always active)

  • Supabase authentication session cookies (managed by @supabase/ssr)
  • kb-low-contrast - accessibility preference (stores your display contrast setting)
  • kb_beta_access - beta access gate token
  • kb-cookie-consent - records your analytics and marketing cookie choices, the detected region, any Global Privacy Control signal, and the timestamp of your decision

Local storage (browser storage, not cookies)

  • PostHog analytics identifiers. PostHog uses browser localStorage (not cookies) to maintain an anonymous session identifier for product analytics. This data is subject to your consent via the cookie/tracking consent mechanism.

Marketing cookies (requires your consent)

  • Meta Pixel: sets cookies to measure advertising effectiveness and deliver relevant advertisements.

Bot protection

  • Cloudflare Turnstile: may set cookies transiently during bot verification challenges on forms.

You can manage your tracking preferences at any time through our consent banner or by visiting your tracking settings. Rejecting non-essential tracking does not affect your ability to use KleioBase.

For more information about how to control cookies and local storage in your browser, visit your browser’s help documentation.

Section 11

Your privacy rights

11.1 Rights for all users

Regardless of where you are located, you can:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Export your data (including GEDCOM export of family tree data)
  • Withdraw consent for optional processing (analytics, marketing)
  • Object to processing based on legitimate interest

Many of these rights are available as self-service actions inside the platform, without needing to contact us:

  • Download my data - a full ZIP export of all personal data we hold (account, records, people, families, matches, Research Companion history, and original file uploads) is available at Settings - Import / Export. We email you a download link when the archive is ready. The link expires after 7 days and can be regenerated.
  • Delete account - permanently erases your account and all associated data. Available at Settings - Account. The flow requires you to type your account email, click a single-use confirmation link sent to that address, and then re-authenticate (re-enter your password, or re-sign-in with your identity provider). See Section 9 for what deletion covers.
  • Clear KB data - deletes all knowledge-base content (records, profiles, families, matches, Research Companion conversations) while keeping your account active. Available at Settings - Account. Like account deletion, it requires confirming via a single-use link emailed to you and then re-authenticating.

For any right not covered by a self-service flow, contact us at [email protected].

11.2 EEA and UK residents (GDPR / UK GDPR)

If you are in the European Economic Area or the United Kingdom, you have the following additional rights under the GDPR (or UK GDPR):

  • Right of access (Art. 15): obtain a copy of all personal data we process about you.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data (“right to be forgotten”).
  • Right to restriction of processing (Art. 18): request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format. We support GEDCOM export for genealogy data and JSON export for other data.
  • Right to object (Art. 21): object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: you may file a complaint with your local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu. For UK residents, contact the Information Commissioner’s Office (ICO) at ico.org.uk.

11.3 California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of personal information collected

Using CCPA-defined categories, we collect the following:

CCPA categoryExamplesSourceBusiness purposeRetention
A. IdentifiersEmail address, display name, IP address, device identifiersDirectly from you; automatically collectedAccount management, service delivery, analyticsDuration of account
B. Personal information categories (Cal. Civ. Code § 1798.80(e))Name, email addressDirectly from youAccount managementDuration of account
C. Protected classification characteristicsRacial or ethnic origin, nationality, or ancestry as may be revealed by genealogy records you uploadGenerated from your uploads via AI processingCore service functionality (genealogy research)Duration of account
D. Commercial informationSubscription type, purchase history, PAYG credit balanceDirectly from you; from FreemiusBilling, service deliveryDuration of account + 7 years (tax records)
F. Internet or similar network activityBrowsing history on our site, interactions with the ServiceAutomatically collectedAnalytics, product improvementPer analytics retention settings
G. Geolocation dataIP-derived approximate locationAutomatically collectedAnalytics, content deliveryPer analytics retention settings
H. Sensory dataPhotographs and scanned images of historical documents you uploadDirectly from youAI processing and document storageDuration of account
K. InferencesAI-extracted genealogical relationships, family connectionsGenerated from your uploads via AI processingCore service functionalityDuration of account

Sale and sharing of personal information

We do not sell your personal information as defined by the CCPA.

We may “share” personal information (as defined by the CCPA/CPRA) with Meta for cross-context behavioral advertising purposes when you have consented to marketing cookies. You can opt out of this sharing at any time by:

  • Adjusting your cookie preferences to reject marketing cookies
  • Using the “Do Not Sell or Share My Personal Information” link in our website footer
  • Enabling the Global Privacy Control (GPC) signal in your browser. We honor GPC signals as a valid opt-out request.

Sensitive personal information

Genealogical data may be considered sensitive personal information under the CPRA, particularly where it reveals racial or ethnic origin. We use sensitive personal information only as necessary to provide the Service (document processing and genealogy research) and do not use it for purposes beyond what is permitted under the CCPA/CPRA.

Your CCPA/CPRA rights

  • Right to know: request disclosure of (a) the categories of personal information we have collected about you, (b) the categories of sources, (c) the business or commercial purpose for collecting, and (d) the specific pieces of personal information we have collected about you (CCPA § 1798.110).
  • Right to delete: request deletion of your personal information.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: opt out of the sharing of your personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information: direct us to limit the use of your sensitive personal information to what is necessary for the Service.
  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA § 1798.121.

Authorized agents

You may designate an authorized agent to make requests on your behalf. We may require the agent to provide proof of your written authorization and verify your identity directly.

Financial incentive programs

We do not offer any financial incentive programs tied to the collection of personal information.

11.4 Australian residents

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information (APP 12)
  • Request correction of inaccurate, out-of-date, incomplete, or misleading personal information (APP 13)
  • Complain about a breach of the APPs. We will respond to your complaint within 30 days.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you are not satisfied with our response.

Sensitive information: genealogy records may contain information that reveals racial or ethnic origin, which is “sensitive information” under the Australian Privacy Act. We collect such information only with your consent (which you provide by uploading the document) and use it solely for the purpose of providing the genealogy service.

11.5 Canadian residents (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access your personal information held by us
  • Challenge the accuracy and completeness of your personal information and have it amended as appropriate
  • Withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
  • Complain to us about our personal information handling practices
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca if you are not satisfied with our response.

11.6 New Zealand residents

Under the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs), you have the right to:

  • Access your personal information (IPP 6)
  • Request correction of your personal information (IPP 7)
  • Lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz.

11.7 Israeli residents

Under Israel’s Protection of Privacy Law 5741-1981 (as amended, including Amendment 13 effective August 2025), you have the right to:

  • Access personal data held about you in our databases
  • Request correction or deletion of inaccurate data
  • Object to the use of your data for direct marketing purposes
  • Sue for privacy violations without the need to prove actual harm (under Amendment 13)
  • Lodge a complaint with the Privacy Protection Authority (PPA) at gov.il/privacy-protection-authority.

We have designated a Privacy Protection Officer, reachable at [email protected], who is responsible for our compliance with the Protection of Privacy Law and for handling your requests.

Section 12

How to exercise your rights

To exercise any of the rights described above, please contact us at:

Email: [email protected]

We will respond to your request within:

  • 30 days for GDPR / UK GDPR requests (extendable by two further months for complex requests)
  • 45 days for CCPA/CPRA requests (extendable by an additional 45 days with notice)
  • 30 days for Australian Privacy Act requests
  • 30 days for PIPEDA requests (extendable to 60 days with notice)
  • 20 working days for New Zealand Privacy Act requests
  • 30 days for Israeli Protection of Privacy Law requests

We may need to verify your identity before processing your request. We will not charge a fee for processing reasonable requests, except where requests are manifestly unfounded or excessive.

Section 13

Children's privacy

KleioBase is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If you believe that we have collected personal information from a child under 16, please contact us at [email protected], and we will take steps to delete that information.

Note regarding genealogy data: uploaded historical records may contain information about individuals who were minors at the time the record was created. This data is processed solely for genealogical research purposes and does not involve the direct collection of data from children.

Section 14

Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Authentication via secure, industry-standard methods (Supabase Auth)
  • Access controls limiting who can access personal data
  • Regular review of security practices
  • Incident response procedures (see Section 15)

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee its absolute security.

Section 15

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33 and UK GDPR)
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34)
  • Notify the OAIC and affected individuals as soon as practicable under Australia’s Notifiable Data Breaches scheme
  • Comply with breach notification requirements under CCPA, PIPEDA, the NZ Privacy Act 2020, and Israel’s Privacy Protection Law as applicable

Section 16

Changes to this privacy policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this policy
  • Notify you by email or through a prominent notice on our website
  • Where required by law, obtain your consent to material changes

We encourage you to review this policy periodically.

Section 17

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]
Website: https://kleiobase.com/privacy

For EEA residents, you may also contact our EU Representative at: [EU Representative details to be added]

For UK residents, you may also contact our UK Representative at: [UK Representative details to be added]

This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Australian Privacy Act 1988, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the New Zealand Privacy Act 2020, and Israel’s Protection of Privacy Law 5741-1981 (as amended).

We use cookies and similar technologies. Essential cookies keep the site working. We only load analytics (PostHog) and marketing (Meta Pixel) with your consent. See our Privacy Policy.