Last updated: 13 April 2026
This Privacy Policy explains how PIXATECH AI LTD ("we", "us", "our", or "Kloya") collects, uses, shares, and protects personal data when you use the Kloya platform and services (the "Service"). It applies to all users of the Service, including creators who connect their social media accounts and the fans or followers whose messages and comments are processed through the Service.
We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and, where applicable to users in the European Economic Area, the EU General Data Protection Regulation (EU GDPR).
1. Data Controller
The data controller for the purposes of this Privacy Policy is:
- Company: PIXATECH AI LTD
- Company number: 17103598 (registered in England and Wales)
- Registered address: 66 Paul Street, London, England, EC2A 4NA
- Privacy contact: team@pixastack.app
Where a creator uses the Service to process messages and comments from their fans or followers, the creator acts as the data controller for that fan data and Kloya acts as a data processor on the creator's behalf. See Section 6 (Fan and Third-Party Data Processing) for further detail.
2. Legal Framework
We process personal data in accordance with:
- The UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018
- The Data Protection Act 2018 (DPA 2018)
- The EU General Data Protection Regulation (Regulation (EU) 2016/679), where we process personal data of individuals in the European Economic Area
- The Privacy and Electronic Communications Regulations 2003 (PECR) in relation to cookies and electronic communications
3. Information We Collect
We collect the following categories of personal data:
3.1 Account Data
- Email address
- Full name
- Password (hashed; or Google OAuth identifier)
- Account creation date and login activity
3.2 Creator Profile Data
- Creator display name and niche category
- Personality and voice configuration (tone, style, formality, warmth)
- Knowledge base content (bio, FAQs, brand partnerships, niche expertise)
- Bot configuration settings (response rules, intensity controls)
3.3 Connected Platform Data
- Social media account usernames and platform identifiers for connected accounts (Instagram, Threads, TikTok, X, YouTube, Facebook, Reddit, Telegram, Bluesky, LinkedIn)
- OAuth access tokens and refresh tokens (managed and stored by our platform integration partner, Zernio)
3.4 Messages and Comments
- Incoming direct messages and comments received on connected platforms
- AI-generated responses sent on behalf of creators
- Message metadata (timestamps, platform of origin, conversation thread identifiers)
3.5 Fan and Follower Data
- Platform usernames and display names
- Location data (only where voluntarily shared by the fan in conversation)
- Conversation history and interaction patterns
- Fan memory profiles (facts extracted from conversations, such as interests, preferences, and topics discussed)
- Engagement metrics (message counts, sentiment indicators, conversation state)
3.6 Payment Data
- Subscription tier and billing cycle information. Payment card details are collected and processed directly by Stripe and are never stored on our servers.
3.7 Technical Data
- IP address, browser type, and device information
- Pages visited and features used within the Service
- Error logs and performance data
4. Lawful Basis for Processing
Under Article 6 of the UK GDPR and EU GDPR, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): Processing of account data, creator profile data, connected platform data, and payment data is necessary to provide the Service under our Terms of Service.
- Legitimate interests (Article 6(1)(f)): Processing of fan and follower data (messages, conversation history, fan memory profiles) is necessary for the legitimate interests of creators in managing and automating their social media engagement. We have conducted a legitimate interest assessment and concluded that the processing is proportionate and does not override the rights of data subjects, given that the data is limited to publicly-initiated interactions on social media platforms and that fans can opt out by contacting the creator or Kloya directly.
- Legitimate interests (Article 6(1)(f)): Processing of technical data for security, fraud prevention, and service improvement.
- Consent (Article 6(1)(a)): Where we send marketing communications or process data for purposes not covered by the above bases, we will obtain your explicit consent. You may withdraw consent at any time by contacting team@pixastack.app.
- Legal obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation, such as tax and accounting requirements or responding to lawful requests from authorities.
5. How We Use Your Information
- To provide, operate, and maintain the Service, including AI-powered message and comment response generation
- To classify incoming messages into scenarios (such as greetings, product questions, collaboration inquiries, or harassment) to generate appropriate responses
- To build and maintain fan memory profiles so that AI responses are contextually relevant across conversations
- To enforce creator-configured rules (response intensity, conversation flow limits, cooloff periods, user blocking)
- To process payments and manage subscriptions via Stripe
- To send transactional emails (account verification, password resets, service notifications)
- To detect, prevent, and respond to abuse, fraud, and harassment
- To improve and develop the Service, including training and evaluating our AI models and systems
- To comply with legal obligations
6. Fan and Third-Party Data Processing
This section is particularly important. When a creator connects their social media accounts to Kloya, we process direct messages and comments from fans and followers ("Fan Data") who have not directly signed up for or consented to Kloya.
Controller and Processor roles:
- The creator is the data controller for Fan Data. The creator determines the purposes and means of processing by choosing to connect their accounts, configuring their bot, and setting response rules.
- Kloya acts as a data processor, processing Fan Data on behalf of and under the instructions of the creator.
Our Terms of Service include Data Processing Agreement (DPA) terms that govern this relationship. Under these terms:
- We process Fan Data only on the documented instructions of the creator (i.e., as configured through the Service)
- We implement appropriate technical and organisational security measures
- We assist creators in responding to data subject rights requests from their fans
- We delete or return Fan Data upon termination of the creator's account, at the creator's choice
- We do not use Fan Data for our own purposes beyond what is necessary to provide the Service
Creators are responsible for:
- Ensuring they have a lawful basis to process Fan Data through Kloya (typically legitimate interest in managing their social media engagement)
- Including appropriate disclosures in their own privacy policies about the use of automated tools for message handling
- Responding to data subject rights requests from their fans, with our assistance where needed
If you are a fan or follower whose messages have been processed by Kloya and you wish to exercise your data protection rights, you may contact the creator directly or contact us at team@pixastack.app and we will direct your request to the relevant creator or assist you as appropriate.
7. Automated Decision Making and Profiling
In accordance with Article 22 of the UK GDPR and EU GDPR, we disclose that the Service involves automated processing, including profiling, that may produce effects for data subjects:
- Message classification: Incoming messages are automatically classified into scenarios (e.g., greeting, product question, collaboration inquiry, harassment, spam) using AI. This classification determines the type and tone of the AI-generated response.
- Fan profiling: The Service automatically extracts and stores facts from conversations (such as interests, location if voluntarily shared, and topics discussed) to build fan memory profiles. These profiles are used to make AI responses more relevant and contextual.
- Cooloff periods: The Service automatically applies cooloff periods (temporary pauses in automated responses) based on conversation state, such as after a fan declines a suggestion or after a maximum number of messages in a session.
- Automated blocking: Messages classified as harassment or severe abuse may result in automatic blocking of the sender. Creators can review and reverse blocks through their dashboard.
- Geographic filtering: Where configured by the creator, the Service may filter or adjust responses based on a fan's disclosed location.
Human oversight: Creators have full visibility of all conversations and automated actions through their Kloya dashboard. Creators can review, override, or disable any automated behaviour at any time. Fans who believe they have been subject to a decision based solely on automated processing that significantly affects them may contact the creator or team@pixastack.app to request human review.
8. Data Sharing and Sub-Processors
We do not sell your personal data. We share personal data only with the following sub-processors, each of which is bound by data processing agreements:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | All account data, creator profiles, messages, fan data | EU (London, UK) |
| OpenRouter / OpenAI | AI response generation, message classification, content moderation | Message content, conversation context, creator voice configuration | United States |
| Zernio | Social media platform integration, message relay, OAuth token management | Messages, comments, platform usernames, OAuth tokens | United States |
| Stripe | Payment processing, subscription management | Name, email, payment card details, billing address | United States |
| Resend | Transactional email delivery | Email address, name | United States |
| Vercel | Application hosting, serverless compute, edge network | All data transmitted through the Service (encrypted in transit) | Global (primary: US/EU) |
We may also share personal data where required by law, regulation, legal process, or enforceable governmental request.
9. International Data Transfers
Our primary database is hosted in the EU (London, UK) by Supabase. However, some of our sub-processors are based in the United States, meaning personal data may be transferred outside the UK and the European Economic Area.
In accordance with Articles 44 to 49 of the UK GDPR and EU GDPR, we ensure that international transfers of personal data are protected by appropriate safeguards:
- UK-US and EU-US transfers: Where our US-based sub-processors (OpenRouter, OpenAI, Stripe, Zernio, Resend, Vercel) participate in the EU-US Data Privacy Framework or UK Extension to the EU-US Data Privacy Framework, transfers are made on that basis. Where they do not, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.
- UK adequacy for EU: The European Commission has issued an adequacy decision for the United Kingdom, meaning personal data may flow freely between the EU and UK without additional safeguards.
You may request a copy of the relevant transfer safeguards by contacting team@pixastack.app.
10. Data Storage and Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our database is encrypted at rest using AES-256 encryption.
- EU-hosted database: Our primary database is hosted by Supabase in the EU (London, UK region).
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- OAuth token security: Social media OAuth tokens are managed by our integration partner (Zernio) and are not stored directly in our database.
- Password security: Passwords are hashed using industry-standard algorithms and are never stored in plain text.
11. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained until you delete your account. Upon account deletion, account data is permanently deleted within 30 days.
- Creator profile and configuration: Retained for the duration of your account.
- Messages and conversation history: Retained for the duration of your account. Creators may delete individual conversations at any time.
- Fan memory profiles: Retained for the duration of the creator's account. Creators may delete individual fan profiles at any time.
- Processing logs: Automatically deleted after 7 days.
- Payment records: Retained for as long as required by applicable tax and accounting legislation (typically 6 years in the UK).
12. Your Rights as a Data Subject
Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and certain information about the processing.
- Right to rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay.
- Right to erasure (Article 17): You have the right to have your personal data deleted in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing (Article 18): You have the right to restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21): You have the right to object to the processing of your personal data where we rely on legitimate interests as the lawful basis, including profiling based on those interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. See Section 7 for details on how to request human review.
To exercise any of these rights, please contact us at team@pixastack.app. We will respond to your request within one month, as required by law. We may extend this period by a further two months where necessary, taking into account the complexity and number of requests. We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive.
13. Right to Complain
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.
For UK residents:
- Information Commissioner's Office (ICO)
- Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
- Telephone: 0303 123 1113
For EU residents: You may lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or place of the alleged infringement.
14. EU Representative
Under Article 27 of the EU GDPR, controllers not established in the EU but offering services to EU data subjects are required to appoint an EU representative. We have not yet appointed an EU representative. If you are located in the EU and wish to exercise your rights, you may contact us directly at team@pixastack.app. We will appoint an EU representative and update this policy accordingly as our EU user base grows.
15. Cookies
We use only strictly necessary cookies. We do not use any advertising, analytics, or tracking cookies. In compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), strictly necessary cookies do not require consent.
The cookies we use are:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication session. Required to keep you logged in. | Strictly necessary | Session |
No third-party cookies are set by the Service. We do not use cookies for advertising, remarketing, or cross-site tracking purposes.
16. Children
The Service is not intended for, and we do not knowingly collect personal data from, individuals under the age of 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that a child under 18 has provided us with personal data, please contact us at team@pixastack.app.
17. Data Breach Notification
In the event of a personal data breach, we will comply with our obligations under Articles 33 and 34 of the UK GDPR and EU GDPR:
- We will notify the Information Commissioner's Office (and, where applicable, the relevant EU supervisory authority) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, we will notify the affected individuals without undue delay, describing the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
- Where Kloya is acting as a data processor (for Fan Data), we will notify the relevant creator (data controller) without undue delay upon becoming aware of a breach affecting their Fan Data.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. Where changes are significant, we will provide reasonable notice by email or through a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.
We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.
19. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
We aim to respond to all enquiries within 5 working days.