Klibio

Legal

Privacy Policy

Last updated: May 26, 2026

1. Data Controller

Klibio acts as a data processor under Regulation (EU) 2016/679 (GDPR). The data controller is the client company (tenant) that uses Klibio to manage its employees' data.

Privacy inquiries: privacy@klibio.eu

2. Data We Process

We only process data necessary to provide the service:

  • Managed employees: name, email, role, start/end dates, tool access.
  • Owners and managers: name, email, language preference.
  • Audit log: record of actions (who did what and when).
  • Billing data: managed directly by Stripe.

We do not process special category data (Art. 9 GDPR): we do not collect health data, ethnic origin, ideology or religion.

3. Legal Basis

  • Contract performance (Art. 6.1.b): providing the onboarding/offboarding service.
  • Legitimate interest (Art. 6.1.f): service security, fraud prevention.
  • Legal obligation (Art. 6.1.c): retention of accounting records.

4. Retention Periods

  • Active employees: for the duration of employment.
  • Offboarded employees: 2 years after offboarding completion, then automatic anonymisation.
  • Audit log: 5 years (traceability obligation).
  • Cancelled tenants: 90 days after cancellation, then complete deletion.

5. Sub-processors

Klibio uses the following authorised sub-processors, all with adequate safeguards under GDPR:

Sub-processor    Country         Purpose
AWS / SVERN      EU (Germany)    Hosting and infrastructure
Stripe           USA / EU        Payment processing
Sentry           USA             Error monitoring (no PII)

6. Data Subject Rights

Managed employees may exercise their GDPR rights (access, rectification, erasure, portability, restriction, objection) by contacting the company that manages them (data controller). Klibio provides the tools for the controller to handle these requests.

7. Security Measures

  • Data at rest: AES-256 encryption for PII columns.
  • Data in transit: TLS 1.3 on all endpoints.
  • Access control: roles and permissions following the least-privilege principle.
  • Immutable audit log: every action is permanently recorded.
  • EU servers: GDPR jurisdiction at all times.

8. Contact

For any privacy inquiry or rights exercise: privacy@klibio.eu