Overview
The points below summarize key aspects of this Policy. They are provided for convenience and do not replace the full text that follows.
- We act as a data controller for our website and account-holder data, and as a data processor when handling end-user interactions on behalf of our customers.
- We do not sell personal data. We do not use customer or end-user content to train foundation models except where expressly disclosed and authorized under applicable contractual terms.
- Personal data is processed only for defined purposes, retained no longer than necessary and protected with appropriate technical and organizational measures.
- Individuals in the EEA, the United Kingdom and certain U.S. states have rights with respect to their personal data, which they may exercise as described in this Policy.
Who we are
KleonoxAI is a technology company headquartered in Athens, Greece. We develop and operate Mentoros, an enterprise AI assistant platform that includes customer-facing assistants, a merchant console for configuration and knowledge management, and analytics for conversation intelligence.
For the purposes of European Union and United Kingdom data protection law, KleonoxAI is the controller of personal data collected through our website and account-holder interactions. When we process personal data on behalf of a customer in connection with the operation of a Mentoros assistant deployed on that customer’s property, we act as a processor; the customer is the controller. This distinction is described further in Section 3.
Scope
This Policy applies to personal data processed in connection with:
- The KleonoxAI website and any related domains operated by us;
- The Mentoros platform, including the merchant console and APIs;
- Mentoros AI assistants deployed on customer websites or applications;
- Communications and other interactions between an individual and KleonoxAI.
This Policy does not apply to third-party websites, products or services that may be linked from, or integrated with, our Services. Those third parties are responsible for their own processing of personal data and operate under their own privacy notices.
Roles and responsibilities
Data protection law distinguishes between a “controller”, which determines the purposes and means of processing personal data, and a “processor”, which processes personal data on behalf of a controller. The roles of KleonoxAI differ depending on the context.
KleonoxAI as controller
We act as controller for personal data collected directly from individuals through our website, sales interactions, account registration, support communications and similar channels. We determine the purposes and means of that processing and are accountable under applicable law.
KleonoxAI as processor
When a customer deploys a Mentoros assistant on its own property, the customer determines the purposes and means of processing personal data submitted by, or collected from, end users. KleonoxAI processes that personal data on the documented instructions of the customer and in accordance with a Data Processing Agreement.
Customer responsibilities
Customers are responsible for providing appropriate notices to their end users, obtaining any consents required under applicable law, configuring retention and access controls within the Services and ensuring that their use of the Services complies with applicable law.
What data we collect
We collect different categories of personal data depending on how an individual interacts with the Services and on customer configuration. The categories below describe the principal types of personal data processed.
Sources of personal data
We collect personal data directly from individuals, automatically through use of our website or Services, from customers that configure and operate Mentoros deployments, and from service providers or third parties where relevant to account administration, security, communications, or lawful business operations.
Categories of personal data
Account and identification data
- Name, business email address and job title
- Company name and billing entity
- Authentication credentials (stored in hashed form)
- Account preferences and configuration choices
Purpose. To establish and administer customer accounts, authenticate users, provide support and maintain the integrity of the Services.
Conversation and interaction data
- Messages submitted to a Mentoros assistant
- Responses generated by the assistant
- Conversation metadata such as timestamps and pseudonymous session identifiers
- Feedback or ratings provided by an end user
Purpose. To deliver the conversational AI service, generate responses, support the customer’s analytics requirements and address security or troubleshooting events. Where this data is processed on behalf of a customer, that customer determines the retention and use of the data, subject to applicable law.
Usage, device and log data
- IP address and approximate location derived from it
- Browser type, version and language settings
- Device type and operating system
- Pages visited, features used and timestamps
- Referring URLs and diagnostic logs
Purpose. To operate and secure the Services, prevent abuse, measure performance and improve reliability.
Customer-provided content
- FAQs, knowledge base articles and product documentation
- Product catalogs and structured data feeds
- Custom instructions, prompts and assistant configuration
- Brand assets and visual configuration
Purpose. To configure Mentoros assistants in accordance with the customer’s instructions and to enable knowledge retrieval at runtime.
Billing and transactional data
- Billing address and tax identifiers
- Payment instrument details, processed by our payment providers
- Invoice records and transaction history
Purpose. To process payments, manage subscriptions, fulfil tax and accounting obligations and maintain auditable financial records.
Communications data
- Messages sent to our sales, support or privacy teams
- Survey responses and product feedback
- Marketing preferences and consent records
Purpose. To respond to enquiries, document consent, evidence compliance and, where permitted, send relevant communications.
How we use personal data
We process personal data for the following purposes:
- Provide and operate the Services: operate Mentoros assistants and the merchant console, generate responses, deliver analytics and maintain core functionality.
- Maintain and improve the Services: diagnose issues, monitor performance, conduct testing and develop new features. We do not use customer or end-user content to train foundation models.
- Customer support: respond to enquiries, investigate incidents and assist customers with their use of the Services.
- Security, abuse prevention and integrity: detect, investigate and prevent fraudulent, malicious or unauthorized activity and protect the rights, property and safety of KleonoxAI, our customers and the public.
- Legal and regulatory compliance: comply with applicable laws, respond to lawful requests from public authorities and enforce our agreements.
- Communications and, where permitted, marketing: send service messages, security notices and, where permitted by applicable law, information about our products and services.
Legal bases for processing (EEA and United Kingdom)
Where the European Union General Data Protection Regulation (GDPR) or the United Kingdom General Data Protection Regulation (UK GDPR) applies, we rely on the following legal bases for processing personal data:
Performance of a contract
Processing necessary to enter into or perform a contract with the individual or the organization they represent.
Examples
- Provisioning and operating the Mentoros platform for a customer
- Administering authentication, billing and account management
- Providing customer support requested by the individual
Legitimate interests
Processing necessary for legitimate interests pursued by KleonoxAI or a third party, where those interests are not overridden by the rights and freedoms of the individual.
Examples
- Securing and protecting the Services against abuse and fraud
- Improving service reliability, performance and quality
- Conducting business administration and analytics on aggregated data
Consent
Processing based on the individual’s freely given, specific, informed and unambiguous consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out beforehand.
Examples
- Use of non-essential cookies and similar technologies
- Marketing communications where consent is required
- Optional research or beta program participation
Compliance with a legal obligation
Processing necessary to comply with a legal obligation to which KleonoxAI is subject.
Examples
- Tax, accounting and statutory record-keeping requirements
- Responding to lawful requests from competent authorities
- Cooperating with regulatory investigations
How Mentoros data flows
The following description outlines, at a high level, how personal data moves through Mentoros when a customer deploys an assistant on its property.
1. Customer configuration: the customer uploads or connects content (FAQs, product catalogs, documentation) and configures their assistant through the merchant console.
2. End-user interaction: an end user interacts with the assistant on the customer’s property. The assistant processes the message together with relevant configuration and content.
3. Response generation: where appropriate, the assistant uses third-party AI model providers to generate a response. Conversation content may be processed by these providers for the purpose of generating a response, subject to applicable contractual and technical safeguards.
4. Logging and analytics: conversation logs and analytics are made available to the customer through the merchant console. Access controls and retention settings are configured by the customer, subject to applicable law.
Disclosures and subprocessors
KleonoxAI does not sell personal data. We disclose personal data only in the limited circumstances described in this Section and subject to appropriate contractual and technical safeguards.
Subprocessors and service providers
We engage carefully selected third parties to support the operation of the Services. These subprocessors are contractually required to process personal data only on our documented instructions and to maintain appropriate technical and organizational measures. The categories of subprocessor we engage are:
- Cloud hosting and infrastructure providers
- AI model providers used to generate assistant responses
- Payment processing providers
- Email, communications and customer messaging providers
- Logging, monitoring and analytics providers
- Customer support and ticketing platforms
- Security, fraud prevention and identity verification services
A current list of subprocessors is available to customers on request and is identified in the applicable Data Processing Agreement.
Legal and regulatory disclosures
We may disclose personal data where we are required to do so by law, by a court order or by other legally binding request, or where we believe in good faith that disclosure is necessary to protect the rights, property or safety of KleonoxAI, our customers, our personnel or the public, and to enforce our agreements.
Corporate transactions
In the event of a merger, acquisition, financing, reorganization or sale of all or part of our business or assets, personal data may be disclosed or transferred to the relevant counterparty, subject to appropriate confidentiality undertakings and applicable law. We will provide notice where required.
With your consent or at your direction
We may disclose personal data to other third parties where the individual has given consent or has otherwise directed us to do so.
International transfers
KleonoxAI is established in the European Union. To deliver the Services, personal data may be transferred to, or accessed from, jurisdictions outside the European Economic Area or the United Kingdom, including countries that have not been recognized as providing an adequate level of protection.
Where such transfers occur, we implement appropriate safeguards, which may include:
- Transfers to countries benefiting from an adequacy decision of the European Commission or the United Kingdom government;
- Standard Contractual Clauses adopted by the European Commission, together with the United Kingdom International Data Transfer Addendum where applicable;
- Other transfer mechanisms permitted under applicable law, supplemented as necessary by additional technical and organizational measures.
Information about the transfer mechanisms applicable to a specific processing activity is available on request to the contact identified in Section 17.
Data retention
We retain personal data for no longer than is necessary for the purposes for which it was collected, as described in this Policy, or to comply with our legal, regulatory and contractual obligations. The criteria we use to determine retention periods include the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing and applicable legal requirements.
Indicative retention principles
- Account data is retained for the duration of the customer relationship and for a reasonable period thereafter.
- Conversation and interaction data processed on behalf of customers is retained in accordance with the customer’s configuration and instructions, subject to applicable law.
- Usage, device and log data is retained for the period necessary to operate, secure and analyze the Services.
- Records relating to legal, tax and accounting obligations are retained for the periods required by applicable law.
When personal data is no longer required, it is deleted, anonymized or otherwise rendered no longer associated with an identifiable individual, in accordance with our internal procedures.
Security
We maintain a written information security program that includes technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. These measures include, among others:
- Encryption of personal data in transit and, where appropriate, at rest;
- Role-based access controls and authentication for systems that process personal data;
- Logging, monitoring and alerting on access to production systems;
- Periodic risk assessments and review of security controls;
- Personnel training on data protection and information security;
- A documented incident response process, including notification procedures required by applicable law.
Notwithstanding these measures, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Privacy rights
Subject to applicable law and to verification of identity, individuals may have rights with respect to their personal data. The specific rights available depend on the law of the relevant jurisdiction. Region-specific notices are set out in Section 14.
Submitting a request
Requests to exercise privacy rights may be submitted using the channels described in Section 17. Where KleonoxAI acts as a processor, end users should direct their requests to the relevant customer, which is the controller of the personal data; we will assist customers, as required, in responding to such requests.
Authorized agents
Where permitted by applicable law, an authorized agent may submit a request on behalf of an individual. We may require evidence of the agent’s authority and verification of the individual’s identity before processing the request.
Region-specific notices
European Economic Area, including Greece
Individuals located in the European Economic Area, including Greece, may exercise the following rights under the GDPR, subject to the conditions set out in that Regulation:
- Right of access: obtain confirmation that we process your personal data and request a copy of it.
- Right to rectification: request correction of inaccurate or incomplete personal data.
- Right to erasure: request deletion of your personal data where one of the grounds in the GDPR applies.
- Right to restriction of processing: request that we limit the processing of your personal data in defined circumstances.
- Right to data portability: receive personal data you provided to us in a structured, commonly used, machine-readable format.
- Right to object: object to processing carried out on the basis of legitimate interests, including profiling, and to direct marketing at any time.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
- Right to lodge a complaint: lodge a complaint with a competent supervisory authority. In Greece, this is the Hellenic Data Protection Authority (HDPA).
United Kingdom
Individuals located in the United Kingdom may exercise the following rights under the UK GDPR and the Data Protection Act 2018, subject to the conditions set out in those laws:
- Right to be informed: receive clear information about how your personal data is used.
- Right of access: obtain a copy of your personal data and supplementary information.
- Right to rectification: have inaccurate personal data corrected and incomplete data completed.
- Right to erasure: request deletion of your personal data where the UK GDPR conditions are met.
- Right to restrict processing: request that we limit the processing of your personal data in defined circumstances.
- Right to data portability: receive personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object: object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Rights related to automated decision-making: be protected against decisions based solely on automated processing that produce legal or similarly significant effects.
- Right to complain to the ICO: lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
United States
Residents of certain U.S. states may have privacy rights under applicable state law. The availability and scope of these rights vary by state and depend on the relevant statutory thresholds.
Where applicable, these rights may include:
- Right to know what categories of personal information we have collected and how we use and disclose it
- Right to access a copy of personal information we hold about you
- Right to request correction of inaccurate personal information
- Right to request deletion of personal information, subject to legal exceptions
- Right to opt out of certain types of sharing of personal information for cross-context behavioral advertising, where applicable
- Right to non-discrimination for exercising any of these rights
KleonoxAI does not sell personal information for monetary consideration. Where applicable state law grants opt-out rights in relation to certain disclosures or uses of personal information, individuals may submit such requests using the methods described in this Policy. We do not use personal information for purposes incompatible with those disclosed at the point of collection.
References to the United States in this Policy do not imply the existence of a single federal privacy law of general application. The rights described above are conferred by individual state laws and apply only to residents of states that have enacted such laws and only to the extent the relevant statutory thresholds are met.
Automated decision-making and profiling
KleonoxAI uses automated systems to process prompts, retrieve relevant content, generate assistant responses, and support analytics within the Mentoros platform. These processes may involve automated evaluation of content relevance, usage patterns, and system behavior.
KleonoxAI does not intentionally make solely automated decisions that produce legal effects or similarly significant effects on individuals in the ordinary course of providing the Services, unless such processing is explicitly configured by a customer and permitted under applicable law.
Where applicable law grants rights relating to automated decision-making or profiling, individuals may contact us or, where we act as a processor, the relevant customer.
Children’s privacy
The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children where doing so is prohibited by applicable law. If we become aware that we have collected personal data from a child without appropriate authorization, we will take reasonable steps to delete that personal data.
Customers that deploy Mentoros in contexts directed to children are responsible for compliance with applicable children’s privacy laws, including, where applicable, the U.S. Children’s Online Privacy Protection Act.
Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, applicable law or for other operational, legal or regulatory reasons. When we make material changes, we will update the “Last updated” date at the top of this Policy and, where appropriate, provide additional notice (for example, by email or through the Services). We encourage individuals to review this Policy periodically.
Contact
Questions about this Policy, requests to exercise privacy rights and other privacy-related enquiries may be directed to KleonoxAI using the channels below. We will respond within the period required by applicable law.
- Controller: KleonoxAI, Athens, Greece
- Privacy enquiries: privacy@kleonoxai.com
- Privacy rights requests: submit a request through our contact form selecting “Privacy” as the subject, or by writing to the address above.
- Data Processing Agreement: customers may request a Data Processing Agreement through their account contact or by writing to the privacy address above.
- Subprocessor information: current subprocessor information may be requested through the privacy contact above.
Individuals in the EEA, the United Kingdom or other jurisdictions also have the right to lodge a complaint with their competent data protection authority.