Last updated: 10 July 2026
Privacy Policy
This policy explains what Klebby collects, why it is used, who helps process it, and how you can exercise your rights.
1. Controller and contact
The data controller for Klebby is Emanuel Jose Vargas Luis (ENI, Portugal), Avenida do Atlantico 16, 14º, Escritorio 8, 1990-019 Lisboa, NIF PT233800263. For privacy requests, email privacy@klebby.com.
Klebby is for users aged 16 or older.
2. Data we process
We process account email and profile data, hashed passwords, server-side sessions, notes, tags, comments, board layout and sharing graph, invitee email addresses, notification preferences, push tokens, IP address, device/browser and basic log data, authentication, password-reset and email-verification tokens, subscription entitlement references, security logs, and support emails.
Payment card details are handled by Paddle. Klebby does not store card numbers. We store the subscription/customer references needed to unlock Pro and handle support, plus billing and tax metadata received from Paddle such as country for VAT and invoice references.
3. Why we use data
We use data to create and secure your account, provide the board, sync, sharing, comments, reminders, notifications, export, deletion, subscriptions, customer support, fraud prevention, abuse prevention, and service reliability.
4. Legal bases
The purposes above use these legal bases: contract covers account, app features, sync, sharing, support, subscriptions, cancellation, and withdrawal handling; legitimate interests cover security, abuse and fraud prevention, debugging, and reliability; consent covers push notifications and optional communications; legal obligation covers tax, accounting, consumer-law, and rights-request records.
- Contract: account, app features, sync, sharing, support, subscriptions, cancellation, and withdrawal handling.
- Legitimate interests: security, abuse and fraud prevention, debugging, reliability, and understanding whether the service works, balanced against your rights.
- Consent: push notifications and optional communications that require consent. You may withdraw consent at any time.
- Legal obligation: tax, accounting, consumer-law, security, and rights-request records where the law requires retention.
5. Sharing, providers, and recipients
Content is shared with other users only when you choose to share a tag or accept shared access. Those users may see the notes and comments covered by the share.
Klebby currently uses alwaysdata in France for EU hosting and transactional email through alwaysdata SMTP, Paddle as merchant of record for web payments, and Google Firebase Cloud Messaging (FCM) for Android push delivery.
6. International transfers
alwaysdata hosts in the EU. Paddle and Google FCM may process some data outside the EEA. Where that happens, Klebby relies on appropriate safeguards such as adequacy decisions, standard contractual clauses, and the providers' published transfer safeguards.
7. Cookies and checkout
Klebby uses essential cookies only, such as secure session cookies and preferences needed to run the service. We do not use advertising cookies on the marketing site.
Klebby collects only anonymous, cookieless aggregate usage statistics as daily event counters, with no personal data, cookies, or device identifiers.
If you open Paddle checkout, Paddle may set cookies or similar technologies necessary for checkout, fraud prevention, tax, and payment processing under Paddle's own terms and privacy notices.
8. Retention
Account and content data is kept while your account is active. Soft-deleted notes and related sync records are purged after the 30-day sync-retention window. On account deletion, personal data is anonymized or removed while shared-note and comment substance that co-members still depend on is preserved.
Sessions expire and are deleted after their lifetime. Push tokens are kept until removed, invalid, or the account is deleted. Security logs are kept up to 12 months. Support emails are kept up to 24 months. Subscription and tax records are kept for the statutory accounting period, up to 10 years under Portuguese tax law, as required.
9. Your rights and complaints
Depending on your situation, you can request access, export, correction, erasure, portability, restriction, objection, and withdrawal of consent. Email privacy@klebby.com to exercise these rights. We may need to verify your account before acting on a request.
You also have the right to complain to CNPD, the Portuguese data protection authority, at https://www.cnpd.pt/.
10. Security and changes
Passwords are hashed with Node's built-in crypto.scrypt. Sessions are stored server-side and sent in httpOnly, Secure, SameSite cookies. We use parameterized SQL, access checks for shared data, and EU hosting through alwaysdata.
We may update this policy when Klebby, law, or processors change. The page will show the current last-updated date.