Klaviyo Privacy Notice (October 10, 2023)


Updated October 10, 2023

Thank you for your interest in Klaviyo! This Privacy Notice explains how information about you, that directly identifies you, or that makes you identifiable (“personal information”) is collected, used, disclosed, and otherwise processed by Klaviyo in connection with our services. 

When we use the terms “Klaviyo”, “Klaviyo Group”, “we”, “us”, or “our” in this Privacy Notice, we are referring to Klaviyo, Inc. and its affiliates. When we use the term “Service,” we are referring to all of the services and product offerings that we offer as a controller, our website https://www.klaviyo.com/ or any other Klaviyo Group product or service that posts or links to this Privacy Notice.

Klaviyo as a Data Controller: For purposes of data protection laws, Klaviyo is the “data controller” (or similar term under applicable laws) and is generally responsible for and controls the processing of your personal information collected through your use of our Service. This Privacy Notice applies only to instances where Klaviyo acts as a data controller.

Klaviyo as a Data Processor:  In providing our Service, our customers may collect data in our products and services, or we may collect data on their behalf, which may include personal information or data about our customers’ end users (“Customer Data”). In such instances, Klaviyo acts as a “data processor” (or similar term under applicable laws), and we have contractually committed ourselves to process Customer Data on behalf and under the instruction of the respective customer, who is the data controller. This Privacy Notice does not apply to the processing of Customer Data and we recommend you read the privacy notice of the respective customer if their processing concerns your personal information.

Table of Contents

  1. How We Collect Your Personal Information
  2. How We Use Your Personal Information
  3. How We Share Personal Information
  4. Online Advertising
  5. Control Over Your Information
  6. Privacy Rights
  7. Children
  8. Third Party Websites and Services
  9. Changes to Privacy Notice
  10. Contact Us
  11. Region-Specific Disclosures
  12. EU-US DATA PRIVACY FRAMEWORK (“DPF”), UK EXTENSION TO THE EU-US DPF, AND THE SWISS-US DATA PRIVACY FRAMEWORK PRINCIPLES
  13. EU, Swiss, and UK Representative


1. HOW WE COLLECT YOUR PERSONAL INFORMATION

When you interact with us, we are collecting personal information about you. Sometimes we collect personal information automatically when you interact with our Services and sometimes we collect the personal information directly from you. At times, we may collect personal information about you from third parties.

Personal Information You Provide

We may collect the following personal information you provide in connection with our Service:

  • Account Creation and Profile Information for a Klaviyo Account. We may collect personal information that you provide when you register for an account (where available). This information includes your email and password, company name, company URL, office phone number and office address. You may also add or confirm your name, company industry, tax ID, billing address, time zone and source of contact/lead.
  • Contract Data. If your company enters into a contractual relationship with us, we may collect your name, job title, email address, signature (if wet signed or a copy of their autograph is used), customer name and address, and information about how you heard about us.
  • Payment and Transaction Information. If you sign up for one of our Services requiring payment, we collect the information provided in connection with such payment. Please note that we use third party payment processors to process payments made to us. As such, all such information is provided directly by you to our third-party processor. The payment processor’s use of your personal information is governed by their privacy notice. We will only receive the last 4 digits of the credit card number along with transaction-related information (i.e., payment date, amount, device type, IP address and card type). If custom billing is arranged, the account contact’s name, email, job title, company and address may be collected as well.
  • Communications. When you contact us through any method of communications, including through one of our website “Contact Us”, “Chat” or “Support” functions or you request a demo of the Klaviyo platform, we may collect your name, email address, mailing address, phone number, company/company URL, account ID, type of inquiry, or any other personal information you choose to provide to us, such as how many contacts you have/your company has, which products interest you, what platform is currently being used, and meeting dates and times.
  • Newsletter, Marketing Emails, and Blog. If you sign up to receive news or alerts from us, or subscribe to our blog, we may collect your email and applicable interests and communication preferences.
  • Klaviyo Academy. If you sign up for training sessions via the Klaviyo Academy, we ask for your user’s name, email, and password. You may add a profile picture. When using the platform, a user’s history on registrations, courses taken, scores, and product certifications, survey responses and lead status as well as unique identifier are captured.
  • Klaviyo Community. If you wish to participate in the Klaviyo network with other account holders and find resources, insights and further support from other users, you may participate in the Klaviyo Community. In this case we may collect the following data: your account credentials, your Klaviyo account ID, email address and partner ID. Your account will also show classifications based on your involvement in the Community and badges based on your involvement/accomplishment (both of which can be managed in the profile settings to be visible or not visible to other users of the Community) as well as all content you share via the Community function. Moreover, you may add your name, username, job title, city, country, profile picture, social media (Instagram and Twitter), and bio/signature details that may be visible to the other users of the Community.
  • Klaviyo Partner. If you apply to be a Klaviyo partner, we may collect personal information that you provide when you sign up (where available). This information includes your name, email, title, business phone number, company name, company URL and office address.
  • Events, Surveys, Feedback and Promotions (including Contests, Sweepstakes, Webinars, and Training Sessions). If you fill out any forms or otherwise provide your information to us in connection with Klaviyo events, surveys, or other promotional events (including contests, sweepstakes, webinars, and trainings), as well as when you provide feedback to us, we may collect your contact information (such as your name, email, and phone number), your organization or company, your job title, the office address and any other information you provide to us.

Personal Information Automatically Collected

As is true of most digital platforms, we and our third-party providers and partners collect certain personal information automatically when you visit, interact with, or use our Service:

  • Log Data:  Including your internet protocol (IP) address, operating system, browser details such as type, ID, and configuration, unique identifiers, local and language settings; session logging, heatmaps and scrolls; screen resolution, ISP, device type and version, the referring URL, date/time of your visit, the time you spent on our services and any errors that may occur during your visit to our Services.
  • Analytics Data:  Including the electronic path you take to our services, through our services and when exiting our services, UTM source, as well as your usage and activity on our services, such as the time zone, activity information (first and last active date and time), usage history (flows created, campaigns scheduled, emails opened, total log-ins) as well as the pages, links, objects, products and benefits you view, click or otherwise interact with. We may also analyze the interaction between you and your customer using our Services.  
  • Digital Behavioral Data: Web page interactions (clicks, hovers, focus, mouse movements, browsing, zooms and other interactions), referring web page/source through which you accessed the Sites, and statistics associated with the interaction between device or browser and the Sites.
  • Location Data:  Including your general geographic location based on the IP address we collect.
  • Platform data: If you have an account to use the services we offer as a processor, we may in addition also collect your name, phone number, email address, company information, status in the sales cycle, lead and commercial details (like platform specifics, initial marketing channel), and user and account ID and other identifiers (such as Salesforce ID and Klaviyo ID), NPS/account sentiments, Klaviyo Academy user profile/history data, account health status, event attendance, status as lead/account, integrations.

We and our third-party providers may use (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”) to automatically collect this personal information. For more information about these practices and your choices regarding cookies, please see our Cookie Notice.

Personal Information from Other Sources and Third Parties

We may also obtain personal information from third parties, which we may combine with personal information we collect either automatically or directly from an individual.

We may receive personal information from the following third parties:

  • Klaviyo Entities: We may receive personal information from other companies and brands owned or controlled by Klaviyo Group, and other companies owned by or under common ownership as Klaviyo Group. 
  • Klaviyo Business and Marketing Partners. We may also disclose personal information with other business and marketing partners with whom we jointly offer products or services, co-market or host events, or who are part of our partner ecosystem. The information we disclose may include your name, phone number, email address, company name and address, opportunity/interest details of your company, and information on whether your company is a current client of our partner.
  • Social Media: When an individual interacts with us through various social media networks, such as when someone “Likes” us on Facebook or follows us or shares our content on Facebook, Twitter, Instagram or other social networks through, for example, the social media buttons embedded into our website, we may receive some information about individuals that they permit the social network to share with third parties. The data we receive is dependent upon an individual’s privacy settings with the social network. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services.
  • Service Providers: Our service providers that perform services solely on our behalf, such as chat services, payout processing, and marketing providers, collect personal information and often share some or all of this information with us.

2.  HOW WE USE YOUR PERSONAL INFORMATION

We may use the personal information we collect for the following purposes: 

  • Fulfill our contractual obligations, to deliver the Services you have requested, including facilitating your messages to other users or groups and for account and contract management (including customer support);
  • Communicate with individuals, including via email, text message, social media and/or telephone and video calls;
  • Review our business performance;
  • Market and sell our Services to individuals, including through email, direct mail, phone, video call, text message, or through other forms of communications platforms (i.e., WhatsApp);
  • Send gifts to you;
  • Administer, improve and personalize our Services, including by recognizing an individual and remembering their information when they return to our Services and analyzing our client-base;
  • Process payment for our Services;
  • Conduct market research;
  • Opportunity tracking, conversion and lead generation; 
  • Test, enhance, update and monitor the Services, or diagnose or fix technology problems;
  • Help maintain the safety, security and integrity of our property and Services, technology assets and business;
  • Enforce our Terms of Service, resolve disputes, carry out our obligations and enforce our rights, and protect our business interests and the interests and rights of third parties;
  • Prevent, investigate or provide notice of fraud or unlawful or criminal activity;
  • Process and deliver contest and sweepstakes entry and awards; and
  • Comply with legal obligations.

3. HOW WE SHARE PERSONAL INFORMATION

We may also share, transmit, disclose, grant access to, make available, and provide personal information with and to third parties, as described below. 

  • Service Providers: We share personal information with third party contractors and service providers, that are subject to reasonable confidentiality terms, and which may include processing payments, providing web hosting and maintenance services, technology support providers, email and messaging communications providers, analytics providers, data storage providers, and web and video hosting providers and developers. Any such service providers will be subject to confidentiality provisions, and be bound to only process the data on our behalf and under our instructions, unless such service providers act as their own controllers (e.g., in the case we seek advice from lawyers and tax consultants).
  • Klaviyo Group: We may share with other companies and brands owned or controlled by Klaviyo Group, and other companies owned by or under common ownership as Klaviyo Group. These companies will use your personal information in the same way as we can under this Privacy Notice.
  • Business and Marketing Partners: We may also disclose personal information with other business and marketing partners with whom we jointly offer products or services, co-market or host events, or who are part of our partner ecosystem. We may obtain your consent where required by applicable law. Our business and marketing partners will use your information in accordance with their own privacy notices. 
  • Advertising Partners: We may share certain personal information (including information collected through cookies) with our advertising service providers and vendors in order to advertise our Services to you. For more information on how we collect and share this information, please see the Online Advertising section of this Privacy Notice.
  • Corporate Transaction: We may transfer any information we collect in the event we sell or transfer all or a portion of our business or assets (including any shares in the company) or any portion or combination of our products, services, businesses and/or assets. Should such a transaction occur (whether a divestiture, merger, acquisition, bankruptcy, dissolution, reorganization, liquidation, change of control or similar transaction or proceeding), we will use reasonable efforts to ensure that any transferred information is treated in a manner consistent with this Privacy Notice.
  • Legal Obligations and Rights: We may disclose personal information to third parties, such as legal advisors and law enforcement agencies, regulators, other authorities and other third parties for legal reasons if we reasonably believe that such action is necessary:
    • in connection with the establishment, exercise, or defense of legal claims; 
    • to comply with laws or to respond to lawful requests and legal process; 
    • to protect our rights and property and the rights, personal safety and property of others, including to enforce our agreements and policies;
    • to detect, suppress, or prevent fraud; or
    • as otherwise required by applicable law.
  • The Public/Other Klaviyo Community users, when you post content on the Klaviyo Community portion of the website: Remember, our websites allow you to connect and interact with others. In that case, your personal data may be visible to others as set out above under “Klaviyo Community”.
  • With Your Consent: We may disclose personal information about an individual to certain other third parties or publicly with their consent or direction. For example, with an individual’s consent or direction we may post their testimonial on our website or service-related publications. 

4. ONLINE ADVERTISING

We may share (or we may permit these parties to collect) personal information with online advertising networks, social media companies, and other third-party services, including information about your use of our Service over time, so that they may play or display ads that may be relevant to your interests on other websites or apps, or on other devices you may use. Typically, though not always, the information we share is provided through cookies or similar tracking technologies, which recognize the device you are using and collect information, including hashed data, clickstream information, browser type, time and date you visited the website and other information. This information is used to display targeted ads on other websites, apps, or services. We or the online advertising networks use this information to make the advertisements you see online more relevant to your interests. We may also display targeted advertising to you through social media platforms, such as LinkedIn, Facebook, Twitter, Google, and others. These companies have interest-based advertising programs that allow us to direct advertisements to users who have shown interest in our services while those users are on the social media platform, or to groups of other users who share similar traits, such as likely commercial interests and demographics. These advertisements are governed by the privacy policies of those social media companies that provide them. For more information on our online practices specifically in relation to cookies, please see our Cookie Notice.

5. CONTROL OVER YOUR INFORMATION

  • Email Communications. From time to time, we may send you emails regarding updates to our Services, products or services, notices about our organization, or information about products/services we offer that we think may be of interest to you. If you wish to unsubscribe from such emails, simply click the “unsubscribe link” provided at the bottom of the email communication. Note that you cannot unsubscribe from certain services-related communications (e.g., account verification, confirmations of transactions, technical or legal notices).
  • Messaging Platforms. We may use personal information we collect to communicate with individuals via messaging platforms (such as WhatsApp), including to market to you or offer you information and updates on products or services we think you may be interested in. You can unsubscribe from these messages at any time by replying STOP in one of our messages.
  • SMS Text Messaging. We may use personal information we collect to communicate with individuals via text message, including (with your consent) to market to you or offer you information and updates on products or services we think you may be interested in. You can unsubscribe from marketing text messages at any time by replying STOP or clicking the unsubscribe link (where available) in one of our messages. For more information, please see our Terms of Service.
  • Modifying Account Information. If you have a Klaviyo service account with us, you have the ability to modify certain information in your account (e.g., your contact information and profile picture) through the “Contact Information” tab in the “Account” section in your Klaviyo account. Not all personal information is maintained in a format that you can access or change. If you would like to request access to, or correction or deletion of personal information, you may send your request to us by messaging support in the support portal through your Klaviyo account. We will review your request and may require you to provide additional information to identify yourself, but we do not promise that we will be able to satisfy your request.

6. PRIVACY RIGHTS

In accordance with applicable privacy law and the jurisdiction in which you reside (including, without limitation, Colorado, Connecticut, Utah, and Virginia), you may be able to exercise some or all of the following rights in relation to the personal information about you that we have collected (subject to certain limitations at law):

  • Right of access and portability. You may have the right to obtain access to the personal information we have collected about you and, where required by law, the right to obtain a copy of the personal information.
  • Right to correction. You may have the right to require us to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
  • Right to deletion. You may have the right to request the deletion of your personal information, subject to certain exceptions.
  • Right to opt-out. You may have the right to opt-out of certain processing activities. For example, you may have the right to opt-out of the use of your personal information for targeted advertising purposes, or the “sale” of your personal information to third parties in certain contexts. You may also have the right to direct us not to use automated decision-making or profiling for certain purposes.
  • Right to exercise control over sensitive personal information. You may have the right to exercise control over our collection and processing of certain sensitive personal information. 
  • Right to non-retaliation. You may have the right to be free from retaliatory or discriminatory treatment for exercising any of the rights described above.

To exercise your rights: please submit a request by filling out our Privacy Rights Request.

Before processing your request, we will need to verify your identity and confirm you are a resident of a jurisdiction that offers such right(s). In order to verify your identity, we will generally either require the successful authentication of your account, or the matching of sufficient information you provide us to the information we maintain about you in our systems. This process may require us to request additional personal information from you. In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.

To exercise your right to opt-out: please submit a request, as follows: 

To opt out of targeted advertising (cookies opt-out), please use our Cookie Management Tool.

To opt out of data “sales”, please submit a request by filling out our Privacy Rights Request.

Unless you have exercised your right to opt-out, we may disclose or “sell” your personal information to third parties for monetary or other valuable consideration, or use your information for all the purposes described in this Privacy Notice, including for targeted advertising. The third parties to whom we sell or disclose personal information may use such information for their own purposes in accordance with their own privacy statements. 

You do not need to create an account with us to exercise your right to opt-out. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your opt-out request. We will only use personal information provided in an opt-out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems. We may not process your request if we, in good faith, believe that the request is fraudulent. In such instances, we will send a notice to the requestor explaining our decision.

7. CHILDREN

Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If an individual is under the age of 16, they should not use our Services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 16, we will promptly delete that personal information.

8. THIRD PARTY WEBSITES AND SERVICES

The Services may contain integrations or links to third party websites or services, including those of our business partners. By interacting with these third parties, you are providing information directly to the third party and not Klaviyo. Please note that Klaviyo is not responsible for the privacy practices of these third parties or any entity that it does not own or control. We encourage you to review the privacy notices and online terms of those third parties to learn more about how they handle your personal information.

9. CHANGES TO PRIVACY NOTICE

We reserve the right to change this Privacy Notice from time to time in our sole discretion. We will notify you about material changes in the way we treat personal information by adequately informing you via your account, by placing a prominent notice on our website, or through other appropriate communication channels. It is your responsibility to review this Privacy Notice periodically. All changes shall be effective from the date of publication unless otherwise provided.

10. CONTACT US

If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please send an email to privacy@klaviyo.com

11. REGION-SPECIFIC DISCLOSURES

This Privacy Notice is designed to apply to our website visitors, users of our Service, and other companies and users on a global basis. Please refer below for additional disclosures that may be applicable to you:

ADDITIONAL DISCLOSURES FOR AUSTRALIA RESIDENTS

These additional disclosures for Australian residents (“Australian Disclosures”) supplement the information contained in our Privacy Notice and apply solely to individuals in Australia (“you”).

These Australian Disclosures provide additional information about how we collect, use, disclose and otherwise process personal information of individuals in Australia, either online or offline, within the scope of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”) found in Schedule 1 of the Privacy Act.

Unless otherwise expressly stated, all terms in these Australian Disclosures have the same meaning as defined in our Privacy Notice or as otherwise defined in the Privacy Act.  

When we use the term “personal information” in this Australian Disclosures notice, we mean information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion:

  • is true or not; and
  • is recorded in a material form or not.

A. HOW WE COLLECT YOUR PERSONAL INFORMATION

The various ways in which your personal information is collected are described in Section 1 of our Privacy Notice. We may also collect your personal information if we record any phone calls or video calls (with your permission) between you and Klaviyo.

B. OVERSEAS TRANSFERS OF YOUR PERSONAL INFORMATION

Your personal information may be transferred to and stored in locations outside Australia where we and our third-party service providers have operations, including in the United States, where Klaviyo, Inc. is located, and the United Kingdom.

In the event of a transfer by Klaviyo to a location outside Australia, we ensure that: (i) personal information is transferred to countries recognised as having an equivalent level of privacy protection to Australia; or (ii) the transfer is made pursuant to appropriate safeguards, such as contractual obligations. 

C. STORING YOUR PERSONAL INFORMATION

We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, change or damage. All personal information we collect will be stored by our cloud hosting provider on secure servers. 

We will never send you unsolicited emails or contact you by phone requesting credit or debit card information.

D. YOUR PRIVACY RIGHTS

You have various rights under the APPs.

Right to access and request

You have the right to request access to and/or the correction of your personal information held by Klaviyo. You can exercise these rights by contacting our Privacy Officer at privacy@klaviyo.com.  

We will respond to your request within a reasonable time. If your request is refused, you will be provided with written reasons for the refusal and information about the mechanisms you can use to complain about the refusal. 

Right to complain

You also have a right to make a privacy complaint to our Privacy Officer at privacy@klaviyo.com

Our Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. Our Privacy Officer will endeavour to complete the investigation into your complaint promptly. You may be asked to provide further information about your complaint and the outcome you are seeking. Our Privacy Officer will then typically gather relevant facts, locate, and review relevant documents, and speak with individuals involved.

In most cases, our Privacy Officer will investigate and provide a written response to your complaint within 30 days of receipt of the complaint. If the matter is more complex or the investigation may take longer, our Privacy Officer will let you know.

If you are not satisfied with Klaviyo’s response to your complaint, a complaint may be made to the Office of the Australian Information Commissioner (“OAIC”). The OAIC can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

ADDITIONAL DISCLOSURES FOR CALIFORNIA RESIDENTS (UNITED STATES)

These additional disclosures for California residents (“CA Disclosures”) supplement the information contained in our Privacy Notice and apply solely to individual residents of the State of California (“consumers” or “you”). 

These CA Disclosures provide additional information about how we collect, use, disclose and otherwise process personal information of individual residents of the State of California, either online or offline, within the scope of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”).

Unless otherwise expressly stated, all terms in these CA Disclosures have the same meaning as defined in our Privacy Notice or as otherwise defined in the CCPA.  

When we use the term “personal information” in this CA Notice, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

A. COLLECTION AND USE OF PERSONAL INFORMATION

We collect personal information from and about you for a variety of purposes, as described in the How We Collect Your Personal Information and How We Use Your Personal Information sections of the Privacy Notice.

Categories of Personal Information Collected. In the last 12 months, we have collected the following categories of personal information:

  • Identifiers, such as your first, middle and last name, email address, username, or other similar identifiers;
  • CA Customer Categories, such as your name, phone number, and postal address; 
  • Commercial Information, such as records of services purchased, obtained or considered;
  • Internet/Network Information, such as device information, logs and analytics data;
  • Geolocation Data, such as approximate location data generated based on your IP address or other information;
  • Sensory Information, such as recordings of any phone calls or video calls (with your permission, as applicable) between you and Klaviyo;
  • Professional/Employment Information, such as the business or organization you represent, your title with that business or organization and information relating to your role with the business or organization, job application information and other details contained in your resume;
  • Inferences about your interests and preferences, generated from your use of our sites; and
  • Other Personal Information, including information you submit into the feedback form and any communications between you and Klaviyo, as well as information we receive from social networking sites.

We collect this information from the following sources: directly from you, from our business partners and affiliates, from your browser or device when you visit our App or use our Services, or from third parties that you permit to share information with us. Please see the How We Collect Your Personal Information section of the Privacy Notice for more information about the sources of personal information we collect.

B. DISCLOSURE OF PERSONAL INFORMATION

We share personal information with third parties for business purposes. The categories of third parties to whom we disclose your personal information for a business purpose include: (i) other brands and affiliates in our family of companies; (ii) our service providers and advisors; (iii) analytics providers; (iv) marketing and strategic partners; and (v) social networks. 

In the previous 12 months, we have disclosed all of the categories of personal information we collect, explained in the Collection and Use of Personal Information section of these CA Disclosures, to third parties for a business purpose, as described in the How We Share Your Personal Information section of the Privacy Notice.

C. SALE OF PERSONAL INFORMATION 

As further described in the How We Share Your Personal Information section of the Privacy Notice, we may “sell” or “share” your personal information (as those terms are defined by the CCPA) to third parties, subject to your right to opt out of those sales or sharing (see Exercise Your Right to Opt-Out below). 

In the last 12 months, we have sold or shared the following categories of personal information for the purposes described in our Privacy Notice, subject to your settings and preferences and your Right to Opt-Out: Identifiers, such as your name and email address, CA Customer Categories, such as your name and phone number, and Commercial Information, such as records of services purchased, obtained or considered.

The categories of third parties to whom we may sell or share the personal information include: 

  • Business and Marketing Partners
  • Online Advertising Networks and Analytics Providers
  • Social Networks

We may also disclose personal information to third parties at your direction or upon your request, in connection with a corporate business transaction, or to comply with legal or contractual obligations, as described in our Privacy Notice.

D. YOUR CALIFORNIA PRIVACY RIGHTS

As a California resident, you may be able to exercise the following rights in relation to the personal information that we have collected about you (subject to certain limitations at law):

The Right to Access/Know
  

You have the right to request any or all of the following information relating to your personal information we have collected and disclosed in the last 12 months, upon verification of your identity:
  • The specific pieces of personal information we have collected about you;
  • The categories of personal information we have collected about you;
  • The categories of sources of the personal information;
  • The categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
  • The categories of personal information we have sold about you (if any), and the categories of third parties to whom the information was sold; and
  • The business or commercial purposes for collecting or, if applicable, selling the personal information.
 
The Right to Request Deletion
 
You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.
 
The Right to Correction
 
You have the right to request that any inaccuracies in your personal information be corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.
 
The Right to Opt-Out of Sales or Sharing of Personal Information
 
You have the right to direct us not to “sell” your personal information to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes.
If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales.
 
The Right to Limit Use and Disclosure of Personal Information
 
You have the right to direct us to limit the use of your sensitive personal information to certain purposes, subject to certain exceptions.
 
The Right to Control Over Automated Decision-Making / Profiling
 
You have the right to direct us not to use automated decision-making or profiling for certain purposes.
 
The Right to Non-Retaliation
 
You have the right not to receive retaliatory or discriminatory treatment for exercising these rights.
However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you our products and services or engage with you in the same manner.
 
“Shine the Light”
 
California residents that have an established business relationship with us have rights to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law, or the right to opt out of such practices (Civ. Code §1798.83).
 

 

E. HOW TO EXERCISE YOUR CALIFORNIA PRIVACY RIGHTS
Exercise Your Right to Access, Right to Know, Right to Correction, and Right to Deletion 

To exercise your Right to Access, Right to Know, Right to Correction, or your Right to Deletion: please submit a request by filling out our Privacy Rights Request.

Before processing your request, we will need to verify your identity and confirm you are a resident of the State of California. In order to verify your identity, we will generally either require the successful authentication of your account, or the matching of sufficient information you provide us to the information we maintain about you in our systems. This process may require us to request additional personal information from you, including, but not limited to, your email address, phone number, and/or date of last transaction on our Services.

In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.

Exercise Your Right to Opt-Out of Personal Information Sales or Sharing for Targeted Advertising 

Unless you have exercised your Right to Opt-Out, we may disclose or “sell” your personal information to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy policies. 

You do not need to create an account with us to exercise your Right to Opt-Out. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your opt-out request. We will only use personal information provided in an opt-out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems.

To exercise the Right to Opt-Out of personal information “sales,” you may submit a request by clicking the link below:

DO NOT SELL MY PERSONAL INFORMATION

Additionally, as is common practice among companies that operate online, we permit third party advertising networks, social media companies and other third party businesses to collect and disclose your personal information (including preferences, geolocation, commercial information and internet, network and device information) directly from your browser or device through cookies or tracking technologies when you visit or interact with our websites, use our apps or otherwise engage with us. These third parties use this information for the purposes of serving ads that are more relevant, for ad campaign measurement and analytics, and for fraud detection and reporting and may sell or share that information to other businesses for advertising and other purposes. To learn more about how third parties collect information through tracking technologies and what other choices you may have in relation to those activities, please see our Cookie Notice.

To exercise the Right to Opt-Out of the sharing of your personal information for cross-context behavioral advertising purposes (targeted advertising), you may submit a request by clicking the link below to be added to our suppression list:

Authorized Agents

In certain circumstances, you may permit an authorized agent to submit requests to exercise your California Privacy Rights on your behalf. The authorized agent must provide a letter signed by you confirming the agent has permission to submit a request on your behalf or must provide sufficient evidence to show that the authorized agent has been lawfully vested with power of attorney. 

For security purposes, we may need to verify your identity and confirm directly with you that you have provided the authorized agent permission to submit the request, and it may take additional time to fulfil agent-submitted requests. We may deny a request in the event we are not able to verify the authorized agent’s authority to act on your behalf. Please note that for privacy and security reasons, we will direct future communications to the data subject on whose behalf the request was made.

“Shine the Light” Disclosures 

The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. To opt out of this type of sharing, please submit a request by filling out our Privacy Rights Request.

Notice of Financial Incentives

In addition, we may offer you financial incentives for the collection, sale, retention, and use of your personal information as permitted by the CCPA that can, without limitation, result in reasonably different prices, rates, or quality levels. The material aspects of any financial incentive will be explained and described in its program terms. Please note that participating in incentive programs is entirely optional, you will have to affirmatively opt-in to the program and you can opt-out of each program (i.e., terminate participation and forgo the ongoing incentives) prospectively by following the instructions in the applicable program description and terms. We may add or change incentive programs, and/or their terms by posting notice on the program descriptions and terms linked to above, so check them regularly.

Each financial incentive or price or service difference related to the collection and use of personal information is based upon our reasonable, good-faith determination of the estimated value of such information to our business, taking into consideration the value of the offer itself and the anticipated revenue generation that may be realized by rewarding brand loyalty. We calculate the value of the offer and financial incentive by using the expense related to the offer.

Minors 

We do not sell the personal information and do not have actual knowledge that we sell the personal information of minors under 16 years of age. Please contact us at privacy@klaviyo.com to inform us if you, or your minor child, are under the age of 16.

If you are under the age of 18 and you want to remove your name or comments from our website or publicly displayed content, please contact us directly at privacy@klaviyo.com. We may not be able to modify or delete your information in all circumstances.

ADDITIONAL DISCLOSURES FOR NEVADA RESIDENTS (UNITED STATES)

If you are a resident of the State of Nevada in the United States, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. To opt out of this kind of future sales, please submit a request by filling out our Privacy Rights Request.

ADDITIONAL DISCLOSURES FOR THE EUROPEAN ECONOMIC AREA, UNITED KINGDOM, AND SWITZERLAND

Klaviyo Group maintains operations in Europe and may direct our services to individuals located in the EEA, UK and Switzerland. In these instances, the following additional disclosures apply to our processing of personal data.

When we use the term “personal data” in this section, we mean information relating to an identified or identifiable natural person.

CONTROLLERS 

Klaviyo, Inc. is the controller of your personal data. 

In addition, Klaviyo Ltd is jointly responsible to process your personal data for the following reasons: perform our contractual services, as further described below. 

Regularly, we use your personal data based on the following legal grounds according to the Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 GDPR:

Perform our contractual services, including prior to entering into a contract with you: If you order Services from us or if you contact us to request our Services, we use your personal data to provide you with these Services, including for account and contract management, to facilitate user benefits and services, including customer support, and evaluate your candidacy for employment and to facilitate the onboarding process.

Justified by our legitimate interests: The usage of your personal data may also be necessary for our own business interests. For example, we may use some of your personal data to send gifts to you; market our Services to individuals; administer, improve and personalize our Services, including by recognizing an individual and remembering their information when they return to our Services and analyzing our client-base; process payment for our Services; conduct market research; opportunity tracking, conversion and lead generation; test, enhance, update and monitor the Services, or diagnose or fix technology problems; help maintain the safety, security and integrity of our property and Services, technology assets and business; enforce our Terms of Service, resolve disputes, carry out our obligations and enforce our rights, and protect our business interests and the interests and rights of third parties; and prevent, investigate or provide notice of fraud or unlawful or criminal activity.

Consent: In some cases, we may ask you to grant us separate consent to use your personal data. 

Compliance with legal obligations. We are obligated to retain certain personal data because of legal requirements, for example, tax or commercial laws, or we may be required by law enforcement to provide personal data on request.

We do not use your personal data for automated individual decision-making.

B. HOW LONG WILL WE STORE YOUR PERSONAL DATA

We will usually store the personal data we collect about you for no longer than necessary for the purposes as set above, and in accordance with our legal obligations and legitimate business interests. 

The criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:

  • Contract. Where we are processing personal data based on contract, we generally will retain your personal data for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from our contractual relationship.
  • Legitimate Interests. Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account your fundamental interests and your rights and freedoms.
  • Consent. Where we are processing personal data based on your consent, we generally will retain your personal data until you withdraw your consent, or otherwise for the period of time necessary to fulfil the underlying agreement with you or provide you with the applicable service for which we process that personal data.
  • Legal Obligation. Where we are processing personal data based on a legal obligation, we generally will retain your personal data for the period of time necessary to fulfil the legal obligation.
  • Legal Claim. We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim or intent to establish a claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

In all cases, in addition to the purposes and legal bases, we consider the amount, nature and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of your personal data.

C. MARKETING AND ADVERTISING

From time to time we may contact you with information about our services, including sending you marketing messages and asking for your feedback on our Services. Most marketing messages we send will be by email or via messaging platform. For some marketing messages, we may use personal data we collect about you to help us determine the most relevant marketing information to share with you. 

We may send you marketing messages if you have given us your consent to do so or where we have relied on the soft opt-in rule (where applicable).  If you wish to unsubscribe from such communication, please see the details set out above under “Control over Your Information”. 

D. STORING AND TRANSFERRING YOUR PERSONAL DATA

Security. We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, change or damage. All personal data we collect will be stored by our cloud hosting provider on secure servers. We will never send you unsolicited emails or contact you by phone requesting credit or debit card information.

International Transfers of your Personal data. The personal data we collect may be transferred to and stored in countries outside the EEA, UK and Switzerland in countries where we and our third-party service providers have operations, including in the United States, where Klaviyo, Inc. is located.

In the event of a transfer by Klaviyo, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as standard contractual clauses adopted by the European Commission. 

If you wish to enquire further about these safeguards used, please contact us using the details set out under the “Contact Us” section of the Privacy Notice. 

E. YOUR RIGHTS IN RESPECT OF YOUR PERSONAL DATA

In accordance with applicable privacy law, you may have the following rights in respect of your personal data that we hold:

  • Right of access. You have the right to obtain certain information about our processing of your personal data which includes:
    • confirmation of whether, and where, we are processing your personal data;
    • information about the categories of personal data we are processing, the purposes for which we process your personal data and information as to how we determine applicable retention periods;
    • information about the categories of recipients with whom we may share your personal data; and
    • a copy of the personal data we hold about you.
  • Right of portability. You have the right, in certain circumstances, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.
  • Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal data we hold about you without undue delay. 
  • Right to erasure. You have the right, in some circumstances, to require us to erase your personal data without undue delay, such as if the continued processing of that personal data is not justified. 
  • Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal data, such as where the accuracy of the personal data is contested by you.
  • Right to withdraw consent. There are certain circumstances where we require your consent to process your personal data. In these instances, and if you have provided consent, you have the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of our use of your personal data before your withdrawal. 
  • You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason at any time.

You also have the right to lodge a complaint to your local data protection authority. If you are based in the EU, information about how to contact your local data protection authority is available here. If you are based in the UK or Switzerland, your local data protection authorities are the UK Information Commissioner’s Office (https://ico.org.uk/global/contact-us/) and the Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact/address.html). 

If you wish to exercise one of these rights, please submit a request by filling out our Privacy Rights Request.

Due to the confidential nature of data processing, we may ask you to provide proof of identity when exercising the above rights.

F. COOKIES AND SIMILAR TECHNOLOGIES

Our European Services and emails use cookies and similar technologies such as pixels and Local Storage Objects (LSOs) like HTML5 (together “cookies”) to distinguish you from other users of our Services. This helps us to provide you with a good experience when you use our Services and also allows us to monitor and analyse how you use and interact with our Services so that we can continue to improve our Services. It also helps us and our partners to determine products and services that may be of interest to you. Please see our Cookie Notice for more information about these practices and your choices regarding cookies.d matters, please contact us at privacy@klaviyo.com.

12. EU-US DATA PRIVACY FRAMEWORK (“DPF”), UK EXTENSION TO THE EU-US DPF, AND THE SWISS-US DATA PRIVACY FRAMEWORK PRINCIPLES 

Klaviyo complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.  Klaviyo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Klaviyo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.    

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles, Klaviyo commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework Principles. EU, UK, and Swiss individuals with inquiries or complaints should first contact:

Privacy@klaviyo.com 

Klaviyo has further committed to refer unresolved privacy complaints under the Data Privacy Framework program to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit here for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See here

13.  EU, SWISS, AND UK REPRESENTATIVE

Klaviyo, which processes the personal data of individuals in the European Union, European Economic Area, the UK, and/or Switzerland, has appointed European Data Protection Office (EDPO) as its Data Protection Representative for the purposes of EU GDPR in the EU/EEA, UK GDPR in the UK, and the Federal Act on Data Protection (“FADP”) in Switzerland.

Klaviyo takes the protection of personal data seriously, and has appointed EDPO as their Data Protection Representative in the European Union, the UK, or Switzerland, as applicable, so that you can contact them directly.

If you want to raise a question to Klaviyo, or otherwise exercise your rights in respect of your personal data, you may do so by:

Previous versions:

June 29, 2023
December 9, 2022
December 30, 2019