Klovi (klovi.ai) is operated by OFF Creations, LLC, a Nevada limited liability company based in Las Vegas, NV. This policy explains what data we collect, why we collect it, how we protect it, and your rights regarding that data.
1. Information We Collect
Account information (via LinkedIn OAuth)
When you sign in with LinkedIn, we receive and store:
Your name, email address, and profile picture URL
Your LinkedIn access token (used to publish posts on your behalf)
A unique LinkedIn identifier
We do not access your LinkedIn connections, messages, or any data beyond what is needed to create and publish posts.
Content you upload
Photos are sent directly to our AI service for analysis and are not stored on our servers after generation completes.
Videos are temporarily staged in encrypted cloud storage (Supabase) to transfer them to LinkedIn, then deleted automatically.
Profile preferences
If you set up a voice profile ("My Voice"), we store your job title, industry, audience description, post topics, and writing style notes to personalize your generated posts.
Payment information
Payments are processed by Stripe. We do not store your credit card number. We store only your Stripe customer ID and subscription status.
Usage data
We track the number of posts generated per account for billing purposes. We do not use third-party analytics trackers, advertising pixels, or cookie-based tracking.
2. How We Use Your Data
To generate posts: Your photos, videos, and context are sent to Anthropic's Claude AI to generate LinkedIn post text.
To publish posts: Your LinkedIn access token is used to publish content to your LinkedIn profile via LinkedIn's official API.
To personalize content: Your voice profile preferences are included in the AI prompt to match your writing style.
To manage your subscription: Your Stripe customer ID is used to check plan status and process payments.
3. How We Protect Your Data
LinkedIn tokens are encrypted at rest using AES-256-GCM with a unique initialization vector per encryption. They are decrypted only at the moment of use and never logged.
Session cookies are HMAC-signed, httpOnly, and use the Secure flag in production. We use constant-time comparison to prevent timing attacks.
All traffic is served over HTTPS. API routes are protected with CORS restrictions and rate limiting.
Videos uploaded for processing are stored temporarily in a private Supabase Storage bucket and deleted after transfer to LinkedIn.
4. Third-Party Services
Klovi uses the following third-party services, each with their own privacy policies:
Anthropic (Claude AI) — processes your photos, videos, and text to generate posts. Anthropic Privacy Policy
Your account data is retained for as long as your account exists.
Uploaded photos are not stored after post generation completes.
Uploaded videos are deleted from staging storage after transfer to LinkedIn.
Generated post text is not stored by Klovi (it is returned to your browser and discarded server-side).
If you delete your account, all associated data is removed from our database.
6. Your Rights
You may request to:
Access the personal data we hold about you
Delete your account and all associated data
Revoke LinkedIn access by removing Klovi from your LinkedIn authorized apps
To make a request, email us at the address below.
7. Cookies
Klovi uses a single session cookie (klovi_session) to keep you signed in. It is:
httpOnly (not accessible to JavaScript)
Secure (only sent over HTTPS in production)
SameSite=Lax
Expires after 30 days
We do not use advertising cookies, tracking cookies, or third-party cookies.
8. Children's Privacy
Klovi is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with a revised effective date. Continued use of Klovi after changes constitutes acceptance of the updated policy.