Privacy FAQs

April 15, 2024

Data Storage

1. Where is Customer Data stored? Where are Klaviyo’s Servers located?

Klaviyo currently stores all Customer Data in the United States using the AWS-East-1 data center, located in Northern Virginia.

2. How long is Customer Data kept?

Each Customer has full control over the individual data and profiles that are uploaded to the Klaviyo platform, and a Customer may delete all or part of the data at any time. Without any intervention by a Customer, the data is retained by Klaviyo until the termination of the Agreement, after which it will be deleted within 90 days from the effective date of termination.

Data Centers

Does Klaviyo offer data centers in other locations where data can be stored locally (e.g., EU, UK, Canada, etc.)?

At this time, Klaviyo does not offer any data storage in jurisdictions other than the United States.

Sub-Processors

1. Do other parties have access to my data? What do 3rd parties do with my data?

In order to provide services to its Clients, Klaviyo uses 3rd party Sub-processors who have access to Client data, including Personal Data. Our Sub-processors are bound by Data Processing Agreements (DPAs) and may only use Customer Data in accordance with Klaviyo’s written instructions, which do not permit the use of personal data for the benefit of the Sub-processor or any other Customer of Klaviyo. This is the case for most software as a service (SaaS) providers. A list of our current Sub-processors and the purposes for which they process Customer Data is available here.

2. Klaviyo has entities in Australia and the United Kingdom; is my data stored there?

In order to provide Klaviyo Services, and to support our Customers in different regions around the world, our employees in Australia and the United Kingdom may need to access (but not store) your data from Australia or from the United Kingdom.

Sale/Sharing of Personal Data for Advertising Purposes

1. Does Klaviyo share its Clients’ customer data with anyone for advertising purposes?

Klaviyo DOES NOT sell OR share with third parties Personal Data / Personally Identifiable Information (PII) from our Customers’ end-consumer lists provided to the Klaviyo platform. This is set out in Appendix 6 of Klaviyo’s Data Processing Agreement, which we enter into with all of our Customers.

2. Does Klaviyo use my data for the benefit of its other Customers?

Klaviyo solely uses Personal Data of its Customers to provide the services to those Customers and not for the benefit of its other Customers. For clarity, Klaviyo may use de-identified data that does not identify a Customer or any individuals to improve the services generally.

International Data Transfers and Data Protection Framework (DPF)

1. What mechanism does Klaviyo use to transfer data to the US?

Klaviyo is a participant in the EU-U.S. Data Protection Framework (DPF) and relies on the DPF to transfer data from the EU to the US. Additionally, the UK Extension to the DPF and the Swiss-US Data Protection Framework (Swiss-US DPF) apply to transfers of Personal Data from the United Kingdom and Switzerland, respectively. For transfers that aren’t subject to the DPF, Klaviyo relies on the Standard Contractual Clauses (SCCs).

2. Is Klaviyo part of the EU-U.S. Data Protection Framework (DPF), or does it use the Standard Contractual Clauses (SCCs)?

Yes, Klaviyo is a participant in the EU-U.S. Data Protection Framework (DPF). Furthermore, Klaviyo is a participant in the UK Extension to the DPF and the Swiss-US Data Protection Framework. In the event that the DPF is not permitted for a particular transfer, or is invalidated as a transfer mechanism, the SCCs will apply as a transfer mechanism with respect to such Personal Data. The European Commission has approved these two arrangements as valid transfer mechanisms for EU Personal Data. The UK Extension to the EU-U.S. DPF and the Swiss-US DPF allow transfers of Personal Data from the UK and Switzerland, respectively.

Country-Specific Privacy Laws

Does Klaviyo comply with each country’s privacy laws?

The Klaviyo platform is designed to be fully compliant with the EU’s GDPR, which is one of the most stringent privacy laws in the world. Additionally, under our DPA, Klaviyo contractually undertakes to comply with “applicable data protection laws” to the extent they are applicable to Klaviyo.

Security Measures

What measures does Klaviyo take to protect Customer Personal Data?

Klaviyo manages Customer Personal Data in accordance with our DPA entered into with all of our Customers. The DPA specifies the Technical and Organizational Measures (TOMs) and Supplementary Measures taken by Klaviyo in order to protect the Customer’s personal data. These measures are set out in Annex 2 of the DPA. Specific security documentation is available upon request.

Deleting Data

What happens if I receive a GDPR deletion request?

The Klaviyo platform allows its Customers to exercise full control and provide self-service management of all data, including Personal Data, provided to the platform. To learn more about GDPR deletions on the Klaviyo platform, please click here. Additionally, for more information on list cleanup in Klaviyo, please click here.

Sensitive Data

Can we use the Klaviyo platform to manage and store sensitive or special categories of data, for example health data?

Klaviyo’s Acceptable Use Policy prohibits the use of sensitive data within the platform. Customers may, however, use the Klaviyo platform regarding other non-sensitive data relating to end customers.