๐Ÿ‡ช๐Ÿ‡บ GDPR Compliant ยท Data hosted in Sweden

GDPR & Data Sovereignty

How Koply is built to make GDPR compliance easy for your e-commerce store.

Our approach to data protection

GDPR compliance is not an afterthought at Koply โ€” it is a core design decision. Unlike US-based search providers, your product catalogue and your customers' search behaviour never leave the European Union. This fundamentally simplifies your GDPR obligations.

What data does Koply process from your store visitors?

The Koply widget processes search queries typed by your visitors. Specifically:

  • The search query text is sent to our API to retrieve results.
  • The approximate country of origin is inferred from the IP address for analytics purposes. The IP address itself is not stored.
  • No cookies are set on your visitors' browsers by the Koply widget.
  • No personal identifiers (name, email, device fingerprint) are collected from your visitors.
  • No cross-site tracking takes place.

Because no personal data is stored about individual visitors, in most cases you do not need to mention Koply in your cookie banner or obtain additional consent from your customers to use our widget.

Infrastructure and data location

Search infrastructure

Meilisearch cluster hosted on AWS EU (Stockholm region). Product indices never replicated outside the EU.

Application servers

Laravel application deployed on Kubernetes in AWS EU (Stockholm). All compute stays within Sweden.

Database

MySQL database hosted in the same EU cluster. Encrypted at rest with AES-256.

CDN (widget delivery)

The koply.js widget is served from cdn.koply.eu. The CDN serves static files only โ€” no visitor data is logged by the CDN.

Data Processing Agreement (DPA)

When you use Koply to process search queries from your store visitors, Koply acts as a data processor on your behalf. We are happy to sign a Data Processing Agreement (DPA) as required by GDPR Article 28. To request a DPA, contact us at privacy@koply.eu.

AI features and data privacy

Some Koply features use AI models (Claude by Anthropic) to improve search quality:

  • Synonym suggestions โ€” analyses product titles and categories from your catalogue. No visitor data is involved.
  • Product enrichment โ€” generates descriptions for products without one, using title, brand and category. No visitor data is involved.
  • Zero-results recovery โ€” reformulates a search query that returned no results. The query text is sent to the AI without any visitor identifier attached.
  • Image search โ€” the uploaded image is analysed to extract a text description, then immediately discarded. Images are never stored.

All AI processing uses anonymised or non-personal data. Anthropic processes data under a commercial agreement that includes GDPR-compliant data protection provisions.

Your obligations as a Koply customer

As a Koply customer (data controller), you remain responsible for:

  • Informing your store visitors about the use of third-party services in your Privacy Policy. You may reference Koply as a "EU-hosted site search provider that processes search queries without storing personal data."
  • Ensuring your product feed does not contain personal data (it should contain only product information).
  • Responding to data subject requests from your customers. For requests that require data deletion from Koply's systems, contact us at privacy@koply.eu.

Data Controller

Company: Koply (by Guillermo Eduardo Gallego Pagella)

Address: Helsingborg, Sweden

Email: privacy@koply.eu

Questions

For any GDPR-related questions or to request a Data Processing Agreement, contact us at privacy@koply.eu.