Last updated: May 2024

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service and tells you about your privacy rights and how the law protects you.

We use your Personal data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. 

I. Interpretation and Definitions


The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.


For the purposes of this Privacy Policy:

II. Collecting and Using your Personal Data

Types of Data Collected:

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as your Device's Internet Protocol address (“IP address”), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service. The technologies we use may include:

For more information about how Mouseflow handles your data, please refer to the Mouseflow privacy policy at Mouseflow Privacy Policy.

Mouseflow FAQs:

What is website session recording?

A website “session” refers to the duration of interaction a user has within a website, within a certain window of time. The session can include multiple pages, events, purchases, and inputs. A session continues to be measured as the same session until the user is inactive for a period of time, typically 30 minutes. A session can also end at a specified time, like the end of a day. The start of a new session can also be a session-ending occurrence, such as if a user enters a website by clicking a paid search ad, clicks around, leaves, then enters again — this time by clicking an organic search result.

So, a session recording is when software is used to track that user’s activity during that session. Clicks, scrolls, hovers, and other mouse data is tracked. So are keyboard inputs (except for anonymized forms) and navigation, documenting users as they fill out forms or search bars and navigate to different pages.

Also referred to as session replay, session recording is a prolific practice in marketing, product management, UX design and research, conversion optimization, data analysis, and other areas of business.

A common analogy for session recording is closed-circuit TV security systems found in most retail and commercial spaces. While those cameras can’t tell you a person’s name, address, or other identifying information, it can give you an idea of where they came from, what they do in the store, etc.

Does session replay capture any sensitive visitor data?

Session recording tools are set to anonymize sensitive visitor data. Mouseflow’s default settings adhere to GDPR and CCPA guidelines and allow even further protection, such as blocking form field inputs.

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser.  We use both Session and Persistent Cookies for the purposes set out below:

Use of your Personal Data

The Company may use Personal Data for the following purposes:

We may share your personal information in the following situations:

Retention of your Personal Data

The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

Transfer of your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those within your jurisdiction.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Disclosure of your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

Our Contractors

We may contract with others to perform services on our behalf. If any of these service providers need access to your personal information, we require them to use it only to perform the services for us. We also require that they maintain the confidentiality of the information and/or return the information to us when they no longer need it.

Security of your Personal Data

The security of your Personal Data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.  

We have physical, administrative and technical security measures in place to protect personal information from loss, misuse or alteration while it is under our control. We are required to collect, process and maintain payment card information in accordance with the data security rules adopted by credit card companies such as Visa, MasterCard and American Express. This means that we do not retain debit card PINs or credit card security codes, and that any time we maintain a credit card number, such as when you create an online account, we must limit access to it and use strong encryption to protect it. Further, when you enter personal information online, that information is encrypted prior to transmission using a security protocol called SSL (Secure Sockets Layer). We also use SSL to allow you to securely view your online account and registration information.

Online account information is accessible only by using a password. You must keep your password confidential. You are responsible for all uses of the Service by anyone using your password. Please advise us immediately by calling 800-840-6604 if you believe your password has been misused.

Children's Privacy

Our Service does not address anyone under the age of 13. we do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.

If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.

Email Communications  

From time to time, we may send you emails regarding updates to our websites, mobile applications or products/services, notices about our organization, or information about products/services we offer (or promotional offers from third parties) that we think may be of interest to you.  If you wish to unsubscribe from such emails, simply click the “unsubscribe” link provided at the bottom of the email communication.  You may also update your subscriptions by clicking the “unsubscribe preferences” link.  Note that you cannot unsubscribe from certain Services-related email communications (e.g., account verification, confirmations of transactions, technical or legal notices).

We are the owner of all email distribution lists distributed using our websites and applications, and we are solely responsible for the composition and membership of each list.  we will not conduct any of the following activities to obtain email distribution lists: harvest emails from websites; purchase lists (regardless of whether they are opt-in or not); have a pre-checked field on websites/forms; have a subscription form that subscribes users to an unrelated list; add an email address into a list without the consumer’s express permission; send unsolicited mail to newsgroups, message boards, distribution lists, or email addresses; email a consumer who has requested to be removed from your list; and utilize a list older than six (6) months without reconfirming the recipients’ subscriptions. 

All we subscribers to be used in connection with we websites and applications have provided permission to us to send them email.  An opt-in can occur via either a sign-up form on a web site, at a point-of-sale sign-up form, or on a physical sign-up sheet.  Any opt-in form should include a clear description of what will be sent and how often it will be sent.  Purchased lists may not be used within our websites and/or applications, regardless of the source or permission status.  

For Canadian recipients, CASL (“Canada’s Anti-Spam Legislation) prohibits spam, malware, spyware, address harvesting, unauthorized alteration of transmission data as well as false and misleading electronic representations. The sender must identify itself and the persons on whose behalf a commercial electronic message is sent.  Commercial electronic messages may be sent only to recipients who have given their prior consent (opt-in).  All recipients’ express, or in certain cases implied, prior permission is required.  When there is a business or non-business relationship, a recipient’s implied consent applies for a period of 36 months.

California Privacy Rights

Section 1798.83 of the California Civil Code permits California residents to request from a business, with whom the California resident has an established business relationship, certain information about the types of personal information the business has shared with third parties for those third parties' direct marketing purposes and the names and addresses of the third parties with whom the business has shared such information during the immediately preceding calendar year. You may request data access by emailing us at privacy@koramoney.com or writing us at:

Kora Financial Inc.

500 Madison Street, Suite 1000

Chicago, IL 60661

If you are a California resident under age 18 and a registered user of the Service, you may ask us to remove content or information that you have posted to the Service by emailing us at privacy@koramoney.com.  Please note that such removal does not ensure complete or comprehensive removal of the content or information posted (for example, your content or information may remain visible because it was copied and posted or reposted by a third party).

Links to Other websites

Our Service may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. we will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact us

If you have any questions about this Privacy Policy, you can contact us:



The purpose of this policy is to ensure compliance with the data privacy regulations as set forth by the EU General Data Protection Regulation (GDPR).

This policy applies to personal data obtained and processed regarding individuals within the European Union and the European Economic Area (EEA).


(a) Kora

Kora means Kora Financial Inc., a Delaware corporation, whose address is 500 Madison Street, Suite 1000, Chicago, IL 60661.

(b) GDPR

GDPR means General Data Protection Regulation (EU) 2016/679, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the EEA.

(c) Data Controller

Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.

(d) Data Processor

Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.

(e) Data Subject

Data Subject is any living individual who is using our services and is the subject of Personal Data.

(f) Personal Data

Personal Data means any information relating to a Data Subject, whereby person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Principles for processing personal data

Our principles for processing personal data are:

(a) Fairness and lawfulness. When we process Personal Data, the individual rights of the Data Subjects must be protected. All Personal Data must be collected and processed in a legal and fair manner.

(b) Restricted to a specific purpose. The Personal Data of each Data Subject must be processed only for specific purposes.

(c) Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.

What Personal Data we collect and process

Kora collects several different types of Personal Data for various purposes. Personal Data Kora may collect may include, but is not limited to:

How we use the personal data

Kora uses the collected Personal Data for various purposes:

Legal basis for collecting and processing personal data

Kora’s legal basis for collecting and using the personal data described in this privacy policy depends on the personal data we collect and the specific context in which we collect the information:

(a) Kora needs to perform a contract with you;

(b) You have given Kora permission to do so;

(c) Processing your personal data is in Kora’s legitimate interests;

(d) Kora needs to comply with the law.

When do we collect Personal Data about Data Subjects?

We collect Personal Data about a Data Subject when the Data Subject uses our services and when the Data Subject uses our website.

For example, we may collect Personal Data about a Data Subject when the Data Subject:

(i) Requests our products or services;

(ii) Engages with a company with which Kora does business, who transfers Personal Data to Kora in connection with our provision of services;

(iii) Uses one of our customer services representatives for help;

(iv) Completes a client survey or provides us with feedback;

(v) Interacts with us via social media, such as Facebook. In addition, we may receive Personal Data about Data Subjects from third parties, such as:

(vi) Companies that contract with us to provide services to Data Subjects;

(vii) Companies contracted by us to provide services to Data Subjects;

(viii) Companies such as car dealerships that participate in our services.

How we use cookies

Cookies are a small amount of data sent from the server, which then may be stored on a Data Subject’s computer’s hard disk drive. We may collect information about a Data Subject’s computer, including where available the Data Subject’s IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. For the same reason, we may obtain information about a Data Subject’s general internet usage by using a cookie file which is stored on the hard drive of the Data Subject’s computer. Cookies help us to improve our services and to deliver a better and more personalized service. A Data Subject can delete all cookies that are already on the Data Subject’s computer and may refuse to accept cookies by activating the setting on the Data Subject’s browser which allows the Data Subject to refuse the setting of cookies. However, if this setting is selected, the Data Subject may be unable to access certain parts of our services. Unless the browser setting is adjusted so as to refuse cookies, our system will issue cookies when a Data Subject logs on to our services, unless the cookies to be issued require the Data Subject’s informed consent.

Security, storage, and transfer

We are committed to ensuring that Personal Data is secure at all times. We have in place suitable physical, electronic and managerial procedures to safeguard and secure the Personal Data we collect online.

All of our employees and suppliers with access to Personal Data and/or who are associated with the processing of that data are contractually obliged to respect the confidentiality of such Personal Data. All Personal Data will be stored on and processed by our systems and may also be stored on and processed by systems of a third-party data processor(s) appointed by us. The Personal Data that we collect from Data Subjects may be transferred to, and stored at, a destination outside the EU and EEA. It may also be processed by employees operating outside the EU and EEA who work for us or for one of our suppliers. Such employees may be engaged in, amongst other things, the provision of support services. We obtain Personal Data pursuant to the performance of necessary services, as set forth above. We believe that it is in our legitimate interests to do so.

In addition, to the extent that a Data Subject is being presented with this policy to obtain the Data Subject’s consent for us to process and retain Personal Data, by assenting as set forth herein, the Data Subject agrees to this transfer, storing and/or processing. We will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Policy, the GDPR, and any data protection related laws that are applicable to Kora.

Retention of personal data

Kora will retain the Personal Data of a Data Subject only for as long as is necessary for the purposes set out in this Policy.

Kora will retain and use the Data Subject’s information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.

Transmission of information over the internet

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect a Data Subject’s Personal Data, we cannot guarantee the security of such data transmitted to us by a Data Subject. Any such transmission that originates with the Data Subject is at the Data Subject’s risk. Once we have received Personal Data, we will use commercially reasonable procedures and security features to try to prevent unauthorized access.

Data protection rights

Data Subjects have certain data protection rights. Any Data Subject who wishes to be informed what Personal Data we hold about such person and wishes such data to be removed from our systems is instructed to contact privacy@koramoney.com

In certain circumstances, Data Subjects have the following data protection rights:

Withdrawal of Consent

If a Data Subject withdraws consent to the processing of Personal Data of the Data Subject at any time, it may mean we will not be able to provide all or parts of the products or services the Data Subject may have requested from us.

Providing information about someone else

To the extent that a contracting or other third party is providing Personal Data to us about someone else that third party should confirm that the Data Subject has appointed the third party to act for the Data Subject, has consented to the processing of the Data Subject’s Personal Data, and that the third party has informed the Data Subject of our identity, of this Policy, and of the purposes (as set out in this Policy) for which their Personal Data will be processed.

How to access, review, transfer and delete Personal Data

We will make Personal Data available to a Data Subject upon request from the Data Subject. If we are informed that the Personal Data that we hold about the Data Subject is incorrect or is used inappropriately, we will correct, update or delete such data as appropriate. The Data Subject also has other rights such as the right to request from us erasure of personal data or restriction of processing or to object to processing and the right to data portability. For information about how to get access to Personal Data and for exercising the rights set out above, please contact privacy@koramoney.com


The Data Subject also has the right to lodge a complaint with a supervisory authority established within the EEA. List of contact details of supervisory authorities within the EEA is available here.


Responsibility for overseeing compliance with the law and corporate Policy rests with Kora management (Kora’s Division Heads) and Kora’s Director of Compliance.

If any portion of this Policy is held to be invalid or unenforceable for any reason by a court or governmental authority of competent jurisdiction or by a supervisory authority, then such portion will be deemed to be stricken and the remainder of this Policy shall continue in full force and effect.


Further details about rights of Data Subjects under the GDPR can be accessed here.

The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the EEA, and applies to an enterprise established in the EEA or - regardless of its location and the data subjects' citizenship - that is processing the personal information of data subjects inside the EEA.