Last updated: July 2021
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
Usage Data is collected automatically when using the Service.
Usage Data may include information such as your Device's Internet Protocol address (“IP address”), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.
We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device.
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser. We use both Session and Persistent Cookies for the purposes set out below:
The Company may use Personal Data for the following purposes:
We may share your personal information in the following situations:
The Company will also retain usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those within your jurisdiction.
Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
The Company may disclose your Personal Data in the good faith belief that such action is necessary to:
The security of your Personal Data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
We have physical, administrative and technical security measures in place to protect personal information from loss, misuse or alteration while it is under our control. We are required to collect, process and maintain payment card information in accordance with the data security rules adopted by credit card companies such as Visa, MasterCard and American Express. This means that we do not retain debit card PINs or credit card security codes, and that any time we maintain a credit card number, such as when you create an online account, we must limit access to it and use strong encryption to protect it. Further, when you enter personal information online, that information is encrypted prior to transmission using a security protocol called SSL (Secure Sockets Layer). We also use SSL to allow you to securely view your online account and registration information.
Online account information is accessible only by using a password. You must keep your password confidential. You are responsible for all uses of the Service by anyone using your password. Please advise us immediately by calling 800-840-6604 if you believe your password has been misused.
Our Service does not address anyone under the age of 13. we do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.
If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.
From time to time, we may send you emails regarding updates to our websites, mobile applications or products/services, notices about our organization, or information about products/services we offer (or promotional offers from third parties) that we think may be of interest to you. If you wish to unsubscribe from such emails, simply click the “unsubscribe” link provided at the bottom of the email communication. You may also update your subscriptions by clicking the “unsubscribe preferences” link. Note that you cannot unsubscribe from certain Services-related email communications (e.g., account verification, confirmations of transactions, technical or legal notices).
We are the owner of all email distribution lists distributed using our websites and applications, and we are solely responsible for the composition and membership of each list. we will not conduct any of the following activities to obtain email distribution lists: harvest emails from websites; purchase lists (regardless of whether they are opt-in or not); have a pre-checked field on websites/forms; have a subscription form that subscribes users to an unrelated list; add an email address into a list without the consumer’s express permission; send unsolicited mail to newsgroups, message boards, distribution lists, or email addresses; email a consumer who has requested to be removed from your list; and utilize a list older than six (6) months without reconfirming the recipients’ subscriptions.
All Kora subscribers to be used in connection with Kora websites and applications have provided permission to us to send them email. An opt-in can occur via either a sign-up form on a web site, at a point-of-sale sign-up form, or on a physical sign-up sheet. Any opt-in form should include a clear description of what will be sent and how often it will be sent. Purchased lists may not be used within our websites and/or applications, regardless of the source or permission status.
For Canadian recipients, CASL (“Canada’s Anti-Spam Legislation) prohibits spam, malware, spyware, address harvesting, unauthorized alteration of transmission data as well as false and misleading electronic representations. The sender must identify itself and the persons on whose behalf a commercial electronic message is sent. Commercial electronic messages may be sent only to recipients who have given their prior consent (opt-in). All recipients’ express, or in certain cases implied, prior permission is required. When there is a business or non-business relationship, a recipient’s implied consent applies for a period of 36 months.
Section 1798.83 of the California Civil Code permits California residents to request from a business, with whom the California resident has an established business relationship, certain information about the types of personal information the business has shared with third parties for those third parties' direct marketing purposes and the names and addresses of the third parties with whom the business has shared such information during the immediately preceding calendar year. You may request data access by emailing us at firstname.lastname@example.org or writing us at:
Kora Financial Inc.
500 Madison Street, Suite 1000
Chicago, IL 60661
If you are a California resident under age 18 and a registered user of the Service, you may ask us to remove content or information that you have posted to the Service by emailing us at email@example.com. Please note that such removal does not ensure complete or comprehensive removal of the content or information posted (for example, your content or information may remain visible because it was copied and posted or reposted by a third party).
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
The purpose of this policy is to ensure compliance with the data privacy regulations as set forth by the EU General Data Protection Regulation (GDPR).
This policy applies to personal data obtained and processed regarding individuals within the European Union and the European Economic Area (EEA).
Kora means Kora Financial Inc., a Delaware corporation, whose address is 500 Madison Street, Suite 1000, Chicago, IL 60661.
GDPR means General Data Protection Regulation (EU) 2016/679, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the EEA.
(c) Data Controller
Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.
(d) Data Processor
Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.
(e) Data Subject
Data Subject is any living individual who is using our services and is the subject of Personal Data.
(f) Personal Data
Personal Data means any information relating to a Data Subject, whereby person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Principles for processing personal data
Our principles for processing personal data are:
(a) Fairness and lawfulness. When we process Personal Data, the individual rights of the Data Subjects must be protected. All Personal Data must be collected and processed in a legal and fair manner.
(b) Restricted to a specific purpose. The Personal Data of each Data Subject must be processed only for specific purposes.
(c) Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.
What Personal Data we collect and process
Kora collects several different types of Personal Data for various purposes. Personal Data Kora may collect may include, but is not limited to:
How we use the personal data
Kora uses the collected Personal Data for various purposes:
Legal basis for collecting and processing personal data
(a) Kora needs to perform a contract with you;
(b) You have given Kora permission to do so;
(c) Processing your personal data is in Kora’s legitimate interests;
(d) Kora needs to comply with the law.
When do we collect Personal Data about Data Subjects?
We collect Personal Data about a Data Subject when the Data Subject uses our services and when the Data Subject uses our website.
For example, we may collect Personal Data about a Data Subject when the Data Subject:
(i) Requests our products or services;
(ii) Engages with a company with which Kora does business, who transfers Personal Data to Kora in connection with our provision of services;
(iii) Uses one of our customer services representatives for help;
(iv) Completes a client survey or provides us with feedback;
(v) Interacts with us via social media, such as Facebook. In addition, we may receive Personal Data about Data Subjects from third parties, such as:
(vi) Companies that contract with us to provide services to Data Subjects;
(vii) Companies contracted by us to provide services to Data Subjects;
(viii) Companies such as car dealerships that participate in our services.
Security, storage, and transfer
We are committed to ensuring that Personal Data is secure at all times. We have in place suitable physical, electronic and managerial procedures to safeguard and secure the Personal Data we collect online.
All of our employees and suppliers with access to Personal Data and/or who are associated with the processing of that data are contractually obliged to respect the confidentiality of such Personal Data. All Personal Data will be stored on and processed by our systems and may also be stored on and processed by systems of a third-party data processor(s) appointed by us. The Personal Data that we collect from Data Subjects may be transferred to, and stored at, a destination outside the EU and EEA. It may also be processed by employees operating outside the EU and EEA who work for us or for one of our suppliers. Such employees may be engaged in, amongst other things, the provision of support services. We obtain Personal Data pursuant to the performance of necessary services, as set forth above. We believe that it is in our legitimate interests to do so.
In addition, to the extent that a Data Subject is being presented with this policy to obtain the Data Subject’s consent for us to process and retain Personal Data, by assenting as set forth herein, the Data Subject agrees to this transfer, storing and/or processing. We will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Policy, the GDPR, and any data protection related laws that are applicable to Kora.
Retention of personal data
Kora will retain the Personal Data of a Data Subject only for as long as is necessary for the purposes set out in this Policy.
Kora will retain and use the Data Subject’s information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.
Transmission of information over the internet
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect a Data Subject’s Personal Data, we cannot guarantee the security of such data transmitted to us by a Data Subject. Any such transmission that originates with the Data Subject is at the Data Subject’s risk. Once we have received Personal Data, we will use commercially reasonable procedures and security features to try to prevent unauthorized access.
Data protection rights
Data Subjects have certain data protection rights. Any Data Subject who wishes to be informed what Personal Data we hold about such person and wishes such data to be removed from our systems is instructed to contact firstname.lastname@example.org.
In certain circumstances, Data Subjects have the following data protection rights:
Withdrawal of Consent
If a Data Subject withdraws consent to the processing of Personal Data of the Data Subject at any time, it may mean we will not be able to provide all or parts of the products or services the Data Subject may have requested from us.
Providing information about someone else
To the extent that a contracting or other third party is providing Personal Data to us about someone else that third party should confirm that the Data Subject has appointed the third party to act for the Data Subject, has consented to the processing of the Data Subject’s Personal Data, and that the third party has informed the Data Subject of our identity, of this Policy, and of the purposes (as set out in this Policy) for which their Personal Data will be processed.
How to access, review, transfer and delete Personal Data
We will make Personal Data available to a Data Subject upon request from the Data Subject. If we are informed that the Personal Data that we hold about the Data Subject is incorrect or is used inappropriately, we will correct, update or delete such data as appropriate. The Data Subject also has other rights such as the right to request from us erasure of personal data or restriction of processing or to object to processing and the right to data portability. For information about how to get access to Personal Data and for exercising the rights set out above, please contact email@example.com.
The Data Subject also has the right to lodge a complaint with a supervisory authority established within the EEA. List of contact details of supervisory authorities within the EEA is available here.
Responsibility for overseeing compliance with the law and corporate Policy rests with Kora management (Kora’s Division Heads) and Kora’s Director of Compliance.
If any portion of this Policy is held to be invalid or unenforceable for any reason by a court or governmental authority of competent jurisdiction or by a supervisory authority, then such portion will be deemed to be stricken and the remainder of this Policy shall continue in full force and effect.
Further details about rights of Data Subjects under the GDPR can be accessed here.
The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personal data of individuals (formally called data subjects in the GDPR) inside the EEA, and applies to an enterprise established in the EEA or - regardless of its location and the data subjects' citizenship - that is processing the personal information of data subjects inside the EEA.