KORA FINANCIAL INC. PRIVACY POLICY

Last updated: April 2026

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service and tells you about your privacy rights and how the law protects you.

We use your Personal data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

I. Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

Account means a unique account created for you to access our Service or parts of our Service;

Company (referred to as either "the Company", "we", "us" or "our" in this Agreement) refers to Kora Financial Inc., 500 Madison Street, Suite 1000, Chicago, IL 60661;

Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses;

Country refers to: Illinois, United States;

Device means any device that can access the Service such as a computer, a cell phone or a digital tablet;

Personal Data is any information that relates to an identified or identifiable individual;

Service refers to the website;

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used;

Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit);

Website refers to Kora, accessible from www.koramoney.com;

You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

II. Collecting and Using your Personal Data

Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

Email address
First name and last name
Usage Data

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as your Device's Internet Protocol address ("IP address"), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device.

Mobile information or text messaging opt-in data and consent will not be sold or shared with third parties or affiliates for their marketing or promotional purposes.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service. The technologies we use may include:

Cookies or Browser Cookies. A cookie is a small file placed on your Device. You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of our Service. Unless you have adjusted your browser setting so that it will refuse Cookies, our Service may use Cookies.
Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Behavior Analytics. Our website utilizes Mouseflow, a web analytics tool provided by Mouseflow ApS, to help us better understand and improve user interactions on our site. By analyzing behaviors such as clicks, mouse movements, and scroll activity, Mouseflow enables us to enhance site usability and the overall user experience.

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser. We use both Session and Persistent Cookies for the purposes set out below:

Necessary / Essential Cookies (Session Cookies, administered by us): These Cookies are essential to provide you with services available through the website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts.
Cookies Policy / Notice Acceptance Cookies (Persistent Cookies, administered by us): These Cookies identify if users have accepted the use of cookies on the website.
Functionality Cookies (Persistent Cookies, administered by us): These Cookies allow us to remember choices you make when you use the website, such as remembering your login details or language preference.

Single Sign-On (SSO) for KoraConnect — Google and Microsoft

KoraConnect supports account creation and authentication through Google OAuth 2.0 and Microsoft Sign-In (collectively, "SSO Providers"). When you choose to sign in or register using one of these options, we collect and process certain data from the SSO Provider as described below.

Data Collected via SSO. When you authenticate through Google or Microsoft, we receive and store the following information from the SSO Provider:

Your name and email address as associated with your Google or Microsoft account;
A unique provider subject identifier ("subject ID" or "sub") issued by Google or Microsoft that is specific to your account and our application. This identifier is used solely to recognize and authenticate you on return visits — it cannot be used to access your Google or Microsoft account.

Purpose Limitation. We use Google and Microsoft account data exclusively to create and authenticate your KoraConnect account. Specifically:

We do not sell or rent your Google or Microsoft account data to third parties;
We do not use your Google or Microsoft account data to serve advertising, retarget you, or build advertising profiles;
We do not use your Google or Microsoft account data to train, fine-tune, or improve machine learning models.

Any personal information received through SSO is used only for the purposes described in this Privacy Policy and is subject to the same data protection standards that apply to all Personal Data we collect.

Retention of SSO Data. The provider subject ID and associated profile information collected via SSO are retained for as long as your KoraConnect account remains active. If you delete your KoraConnect account, we will delete or de-identify your SSO-derived data within 30 days, except where retention is required to comply with applicable legal obligations, resolve disputes, or enforce our agreements.

Revocation and Account Deletion. You have the following options to control or remove your SSO-linked data:

Revoke SSO access: You may revoke KoraConnect's access to your Google account at any time by visiting myaccount.google.com/permissions. For Microsoft accounts, you may manage application permissions through your Microsoft account security settings. Revoking SSO access will prevent future SSO-based logins but will not automatically delete your KoraConnect account or associated data.
Request account deletion: To request deletion of your KoraConnect account and all associated SSO-derived data, please contact us at privacy@koramoney.com. We will process your request within the timeframe required by applicable law.

Third-Party Privacy Policies. Your use of Google Sign-In is subject to Google's Privacy Policy (policies.google.com/privacy). Your use of Microsoft Sign-In is subject to Microsoft's Privacy Statement (privacy.microsoft.com). We encourage you to review those policies. We are not responsible for the data practices of Google or Microsoft.

Use of your Personal Data

The Company may use Personal Data for the following purposes:

To provide and maintain our Service, including to monitor the usage of our Service.
To manage your Account: to manage your registration as a user of the Service.
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services you have purchased or of any other contract with us through the Service.
To contact you: To contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.
To manage your requests: To attend and manage your requests to us.
For business transfers: we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets.
For other purposes: we may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

Sharing of your Personal Data

We may share your personal information in the following situations:

With Service Providers: we may share your personal information with Service Providers to monitor and analyze the use of our Service, to contact you.
For business transfers: we may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
With Affiliates: we may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Policy.
With business partners: we may share your information with our business partners to offer you certain products, services or promotions.
With other users: when you share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
With your consent: we may disclose your personal information for any other purpose with your consent.

Retention of your Personal Data

The Company will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

Transfer of your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those within your jurisdiction.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. The Company will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

Disclosure of your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law Enforcement

Under certain circumstances, the Company may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other Legal Requirements

The Company may disclose your Personal Data in the good faith belief that such action is necessary to:

Comply with a legal obligation
Protect and defend the rights or property of the Company
Prevent or investigate possible wrongdoing in connection with the Service
Protect the personal safety of users of the Service or the public
Protect against legal liability

Our Contractors

We may contract with others to perform services on our behalf. If any of these service providers need access to your personal information, we require them to use it only to perform the services for us. We also require that they maintain the confidentiality of the information and/or return the information to us when they no longer need it.

III. Security of your Personal Data

The security of your Personal Data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

We have physical, administrative and technical security measures in place to protect personal information from loss, misuse or alteration while it is under our control. We are required to collect, process and maintain payment card information in accordance with the data security rules adopted by credit card companies such as Visa, MasterCard and American Express. This means that we do not retain debit card PINs or credit card security codes, and that any time we maintain a credit card number, such as when you create an online account, we must limit access to it and use strong encryption to protect it. Further, when you enter personal information online, that information is encrypted prior to transmission using a security protocol called SSL (Secure Sockets Layer).

Online account information is accessible only by using a password. You must keep your password confidential. You are responsible for all uses of the Service by anyone using your password. Please advise us immediately by calling 800-840-6604 if you believe your password has been misused.

IV. Children's Privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.

If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.

V. Email Communications

From time to time, we may send you emails regarding updates to our websites, mobile applications or products/services, notices about our organization, or information about products/services we offer (or promotional offers from third parties) that we think may be of interest to you. If you wish to unsubscribe from such emails, simply click the "unsubscribe" link provided at the bottom of the email communication. Note that you cannot unsubscribe from certain Services-related email communications (e.g., account verification, confirmations of transactions, technical or legal notices).

We are the owner of all email distribution lists distributed using our websites and applications, and we are solely responsible for the composition and membership of each list. We will not conduct any of the following activities to obtain email distribution lists: harvest emails from websites; purchase lists; have a pre-checked field on websites/forms; add an email address into a list without the consumer's express permission; send unsolicited mail; email a consumer who has requested to be removed from your list; or utilize a list older than six (6) months without reconfirming the recipients' subscriptions.

For Canadian recipients, CASL ("Canada's Anti-Spam Legislation") prohibits spam, malware, spyware, address harvesting, unauthorized alteration of transmission data as well as false and misleading electronic representations. Commercial electronic messages may be sent only to recipients who have given their prior consent (opt-in). When there is a business or non-business relationship, a recipient's implied consent applies for a period of 36 months.

VI. California Privacy Rights

Section 1798.83 of the California Civil Code permits California residents to request from a business, with whom the California resident has an established business relationship, certain information about the types of personal information the business has shared with third parties for those third parties' direct marketing purposes and the names and addresses of the third parties with whom the business has shared such information during the immediately preceding calendar year. You may request data access by emailing us at privacy@koramoney.com or writing us at:

Kora Financial Inc.

500 Madison Street, Suite 1000

Chicago, IL 60661

If you are a California resident under age 18 and a registered user of the Service, you may ask us to remove content or information that you have posted to the Service by emailing us at privacy@koramoney.com.

VII. Links to Other Websites

Our Service may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

VIII. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

IX. Contact Us

If you have any questions about this Privacy Policy, you can contact us:

By email: privacy@koramoney.com
By phone number: 800.840.6604

EUROPEAN UNION CITIZENS AND RESIDENTS PRIVACY POLICY

Introduction

The purpose of this policy is to ensure compliance with the data privacy regulations as set forth by the EU General Data Protection Regulation (GDPR). This policy applies to personal data obtained and processed regarding individuals within the European Union and the European Economic Area (EEA).

Definitions

(a) Kora means Kora Financial Inc., a Delaware corporation, whose address is 500 Madison Street, Suite 1000, Chicago, IL 60661.

(b) GDPR means General Data Protection Regulation (EU) 2016/679, a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the EEA.

(c) Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information is, or is to be, processed.

(d) Data Processor means any natural or legal person who processes the data on behalf of the Data Controller.

(e) Data Subject is any living individual who is using our services and is the subject of Personal Data.

(f) Personal Data means any information relating to a Data Subject, whereby person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Compliance — Principles for Processing Personal Data

Our principles for processing personal data are:

(a) Fairness and lawfulness. When we process Personal Data, the individual rights of the Data Subjects must be protected. All Personal Data must be collected and processed in a legal and fair manner.

(b) Restricted to a specific purpose. The Personal Data of each Data Subject must be processed only for specific purposes.

(c) Transparency. The Data Subject must be informed of how his/her data is being collected, processed and used.

What Personal Data We Collect and Process

Kora collects several different types of Personal Data for various purposes. Personal Data Kora may collect may include, but is not limited to:

First name and last name
Phone number
Address, City, State, Province, ZIP/Postal code
Email address
Passport number
Provider subject ID (when authenticating via SSO)

How We Use the Personal Data

Kora uses the collected Personal Data for various purposes:

To provide the Data Subject with services;
To notify the Data Subject about changes to our services and/or products;
To provide customer support;
To facilitate compliance with government regulations;
To gather analysis or valuable information so that we can improve our services;
To detect, prevent and address technical issues.

Legal Basis for Collecting and Processing Personal Data

Kora's legal basis for collecting and using the personal data described in this privacy policy depends on the personal data we collect and the specific context in which we collect the information:

(a) Kora needs to perform a contract with you;

(b) You have given Kora permission to do so;

(c) Processing your personal data is in Kora's legitimate interests;

(d) Kora needs to comply with the law.

Security, Storage, and Transfer

We are committed to ensuring that Personal Data is secure at all times. We have in place suitable physical, electronic and managerial procedures to safeguard and secure the Personal Data we collect online. All of our employees and suppliers with access to Personal Data and/or who are associated with the processing of that data are contractually obliged to respect the confidentiality of such Personal Data.

The Personal Data that we collect from Data Subjects may be transferred to, and stored at, a destination outside the EU and EEA. It may also be processed by employees operating outside the EU and EEA who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that Personal Data is treated securely and in accordance with this Policy, the GDPR, and any data protection related laws that are applicable to Kora.

Retention of Personal Data

Kora will retain the Personal Data of a Data Subject only for as long as is necessary for the purposes set out in this Policy. Kora will retain and use the Data Subject's information to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our policies.

Data Protection Rights

Data Subjects have certain data protection rights. Any Data Subject who wishes to be informed what Personal Data we hold about such person and wishes such data to be removed from our systems is instructed to contact privacy@koramoney.com. In certain circumstances, Data Subjects have the following data protection rights:

The right to access, update or to delete the information we have on the Data Subject
The right of rectification
The right to object
The right of restriction
The right to data portability
The right to withdraw consent

Withdrawal of Consent

If a Data Subject withdraws consent to the processing of Personal Data of the Data Subject at any time, it may mean we will not be able to provide all or parts of the products or services the Data Subject may have requested from us.

How to Access, Review, Transfer and Delete Personal Data

We will make Personal Data available to a Data Subject upon request. If we are informed that the Personal Data that we hold about the Data Subject is incorrect or is used inappropriately, we will correct, update or delete such data as appropriate. For information about how to get access to Personal Data and for exercising the rights set out above, please contact privacy@koramoney.com.

Disputes

The Data Subject also has the right to lodge a complaint with a supervisory authority established within the EEA. List of contact details of supervisory authorities within the EEA is available at the European Commission website.

Accountability

Responsibility for overseeing compliance with the law and corporate Policy rests with Kora management (Kora's Division Heads) and Kora's Director of Compliance.

If any portion of this Policy is held to be invalid or unenforceable for any reason by a court or governmental authority of competent jurisdiction or by a supervisory authority, then such portion will be deemed to be stricken and the remainder of this Policy shall continue in full force and effect.