Privacy Policy

Last updated: May 14, 2026

1. Introduction

KORA ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the KORA platform ("Service").

By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Organization name (optional)
  • Password (stored as a salted hash, never in plain text)
  • Authentication tokens from OAuth providers (Google, GitHub)

2.2 Cloud Provider Data

When you connect your cloud accounts, we access and store:

  • AWS Cost and Usage Report (CUR) data including service costs, usage types, resource identifiers, and associated tags
  • Resource metadata such as instance types, regions, and configuration details
  • CloudWatch metrics for recommendation analysis

We do not access your application data, database contents, S3 object contents, logs containing customer data, or any secrets/credentials stored in your cloud accounts.

2.3 Usage Data

We automatically collect:

  • Browser type, operating system, and device information
  • IP address and approximate geographic location
  • Pages visited, features used, and interaction patterns
  • Referring URLs and search terms

2.4 Cookies and Tracking

We use cookies and similar technologies for:

  • Essential cookies: Authentication, session management, and security
  • Analytics cookies: Understanding how you use the Service to improve it

We do not use advertising or third-party tracking cookies. You can control cookie preferences through your browser settings.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Analyze your cloud costs and generate recommendations
  • Detect anomalies and send alerts
  • Process transactions and manage your account
  • Send transactional emails (account verification, password resets, alerts)
  • Improve and develop new features
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service providers: We use third-party services for infrastructure (AWS), email delivery (AWS SES), and analytics. These providers are contractually obligated to protect your data.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
  • With your consent: We may share information for purposes you have explicitly agreed to.

For benchmarking and industry analysis purposes, we may share anonymized, aggregated data that cannot be used to identify you.

5. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Passwords hashed with bcrypt using unique salts
  • Row-level security (RLS) ensuring strict tenant isolation in our database
  • Read-only cloud access via cross-account IAM roles — no credentials stored
  • Regular security audits and vulnerability assessments
  • Access controls limiting employee access to customer data

While we strive to protect your data, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

6. Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active and for 30 days after deletion
  • Cost data: Up to 6 months of historical data is retained while your account is active
  • Usage logs: Retained for 90 days for security and debugging purposes
  • Aggregated analytics: May be retained indefinitely in anonymized form

You may request deletion of your data at any time by contacting us or through your account settings.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing of your personal data in certain circumstances
  • Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@king-advisors.com. We will respond within 30 days.

8. International Data Transfers

Your data may be processed and stored in the European Union (EU) and the United States. When we transfer data outside the EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. GDPR Compliance

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service
  • Legitimate interests: Analytics, security, and service improvement
  • Consent: Where you have explicitly opted in
  • Legal obligation: Where required by law

Our Data Protection Officer can be reached at dpo@king-advisors.com.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete that information promptly.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: