California privacy notice
This notice supplements the KoraSafe privacy policy and applies to California residents whose personal information we collect under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). If any conflict exists between this notice and the privacy policy, this notice controls for California residents.
Categories of personal information we collect
In the preceding twelve months, KoraSafe has collected the following categories of personal information from consumers:
- Identifiers: Name, email address, IP address, account credentials, and organization name.
- Commercial information: Subscription plan, billing records, and transaction history.
- Internet or electronic network activity: Browser type, device information, pages visited, features used, session duration, and interaction logs within the KoraSafe platform.
- Professional or employment-related information: Job title, department, and organization details you provide during account creation or assessment workflows.
- Inferences: Risk profiles, compliance maturity scores, and governance recommendations generated from your use of the platform.
Sources of personal information
We collect personal information from these sources:
- Directly from you: When you create an account, submit assessments, contact support, or provide feedback.
- Automatically from your devices: Through server logs and analytics instrumentation when you use the platform.
- Third-party authentication providers: When you sign in through Google or another SSO provider, we receive your basic profile information as you authorized during the authentication flow.
Business purposes for collection
We collect and use personal information for the following business purposes:
- Providing, maintaining, and improving the KoraSafe platform.
- Authenticating your identity and managing your account.
- Processing your queries through our regulatory intelligence pipeline.
- Detecting, preventing, and responding to security incidents and fraud.
- Sending service communications such as security alerts and account notifications.
- Analyzing aggregated usage patterns to improve platform quality and develop new features.
- Complying with legal obligations.
Categories of third parties with whom we share personal information
We share personal information with the following categories of third parties strictly for business purposes:
- Database and authentication infrastructure providers: Process account data, session information, and assessment inputs.
- AI model providers: Process query text and document chunks to generate regulatory intelligence. These providers do not use inputs or outputs for model training.
- Embedding and search providers: Process document text and query text to generate vector embeddings for semantic search.
- Security and CDN providers: Process IP addresses and request metadata for DDoS protection and content delivery.
- Hosting providers: Process request data including IP addresses and request headers.
Sale and sharing of personal information
KoraSafe does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Because we do not sell or share personal information, we do not offer an opt-out mechanism for these activities.
Your rights under the CCPA
As a California resident, you have the following rights:
Right to know
You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we shared your information.
Right to delete
You may request that we delete any personal information we have collected from you. We will honor your request unless an exception applies, such as when the information is necessary to complete a transaction, detect security incidents, or comply with a legal obligation.
Right to correct
You may request that we correct inaccurate personal information we maintain about you.
Right to limit use of sensitive personal information
KoraSafe does not collect or process sensitive personal information as defined under the CCPA.
Right to non-discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, provide a different quality of service, or suggest that you will receive any of these treatments for exercising your rights.
How to submit a request
To exercise any of your rights, contact us at privacy@korasafe.ai. Include "CCPA Request" in the subject line along with a description of the right you wish to exercise.
We will acknowledge your request within ten business days and respond within forty-five calendar days. If we need additional time, we will notify you of the extension and the reason for it.
Verification process
Before fulfilling your request, we must verify your identity. We will ask you to confirm information associated with your account, such as the email address you used to register. If we cannot verify your identity with reasonable certainty, we may request additional information. We will only use personal information provided in a verification request to verify your identity.
Authorized agents
You may designate an authorized agent to submit a request on your behalf. To do so, provide the agent with written permission signed by you and direct the agent to email privacy@korasafe.ai with a copy of that authorization. We may still require you to verify your own identity directly with us before we fulfill the request.
Retention
We retain personal information only as long as necessary for the purposes described in this notice. For specific retention periods, see the data retention section of our privacy policy.
Changes to this notice
We may update this notice to reflect changes in our practices or legal requirements. We will post the revised notice on this page with an updated effective date. Material changes will be communicated through the platform or by email.
Effective: April 2026