Privacy Policy
This privacy policy explains how KoraSafe collects, uses, stores, and protects your personal data when you use our AI governance intelligence platform. We are committed to safeguarding your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation.
1. Data controller
KoraSafe acts as the data controller for personal data collected through this platform. For all matters relating to data protection, you may contact us at privacy@korasafe.ai.
2. Data we collect
2.1 Account information
When you create an account, we collect your email address, name, and organization details. If you authenticate through a third-party provider (such as Google), we receive your basic profile information as authorised by you during the authentication flow.
2.2 Usage data
We automatically collect information about how you interact with the platform, including pages visited, features used, queries submitted, session duration, browser type, device information, and IP address. This data is collected through server logs and analytics instrumentation.
2.3 Assessment inputs
When you use KoraSafe's compliance assessment and gap analysis features, we process the queries, organizational context, and any additional information you provide to generate tailored regulatory intelligence. Assessment inputs may include descriptions of AI systems, deployment contexts, risk classifications, and compliance status information.
2.4 Communication data
If you contact us for support or provide feedback, we collect the contents of your communications along with any metadata associated with those communications.
3. How we use your data
3.1 Service delivery
We use your data to provide, maintain, and improve the KoraSafe platform, including authenticating your identity, processing your queries through our retrieval-augmented generation (RAG) pipeline, delivering personalised regulatory intelligence, and managing your account.
3.2 Platform improvement
We analyse aggregated and anonymised usage patterns to improve the quality and relevance of our regulatory intelligence, enhance our knowledge base coverage, optimise platform performance, and develop new features.
3.3 Security
We process certain data to detect, prevent, and respond to security incidents, fraud, and abuse of the platform. This includes monitoring for anomalous access patterns and enforcing rate limits.
3.4 Communications
We may use your contact information to send essential service communications (such as security alerts and account notifications) and, where you have opted in, product updates and regulatory news.
4. Legal basis for processing
We process your personal data on the following legal bases under the GDPR:
- Contractual necessity (Article 6(1)(b)): Processing that is necessary to perform our contract with you, including providing platform access and delivering regulatory intelligence services.
- Legitimate interest (Article 6(1)(f)): Processing for platform security, fraud prevention, service improvement through aggregated analytics, and direct marketing to existing customers. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights.
- Consent (Article 6(1)(a)): Where we rely on your consent, such as for optional marketing communications or non-essential cookies, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, such as responding to lawful requests from public authorities.
5. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your active account and for 30 days following account deletion to allow for account recovery.
- Usage data: Aggregated and anonymised within 90 days of collection. Anonymised data may be retained indefinitely for analytics purposes.
- Assessment inputs: Retained for the duration of your active account. You may delete individual assessments at any time through the platform interface.
- Server logs: Retained for 90 days for security and debugging purposes, then automatically purged.
- Communication records: Retained for 2 years following the last communication, or longer where required for legal compliance.
6. Third-party services
KoraSafe uses select third-party services to deliver the platform. Each provider processes data on our behalf under data processing agreements that ensure appropriate safeguards:
- Database Infrastructure Provider: Provides our database infrastructure, authentication services, and row-level security. Processes account data, assessment inputs, and session information in managed PostgreSQL instances.
- AI Synthesis Provider: Powers the AI synthesis component of our regulatory intelligence pipeline. When you submit a query, relevant document chunks and your query are sent to generate contextual regulatory intelligence. The provider does not use API inputs or outputs for model training.
- Embedding Provider: Provides vector embedding generation for our semantic search pipeline. Document text and query text are processed to generate vector embeddings that enable similarity-based retrieval from our knowledge base.
- Security & CDN Provider: Provides DNS management, DDoS protection, and content delivery network services. Processes IP addresses and request metadata as part of its security and performance services.
- Hosting Provider: Hosts the KoraSafe platform and serverless API functions. Processes request data including IP addresses and request headers.
7. International data transfers
Some of our third-party service providers process data outside the European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries with an adequacy decision from the European Commission.
- The EU-U.S. Data Privacy Framework, where applicable.
8. Your rights
Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to data portability: You may request a machine-readable copy of the personal data you have provided to us.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to restrict processing: You may request that we limit the processing of your personal data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.
To exercise any of these rights, please contact us at privacy@korasafe.ai. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
9. Cookies
KoraSafe uses cookies and similar technologies to maintain session state, remember authentication status, and collect analytics data. We categorise cookies as follows:
- Essential cookies: Required for the platform to function, including authentication tokens and session identifiers. These cookies cannot be disabled.
- Analytics cookies: Used to understand how visitors interact with the platform. These cookies are only set with your consent.
You may manage your cookie preferences through your browser settings. Note that disabling essential cookies may prevent the platform from functioning correctly.
10. Children's privacy
KoraSafe is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete such data.
11. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice on the platform or by sending you an email. Your continued use of the platform after such notification constitutes acceptance of the updated policy.
12. Contact information
For questions, concerns, or requests regarding this privacy policy or our data practices, please contact:
KoraSafe Data Protection
Email: privacy@korasafe.ai
Password & authentication policy
KoraSafe enforces the following authentication standards:
- Minimum password length: 8 characters
- Multi-factor authentication (TOTP) available for all accounts
- Organizations can enforce MFA for all members
- Single Sign-On (SAML/OIDC) supported for enterprise organizations
- Sessions expire after the period configured by the organization administrator (default: 60 minutes)
- All authentication events are logged in the audit trail
- Brute-force protection via rate limiting (100 requests per minute per IP)
- Password reset via email with time-limited tokens
Last updated: April 2026