Privacy Policy
Effective date: January 1, 2026
Version 1.0
1. Introduction
Koraly LLC (“Koraly”, “we”, “us”) is committed to protecting personal information in connection with the payment infrastructure services we provide to business customers worldwide. This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the choices and rights available to individuals whose information we process.
This Policy applies to information collected through our website, dashboard, APIs, support channels and other online and offline interactions. It is designed to comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA) and other US state privacy laws, as well as general US privacy norms. For EU/UK data subjects, additional protections under the General Data Protection Regulation and UK GDPR also apply.
2. Information We Collect
We collect the following categories of information:
- Identification information — name, email, phone number, business name, role, business address and other contact details provided when creating an account or contacting us.
- KYC / KYB documents — formation documents, beneficial-owner identification (government ID, proof of address), tax identifiers (EIN), bank account information, and any supporting documents requested during onboarding or ongoing due diligence.
- Browsing and access data — IP address, browser fingerprint, device type, operating system, language, pages viewed, referring URL and timestamps collected via cookies or similar technologies (see Cookie Policy).
- Transaction metadata — amounts, currencies, merchant categories, descriptors, customer billing details, payment method types, risk signals, fraud scores and dispute records. Full payment card numbers are processed by our PCI DSS Level 1 partners and never stored in plain text on Koraly systems.
- Communications — emails, chat transcripts and call recordings exchanged with our support and sales teams, including attachments.
- Inferences — risk scores, customer-segment attributes and analytics derived from the categories above.
3. How We Use Information
We use personal information for the following purposes, retaining it only as long as necessary for the indicated purpose or as required by law:
| Purpose | Description | Retention |
|---|---|---|
| Account management | Create and operate the account, authenticate users. | Lifetime of account + 7 years |
| Transaction processing | Process payments, payouts, refunds and reconciliation. | 10 years (financial record-keeping) |
| Fraud / AML | Detect, prevent and investigate suspicious activity; satisfy BSA, OFAC and equivalent obligations. | Minimum 5 years after closure |
| Customer support | Respond to questions, troubleshoot and improve service. | 3 years |
| Marketing | Send product updates and commercial communications. | Until opt-out + 3 years for opt-out records |
| Analytics | Measure usage, performance and improve features. | 13 months for cookie-based analytics |
| Legal & compliance | Comply with subpoenas, regulatory requests, tax filings and card network rules. | As required by law |
4. Legal Basis for Processing
For US residents, we process personal information to perform our contractual obligations, comply with legal requirements, pursue our legitimate interests (such as fraud prevention and product improvement), and with consent where required. For EU/UK data subjects, the lawful bases under Article 6 GDPR include contract, legal obligation, legitimate interests and consent for marketing and non-essential cookies.
5. Sharing and Disclosure
We share personal information only as needed and only with the categories of recipients listed below:
- Koraly employees and affiliates bound by confidentiality obligations and accessing data on a least-privilege basis.
- Subprocessors providing cloud hosting, identity verification, fraud scoring, analytics, customer support and communications. A current list of subprocessors is available on request.
- Banking and card-network partners required to execute settlements, support disputes and comply with network operating rules.
- Regulators and law enforcement — including FinCEN, IRS, OFAC, state attorneys general, sectorial regulators, payment networks and tax authorities — when required by law, court order or good-faith determination of necessity.
- Successors and acquirers in connection with mergers, acquisitions or corporate reorganizations, subject to equivalent confidentiality protections.
We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising as defined under California law.
6. International Transfers
Personal information may be transferred to, stored or processed in the United States and other countries where our subprocessors are located. For transfers originating in the European Economic Area, the UK or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum and, where applicable, certification under the EU-U.S. Data Privacy Framework. Additional safeguards may be applied based on a transfer impact assessment.
7. Security Measures
Koraly implements administrative, physical and technical safeguards designed to protect personal information against unauthorized access, alteration, disclosure or destruction. These measures include:
- TLS 1.2+ in transit and AES-256 at rest for all sensitive data stores;
- PCI DSS Level 1 controls for cardholder data; full card numbers are tokenized and never stored on Koraly servers in plain text;
- role-based access control, multi-factor authentication for administrative consoles and least-privilege provisioning;
- environment separation between production, staging and development;
- comprehensive audit logging with tamper-evident retention and centralized SIEM monitoring;
- regular penetration testing performed by independent third parties and continuous vulnerability scanning;
- mandatory security awareness training, background checks for personnel handling sensitive data, and confidentiality obligations.
While we use industry-standard practices, no system is completely secure. In the event of a security incident affecting personal information, we will notify affected individuals and applicable regulators as required by law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding personal information we hold about you:
- Right to know — request confirmation of processing and a copy of the personal information collected.
- Right to delete — request deletion of personal information, subject to applicable retention obligations.
- Right to correct — request correction of inaccurate personal information.
- Right to opt-out of sale/share — for California residents, request that we stop selling or sharing personal information for cross-context behavioral advertising. We do not sell or share personal information as defined under California law.
- Right to limit use of sensitive personal information — request that we limit the use of sensitive PI to purposes permitted by law.
- Right to non-discrimination — exercise these rights without receiving discriminatory treatment.
- Right to appeal — appeal a decision made under this Policy where required by state law.
Requests can be submitted by email to privacy@koraly.io or by mail to the address listed in Section 12. We will verify identity, respond within 45 days (extendable by an additional 45 days when reasonably necessary) and document the request as required by law.
9. Children's Privacy
Our services are intended for businesses and their authorized representatives. We do not knowingly collect personal information from children under 13 years of age, consistent with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will delete that information promptly.
10. Cookies
We use cookies and similar technologies to operate the website, improve performance and analyze usage. For full details, see our Cookie Policy. You can manage your preferences through the consent banner displayed on first visit and at any time via the “Manage cookies” link in the website footer.
11. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the dashboard or by email at least thirty (30) days before they take effect. The “Effective date” at the top of this page indicates when the most recent version became effective.
12. Contact Us
Questions, comments and requests regarding this Privacy Policy or Koraly's data practices can be directed to:
Koraly LLC — Data Protection Office
4900 240TH ST 5478, Ashton, IA 51232, USA
Data Protection Officer: dpo@koraly.io
Privacy requests: privacy@koraly.io
Phone: +1 (319) 323-7362