Privacy Policy

In short: we collect personal data that you provide to us.

We collect data that you voluntarily provide when you express interest in receiving information about us or our products and Services, when you participate in activities within the Services, or when you otherwise interact with us.

Personal data provided by you

The personal data we process depends on the context of your interaction with us, the choices you make, and the products and features you use. This may include:

• Name, email address, and contact phone number.
• Profile data and other materials you post in the App — including username, date of birth, gender, age, personal characteristics, demographic data, ideas, comments, testimonials, images, photographs, and videos.
• By providing this information you agree that it may be publicly available, unless otherwise explicitly stated.

We only request access to the minimum technically possible amount of data necessary to implement the existing functions or services of our application. Whenever possible, we request access to user data in context so that users understand why we need the data.

Sensitive information

We do not process sensitive (confidential) information.

Mobile device access

If you use our applications, we may also process the following information if you choose to give us access: camera access and other device features. You can change our access or permissions at any time in your device settings.

Push notifications

We may ask to send you push notifications regarding your account or certain app features. You can turn them off in your device settings at any time.

How we get access to your data

Access to your personal data may include filling in a checkbox in our app, choosing technical settings for Services, or behaviour that clearly indicates your consent to the proposed processing. All personal data you provide must be true, complete, and accurate.

In short: we use your personal data to provide, improve, and administer our Services, communicate with you, ensure security and fraud prevention, and comply with the law.

We process your personal data for various reasons, including:

• To provide services to you — enabling you to use the Services seamlessly and preventing or addressing App errors or technical issues.
• To evaluate and improve our Services, products, and marketing — determining usage trends, measuring advertising effectiveness, conducting surveys, research, and testing features under development.
• To enforce our Terms of Service and prevent, detect, investigate, and resolve disputes, malicious activities, fraud, and cybercrime, including verifying your identity and preventing fraudulent accounts.
• To comply with legal obligations — when the law requires it, including responding to requests from law enforcement agencies.

If we need to process personal data for a purpose other than the one for which it was obtained, we will inform you prior to processing.

Updating your personal data

We take all reasonable steps to ensure that inaccurate personal data is corrected or deleted without delay. You have the right to contact us to correct your data or fill in incomplete data.

Grounds for restricting processing

You have the right to request restriction of processing in the following circumstances:

• The accuracy of the personal data is contested by you.
• The processing is unlawful and you oppose erasure and request restriction instead.
• We no longer need the data for processing purposes, but you require it to form, exercise, or defend legal claims.
• You have objected to processing pending verification of whether our legitimate grounds override yours.

In short: we may share personal data in the specific situations described in this section.

Organisational processes

We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or part of our organisational activities by another company.

Banking institutions

When you use specific Services such as Loan Acquisition Assistance and Transaction and Account Management Services, your personal data may be transferred to banking institutions that facilitate these services. Upon transfer, those institutions become data controllers and are responsible for processing and protecting your data under GDPR. Full information about the recipient institution will be indicated in our application at the time of data submission.

KYC providers

When you use specific Services, your personal data may be transferred to third-party KYC (Know Your Customer) providers that assist in verifying your identity and ensuring compliance with legal and regulatory requirements. Upon transfer, KYC providers become independent data controllers.

International data transfers

We may transfer personal data to countries other than where it was originally collected in order to provide the Services. Any such transfer is carried out in compliance with applicable data protection laws, including the GDPR, with adequate safeguards in place.

In short: we take all necessary measures to ensure that the storage period is reduced to an absolute minimum.

The retention period is determined based on:

• The duration of your use of our Services.
• The necessity of the data for the purposes outlined at the time of collection.
• Legal obligations to which we are subject (e.g. tax, accounting, or regulatory requirements).
• Our legitimate business interests, such as maintaining security, preventing fraud, and improving our services.

When you delete your account, we will retain your personal data for a period of 1 month from the date of deletion. This period allows us to comply with legal obligations, resolve disputes, and enforce agreements. After this period, your data will be permanently deleted or anonymised unless we are required to retain it longer by law.

Data disposal

When your personal data is no longer needed we ensure it is securely disposed of through:

• Secure deletion — using methods that ensure data cannot be reconstructed or recovered.
• Anonymisation — where full deletion is not feasible, data is anonymised so it can no longer identify you.
• Third-party disposal obligations — service providers processing data on our behalf are contractually required to follow equivalent secure disposal practices.

Please be aware that we are subject to various legal obligations to retain certain data, including to assist in the identification and prevention of fraud and to comply with anti-money laundering regulations.

We store your personal data exclusively in compliance with the requirements for safety, integrity, and a special regime of access that prevents familiarisation or distribution by third parties.

Our data protection practices include:

• Encryption and secure storage — all personal data is encrypted in transit and at rest using industry-standard protocols.
• Access control — access is restricted to authorised personnel only, with multi-factor authentication enforced.
• Regular security audits and penetration testing — performed by qualified security professionals to identify and address potential vulnerabilities.
• Data minimisation and anonymisation — we collect and process only the data necessary for specified purposes.
• Incident response and breach notification — we have a comprehensive incident response plan and will notify the relevant supervisory authorities and affected individuals without undue delay, within the timeframes required by the GDPR.

We do not knowingly collect, process, or share personal data from children under the age of 18. If you are under 18, please do not use our Services or provide any personal data to us.

If we learn that we have collected personal data from a minor without verification of parental consent, we will take steps to remove that information promptly and deactivate the account. If you believe we may have collected data from a minor, please contact us at Compliance@theklara.com.

The right to delete personal data is preserved even when the user gave consent as a child and was not fully aware of the associated risks.

In short: you may review, modify, or cancel your account at any time.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — you may request a copy of the personal data we hold about you.
• Right to rectification — you may request that we correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") — you can request deletion of your data when it is no longer needed, when you withdraw consent, or when processing was unlawful.
• Right to restriction of processing — you can request that we limit how we use your data in certain circumstances.
• Right to data portability — you may receive your personal data in a structured, commonly used, machine-readable format.
• Right to object — you may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at Compliance@theklara.com. We will respond within 30 days in accordance with GDPR requirements.

If you are in the EEA or the UK, you also have the right to lodge a complaint with your local data protection authority. Contact details are available at: https://ec.europa.eu/justice/data-protection/

If you are in Switzerland, contact details are available at: https://www.edoeb.admin.ch/

Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) feature you can activate to signal your privacy preference not to have browsing data monitored and collected.

No uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

If a standard for online tracking is adopted that we must follow, we will inform you in a revised version of this Privacy Policy.

California Civil Code Section 1798.83 (the "Shine The Light" law) permits California residents to request, once a year and free of charge, information about the categories of personal data we disclosed to third parties for direct marketing purposes.

If you are a California resident and would like to make such a request, please submit your request in writing to Compliance@theklara.com.

If you are under 18, reside in California, and have a registered account with us, you have the right to request removal of unwanted publicly posted data.

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this page.

We encourage you to review this Privacy Policy frequently to stay informed about how we protect your personal data. If we make material changes, we may notify you by prominently posting a notice or by sending you a direct notification.

If you have questions or comments about this policy, you may contact our Data Protection Officer by email at Compliance@theklara.com, by phone at +34 (612) 345 678, or by post at:

KLARA AI EUROPE, SOCIEDAD DE RESPONSABILIDAD LIMITADA, CL PALANGRE Num 13 39, 3540 Alicante, Alicante, Spain.

If you are a resident of the European Economic Area, you may also lodge a complaint with your local data protection supervisory authority.