Privacy Policy

Last Updated:

Kosha, Inc. ("Kosha," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information obtained through our website, platform, and services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

  • Account Information: Name, email address, phone number, company name, job title, and password when you create an account or register for our Services.
  • Business Information: Company details, billing information, payment card details, and transaction data necessary to provide our reconciliation services.
  • Financial Data: Transaction records, account balances, payment information, and other financial data you upload or integrate with our platform for reconciliation purposes.
  • Communications: Information you provide when you contact us for support, send us feedback, or otherwise communicate with us.
  • Survey and Research Data: Responses to surveys, questionnaires, or research studies we may conduct.

1.2 Information Collected Automatically

When you access our Services, we automatically collect certain information, including:

  • Usage Data: Information about how you use our Services, including features accessed, actions taken, time spent, and frequency of use.
  • Device Information: IP address, browser type and version, operating system, device identifiers, and mobile network information.
  • Log Data: Server logs, error reports, and diagnostic data generated during your use of our Services.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to collect information about your browsing activities. See Section 7 for more details.

1.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Integration Partners: Financial institutions, payment processors, accounting software providers, and other third-party services you connect to our platform.
  • Business Partners: Companies with whom we have marketing or business relationships.
  • Publicly Available Sources: Information from public databases, social media platforms, and other publicly accessible sources.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing and Improving Services

  • Deliver, operate, and maintain our reconciliation platform and services
  • Process transactions and fulfill your requests
  • Perform financial reconciliation, matching, and analysis
  • Develop new features and improve existing functionality
  • Conduct research and analytics to enhance service quality

2.2 Communications

  • Respond to your inquiries and provide customer support
  • Send transactional messages, service updates, and administrative notices
  • Provide product announcements and feature updates
  • Send marketing communications (with your consent where required)

2.3 Security and Compliance

  • Detect, prevent, and address fraud, security incidents, and abuse
  • Verify identity and authenticate users
  • Enforce our Terms of Service and other policies
  • Comply with legal obligations and regulatory requirements
  • Maintain audit trails for compliance and internal controls

2.4 Business Operations

  • Process payments and manage billing
  • Conduct business planning and forecasting
  • Manage vendor and partner relationships
  • Facilitate mergers, acquisitions, or business transfers

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

3.1 Service Providers

We engage third-party service providers to perform functions on our behalf, including cloud hosting, data storage, payment processing, analytics, customer support, and marketing. These providers have access to personal information only as necessary to perform their functions and are contractually obligated to maintain confidentiality and security.

3.2 Integration Partners

When you connect third-party services to our platform (such as banking institutions, payment processors, or accounting software), we share necessary information to enable these integrations. Such sharing is governed by your agreements with those third parties and their respective privacy policies.

3.3 Business Transfers

In connection with a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar transaction, your information may be transferred to the acquiring entity, subject to this Privacy Policy.

3.4 Legal Requirements

We may disclose your information when required by law or in response to:

  • Valid legal process (subpoenas, court orders, or search warrants)
  • Governmental or regulatory requests
  • Investigations of potential violations of law or our Terms of Service
  • Protection of rights, property, or safety of Kosha, our users, or the public

3.5 Aggregated or De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, marketing, analytics, or other business purposes.

4. Data Security

We implement industry-standard technical, administrative, and physical security measures designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption: Data encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access Controls: Role-based access controls and multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, and regular security monitoring
  • Security Audits: Regular security assessments, penetration testing, and third-party audits
  • Incident Response: Established procedures for detecting, responding to, and mitigating security incidents
  • Employee Training: Regular security awareness training for personnel with access to personal information

While we strive to protect your information, no security system is impenetrable. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods vary based on:

  • The nature and sensitivity of the information
  • Applicable legal, regulatory, tax, or accounting requirements
  • The purposes for which we process the information
  • Whether litigation, investigations, or disputes are pending or foreseeable

Generally, we retain account information for the duration of your account plus seven years thereafter to comply with financial record-keeping requirements. Transaction data and reconciliation records are retained in accordance with applicable financial regulations and our data retention schedule.

6. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information:

6.1 Access and Portability

You may request access to the personal information we hold about you and, in certain cases, request a copy of your data in a portable format.

6.2 Correction and Update

You may request correction of inaccurate or incomplete personal information. You can update certain information directly through your account settings.

6.3 Deletion

You may request deletion of your personal information, subject to certain exceptions (such as legal obligations to retain certain records).

6.4 Restriction and Objection

You may request restriction of processing or object to certain types of processing, including direct marketing.

6.5 Withdraw Consent

Where processing is based on consent, you may withdraw your consent at any time, though this will not affect the lawfulness of processing before withdrawal.

6.6 California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, disclosed, or sold, and the right to opt out of sales (though we do not sell personal information).

6.7 European Economic Area Rights

Individuals in the EEA have rights under the General Data Protection Regulation (GDPR), including those described above, as well as the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at privacy@kosha.ai. We will respond to your request within the timeframe required by applicable law.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information. Types of cookies we use include:

  • Essential Cookies: Required for the operation of our Services, including authentication and security
  • Performance Cookies: Help us understand how visitors use our Services and improve performance
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Collect data about usage patterns and service performance
  • Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies. Note that disabling cookies may affect the functionality of our Services.

8. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.

9. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws different from your jurisdiction.

When we transfer personal information internationally, we implement appropriate safeguards, such as:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding corporate rules for intra-group transfers
  • Other legally recognized transfer mechanisms

10. Children's Privacy

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected information from a child without parental consent, we will take steps to delete such information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website
  • Updating the "Last Updated" date at the top of this policy
  • Sending you an email notification (for material changes)
  • Providing in-app notifications where appropriate

Your continued use of our Services after the effective date of the revised Privacy Policy constitutes acceptance of the changes.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Kosha, Inc.

Email: privacy@kosha.ai

Address: [Company Address - To Be Updated]

Data Protection Officer: dpo@kosha.ai

13. Compliance and Certifications

Kosha is committed to maintaining compliance with applicable data protection regulations and industry standards, including:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • SOC 2 Type II compliance
  • Payment Card Industry Data Security Standard (PCI DSS) where applicable
  • Other relevant federal and state privacy laws

We regularly review and update our privacy and security practices to ensure ongoing compliance with evolving regulations and best practices.

Acknowledgment: By using Kosha's Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. This Privacy Policy is incorporated into and subject to our Terms of Service.