Privacy Policy
Effective date: January 1, 2026 · Version: 1.0
This Privacy Policy describes how Kliro LLC (“Kliro”) collects, uses, discloses, and protects personal information. It applies to our websites, APIs, dashboards, and related services (collectively, the “Services”).
1. Introduction
Kliro LLC is a payment-infrastructure company organized in the State of Iowa, with its principal place of business at 620 NE 43RD AVE NUM 7457, Des Moines, IA 50313-2841, USA. We provide payment-aggregation, multi-currency, tax-compliance, fraud-detection, and analytics services to businesses operating worldwide.
This Privacy Policy is designed to satisfy the substantive disclosure requirements of the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other applicable US state privacy laws. For data subjects in the European Economic Area, United Kingdom, or Switzerland, we describe additional protections aligned with the EU General Data Protection Regulation (“GDPR”) and the EU-US Data Privacy Framework where applicable.
2. Information We Collect
We collect personal information directly from you, automatically through your use of the Services, and from third-party sources such as identity-verification vendors, payment networks, financial institutions, and public records. The categories of personal information we collect include:
- Identifiers — name, business name, email, phone number, postal address, IP address, user IDs, and account identifiers.
- KYC / KYB documentation — government-issued identification, beneficial-owner declarations, formation documents, tax identifiers (EIN), bank-account information, and proof of address.
- Browsing and access data — device type, browser, operating system, referring URLs, pages viewed, session timestamps, and similar telemetry.
- Transaction metadata — amounts, currencies, descriptors, timestamps, payment method types, merchant categories, geographic indicators, and fraud-signal data. We do not store full primary account numbers (PANs); these are tokenized through PCI DSS Level 1 vendors.
- Communications — emails, chat messages, support tickets, call recordings (with notice), and survey responses.
- Marketing data — preferences, campaign attribution, and engagement metrics where applicable.
3. How We Use Information
We use personal information for the purposes set out below. Retention periods reflect the longer of (a) the period necessary to fulfill the purpose and (b) the minimum period imposed by applicable law, including BSA/AML record-keeping rules.
| Purpose | Categories used | Retention |
|---|---|---|
| Account creation and administration | Identifiers, KYC/KYB | Duration of account + 5 years |
| Transaction processing and settlement | Transaction metadata, identifiers | 7 years (BSA/AML) |
| Fraud prevention and AML/CFT screening | All categories | 7 years |
| Customer support and dispute resolution | Communications, identifiers | 3 years post-resolution |
| Marketing communications (with consent) | Identifiers, marketing data | Until opt-out + 30 days |
| Analytics and product improvement | Browsing/access data, aggregated transaction metadata | 13 months (raw); aggregated indefinitely |
| Legal compliance and tax reporting | Identifiers, transaction metadata, KYC/KYB | 7 years or as required by law |
4. Legal Basis for Processing
Where GDPR or comparable laws apply, we process personal information based on (i) performance of a contract with you, (ii) compliance with legal obligations such as AML and tax-reporting laws, (iii) our legitimate interests in operating, securing, and improving the Services, or (iv) your consent. Under US state privacy laws, we process personal information to provide the Services you have requested, to comply with law, and for our legitimate business purposes as described in this Policy.
5. Sharing and Disclosure
We share personal information with the following categories of recipients:
- Employees and authorized personnel on a need-to-know basis, subject to confidentiality obligations.
- Subprocessors and service providers — cloud hosting, identity verification, fraud-detection vendors, customer-support tooling, analytics, and email infrastructure. A current list is available on request.
- Regulators and law-enforcement authorities — including FinCEN, the IRS, OFAC, state attorneys general, state financial regulators, and sectorial regulators, in response to lawful requests and to fulfill our regulatory obligations.
- Payment networks and acquiring banks — Visa, Mastercard, American Express, Discover, and local equivalents; their affiliated processors and member banks.
- Professional advisors — auditors, lawyers, and accountants.
- Successors — in connection with a merger, acquisition, reorganization, or sale of assets.
We do not sell personal information for monetary consideration. We may share certain identifiers with advertising partners for cross-context behavioral advertising; you may opt out at any time using the procedures described in Section 8.
6. International Transfers
Kliro is headquartered in the United States, and personal information is primarily processed and stored in the United States. For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement, and, where applicable, our certification under the EU-US Data Privacy Framework. Additional safeguards include encryption in transit and at rest, role-based access controls, and supplementary measures as required by the data exporter's risk assessment.
7. Security Measures
We maintain a comprehensive information-security program that includes, without limitation:
- TLS 1.2+ for data in transit and AES-256 for data at rest;
- Role-based access control with least-privilege defaults and multi-factor authentication;
- Detailed audit logging and security-event monitoring;
- Segregated production, staging, and development environments;
- Annual third-party penetration testing and continuous vulnerability scanning;
- Mandatory security and privacy training for all personnel;
- PCI DSS Level 1 certification through our payment vendors;
- Documented incident-response plan with notification timelines aligned with applicable law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Right to know the categories of personal information we collect, the sources, the purposes, and the categories of recipients;
- Right to access the specific pieces of personal information we hold about you;
- Right to correct inaccurate personal information;
- Right to delete personal information, subject to legal-retention exceptions (e.g., BSA/AML);
- Right to opt out of sale or sharing for cross-context behavioral advertising;
- Right to limit use of sensitive personal information to that which is necessary to provide the Services;
- Right to non-discrimination for exercising your privacy rights;
- Right to data portability in a structured, machine-readable format (where applicable);
- Right to lodge a complaint with a supervisory authority.
To exercise your rights, contact us at privacy@kliro.io or by mail at the address below. We respond to verifiable consumer requests within 45 days, with the possibility of a 45-day extension where reasonably necessary. We may decline requests where required or permitted by law (for example, where deletion would prevent us from complying with record-keeping obligations).
9. Children's Privacy
The Services are not directed to individuals under the age of thirteen (13). We do not knowingly collect personal information from children. If we learn that we have inadvertently collected such information, we will delete it promptly in accordance with the Children's Online Privacy Protection Act (“COPPA”).
10. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You may manage your preferences through our cookie banner or your browser settings.
11. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-dashboard notice at least thirty (30) days before the effective date. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
12. Contact
Questions, requests, or complaints concerning this Privacy Policy may be directed to:
Data Protection Officer — Kliro LLC
Email: dpo@kliro.io
Privacy inbox: privacy@kliro.io
620 NE 43RD AVE NUM 7457
Des Moines, IA 50313-2841, USA
Phone: +1 (641) 221-4592