Effective Date: 2025.05.27

Privacy Policy

Jurisdiction: United States, State of Delaware; includes provisions for GDPR compliance for EU users

This Privacy Policy outlines the ways in which Kurudy Inc. ("Kurudy," "we," "us," or "our") collects, processes, shares, and protects your personal data. As a Regulation Crowdfunding (Reg CF) funding portal registered with the U.S. Securities and Exchange Commission (SEC) and a member of the Financial Industry Regulatory Authority (FINRA), Kurudy is committed to upholding your data rights while fulfilling our obligations under applicable U.S. and international laws, including the General Data Protection Regulation (GDPR).

1. Personal Data We Collect

When you interact with the Kurudy platform—whether by creating an account, exploring investment offerings, or completing transactions—we collect information necessary to ensure a secure and legally compliant experience. This includes data you provide directly, such as your full name, email address, date of birth, mailing address, KYC/AML documents, and financial details associated with your transactions. We also collect usage-based information, such as your IP address, browser type, login history, and platform activity.

We further collect biometric data through our identity verification systems, which may include facial recognition and ID scanning tools. This data is gathered in compliance with Rule 302(d) under Reg CF and the Bank Secrecy Act (BSA). Technical data, such as geolocation and device identifiers, may also be collected to detect unusual access patterns and ensure account security.

To optimize platform usability and maintain a record of investor education compliance, we track activity within our onboarding modules and investment disclosures. These records serve as evidence of user consent and understanding of campaign risks, as required by SEC Rule 203 and Rule 204.

| Category of Personal Data | Use of Personal Data | Disclosure of Personal Data |
| --- | --- | --- |
| Identifiers (e.g. name, contact details, IP address) | To provide, analyze, and maintain our Services | Vendors, service providers, and affiliates under contract |
| Commercial information (e.g. transaction history) | To improve and develop our Services | Regulatory bodies and service vendors |
| Network activity (e.g. content engagement) | To communicate with you about services and events | Platform administrators, campaign issuers |
| Communication information | To prevent fraud, ensure platform security | Support systems, compliance and legal entities |
| Geolocation data | To comply with legal obligations, detect fraud | Regulators, analytics services if necessary |

2. Lawful Basis for Data Processing

Kurudy processes your personal data on several legal grounds. For example, we collect and use information to fulfill our contract with you when providing access to investment offerings. We are also obligated to process certain types of data under securities law, such as verifying identity, complying with KYC/AML rules, and filing disclosures.

Where necessary, we process your data based on our legitimate interests in preventing fraud, securing our systems, and improving our Services. In situations requiring your explicit agreement—such as consenting to cookies or receiving marketing communications—we rely on your informed consent in accordance with GDPR standards.

We ensure that all data collection is limited to what is necessary for specific purposes and that it is never sold or misused.

3. How We Use Personal Data

Your data is used to power critical aspects of the Kurudy platform. This includes verifying your identity and investor eligibility, matching you with appropriate investment opportunities, and securely processing payments through escrow. Additionally, we use your information to deliver campaign disclosures, automate compliance through smart contracts, and record your interactions for audit purposes.

We also leverage data to improve your experience through personalized educational content, tailored investor dashboards, and communication about material changes or milestones in your investments. When permitted by law and your preferences, we may also send you information about new offerings or platform features.

| Purpose | Examples of Use |
| --- | --- |
| Compliance & verification | Automating escrow workflows, verifying accreditation |
| Transparency & disclosure | Delivering Form C and risk acknowledgment confirmations |
| Security | Identifying abnormal logins and alerting users accordingly |

4. Disclosure of Your Information

Kurudy shares personal data only with trusted third parties who support the legal and operational integrity of our platform. These include our escrow provider North Capital, identity verification provider Persona, legal and compliance advisors, cloud infrastructure partners, and, in some cases, government agencies, when required by law.

We never sell or share your data with advertisers. In the case of a merger, acquisition, or asset transfer, your data may be transferred to the new entity, with proper notice. Similarly, if you invest through a business account or an enterprise agreement, your employer may receive access to limited account-level information.

| Data Recipient | Purpose |
| --- | --- |
| North Capital (Escrow) | Fund custody and return processing per Reg CF Rule 303(e) |
| Persona (KYC/AML) | Identity and fraud checks, OFAC screening |
| Legal advisors & regulators | SEC/FINRA disclosures, compliance reviews, disputes |

5. Use of Cookies and Tracking Technologies

Kurudy uses cookies and similar technologies to operate the platform, understand usage trends, and enhance your experience. Cookies help maintain your login state, remember your preferences, and present relevant educational content. We also use analytics tools that rely on these technologies to improve system performance and guide product development.

Where required by GDPR and similar laws, we ask for your consent before enabling non-essential cookies. You may modify cookie settings through your browser or device settings.

| Cookie Use | Description |
| --- | --- |
| Session management | Keeps you logged in, prevents CSRF attacks |
| Onboarding tracking | Logs interaction with investor education modules |
| Consent management | Records your acceptance of cookie banner preferences |

6. Data Retention Practices

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected. This includes regulatory obligations, dispute resolution, and audit trail preservation as required under SEC and FINRA rules. Typically, records related to investments, identity verification, and campaign disclosures are retained for a minimum of five years, consistent with FINRA Rule 4511.

Data associated with temporary sessions, such as chat transcripts or file uploads, is retained only briefly unless tied to regulatory records. Upon request or account closure, data is deleted unless retention is legally mandated.

| Factor | Impact on Retention |
| --- | --- |
| Regulatory filing timelines | Minimum 5-year record for disclosures and agreements |
| Dispute or audit needs | May extend retention if flagged for investigation |
| Consent withdrawal | Triggers deletion unless a legal obligation applies |

7. Your Rights and Choices

Kurudy supports your rights under GDPR and U.S. state data laws. You may request access to your data, correct errors, delete non-essential information, or restrict processing in certain cases. You may also withdraw previously given consent, such as for cookies or marketing emails.

If you are a resident of the European Economic Area, California, or other jurisdictions with specific data rights, you may have additional options such as the right to data portability or the right to appeal Kurudy’s handling of your data rights request.

To exercise any of these rights, please email us at privacy@kurudy.com. We may request identity verification before fulfilling requests.

8. Children's Privacy

Our services are intended for users 18 and older. Children under the age of 13 are not permitted to use Kurudy. If we discover that a minor has created an account or submitted data, we will take steps to delete the information and deactivate access. If you are a parent or guardian and believe your child has used our platform, please contact us immediately.

9. Security and Infrastructure Protections

Kurudy implements industry-standard technical and administrative safeguards, including AES-256 encryption, 2FA, secure biometric storage, and blockchain-based audit trails. We monitor our systems for vulnerabilities and review controls regularly to ensure compliance with SEC Regulation S-P and FINRA cyber readiness standards.

In the event of a data breach, we notify affected users and regulators in line with legal requirements and take appropriate remedial actions.

10. Cross-Border Data Transfers

Your data may be stored or processed in jurisdictions outside your home country, including the United States. We use Standard Contractual Clauses and other approved mechanisms to ensure international data transfers comply with GDPR and similar regulations.

11. Changes to This Privacy Policy

We periodically update this policy to reflect changes in law, technology, or platform features. The current version is always available at https://kurudy.com/privacy-policy. Significant updates will be communicated through the platform or via email.

12. Contacting Us

For questions or to submit a rights request, please contact:
Email: privacy@kurudy.com
Data Protection Officer: privacy@kurudy.com

13. Appendix: Regulatory Alignment Table

| Privacy Policy Element | Regulation or Requirement | Kurudy Compliance Reference |
| --- | --- | --- |
| KYC/AML Data Handling | Reg CF Rule 302(d); BSA/Patriot Act | Persona biometric verification, OFAC screening |
| Escrow Fund Handling | Reg CF Rule 303(e) | North Capital integration |
| Disclosure & Risk Acknowledgment | Reg CF Rule 203, 204 | Smart contract delivery, signature tracking |
| Record Retention | FINRA Rule 4511 | 5+ years of encrypted document archives |
| GDPR Consent Management | GDPR Arts. 6 & 7 | Cookie banners, opt-out settings, withdrawal |
| Data Transfers | GDPR Chapter V | Standard Contractual Clauses (SCCs) |
| Data Minimization & Purpose Limiting | GDPR Art. 5 | Only necessary data collected, investor control |
| Right to Access/Rectification | GDPR Art. 15–16; US State Laws | Self-service dashboard & DPO support |
| Right to Delete | CCPA/CPRA; GDPR Art. 17 | Processed via verified request |
| Children’s Data Restrictions | COPPA; GDPR Art. 8 | 13+ restriction, parental controls enforced |