Karta Privacy Policy

KARTA'S PRIVACY POLICY

Version 2.0 — October 2025

1. Introduction

We are Karta Inc (“Karta”, “we”, “us”, or “our”), a U.S.-based company that provides financial services in partnership with issuing banks. We respect your privacy and are committed to protecting your personal data.

Role of Karta

Karta processes personal data:

as a data controller in relation to our website, communications, and direct interactions with customers, and
as a service provider (processor) to our issuing bank partners in connection with onboarding, account servicing, fraud monitoring, and regulatory compliance.

This Privacy Policy explains how we collect, use, share, and protect personal data when you interact with us, including when you visit our website, apply for our services, or use our products.

We aim to collect and process only the personal data that is necessary to provide our services, support onboarding, maintain account functionality, prevent fraud, and comply with applicable legal and regulatory obligations.

We make this Privacy Policy available on our website www.conkarta.com in its most recent version. Please review it carefully to understand how we handle your personal data.

By using our services, you acknowledge that your personal data will be processed in accordance with this Privacy Policy.

How We Use and Share Your Data (Summary)

We process your personal data to provide financial services, including onboarding, account servicing, fraud prevention, and legal compliance.

We share data only with our issuing bank partners and trusted service providers as necessary to operate our services.

We do not sell your personal data or share it for third-party marketing.

2. Information Collected

Whenever users visit our website https://www.conkarta.com/, servers providing functionality may automatically log the standard data provided by the user web browser. Such data is considered “non-identifying information”, as it does not contain anything that is capable of identifying any user personally. The standard data may include the user computer’s IP address, the type of browser used, the pages visited, the time and date of visit and the time spent on each page of our website.

In this Policy, “Personal Data” (or “personal information”) refers to information that identifies you or may identify you (e.g. your name, address, identification number). Processing of Personal Data refers to actions such as collecting, handling, storing and protecting personal data.

Please review our Privacy Notice for detailed information on how we process and disclose non-public personal information (“NPI”) we collect from and about you in connection with our Services.

We collect personal information when users request information about our services and products, request delivery of information, schedule an event or otherwise voluntarily provide such information through our website or otherwise. Various types of personal data are collected and processed in the context of the relationship arising between you and Karta, and according to the service/product used and your capacity.

Indicatively, the following are examples of categories and types of personal data that may be processed:

Individual personal information (such as name, date and place of birth).
Individual personal contact details (such as email address, phone number, home and work address).
Identity information (such as passport, nationality, tax ID).
Financial information (such as income, assets, source of wealth).

Generally, every user will have control over the amount and type of information he or she provides to us when using our website.

Do not provide us with any third party’s personal information unless you have obtained consent of these persons or you are sure the disclosure of the personal information is otherwise permitted by law or contract. You must inform all other persons whose information you share with us how we process personal information and all other terms of this Policy.

3. How Information is Collected

We collect information by lawful means, with user knowledge and consent. We also let users know why we are collecting information about users and how it will be used. Users are free to refuse our request, with the understanding that, if our request is refused, we may be unable to provide the refusing user with some of the Company’s Services and functionality available on our website.

4. How Information is Used

We use personal information to provide and maintain our services, including onboarding, account servicing, fraud detection and prevention, customer support, and compliance with legal and regulatory obligations.

When we use or process personal information about users, we do so only as necessary to provide the Company’s Services to users (e.g., to meet our contractual and legal obligations), or otherwise with user consent, to comply with applicable law, or as otherwise required or permitted by applicable law. Through our Website, all users are provided with the choice of which types of communications users will receive from us, and the ability to change those choices whenever users want. Some of the more common, specific uses of the information provided by users are described below.

5. Providing Services; Fulfilling Contractual Obligations

We may use personal information to provide the Company’s Services requested by users or to otherwise perform any contract we may have with users, including communicating with users about the scope of work, payment or other related topics. When a Company account is set up on our website or the user otherwise agrees to the Terms of Use of the website, a contract is formed between the particular company and us. In order to carry out that contract, we must process the information provided to us by the user.

Some of the information provided by users may contain personal information, and we may use it in order to do any of the following:

Verify the user’s identity for security purposes.
Provide the user with suggestions and advice concerning our services.
Provide our services, which includes updating, securing and troubleshooting, as well as providing support.
Improve, personalize and develop our services.

We will continue to process this information until the contract between the user and us ends or is terminated by either party under the terms of the contract.

6. Processing of Information Subject to User Consent

Through certain actions when otherwise there is no contractual relationship between user and us, such as when, after having browsed our website, user requests us to provide more information about our business, including about our services, we may request the user to provide consent to us in order to process information that may be personal information.

Wherever practicable, we aim to obtain explicit user consent to process personal information. Sometimes the user might give consent implicitly, such as when the user sends us a message containing personal information by email to which the user expects us to reply.

When we communicate with users about our business, we will use the contact information provided to us to discuss technical issues, services, and other information of interest to users. We may send you communications about our services and offerings. We do not share your personal data with third parties for their own marketing purposes. Except where a particular user has consented to our use of user information for a specific purpose, we will not use any of the user’s information in any way that would identify the user personally.

We will continue to process user information on this basis until the user withdraws consent or it can be reasonably assumed that user consent is no longer valid.

Each user may withdraw consent at any time by instructing us using the contact information at the end of this Notice, or changing user elections within our website. However, if a user does so, he or she may no longer be able to use our website or the Company’s Services.

7. Legally Required Disclosure of Information

We may be legally required to disclose user personal information, if such disclosure is:

Required by subpoena, law, or other legal process.
Necessary to assist law enforcement officials or governmental authorities.
Necessary to investigate violations of or otherwise enforce our Terms and Conditions of Use.
Necessary to protect us from legal action or claims from third parties including users.
Necessary to protect the legal rights, personal/real property, or personal safety of our company, customers, third party partners, employees, and affiliates.

8. Other Legitimate Interest

We may process personal data where necessary to support the operation of our services, provided such processing is consistent with the purposes described in this Policy.

9. Data Processing and Data Storage

The personal information we collect is stored and processed in the United States of America or any other country in which Karta, its subsidiaries, affiliates, or service providers operate. We only transfer user data within jurisdictions subject to data protection laws that reflect our commitment to protecting the privacy of our users.

We only retain personal information for as long as necessary to provide our services. While we retain personal information, we will protect it by applying commercially acceptable means to prevent loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. That having been said, we would like to remind users that no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security of personal information.

Whenever users request us to delete their personal information, or where user personal information is no longer relevant to our operations, we will erase it from our system within a reasonable timeframe.

10. Payment Processing

Payment processing services may use the personal information of our users solely for the purpose of performing specific tasks on our behalf. We share personal data with payment processors only as necessary to provide our services and in accordance with applicable law. We do not give payment processors permission to disclose or use any of our data for any other purpose.

We will refuse government and law enforcement requests for personal information if we believe a request is too broad or unrelated to its stated purpose. However, we may decide to cooperate if we believe the requested information is necessary and appropriate to comply with legal process, to protect our own rights and property, to protect the safety of the public and any person, to prevent a crime, or to prevent what we reasonably believe to be illegal, legally actionable, or unethical activity.

We do not otherwise share personal data beyond what is described in this Policy. We do not sell or rent personal information of our users to marketers or third parties.

Financial institutions

Karta uses Plaid Inc. (“Plaid”) to gather your data from financial institutions. By using the Service, you grant Karta the right, power, and authority to act on your behalf to access and transmit your personal and financial information from your relevant financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid. Karta also uses financial institutions to process your ACH funds transfers from your funding source bank account to Karta for use of the Service.

11. Requesting, Amending or Deleting Personal Information

Any user may review certain information that we hold about him or her by signing in to the user account on our website. To obtain a copy of all information we maintain about a particular user, that user may send us a request using the contact information at the end of this Policy. After receiving a user request, we will tell when we expect to provide the user with the requested information.

If a user wishes us to remove or change personal information that he or she has provided us, the user may contact us at the contact information at the end of this Policy. However, the removal or change of user information may limit the service we can provide.

When we receive any request to access, edit or delete personal information, we will first take reasonable steps to verify user identity before granting access or otherwise taking any action. This is important to safeguard user information.

12. Retention Period for Personal Data

Our retention period is primarily determined by our obligations under applicable legislation to retain data for a specific period of time. Destruction will not be possible prior to the lapse of this period.

Except as otherwise mentioned in this Policy, we keep user personal information only for as long as required by us:

To provide a particular user with the services he or she has requested, or otherwise to perform or enforce our contract.
To continue to provide the best possible user experience to visitors who return to our website to collect information.
To comply with other laws, including for any period demanded by tax authorities.
To support a claim or defense in any court or in any legal, regulatory or administrative proceeding.

The retention period may be extended in case of other lawful reasons justifying longer retention (such as for complaints handling, legal proceedings, investigations, regulatory, tax, money laundering and crime and fraud prevention purposes).

13. Children’s Privacy

In order to protect the privacy of data for both the parent(s) and child(ren), we adopted and followed the guidelines and rules laid down by the Children’s Online Privacy Protection Act (‘COPPA’). COPPA requires us to notify parents or legal guardians and get their verifiable parental consent before we collect, use, or disclose personal information of children under the age of 13.

Our Services are intended to be accessed and used only by adults and are not directed to minors. We do not knowingly collect personally identifiable information from anyone under the age of 13 and you should not provide us with any information regarding any individual under the age of 13. If we learn that we have inadvertently gathered information from anyone under the age of 13, we will take reasonable measures to promptly remove that information from our records.

14. Who Receives Your Personal Data

We share personal data only as necessary to provide our services, operate our business, and comply with applicable legal and regulatory obligations.

We may share your personal data with the following categories of recipients:

Issuing banks and financial institution partners, in order to provide account services and fulfill program requirements
Identity verification, compliance, and risk management providers, to verify your identity, assess eligibility, and prevent fraud
Payment networks and card processors (such as Visa, Mastercard, and other payment systems), to enable transaction processing and card functionality
Fraud prevention and anti-money laundering service providers, to support security monitoring and regulatory compliance
Technology and infrastructure service providers, including cloud storage, data hosting, and customer support providers, who support the operation of our services
Professional advisors and service providers, including auditors, legal advisors, and consultants, where necessary to support our business operations and legal obligations
Regulators, courts, law enforcement agencies, and governmental authorities, where required to comply with applicable law, regulation, or legal process

All third parties with whom we share personal data are required to process such data only for specified purposes, maintain appropriate confidentiality, and implement adequate data protection safeguards in accordance with applicable law.

We do not sell your personal data and do not share your personal data with third parties for their own independent marketing purposes.

15. Information on Data Security

We have implemented appropriate technical and organizational security measures to protect the personal information of our users in our care, both during transmission and once we receive it. This includes physical and technical security measures to protect our data from accidental or unlawful destruction, loss, or alteration, and from unauthorized disclosure or access. However, users should be aware that no method of transmitting information over the Internet or storing information is completely secure.

Where you have access to our resources via user authentication means (e.g. user credentials), you are responsible for keeping your user credentials secure and confidential and not to disclose them to any persons. Please also consult our security tips available on our website.

16. Limits of This Notice

This Notice only covers our own collecting and handling of data. We only work with partners, affiliates and third-party providers whose privacy policies align with ours, however, we cannot accept responsibility or liability for their respective privacy practices.

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

17. Choices About How We Use and Disclose Information

Below are some mechanisms that provide you with control over the information we collect:

Cookies

Like many other websites, we use “cookies.” A cookie is a small piece of data stored on a user computer or mobile device by the user’s web browser. We may automatically record information when users visit our website, including the URL, IP address, browser type and language, visitor activity on our website, details of the websites visited before or after users visit our website, pages viewed and activities undertaken whilst using our services, the date and time of user visit.

We use this information to analyze trends among our users to help improve our website or customize communications and information that users receive from us. We also use cookies to enhance user online experience by eliminating the need to log in multiple times for specific content. We use “cookies” to collect information about our users and user activity on our website.

If you do not wish us to collect cookies, you may set your browser to refuse cookies or to alert you when cookies are being sent. If you do so, please note that some or all parts of our Services may then be inaccessible or may not function properly.

E-mail Offers

If you do not wish to receive email offers or other information or communications from us, you can opt-out of receiving such email offers or other information or communications from us (other than e-mails or other information or communications related to the completion of your registration, correction of user data, change of password and other similar communications essential to your transactions on or through our Services) by using the unsubscribe process at the bottom of the e-mail. Please be aware that it can take up to 15 business days to remove you from our marketing email lists. If you opt-out from receiving our marketing emails, you may continue to receive confirmation and shipping status emails.

Do Not Track

Do Not Track (DNT) is a privacy setting that users can enable in certain web browsers. Currently, Karta does not recognize or respond to DNT signals.

18. Privacy and Authorizations

Before any End User engages with Karta’s Application in a manner that uses the Services, Karta warrants and will ensure that it provides all notices and obtains all consents required under applicable law to enable Plaid to process End User data in accordance with Plaid’s privacy policy (currently available at https://plaid.com/legal/#end-user-privacy-policy). Karta will not (i) make representations or other statements with respect to End User data that are contrary to or otherwise inconsistent with Plaid’s privacy policy or (ii) interfere with any independent efforts by Plaid to provide End User notice or obtain End User consent.

19. Updating Your Information

Karta makes it easy for you to keep Your Information accurate, complete, and up to date. Specifically, if a portion of our Services allows you to create an account with us, then you can review and update some of Your Information by logging into that portion of our Services, visiting your account profile page, and making changes.

20. Changes to This Notice

At our discretion, we may revise or update our Privacy Policy from time to time to reflect current acceptable practices. In such a case, we make the most recent version of the Privacy Policy available on our website https://www.conkarta.com/, informing you accordingly by displaying the updated version and relevant date of update. Continued use by users of our website after any changes to this Notice will be regarded as acceptance of our practices around privacy and personal information.

You are advised to visit our website frequently to consult our Policy in its most recent version.

21. Contacting Us

If you have questions or concerns about our privacy practices or wish to make a request regarding the information we request or to opt-out of these policies, please contact us via email at info@conkarta.com.