Privacy Policy
Last updated: February 18, 2026
Service: Kareg (“Kareg”, “we”, “us”, “our”)
This Privacy Policy explains how Kareg collects, uses, shares, and protects personal data in connection with Kareg’s services, including our website, contact channels, and API. Kareg is intended for professional use by financial institutions and other organizations; accordingly, this policy focuses on personal data relating to authorized users, administrators, procurement contacts, and support contacts, plus limited technical/operational data generated by use of the Service.
Where a signed agreement (including a Data Processing Addendum) applies between Kareg and an institutional customer, that agreement may provide additional or more specific terms. In the event of a conflict, the signed agreement will generally govern the relationship with that customer.
1. Definitions
2. Roles: Controller vs Processor
2.1 When Kareg is a Controller
Kareg acts as a data controller for personal data we process to operate our business and provide the Service, such as:
- website inquiries and contact form submissions
- account creation and administration
- billing and procurement contacts
- security, fraud prevention, and service telemetry
2.2 When Kareg is a Processor
When a Customer submits personal data into the Service (for example, in support messages or API payloads), the Customer typically acts as the controller and Kareg acts as a processor for that data, processing it only on the Customer’s documented instructions and as described in the applicable contract/DPA.
2.3 Service design note
Kareg is designed to operate without collecting or storing portfolio holdings, trading positions, orders, or investment decisions. The Service’s core outputs are market-regime signals and related audit fields; those outputs are not inherently personal data.
3. Information We Collect
3.1 Information you provide directly
We may collect:
- Identity and contact details: name, business email, company/organization, role/title, phone number (if provided)
- Account and access details: username, authentication method, user roles/permissions; SSO metadata where enabled by the Customer
- Communications: contents of emails, contact forms, support tickets, and feedback
- Billing/procurement information (if applicable): invoicing contact details, billing address, tax/VAT information, purchase order references
3.2 Information generated through your use of the Service
We may collect:
- API Usage Data: request timestamps, endpoint names, request identifiers, status codes, rate-limit events, and response-time metrics
- Security and audit logs: authentication events (successful/failed), API key creation/rotation, administrative actions, permission changes
- Technical data: IP address, browser/device type, and user agent, used for security and reliability
Data minimization: Standard logging focuses on metadata (Usage Data). If diagnostic logging is used to investigate a service issue, access is restricted and applied only as necessary for troubleshooting.
3.3 Information we do not intentionally collect
We do not intentionally collect or store:
- trading positions or orders
- portfolio holdings
- investment decisions
- retail customer account data
- payment card details (if payments are applicable, they are handled by a third-party payments provider)
If a Customer includes sensitive data in a support request, it will be treated as confidential Support Data and handled under access controls.
4. How We Use Personal Data
We process personal data for the following purposes:
4.1 Provide and maintain the Service
- create and administer accounts
- authenticate Authorized Users and enforce access controls
- provide API connectivity and operational service delivery
- provide customer support and service communications
4.2 Security, integrity, and abuse prevention
- detect suspicious activity and unauthorized access attempts
- investigate and mitigate abuse, fraud, or policy violations
- maintain audit logs of administrative actions (important for institutional governance)
4.3 Service reliability and performance
- monitor performance and availability
- perform capacity planning and reliability engineering
- improve operational resilience
4.4 Communications
- respond to inquiries and support requests
- send service-related communications (maintenance, security notices, policy updates)
Kareg does not sell personal data or share it with third parties for their marketing purposes.
4.5 Legal and compliance
- comply with tax/accounting obligations
- respond to lawful requests and enforce legal rights
5. Legal Bases for Processing (EEA/UK, where applicable)
Where GDPR/UK GDPR applies, we rely on:
- Contract necessity: to provide the Service, support, and account management
- Legitimate interests: to secure the Service, prevent abuse, maintain logs, and improve reliability (balanced against your rights)
- Consent: where required by law (e.g., if non-essential cookies are introduced)
- Legal obligation: where we must retain or disclose information under applicable law
6. Sharing and Disclosure
6.1 Service providers (sub-processors)
We may engage vetted third-party providers to support:
- cloud hosting and infrastructure
- monitoring and logging
- email delivery/support tooling
- payment processing (if applicable)
These providers are contractually required to:
- process data only on our instructions
- implement appropriate security controls
- restrict access to authorized personnel
- assist with deletion/return requests where applicable
A list of sub-processors can be provided to institutional Customers upon request and/or under contract.
6.2 Legal disclosures
We may disclose personal data if required to comply with law, regulation, or binding legal process, or to protect the security and integrity of Kareg and its users.
6.3 Business transfers
If Kareg undergoes a merger, acquisition, financing, reorganization, or asset sale, personal data may be transferred as part of the transaction, subject to appropriate confidentiality and safeguards.
7. Data Residency and International Transfers
Financial institutions may require explicit residency commitments. Kareg supports region-specific configurations where contracted.
Data residency commitments (processing region, storage region, and log region) are defined in the applicable Order Form and/or a Data Residency Schedule for institutional Customers.
If personal data is transferred outside the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) (and the UK addendum where applicable), along with supplementary measures where appropriate.
If strict residency is required (e.g., EU-only processing and storage), this should be specified contractually.
8. Data Security
Kareg implements technical and organizational measures designed to protect personal data and maintain service integrity. Measures may include:
- encryption in transit (TLS)
- encryption at rest for stored systems where appropriate
- role-based access control (RBAC) and least-privilege access
- administrative access logging
- API key scoping and rotation mechanisms
- monitoring for anomalous behavior and security events
- change management and vulnerability management practices
8.1 Security incident notification
If we confirm a security incident affecting personal data, we will notify impacted Customers without undue delay, in accordance with applicable law and any contractual incident notification requirements.
Institutional Customers may contract for specific notification windows and operational procedures in a Security Addendum or incident response appendix.
9. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required by law or contract.
Typical retention periods:
- Account information: retained while the account is active; then deleted or anonymized within a reasonable period, subject to legal/contractual obligations
- Contact form submissions / sales inquiries: retained up to 12 months
- API usage logs (metadata): retained up to 90 days, unless extended for security investigations or contractual operational requirements
- Security/audit logs: retained for a period appropriate to security and governance needs; access is restricted and logged
- Billing records: retained as required by tax/accounting laws
Backups may persist for limited periods under a managed lifecycle before deletion.
You may request deletion of personal data as described below. Some data may be retained where necessary to comply with legal obligations or to protect Kareg’s security and integrity.
10. Cookies and Tracking
Kareg uses essential cookies only, such as:
- session cookies needed for authenticated sessions
- security cookies used for fraud and abuse prevention
We do not use:
- third-party advertising trackers
- social media pixels
- cross-site marketing tracking
If we introduce non-essential cookies, we will update this policy and implement appropriate consent mechanisms where required.
11. Your Rights
Subject to applicable law, you may have the right to:
- access your personal data
- correct inaccurate or incomplete data
- request deletion (where permissible)
- restrict or object to processing in certain circumstances
- request portability of data (where applicable)
- withdraw consent (where processing is based on consent)
To exercise these rights, contact: privacy@kareg.es.
We may verify your identity and/or your authority to act on behalf of an organization before responding.
Where the Customer is the controller (typical for enterprise use), requests may be routed through the Customer’s administrator or privacy team.
If you are in the EEA/UK, you may also have the right to lodge a complaint with your local data protection authority.
12. Children’s Privacy
Kareg is intended for professional use and is not directed to children. We do not knowingly collect personal data from children.
13. Automated Decision-Making
Kareg provides decision-support outputs designed for institutional governance and human oversight. Kareg does not make legally binding decisions about individuals, and the Service is not intended for automated decision-making that produces legal or similarly significant effects on individuals.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via appropriate channels (e.g., email notice to account contacts and/or a notice within our website/service). Continued use of the Service after the effective date constitutes acceptance where permitted by law.
15. Contact
For privacy-related questions or requests:
Privacy: privacy@kareg.es
General: hello@kareg.es