Privacy Policy

1. Introduction

Komo Systems ("Komo", "we", "us", or "our") operates the Komo platform at app.komosystems.com and the marketing site at komosystems.com (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our websites, use our platform, or otherwise interact with us.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

2. Data Controller and Processor

For personal data related to your account, billing, and interactions with our website, Komo acts as the data controller — we determine the purposes and means of processing.

For trading data, deal records, cargo operations, and other business content that your organization enters into Komo, we act as a data processor on your behalf. Your organization remains the data controller for this information and is responsible for ensuring it has a lawful basis to provide such data to us.

3. Information We Collect

Information you provide directly

When you create an account, subscribe to a plan, or contact us, we collect your name, email address, company name, job title, phone number, and billing details. If you communicate with us via email or support channels, we collect the content of those communications.

Information collected automatically

When you access our Services, we automatically collect device and browser information (type, version, operating system, screen resolution), IP address, referring URL, pages viewed, features used, click patterns, session duration, and timestamps. This data is collected through server logs, cookies, and similar technologies.

Trading and business data

Deals, positions, cargo operations, market data, invoices, and other content you enter into Komo are stored solely to provide the service. This data belongs to your organization and is never used for purposes outside of delivering the platform.

Information from third parties

We may receive information about you from third-party sources such as your organization's administrator (when they add you to a team), payment processors (transaction confirmations), and analytics providers (aggregated usage trends).

4. Legal Basis for Processing

We process your personal data only when we have a valid legal basis to do so:

• Contract performance — processing necessary to provide the Services you have subscribed to, including account management, billing, and platform access
• Legitimate interest — processing necessary for our legitimate business interests, such as improving the platform, ensuring security, preventing fraud, and communicating product updates, where those interests are not overridden by your rights
• Legal obligation — processing necessary to comply with applicable laws, regulations, or valid legal processes
• Consent — where you have given us explicit consent, such as opting into marketing communications; you may withdraw consent at any time

5. How We Use Your Information

• Provide, operate, maintain, and improve the Komo platform
• Create and manage your account, authenticate access, and enforce role-based permissions
• Process transactions, invoices, and billing-related communications
• Respond to support requests, troubleshoot issues, and communicate product updates
• Monitor platform security, detect abuse, and prevent fraud
• Generate aggregated, anonymized analytics to improve our services
• Send marketing communications where you have opted in (you can unsubscribe at any time)
• Comply with legal obligations and enforce our terms of service

6. Data Sharing

We do not sell, rent, or trade your personal information. We do not share your data for third-party advertising purposes. We may share data with third parties only in the following circumstances:

• Service providers — hosting infrastructure, payment processing, email delivery, and analytics partners that help us operate the platform, each bound by data processing agreements and confidentiality obligations
• Your organization — account administrators within your organization may access user activity and account information
• Legal requirements — when required by law, regulation, subpoena, court order, or valid legal process
• Safety and fraud prevention — when we believe disclosure is necessary to protect the rights, safety, or property of Komo, our users, or the public
• Business transfers — in connection with a merger, acquisition, or sale of assets, with prior notice to you; your data will remain subject to this Privacy Policy

7. Cookies and Tracking Technologies

Essential cookies

Required for the platform to function. These handle authentication, session management, and security. They cannot be disabled without breaking core functionality.

Analytics cookies

Help us understand how visitors interact with our website and platform so we can improve the user experience. These collect aggregated, anonymized usage data.

Managing cookies

You can control cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling essential cookies may prevent you from using the platform. For more information, consult your browser's help documentation.

Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. There is currently no industry standard for how websites should respond to DNT signals. We do not currently respond to DNT signals, but we limit our tracking to the purposes described in this policy.

8. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

• Encryption in transit (TLS) and at rest
• Role-based access controls and least-privilege principles
• Regular security assessments and vulnerability testing
• Infrastructure monitoring and incident response procedures
• Logical data isolation between organizations

While no system is perfectly secure, we are committed to protecting your information and promptly addressing any security incidents. You are responsible for maintaining the confidentiality of your account credentials.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

• Account data — retained while your account is active and for up to 90 days after closure
• Trading and business data — retained until you delete it or close your account
• Usage and analytics data — retained in identifiable form for up to 24 months, then anonymized
• Billing records — retained as required by applicable tax and accounting laws
• Support communications — retained for up to 24 months after resolution

After the applicable retention period, we delete or irreversibly anonymize your data, unless retention is required by law.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion of your personal data, subject to legal retention requirements
• Portability — request your data in a structured, machine-readable format
• Restriction — request that we limit processing of your data in certain circumstances
• Objection — object to processing based on legitimate interests or for direct marketing
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@komosystems.com. We will verify your identity and respond within 30 days. If we need additional time, we will notify you of the extension and the reasons for it.

11. European Economic Area (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• The right to lodge a complaint with your local data protection supervisory authority
• The right to request information about international data transfers and the safeguards in place
• The right to object to automated decision-making, including profiling — we do not currently engage in automated decision-making that produces legal effects

When we transfer personal data outside the EEA, we rely on European Commission-approved Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to ensure your data receives an adequate level of protection.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to know — request the categories and specific pieces of personal information we have collected about you
• Right to delete — request deletion of your personal information, subject to certain exceptions
• Right to correct — request correction of inaccurate personal information
• Right to opt out — we do not sell or share your personal information for cross-context behavioral advertising
• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights

In the preceding twelve months, we have collected the following categories of personal information: identifiers (name, email, IP address), commercial information (billing records, subscription details), internet activity (usage data, device information), and professional information (company name, job title). We do not sell personal information and have not done so in the preceding twelve months.

13. International Transfers

Your data may be processed in countries other than your own, including countries that may not offer the same level of data protection as your home jurisdiction. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all sub-processors
• Technical measures such as encryption to protect data during transfer

14. Third-Party Services and Links

Our Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those external services. We encourage you to review the privacy policies of any third-party services you access through or in connection with Komo. We are not responsible for the privacy practices of third parties.

15. Children's Privacy

Komo is a business-to-business platform designed for professional use. Our Services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at privacy@komosystems.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and — for significant changes — sending a notice to the email address associated with your account. Your continued use of Komo after changes constitutes acceptance of the revised policy.