GDPR Compliance

Last updated: March 2026

Our Commitment to GDPR

ko.io is committed to protecting the privacy and security of our users' personal data. As a company based in the European Union, the General Data Protection Regulation (GDPR) applies directly to all of our data processing activities. We have implemented comprehensive technical and organizational measures to ensure full compliance with the GDPR and related Swedish data protection legislation. This page explains how we collect, process, and protect your personal data, and outlines your rights as a data subject.

Data Controller Information

Entity: ko.io

Location: European Union

Contact: admin@ko.io

Data protection inquiries: admin@ko.io

What Personal Data We Process

We process the following categories of personal data in connection with our SEC financial data API platform:

  • Account data

    Email address, display name, and hashed password (for email/password accounts). We never store passwords in plain text.

  • Authentication data

    JWT session tokens and Google OAuth tokens (for users who sign in with Google). Tokens are short-lived and automatically expire after 7 days.

  • API usage data

    Request logs including endpoints accessed, timestamps, IP addresses, response codes, and daily usage counts tied to API keys.

  • Payment data

    Payment processing is handled entirely by Stripe. We do not store credit card numbers or bank details. We retain only your subscription status, plan type, and Stripe customer ID.

  • Technical data

    Browser user-agent string and device type, collected automatically from HTTP headers during requests to our services.

Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6(1) of the GDPR:

  • Performance of contract — Art. 6(1)(b)

    Providing the API service, managing your account, generating and validating API keys, processing subscription billing, and delivering the services you have signed up for.

  • Legitimate interest — Art. 6(1)(f)

    Security monitoring and abuse prevention, API rate limiting and quota enforcement, fraud detection, service reliability monitoring, and improving the performance and functionality of our platform. We have conducted balancing tests to ensure our interests do not override your fundamental rights.

  • Consent — Art. 6(1)(a)

    Marketing emails and promotional communications are sent only with your explicit opt-in consent. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

  • Legal obligation — Art. 6(1)(c)

    Retention of payment and transaction records as required by Swedish bookkeeping law (Bokföringslagen) and applicable EU tax regulations.

Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. We are committed to facilitating the exercise of these rights promptly and free of charge.

  • Right of access — Art. 15

    You may request a full copy of all personal data we hold about you. We will provide this free of charge within 30 days of your request, in a commonly used electronic format.

  • Right to rectification — Art. 16

    You can correct inaccurate or incomplete personal data at any time through your account settings, or by contacting us at admin@ko.io.

  • Right to erasure — Art. 17

    You have the right to be forgotten. Account deletion removes all personal data within 30 days. Certain data may be retained longer where required by law — specifically, payment records are retained for 7 years in accordance with Swedish bookkeeping law.

  • Right to data portability — Art. 20

    You can export your personal data in JSON format through your account settings. This includes your profile data, API key metadata, and usage history.

  • Right to restrict processing — Art. 18

    You may request that we limit how we process your data while maintaining your account. For example, you can request that we stop processing your data for analytics purposes while continuing to provide the core API service.

  • Right to object — Art. 21

    You may object to processing based on our legitimate interest. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

  • Right to withdraw consent — Art. 7(3)

    Where processing is based on consent (such as marketing emails), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal and has no impact on your access to the service.

  • Right to lodge a complaint

    You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se.

Data Processing Activities

The following table summarizes our data processing activities, the categories of data involved, the legal basis, and the retention period for each purpose.

Purpose                     | Data Categories                | Legal Basis                  | Retention
Account management          | Email, name, password hash     | Contract                     | Until deletion + 30 days
API service delivery        | API keys, usage logs           | Contract                     | Active period + 90 days
Billing                     | Stripe customer ID, plan info  | Contract + Legal obligation  | Active + 7 years
Security & abuse prevention | IP addresses, request patterns | Legitimate interest          | 90 days
Service improvement         | Anonymized usage analytics     | Legitimate interest          | Indefinite (anonymous)

Sub-Processors

We engage the following third-party sub-processors to deliver our services. Each has been vetted for GDPR compliance, and appropriate safeguards are in place for international transfers.

  • Cloudflare Inc. — United States

    CDN, edge compute, D1 database (user accounts and API keys), KV storage (caching), and Pages (static site hosting). EU-US Data Privacy Framework certified. Standard Contractual Clauses (SCCs) in place.

  • Stripe Inc. — United States

    Payment processing for API subscriptions. PCI DSS Level 1 certified. Standard Contractual Clauses (SCCs) in place. Stripe processes payment card data directly and ko.io never receives or stores card details.

  • Oracle Corporation — United States / EU

    Cloud infrastructure hosting our API servers and databases. Primary processing occurs in the European Union. A secondary replica operates in Asia-Pacific for API latency optimization.

  • Google LLC — United States

    OAuth authentication provider, used only when you choose to sign in with Google. We receive only your email address and display name. Standard Contractual Clauses (SCCs) in place.

International Data Transfers

  • Primary processing: European Union (EU/EEA)
  • Secondary processing: Asia-Pacific (API latency optimization)
  • Transfer mechanisms: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR for all transfers to countries outside the EEA that lack an adequacy decision
  • Cloudflare: EU-US Data Privacy Framework certified, with SCCs as supplementary safeguard

We ensure that all personal data transferred outside the European Economic Area receives an adequate level of protection through appropriate contractual and technical safeguards.

Data Breach Notification

We maintain comprehensive incident response procedures to detect, investigate, and respond to personal data breaches.

  • The supervisory authority (IMY) will be notified within 72 hours of discovering a breach that is likely to result in a risk to individuals' rights and freedoms, as required by Art. 33.
  • Affected users will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Art. 34.
  • We maintain a record of all personal data breaches, including the facts, effects, and remedial actions taken, in accordance with Art. 33(5).

Data Protection by Design and Default

We embed data protection principles into every aspect of our platform:

  • Minimal data collection — we only collect personal data that is strictly necessary for providing the service.
  • Strong encryption — passwords are hashed using PBKDF2-SHA-512 with 100,000 iterations. All data in transit is encrypted via TLS.
  • No tracking cookies — we do not use tracking cookies or third-party analytics services.
  • Key management — API keys can be rotated or revoked at any time through your account dashboard.
  • Self-service deletion — account deletion is available through your settings and results in permanent removal of all personal data, subject to legal retention requirements.

Automated Decision-Making

  • API rate limiting is applied automatically based on your subscription plan tier. This is a technical measure and does not involve profiling or decisions with legal effects.
  • We do not engage in automated decision-making that produces legal effects or similarly significant effects on data subjects as described in Art. 22.
  • Automated abuse detection may temporarily restrict API access if anomalous patterns are detected. If your access is restricted, you can appeal by contacting admin@ko.io, and a human review will be conducted promptly.

Children's Data

Our services are intended for users aged 18 and older, particularly software developers and financial professionals. We do not knowingly collect or process personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it immediately and terminate the associated account.

How to Exercise Your Rights

  • Self-service: Manage your data, export your information, or delete your account through your account settings.
  • Email: Send your request to admin@ko.io. Please include sufficient detail so we can identify your account and understand your request.
  • Response time: We will respond within 30 days. For particularly complex requests, this may be extended by up to 60 additional days, in which case we will notify you of the extension and the reasons for the delay.
  • Identity verification: We may need to verify your identity before processing your request to protect against unauthorized access to personal data.
  • No fee: Standard requests are processed free of charge. We reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.
  • Supervisory authority: You may also contact your local data protection authority; in Sweden this is IMY (imy.se).

Updates to This Policy

  • Material changes: We will provide at least 30 days' advance notice via email before material changes take effect.
  • Non-material changes: Updates will be reflected on this page with a revised “Last updated” date.
  • Previous versions: Prior versions of this policy are available upon request by contacting admin@ko.io.