Privacy Policy

1. Introduction

ko.io is a financial intelligence platform operated from the European Union. We provide institutional holdings data, insider trading records, congressional trading disclosures, company financials, and stock price data through our REST API and website.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at ko.io, our API at api.ko.io, and any related services. By using our services, you acknowledge that you have read and understood this policy.

We are committed to protecting your privacy and handling your data transparently. We collect only the minimum data necessary to operate our service, and we never sell your personal information.

2. Information We Collect

Account Data

When you create an account, we collect your email address, display name, and password. Passwords are never stored in plain text — they are hashed using PBKDF2-SHA-512 with 100,000 iterations. If you sign in with Google OAuth, we receive your name, email address, and profile picture URL from Google. We do not access your Google contacts, calendar, or any other Google services.

API Usage Data

When you make API requests, we log the endpoint accessed, request timestamp, your IP address, response time, and HTTP status code. This data is used for rate limiting, abuse prevention, usage billing, and service reliability monitoring.

Payment Data

All payment processing is handled by Stripe. We never receive, process, or store your credit card number, CVV, or full card details. Stripe provides us with a customer ID, subscription status, and billing email for account management purposes.

Technical Data

We collect basic technical information from HTTP request headers, including browser type (User-Agent), device type, and operating system. This information helps us ensure compatibility and diagnose technical issues.

What We Do NOT Collect

• Precise geolocation or GPS data
• Social media profiles or activity
• Browsing history outside of ko.io
• Contacts or address books
• Biometric data

3. How We Use Your Information

• Provide and maintain the service — authenticate your identity, deliver API responses, and manage your subscription tier.
• Process payments — communicate with Stripe to handle subscription billing, upgrades, downgrades, and refunds.
• Enforce rate limits and prevent abuse — monitor API request volumes to enforce plan limits, detect automated scraping, and protect service availability for all users.
• Service communications — send account-related emails including security alerts, billing confirmations, API key notifications, and service disruption notices. These are transactional, not marketing.
• Improve our service — analyze aggregated, anonymized usage patterns to identify popular endpoints, optimize performance, and prioritize new features.

4. Legal Basis for Processing (GDPR)

As a service operated within the European Union, we process personal data in accordance with the General Data Protection Regulation (GDPR). Our legal bases for processing are:

• Contract performance (Article 6(1)(b)) — processing necessary to create your account, provide API access, manage your subscription, and handle billing.
• Legitimate interest (Article 6(1)(f)) — security monitoring, abuse prevention, fraud detection, and service improvement. We balance these interests against your rights and only process data that is proportionate to the purpose.
• Consent (Article 6(1)(a)) — optional marketing emails and product announcements. These are strictly opt-in. You can unsubscribe at any time via the link in any marketing email or through your account settings.
• Legal obligation (Article 6(1)(c)) — retention of payment records for tax compliance, and cooperation with law enforcement when legally required.

5. Data Storage & Security

We take the security of your data seriously. Here is how and where your data is stored:

• Account data is stored in Cloudflare D1, an edge-distributed SQLite database with built-in encryption at rest and automatic backups.
• API usage logs are stored in a high-performance analytical database optimized for time-series data.
• Passwords are hashed using PBKDF2-SHA-512 with 100,000 iterations and a unique salt per account. We never store or log plain-text passwords.
• Data in transit is encrypted using TLS 1.3 for all connections to our website, API, and internal services.
• Infrastructure is hosted on Oracle Cloud in Europe (primary) and Asia-Pacific (secondary), with Cloudflare's global edge network providing CDN, DDoS protection, and Web Application Firewall (WAF) capabilities.
• No local storage — production data is never stored on developer machines or local systems. All data resides in secured cloud infrastructure.

6. Data Retention

7. Cookies & Local Storage

We take a minimal approach to browser storage. We do not use third-party tracking cookies of any kind.

• Authentication token — a JSON Web Token (JWT) is stored in your browser's localStorage upon login. This token expires after 7 days, at which point you will need to sign in again. It is used solely for authenticating your requests.
• No third-party trackers — we do not use Google Analytics, Facebook Pixel, Hotjar, Mixpanel, or any similar tracking service. Your browsing activity on ko.io is not shared with advertising or analytics companies.
• Cloudflare security cookies — Cloudflare may set a small cookie (e.g., __cf_bm) for bot detection and DDoS mitigation. These are strictly functional and do not track you across websites.

8. Third-Party Services

We use a small number of trusted third-party services to operate ko.io. Each is chosen for its security practices, compliance posture, and minimal data footprint:

• Stripe — handles all payment processing. Stripe is PCI DSS Level 1 compliant, the highest level of certification in the payments industry. See Stripe's Privacy Policy.
• Cloudflare — provides CDN, edge compute (Workers, Pages, D1 database), DNS, and DDoS protection. Cloudflare processes request metadata at the edge. See Cloudflare's Privacy Policy.
• Google — provides OAuth authentication for users who choose to sign in with Google. We receive only your name, email, and profile picture. See Google's Privacy Policy.

We do not share your data with advertising networks, data brokers, social media platforms, or any other third party not listed above.

9. International Data Transfers

Our primary infrastructure is located within the European Union. This means your data is stored and processed under EU data protection law by default.

• Primary data center — Europe (EU). All account data and primary API processing occurs here.
• Secondary data center — Asia-Pacific. Used for API availability in Asia-Pacific. Contains replicated analytical data only; no user account data is stored in Asia-Pacific.
• Cloudflare edge network — global. Requests are processed at the nearest Cloudflare data center for performance. Cloudflare operates under Standard Contractual Clauses (SCCs) for EU data transfers.
• Stripe — processes payment data in compliance with EU-US Data Privacy Framework and maintains Standard Contractual Clauses for cross-border transfers.

10. Children's Privacy

ko.io is a professional financial data service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a user is under 18, we will promptly delete their account and all associated personal data. If you believe a minor has provided us with personal information, please contact us at admin@ko.io.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

• Right of access — request a complete copy of the personal data we hold about you.
• Right to rectification — correct any inaccurate or incomplete personal data.
• Right to erasure — request deletion of your personal data (“right to be forgotten”). We will remove all personal data within 30 days, except where retention is required by law.
• Right to data portability — export your data in a machine-readable format (JSON). Available through your account settings.
• Right to restriction — request that we limit processing of your data while a dispute is resolved.
• Right to object — object to processing of your data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.

How to exercise your rights: You can manage most of these through your account settings. For any request, you can also email admin@ko.io. We will respond to all data rights requests within 30 days. For EU-specific details, see our GDPR page.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

• We will provide at least 30 days' notice before the changes take effect.
• Registered users will be notified via email.
• The updated policy will be posted on this page with a revised “Last updated” date.
• Previous versions of this policy are available upon request by emailing admin@ko.io.

Continued use of ko.io after the effective date of a revised policy constitutes acceptance of the updated terms.