Privacy Policy
KORA
KoraGlobe OÜ — Effective March 4, 2026
Kora — Verified Digital Platform for International Cooperation and Development Professionals
Effective Date: March 4, 2026
Last Updated: March 4, 2026
1. Introduction
Welcome to Kora ("Platform," "we," "us," "our"). Kora is operated by KoraGlobe OÜ, a company registered in Estonia, European Union. We are committed to protecting your privacy and ensuring you have a positive experience on our Platform.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and mobile applications, and when you use our services. Please read this policy carefully. If you do not agree with our policies and practices, please do not use our Platform.
For international cooperation and development professionals, transparency is paramount. We do not sell your data, display advertisements, or use your information for ad targeting. This policy reflects that commitment.
2. Data Controller and Contact Information
Data Controller:
Entity: KoraGlobe OÜ
Registration: Estonia, European Union
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, Estonia
Privacy enquiries: legal@koraglobe.com
General support: support@koraglobe.com
Data Protection Officer (DPO): As of the effective date of this policy, KoraGlobe OÜ has not appointed a Data Protection Officer. If the volume and nature of processing so require under GDPR Article 37, we will appoint a DPO and notify users in this section.
Applicable Legislation
Because KoraGlobe OÜ is an Estonian company established in the European Union, your data is protected under the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which is our primary legal framework. We also comply with Estonian data protection laws and the laws of any jurisdiction in which you reside.
Where we use AI systems falling within the scope of Regulation (EU) 2024/1689 (AI Act), we also comply with that regulation, in particular with regard to high-risk AI systems used in the context of employment, workers management, and access to self-employment, pursuant to Annex III, point 4 of the AI Act.
3. What Data We Collect
We collect information in several ways. Here is a detailed breakdown of each category.
3.1 Registration and Account Data
When you create a Kora account, we collect:
- First name and family name
- Email address
- Password (stored using industry-standard hashing; we never store plain-text passwords)
- Account creation date and device information
If you sign up via Google OAuth:
- we collect a Google authentication token
- we do not store your Google password
- we use the token only to verify your identity and link your account to Google's single sign-on service
3.2 Verification Data
To verify your professional status, we collect:
- work/organisational email address (used only for domain verification to confirm employment legitimacy)
Important: Your work email address is not stored permanently in our system and is not used for communication after domain verification is complete.
We also collect:
- invitation codes (if you were invited to the Platform by another user or organisation)
3.3 Profile and Professional Data
To build your professional profile and enable meaningful connections and job matching, we collect:
- functional expertise (areas of professional specialisation)
- technical tools and software proficiencies
- transferable skills (e.g. project management, team leadership, conflict analysis)
- years of professional experience
- preferred contract types
- languages spoken and proficiency levels
- career history and professional roles
- location preferences and preferred duty stations
3.4 Curriculum Vitae (CV)
You may upload your CV in PDF or DOC format. When you do:
- we store the file on secure servers located within the European Union
- our AI systems automatically analyse the document to extract professional information such as skills, work experience, education, languages, and qualifications
- the extracted information is used to generate a "Professional Card" that constitutes your professional profile on the platform
- we run an automated sector-alignment classification based on the extracted data
You have full control over your data:
- you may view, edit, add, or delete any information automatically extracted in the Professional Card before publishing it
- you may choose which information is visible to other users
- you may request deletion of the uploaded CV and the generated Professional Card at any time
- you may exercise the right under GDPR Article 22(3) to obtain human intervention from Kora, to express your view, and to contest any automated decisions based on the analysis of your CV
Transparency about the AI system:
In accordance with GDPR Article 13(2)(f) and the transparency obligations of the AI Act, we provide the following information:
- Logic used: the AI system uses natural language processing (NLP) and machine learning techniques to identify textual patterns in the uploaded CV (e.g. qualifications, organisation names, employment periods, technical skills) and extracts this structured data to populate the fields of the Professional Card.
- Importance of processing: automated CV analysis speeds up the creation of the professional profile, reducing the need for manual data entry and improving the accuracy of job matching.
- Expected consequences: based on the generated Professional Card, the system may suggest job opportunities deemed compatible with your profile. However, no decision that produces legal effects or significantly affects you is made solely on an automated basis without your human oversight. You decide which information to validate, edit, or delete, and you actively apply to job listings.
- Accuracy and limitations: the AI system may make errors in extracting or classifying information (e.g. misinterpreting a qualification or a skill). For this reason, we always ask you to verify and validate the extracted data before publishing your Professional Card.
Third-party AI service providers we work with are contractually bound to:
- not use your data to train their own AI models
- not retain your data beyond the time strictly necessary to provide the service
- maintain security and confidentiality standards equivalent to those of Kora
Kora does not use user data to train proprietary AI models without your explicit and separate consent.
3.5 Job Preferences
We collect:
- preferred professional roles and functions
- preferred geographic areas
- preferred organisations
- salary expectations or contract terms (optional)
3.6 Community and Platform Activity Data
When you are an active member of the Kora community, we collect:
- posts and comments
- contributions to professional communities
- flags or reports you submit regarding content or users
- "likes" or reactions
- timestamps and associated metadata
3.7 Payment and Subscription Data
Kora offers multiple paid subscription tiers. Payment is processed by a third-party provider: Paddle.
What we collect:
- subscription status
- transaction history
- billing email address
- country of billing address
- subscription tier combination
What we do NOT store:
- full credit card numbers
- CVV/security codes
- bank account details
3.8 Usage and Device Data
We automatically collect:
- log data
- device information
- IP address
- approximate geographic location (inferred from IP, not GPS)
- links clicked
- search queries entered on the Platform
- time spent on specific pages
- crash reports and performance data
- referrer information
3.9 Cookies and Similar Technologies
Strictly necessary cookies:
- session cookies
- security tokens
- preference cookies
Analytics cookies (with your consent):
- collect aggregated data about user behaviour
No advertising cookies: We do not use cookies for advertising or marketing tracking.
3.10 AI Processing and Automated Decision-Making
The Platform uses AI and machine learning.
Free/Premium AI — data processed:
- CV Analysis: automated extraction of structured data from the uploaded CV
- Professional Card Generation: automatic population of professional profile fields based on extracted data
- Sector-Alignment Classification: automated assessment of the likelihood that your professional background is consistent with the international cooperation and development sector
- Job Matching: automated recommendation of job listings based on compatibility between the Professional Card and the requirements of published positions
Outputs stored:
- sector-alignment classification scores
- job recommendations
- AI-generated profile suggestions
These systems do not produce automated decisions that legally affect you or similarly significantly affect you without human intervention. In particular:
- the sector-alignment classification is indicative only and does not affect verification status or platform access
- job recommendations are suggestions only; you decide whether to apply
- the automatically generated Professional Card must always be validated, edited, or completed by you before publication
In accordance with GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Kora ensures that all relevant decisions (e.g. account verification, suspension, feature access) are always subject to human supervision and intervention.
Power User AI (subscription) — data processed:
- target job listings (selected by the user)
- Professional Card data
- history of interactions with AI tools
Power User AI — outputs generated:
- tailored CVs for specific applications
- personalised cover letters
- application suggestions
Data protection safeguards in AI systems:
In accordance with the obligations of the AI Act and the GDPR:
- third-party AI providers are contractually prohibited from using your data to train their own models
- Kora does not use user data to train proprietary AI without explicit separate consent
- personal data processed by AI systems is protected by encryption in transit and at rest
- access to data processed by AI systems is limited to authorised personnel and strictly necessary systems
- we continuously monitor the accuracy and reliability of AI systems to reduce the risk of errors and bias
4. Legal Basis for Processing (GDPR Article 6)
4.1 Contract Performance (Article 6(1)(b))
- account creation
- job matching
- subscription management
- service delivery
Legal basis: processing is necessary for the performance of the contract to which you are a party, or to take steps at your request prior to entering into a contract.
4.2 Legitimate Interests (Article 6(1)(f))
- platform security
- fraud prevention
- platform improvement
- community moderation
- business analytics
Legal basis: processing is necessary for the purposes of the legitimate interests pursued by Kora or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.
4.3 Consent (Article 6(1)(a))
- marketing emails
- non-essential cookies
- optional AI features (e.g. Power User AI)
Legal basis: you have given your consent to the processing of your personal data for one or more specific purposes. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
4.4 Legal Obligation (Article 6(1)(c))
- tax and financial records
- requests from authorities
- legally required retention obligations
Legal basis: processing is necessary for compliance with a legal obligation to which Kora is subject.
5. How We Use Your Data
We use your data for:
- account management
- service delivery
- professional verification
- communications
- AI and machine learning (CV analysis, job matching, Professional Card generation)
- AI career tools (Power User)
- platform analytics and improvement
- security and fraud prevention
- community moderation
- legal compliance
- aggregated sector analytics (anonymised)
Processing principles:
All processing takes place in accordance with the principles set out in GDPR Article 5:
- Lawfulness, fairness, and transparency
- Purpose limitation: data is collected for specified, explicit, and legitimate purposes
- Data minimisation: we process only data that is adequate, relevant, and limited to what is necessary
- Accuracy: we take reasonable steps to ensure data accuracy
- Storage limitation: we retain data only for as long as necessary
- Integrity and confidentiality: we ensure appropriate data security
6. Who We Share Your Data With
We share data only when necessary.
Essential Service Providers
- Google OAuth (authentication)
- Paddle (payment processing)
- cloud provider (hosting and infrastructure)
- AI providers (CV analysis and content generation)
- analytics provider (aggregated and anonymised data only)
All third-party providers with whom we share personal data are selected on the basis of adequate GDPR compliance guarantees. We have data processing agreements (DPAs) in place with each of them, binding them to:
- process data only on our instructions
- implement appropriate security measures
- ensure confidentiality
- assist Kora in fulfilling GDPR obligations, including respect for data subject rights
No Data Sales
We do not sell personal data, nor do we work with advertising networks or data brokers.
Legal and Law Enforcement
We may disclose data if required by law, court order, or competent authorities, subject to the safeguards provided by the GDPR.
Business Transfers
Data may be transferred in the event of a merger, acquisition, reorganisation, or sale of assets. In such cases, successors will be bound by this Privacy Policy and GDPR compliance.
7. International Data Transfers
Data may be transferred outside your country of residence.
For EU Users
In accordance with GDPR Chapter V, any transfer of personal data to third countries (outside the European Economic Area) takes place only if:
- the destination country is subject to an adequacy decision by the European Commission (e.g. Switzerland, post-Brexit UK)
- we have implemented appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, binding the recipient to GDPR compliance
- the transfer falls within one of the derogations provided by GDPR Article 49 (e.g. your explicit consent, necessity for contract performance)
Data processing takes place primarily within the EU. Where it is necessary to transfer data to third countries (e.g. when using cloud or AI services from non-EU providers), we ensure the application of Standard Contractual Clauses and additional security measures.
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy.
| Data Category | Retention Period | Reason | Legal Basis |
|---|---|---|---|
| Account data (name, email, password) | Duration of account + 6 months after deletion | Legal obligations (accounting, defence of rights) | Art. 6(1)(c) and (f) GDPR |
| Profile data (Professional Card, skills, experience) | Duration of account | Service delivery | Art. 6(1)(b) GDPR |
| Uploaded CV | Duration of account or until explicit deletion by user | Service delivery, Professional Card generation | Art. 6(1)(b) GDPR |
| Verification data (work email) | Deleted immediately after successful verification | Domain verification only | Art. 6(1)(b) GDPR — data minimisation |
| Payment data (transaction history, invoices) | 10 years from transaction | Fiscal and accounting obligations under law | Art. 6(1)(c) GDPR |
| Community activity (posts, comments, likes) | Duration of account | Service delivery, moderation | Art. 6(1)(b) and (f) GDPR |
| Usage logs (IP, access, actions) | 12 months | Security, fraud prevention, defence of rights | Art. 6(1)(f) GDPR |
| Cookies | Variable (max 12 months for analytics cookies) | Functionality, analytics (with consent) | Art. 6(1)(a) or (f) GDPR |
| AI-processed data (classifications, recommendations) | Duration of account | Service improvement, matching | Art. 6(1)(b) and (f) GDPR |
| Power User AI data (tailored CVs, cover letters) | Duration of subscription + 30 days | Service delivery | Art. 6(1)(b) GDPR |
Upon expiry of the periods indicated, personal data is deleted or irreversibly anonymised, unless a legal obligation requires further retention.
9. Your GDPR Rights
In accordance with the GDPR, you have the following rights:
9.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, if so, to access that data and the following information:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipients
- the envisaged retention period
- the existence of your rights
- the source of the data (if not collected directly from you)
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved
9.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
9.3 Right to Erasure — "Right to be Forgotten" (Article 17 GDPR)
You have the right to obtain erasure of personal data concerning you where one of the following grounds applies:
- the data is no longer necessary in relation to the purposes for which it was collected
- you withdraw consent and there is no other legal basis for processing
- you object to processing and there are no overriding legitimate grounds to continue
- the data has been unlawfully processed
- the data must be erased to comply with a legal obligation
Limitations: the right to erasure does not apply where processing is necessary to comply with a legal obligation, for the establishment, exercise, or defence of legal claims, or for the performance of the contract.
9.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing where one of the following applies:
- you contest the accuracy of the data (for the period necessary to verify accuracy)
- processing is unlawful but you oppose erasure and request restriction instead
- Kora no longer needs the data but you require it for the establishment, exercise, or defence of legal claims
- you have objected to processing based on legitimate interests (pending verification of whether Kora's legitimate grounds override yours)
9.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance, where:
- processing is based on consent or contract
- processing is carried out by automated means
You also have the right to have data transmitted directly from Kora to another controller, where technically feasible.
9.6 Right to Object (Article 21 GDPR)
You have the right to object at any time to processing of personal data concerning you based on legitimate interests (GDPR Art. 6(1)(f)), including profiling. Kora shall cease processing unless it demonstrates compelling legitimate grounds for processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
You also have the right to object at any time to processing for direct marketing purposes.
9.7 Right to Withdraw Consent
Where processing is based on consent (GDPR Art. 6(1)(a)), you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
9.8 Rights Related to Automated Decision-Making (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This right does not apply where the decision:
- is necessary for the conclusion or performance of a contract
- is authorised by Union or national law
- is based on your explicit consent
In any case, Kora implements appropriate measures to safeguard your rights, freedoms, and legitimate interests, including at minimum the right to obtain human intervention, to express your view, and to contest the decision.
Right to human review of AI decisions: in accordance with GDPR Article 22(3) and the obligations of the AI Act, you have the right to request human review of any classification, recommendation, or automated decision based on the AI systems used by Kora. You may exercise this right by contacting us at legal@koraglobe.com.
9.9 How to Exercise Your Rights
To exercise your rights, you may:
- access your account settings on the platform (for access, rectification, account deletion)
- contact us by email at: legal@koraglobe.com
- write to us at the postal address provided in this policy
We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt.
No fee is charged for exercising your rights, except in the case of manifestly unfounded or excessive requests, for which we may charge a reasonable fee or decline to act.
9.10 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data violates the GDPR.
Estonian supervisory authority: Andmekaitse Inspektsioon — www.aki.ee
Italian supervisory authority (if you reside in Italy): Garante per la Protezione dei Dati Personali — www.garanteprivacy.it
10. Children and Minors
The Platform is intended for users aged 18 and older.
We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected data from a minor, we will delete it immediately. If you believe a minor has provided personal data to Kora, please contact us at legal@koraglobe.com.
11. Data Security
Technical Measures
- HTTPS/TLS encryption for all communications
- database encryption at rest
- password hashing using industry-standard algorithms (bcrypt, Argon2)
- role-based access controls (RBAC)
- periodic security audits
- intrusion and anomaly monitoring
- regular encrypted backups
Organisational Measures
- data processing agreements with all third-party providers
- staff training on data protection
- data minimisation (we collect only what is necessary)
- security incident response plan
- periodic review of security policies
Despite the measures implemented, no data transmission or storage system is completely secure. We cannot guarantee the absolute security of data transmitted or stored, but we are committed to implementing all appropriate technical and organisational measures pursuant to GDPR Article 32.
12. Data Breach Notification
In accordance with GDPR Articles 33 and 34:
In the event of a personal data breach that may present a risk to the rights and freedoms of individuals:
- we will notify the competent supervisory authority (Andmekaitse Inspektsioon, Estonia) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- if the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay, providing clear information on:
  - the nature of the breach
  - the contact point for further information
  - the likely consequences of the breach
  - the measures taken or proposed to address the breach and mitigate its adverse effects
Notification to data subjects is not required where:
- we have implemented appropriate technical and organisational protection measures (e.g. encryption) that render the data unintelligible to any unauthorised person
- we have subsequently taken measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
- notification would involve disproportionate effort, in which case we will instead make a public communication or take a similar measure
13. Third-Party Links and Services
The Platform may contain links to external websites.
We are not responsible for their privacy practices. We encourage you to read the privacy policies of each external website you visit.
14. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to Know
You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out of Sale
You have the right to opt out of the sale of your personal information. Kora does not sell users' personal data. We have not sold personal data in the past 12 months and do not intend to do so.
Right to Non-Discrimination
You have the right not to be discriminated against for exercising your CCPA rights.
To exercise your CCPA rights, contact us at: legal@koraglobe.com
15. Other Regional Privacy Laws
Additional data protection laws may apply depending on your country of residence, including:
- LGPD (Brazil)
- PIPEDA (Canada)
- POPIA (South Africa)
- Privacy Act (Australia)
16. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time.
Material changes:
- we will notify you by email at least 30 days before the change takes effect
- we will publish the updated version on the platform with the date of last update clearly indicated
- if changes affect processing based on consent, we may request a new explicit consent
Non-material changes (e.g. editorial corrections, clarifications) will be published on the platform without prior notice.
We encourage you to review this policy periodically to stay informed about how we protect your data.
17. Contact Us
Privacy enquiries: legal@koraglobe.com
General support: support@koraglobe.com
KoraGlobe OÜ
Address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, Estonia
18. Data Protection Officer (DPO)
As of the effective date of this policy, KoraGlobe OÜ has not appointed a Data Protection Officer. If the volume and nature of processing so require under GDPR Article 37, we will proceed with appointment and notify users in this section with the relevant contact details.
19. Accountability and Compliance
We maintain:
- Records of Processing Activities pursuant to GDPR Article 30
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities pursuant to GDPR Article 35, in particular for the AI systems used in matching and profiling
- Periodic audits of GDPR and AI Act compliance
- Governance oversight by KoraGlobe OÜ management
Appendix A — Legal Bases by Data Category
| Data Category | Legal Basis (GDPR Art. 6) | Primary Purpose |
|---|---|---|
| Account data (name, email, password) | Art. 6(1)(b) — Contract | Account management, authentication |
| Verification data (work email) | Art. 6(1)(b) — Contract | Professional verification |
| Profile data (Professional Card, skills, experience) | Art. 6(1)(b) — Contract | Service delivery, job matching |
| Uploaded CV | Art. 6(1)(b) — Contract | Professional Card generation |
| Payment data (transactions, invoices) | Art. 6(1)(b) — Contract + Art. 6(1)(c) — Legal obligation | Payments, tax compliance |
| Usage data (logs, IP, analytics) | Art. 6(1)(f) — Legitimate interest | Analytics, security, fraud prevention |
| Community activity (posts, comments) | Art. 6(1)(b) — Contract + Art. 6(1)(f) — Legitimate interest | Service delivery, moderation |
| AI-processed data (classifications, recommendations) | Art. 6(1)(b) — Contract + Art. 6(1)(f) — Legitimate interest | Job matching, service improvement |
| Power User AI data (tailored CVs, cover letters) | Art. 6(1)(b) — Contract (subscription) | Application tools |
| Marketing emails | Art. 6(1)(a) — Consent | Promotional communications |
| Non-essential cookies (analytics) | Art. 6(1)(a) — Consent | User behaviour analytics |
End of Privacy Policy
This Privacy Policy is effective as of March 4, 2026, and was last updated on March 4, 2026.