Terms of Service

Last updated May 18, 2026

Kiro Money Disclosure Statement

Mongo App Inc., doing business as Kiro Money, is an AI-powered financial coach that provides personalized financial guidance, education, and support to help users make better financial decisions. Through our consumer platform and our Financial Intelligence API for businesses, we deliver contextual financial assistance powered by artificial intelligence. It is important to understand that:

Non-Advisory Role: While we provide resources to aid financial decisions, Kiro is not a financial advisor. Our service is designed to help users find and access financial resources but should not be construed as offering financial advice.

IMPORTANT REGULATORY DISCLAIMERS:

Not a Registered Investment Advisor: Kiro Money is not a registered investment advisor (RIA) with the SEC or any state securities regulator. We do not provide investment advice or make investment recommendations.
Not FINRA Regulated: We are not a broker-dealer and are not regulated by FINRA (Financial Industry Regulatory Authority).
No Fiduciary Duty: Kiro Money does not act as a fiduciary and has no fiduciary duty to users. We do not have a legal obligation to act in your best financial interest.
Not Tax or Legal Advice: Our services do not constitute tax advice, legal advice, or accounting services. Consult a licensed CPA, tax professional, or attorney for tax and legal matters.
No Securities Offers: No content provided through our Services should be construed as an offer to buy or sell securities, investment products, or financial instruments.
No Suitability Determination: We do not determine whether any financial products, strategies, or guidance are suitable for your specific situation. You are solely responsible for evaluating the appropriateness of any information or guidance for your circumstances.

Accuracy of Information: Our chatbot is powered by our internal database and enterprise-grade AI models, and while we strive to provide accurate information, we cannot guarantee the completeness or correctness of the data provided. Users are encouraged to verify the information before making any decisions.

Professional Advice: We urge users to seek professional financial advice when necessary. Kiro is committed to supporting financial awareness but does not substitute for personalized advice from qualified professionals.

For any inquiries, please contact us at hello@joinkiro.com. We are dedicated to providing clarity and support regarding our offerings.

Agreement to Our Legal Terms

We are Mongo Inc., doing business as Kiro ("Company," "we," "us," "our").

We operate the website https://joinkiro.com (the "Site"), as well as any other related products and services that refer or link to these legal terms (the "Legal Terms") (collectively, the "Services").

You can contact us by email at hello@joinkiro.com.

These Legal Terms constitute a legally binding agreement made between you, whether personally or on behalf of an entity ("you"), and Mongo Inc., concerning your access to and use of the Services. You agree that by accessing the Services, you have read, understood, and agreed to be bound by all of these Legal Terms. IF YOU DO NOT AGREE WITH ALL OF THESE LEGAL TERMS, THEN YOU ARE EXPRESSLY PROHIBITED FROM USING THE SERVICES AND YOU MUST DISCONTINUE USE IMMEDIATELY.

The Services are intended for users who are at least 18 years old. Persons under the age of 18 are not permitted to use or register for the Services.

1. Our Services

1.1 Types of Services

Our Services include:

(a) Direct Consumer Services: Services provided directly to individual end users through our consumer-facing platform at app.joinkiro.com.

(b) API Services: Our Financial Intelligence API that allows businesses, educational institutions, and other organizations ("API Customers") to integrate Kiro Money's financial assistant capabilities into their own platforms, products, and services.

2. API Services Terms

Note: This section applies specifically to API Customers who integrate our API into their platforms. If you are an individual end user, you may skip to Section 3.

2.1 API Access and Use

If you are an API Customer, these additional terms apply to your use of our API Services:

(a) API Dashboard: You will receive access to our API dashboard where you can configure your financial assistant, including setting up knowledge bases, defining prompts, configuring products, and managing settings.

(b) Integration: You may integrate our API into your platform to provide AI-powered financial guidance to your end users. You are responsible for implementing the API according to our documentation.

(c) Usage Limits: Your use of the API is subject to the message limits and rate limits associated with your selected pricing tier as described on our pricing page at https://joinkiro.com/#pricing. These limits are subject to change, and we will provide reasonable notice of material changes.

(d) Overage Charges: If you exceed your plan's message limits, overage charges will apply as specified in your pricing tier.

2.2 API Customer Responsibilities

As an API Customer, you agree to:

(a) Comply with Laws: Ensure that your use of the API and your platform complies with all applicable laws, regulations, and industry standards, including but not limited to data protection laws (GDPR, CCPA, etc.), financial services regulations, and consumer protection laws.

(b) End User Consent: Obtain all necessary consents, permissions, and authorizations from your end users before transmitting their data through our API. You must have a lawful basis for processing their data.

(c) Data Minimization — NO PII:

CRITICAL: You must NOT send Personally Identifiable Information (PII) or sensitive personal data through our API, including:

Social Security Numbers, Tax ID Numbers, or other government identification numbers
Bank account numbers, credit card numbers, or payment card information
Driver's license numbers or passport numbers
Precise geolocation data (city/state level is acceptable)
Biometric data (fingerprints, facial recognition data, etc.)
Health or medical information
Login credentials or passwords
Full dates of birth (year is acceptable for age calculation)
Any other sensitive personal information not necessary for providing financial guidance

You may only send anonymized or aggregated financial data necessary for the AI assistant to provide guidance, such as income ranges, expense categories, general financial goals, and similar non-identifying information.

(d) Data Accuracy: Ensure that any data you transmit through the API is accurate, current, and properly formatted according to our documentation.

(e) Transparency to End Users: You must clearly disclose to your end users that:

An AI-powered financial assistant is being used
The assistant is powered by Kiro Money technology
Their data may be processed through third-party AI service providers
The nature and limitations of the financial guidance provided (not a substitute for professional financial advice)
How their data will be used, stored, and protected

(f) Security Obligations: You must:

Implement and maintain appropriate technical and organizational security measures
Protect all API keys, credentials, and authentication tokens
Use secure transmission protocols (HTTPS/TLS)
Promptly notify us at hello@joinkiro.com of any security incidents or data breaches
Not share API credentials with unauthorized third parties

(g) Monitoring and Maintenance: You must monitor your integration for errors, misuse, performance issues, or security concerns and promptly address any problems.

(h) Your Own Terms: You must maintain your own terms of service and privacy policy that govern your relationship with your end users. Your terms must not conflict with these Terms and must adequately inform users about the use of AI services.

2.3 Acceptable Use Policy for API

Prohibited Uses: API Customers must NOT use the API for any of the following purposes:

(a) Illegal or Harmful Activities:

Any illegal purposes or activities
Fraudulent financial schemes, scams, or deceptive practices
Predatory lending practices or loan sharking
Pyramid schemes, Ponzi schemes, or multi-level marketing
Unlicensed gambling, betting, or gaming activities
Money laundering, terrorist financing, or sanctions evasion
Tax evasion schemes or illegal tax shelters

(b) Discriminatory or Harmful Content:

Discriminating based on race, ethnicity, religion, gender, sexual orientation, age, disability, or other protected characteristics
Generating harassing, threatening, or abusive content
Creating sexually explicit or inappropriate content
Promoting violence, self-harm, or illegal activities
Generating content that targets or harms minors

(c) Unauthorized Financial Activities:

Providing regulated investment advice without proper licensing
Making specific stock picks or investment recommendations without authorization
Guaranteeing specific financial returns or outcomes
Claiming to predict market movements with certainty
Representing the service as a licensed financial advisor, broker, or investment advisor (unless you are properly licensed)
Facilitating insider trading or market manipulation

(d) Technical Misuse:

Reverse engineering, decompiling, or attempting to extract our source code or algorithms
Circumventing usage limits, rate limits, or billing systems
Bypassing security measures, authentication systems, or access controls
Overloading or attempting to disrupt our systems (DDoS attacks, etc.)
Using the API to train competing AI or machine learning models
Scraping or systematically downloading our content
Sharing or reselling API access to third parties without authorization

(e) Privacy Violations:

Transmitting data without proper end user consent
Collecting or using personal data beyond what users have authorized
Sharing end user data with third parties without consent
Using end user data for purposes beyond providing the financial assistant service

(f) Misrepresentation:

Misrepresenting the capabilities or limitations of the service
Falsely claiming affiliation with or endorsement by Kiro Money
Presenting AI-generated content as human-created financial advice
Making false or misleading statements about financial products or services

2.4 Data Processing for API Services

(a) Data Ownership: As an API Customer, you retain ownership of:

Your account data and configurations
Knowledge base content you upload
Custom prompts and settings you create
Any end user data you transmit through the API (subject to your compliance with data minimization requirements)

(b) How We Process End User Data: When your end users interact with the financial assistant through your platform:

Data flows through our systems for real-time processing and response generation
We process this data solely to provide the API Services to you and your end users
We use industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256)
NO MODEL TRAINING ON YOUR DATA: We operate under enterprise contracts with our AI providers (OpenAI, Google Cloud AI, Anthropic) that explicitly prohibit training on customer data. All data sent to AI providers has zero-retention and training opt-out enabled by default. Your data and your end users' data is never used to train, improve, or fine-tune AI models.
We do NOT sell, rent, or share end user data with third parties for marketing or advertising purposes
We do NOT use end user data for purposes beyond providing the contracted services

(c) Data Breach Notification:

In the event of a data breach that affects API Customers or their end users, we will notify affected API Customers within 72 hours of becoming aware of the breach
Notification will be sent to the email address associated with your account
We will provide information about the nature of the breach, data affected, and steps being taken to address it
API Customers are responsible for notifying their own end users as required by applicable law
We maintain incident response procedures and work with law enforcement and regulators as required

(d) Third-Party AI Service Providers: You acknowledge and agree that:

We use third-party AI service providers (including but not limited to OpenAI, Google Cloud AI, and Anthropic) to power our Services
We operate under enterprise contracts with these providers that include zero-retention and no-training provisions
Data transmitted through the API is processed by these providers in accordance with their enterprise terms and privacy policies
These providers have their own security measures and data handling practices
We select providers based on their security, compliance, and privacy standards

(e) Data Retention:

We retain interaction logs and conversation data for operational purposes and service improvement
Retention periods vary based on the purpose and applicable legal requirements
We implement data minimization practices and delete data when no longer necessary

(f) Data Deletion Rights:

API Customers may request deletion of their account data and associated end user data by emailing hello@joinkiro.com
We will process deletion requests within 30 business days
Some data may be retained longer if required by law, for accounting purposes, to resolve disputes, or to enforce our agreements
Deleted data may persist in backups for up to 90 days before permanent deletion
Upon account termination, all associated data will be scheduled for deletion according to our standard retention policies

(g) Data Location: Our Services are hosted in the United States and United Kingdom. By using the API, you consent to data being transferred to and processed in these jurisdictions.

2.5 Service Levels and Support

(a) Availability:

We strive to provide high availability and reliability of our API Services
We do not guarantee uninterrupted or error-free access
We may perform scheduled maintenance with advance notice when possible
Emergency maintenance may be performed without notice

(b) Support:

Support levels vary by pricing tier as described at https://joinkiro.com/#pricing
All support is provided via email at hello@joinkiro.com
Documentation is available through our developer portal
Response times vary: Basic (72hr), Standard (48hr), Enterprise (24hr)

(c) Changes to API:

We reserve the right to modify, update, or improve the API at any time
We will provide reasonable advance notice of material changes that may affect your integration
Backward compatibility is maintained when possible
Deprecated features will be supported for a reasonable transition period
We may introduce new features that are available only to certain pricing tiers

2.6 API Customer Liability and Indemnification

API Customers agree to defend, indemnify, and hold harmless Kiro Money, Mongo Inc., and our officers, directors, employees, agents, and partners from and against any claims, liabilities, damages, losses, costs, or expenses (including reasonable attorneys' fees) arising from or related to:

Your implementation, integration, or use of the API Services
Your end users' use of your platform or services
Any violation of these Terms by you or your end users
Any data you transmit through the API, including any prohibited PII
Any representations, warranties, or commitments you make to your end users
Your failure to obtain necessary consents from end users
Your failure to comply with applicable laws, regulations, or industry standards
Any security breach or data incident related to your platform
Intellectual property infringement claims related to your use of the Services
Your violation of the Acceptable Use Policy

You acknowledge that you are solely responsible for your relationship with your end users and any disputes that may arise from your provision of services to them.

2.7 API Keys and Security

(a) Credential Management:

API keys and authentication credentials are confidential and proprietary to your account
You must store API keys securely and never expose them in client-side code, public repositories, or unsecured locations
Use environment variables or secure credential management systems
Rotate API keys periodically as a security best practice

(b) Responsibility for Use:

You are fully responsible for all activity that occurs using your API credentials
You are liable for any unauthorized use resulting from failure to secure your credentials
Monitor your API usage regularly for suspicious activity

(c) Security Incidents:

You must immediately notify us at hello@joinkiro.com if you suspect unauthorized access to your API keys, compromise of your account or credentials, any security breach or vulnerability, or unusual usage patterns or suspected misuse
We will work with you to investigate and respond to security incidents

(d) Key Revocation:

We may revoke, suspend, or regenerate API keys at any time if we detect misuse, abuse, or violation of Terms; identify security concerns or vulnerabilities; receive reports of unauthorized use; or determine it necessary to protect our Services or other customers
You may regenerate your own API keys through the dashboard at any time

2.8 Fees and Payment (API Services)

(a) Pricing: API Services are billed according to the pricing tiers available at https://joinkiro.com/#pricing.

(b) Billing:

Fees are billed monthly in advance for your selected plan
Overage charges are billed in arrears in the following billing cycle
All fees are in U.S. Dollars unless otherwise specified
Payment is due upon receipt of invoice
Payments are processed through Stripe, Inc. ("Stripe"), our third-party payment processor. By providing payment information, you agree to Stripe's terms and authorize us to charge your payment method

(c) Price Changes:

We reserve the right to modify pricing with 30 days' advance notice
Price changes will take effect at the start of your next billing cycle
If you do not agree to a price increase, you may terminate your account before the change takes effect

(d) Taxes: Fees do not include any applicable taxes, levies, duties, or similar governmental assessments. You are responsible for all applicable taxes.

(e) Late Payment:

Accounts with payment overdue by more than 15 days may have API access suspended
We reserve the right to charge late fees or interest on overdue amounts
Continued non-payment may result in account termination

2.9 API Termination

(a) Termination by You:

You may terminate your API Services at any time by providing written notice to hello@joinkiro.com
Termination will be effective at the end of your current billing period unless otherwise agreed
No refunds will be provided for unused portions of prepaid services

(b) Termination by Us:

We may immediately suspend or terminate your API access if you violate these Terms or the Acceptable Use Policy; your account payment is overdue by more than 15 days; we detect misuse, abuse, or security concerns; you transmit prohibited PII or sensitive data; we are required to do so by law, court order, or government authority; or we discontinue the API Services (with reasonable notice)
We will provide notice when possible, but may terminate immediately in cases of severe violations

(c) Effect of Termination:

Your API access will be immediately revoked
You must cease all use of the API in your platform or services
Outstanding fees and overage charges remain due and payable
Your data will be handled according to our data retention and deletion policies (Section 2.4)
We are not liable for any damages resulting from termination
Provisions that by their nature should survive termination will remain in effect (including indemnification, limitations of liability, and dispute resolution)

(d) Data Retrieval:

Upon termination, you will have 30 days to retrieve your configuration data and settings
After 30 days, we may delete all data associated with your account
We are not obligated to provide data in any specific format

3. Intellectual Property Rights

Our intellectual property

We are the owner or the licensee of all intellectual property rights in our Services, including all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics in the Services (collectively, the "Content"), as well as the trademarks, service marks, and logos contained therein (the "Marks").

Our Content and Marks are protected by copyright and trademark laws (and various other intellectual property rights and unfair competition laws) and treaties in the United States and around the world.

The Content and Marks are provided in or through the Services "AS IS" for your personal, non-commercial use or internal business purpose only.

Your use of our Services

Subject to your compliance with these Legal Terms, we grant you:

For Individual Users: A non-exclusive, non-transferable, revocable license to access the Services and download or print a copy of any portion of the Content to which you have properly gained access, solely for your personal, non-commercial use.

For API Customers: A limited, non-exclusive, non-transferable, revocable license to integrate and use the API Services within your platform solely for the purpose of providing AI-powered financial assistant services to your end users in accordance with these Terms.

Except as set out in this section, no part of the Services and no Content or Marks may be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

4. User Representations

By using the Services, you represent and warrant that: (1) all registration information you submit will be true, accurate, current, and complete; (2) you will maintain the accuracy of such information and promptly update such registration information as necessary; (3) you have the legal capacity and you agree to comply with these Legal Terms; (4) you are not a minor in the jurisdiction in which you reside; (5) you will not access the Services through automated or non-human means, whether through a bot, script or otherwise, except as expressly permitted for API integration; (6) you will not use the Services for any illegal or unauthorized purpose; and (7) your use of the Services will not violate any applicable law or regulation.

If you provide any information that is untrue, inaccurate, not current, or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future use of the Services (or any portion thereof).

5. Prohibited Activities

You may not access or use the Services for any purpose other than that for which we make the Services available. As a user of the Services, you agree not to:

Systematically retrieve data or other content from the Services to create or compile a collection, compilation, database, or directory without written permission from us
Trick, defraud, or mislead us and other users, especially in any attempt to learn sensitive account information such as user passwords
Circumvent, disable, or otherwise interfere with security-related features of the Services
Use any information obtained from the Services in order to harass, abuse, or harm another person
Make improper use of our support services or submit false reports of abuse or misconduct
Use the Services in a manner inconsistent with any applicable laws or regulations
Upload or transmit viruses, Trojan horses, or other material that interferes with any party's uninterrupted use
Engage in any automated use of the system, except as expressly permitted for API integration
Attempt to impersonate another user or person
Interfere with, disrupt, or create an undue burden on the Services
Attempt to bypass any measures of the Services designed to prevent or restrict access to the Services
Decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Services
Use the Services as part of any effort to compete with us or otherwise use the Services for any revenue-generating endeavor or commercial enterprise except as expressly authorized through API Customer agreements

6. Services Management

We reserve the right, but not the obligation, to: (1) monitor the Services for violations of these Legal Terms; (2) take appropriate legal action against anyone who, in our sole discretion, violates the law or these Legal Terms; (3) refuse, restrict access to, limit the availability of, or disable any of your Contributions or any portion thereof; (4) remove from the Services or otherwise disable all files and content that are excessive in size or are in any way burdensome to our systems; and (5) otherwise manage the Services in a manner designed to protect our rights and property and to facilitate the proper functioning of the Services.

7. Privacy Policy

We care about data privacy and security. By using the Services, you agree to be bound by our Privacy Policy, which is incorporated into these Legal Terms. Please be advised the Services are hosted in the United States and United Kingdom. If you access the Services from any other region of the world with laws or other requirements governing personal data collection, use, or disclosure that differ from applicable laws in the United States and United Kingdom, then through your continued use of the Services, you are transferring your data to the United States and United Kingdom, and you expressly consent to have your data transferred to and processed in the United States and United Kingdom.

8. Term and Termination

These Legal Terms shall remain in full force and effect while you use the Services. WITHOUT LIMITING ANY OTHER PROVISION OF THESE LEGAL TERMS, WE RESERVE THE RIGHT TO, IN OUR SOLE DISCRETION AND WITHOUT NOTICE OR LIABILITY, DENY ACCESS TO AND USE OF THE SERVICES (INCLUDING BLOCKING CERTAIN IP ADDRESSES), TO ANY PERSON FOR ANY REASON OR FOR NO REASON, INCLUDING WITHOUT LIMITATION FOR BREACH OF ANY REPRESENTATION, WARRANTY, OR COVENANT CONTAINED IN THESE LEGAL TERMS OR OF ANY APPLICABLE LAW OR REGULATION. WE MAY TERMINATE YOUR USE OR PARTICIPATION IN THE SERVICES OR DELETE YOUR ACCOUNT AND ANY CONTENT OR INFORMATION THAT YOU POSTED AT ANY TIME, WITHOUT WARNING, IN OUR SOLE DISCRETION.

9. Modifications and Interruptions

We reserve the right to change, modify, or remove the contents of the Services at any time or for any reason at our sole discretion without notice. However, we have no obligation to update any information on our Services. We will not be liable to you or any third party for any modification, price change, suspension, or discontinuance of the Services.

10. Governing Law

These Legal Terms and your use of the Services are governed by and construed in accordance with the laws of the State of Louisiana applicable to agreements made and to be entirely performed within the State of Louisiana, without regard to its conflict of law principles.

11. Dispute Resolution

Informal Negotiations

To expedite resolution and control the cost of any dispute, controversy, or claim related to these Legal Terms, the Parties agree to first attempt to negotiate any Dispute informally for at least thirty (30) days before initiating arbitration.

Binding Arbitration

If the Parties are unable to resolve a Dispute through informal negotiations, the Dispute will be finally and exclusively resolved by binding arbitration under the Commercial Arbitration Rules of the American Arbitration Association ("AAA"). The arbitration will take place in Jefferson, Louisiana.

12. Disclaimer

THE SERVICES ARE PROVIDED ON AN AS-IS AND AS-AVAILABLE BASIS. YOU AGREE THAT YOUR USE OF THE SERVICES WILL BE AT YOUR SOLE RISK. TO THE FULLEST EXTENT PERMITTED BY LAW, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, IN CONNECTION WITH THE SERVICES AND YOUR USE THEREOF.

13. Limitations of Liability

IN NO EVENT WILL WE OR OUR DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFIT, LOST REVENUE, LOSS OF DATA, OR OTHER DAMAGES ARISING FROM YOUR USE OF THE SERVICES. OUR LIABILITY TO YOU FOR ANY CAUSE WHATSOEVER WILL AT ALL TIMES BE LIMITED TO THE AMOUNT PAID, IF ANY, BY YOU TO US DURING THE SIX (6) MONTH PERIOD PRIOR TO ANY CAUSE OF ACTION ARISING.

14. Indemnification

You agree to defend, indemnify, and hold us harmless, including our subsidiaries, affiliates, and all of our respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys' fees and expenses, made by any third party due to or arising out of: (1) your use of the Services; (2) breach of these Legal Terms; (3) any breach of your representations and warranties set forth in these Legal Terms; (4) your violation of the rights of a third party, including but not limited to intellectual property rights; or (5) any overt harmful act toward any other user of the Services with whom you connected via the Services.

15. Third Party Services

Use of Plaid to Access Your Financial Information

16. Contact Us

In order to resolve a complaint regarding the Services or to receive further information regarding use of the Services, please contact us at:

Mongo App Inc.
Email: hello@joinkiro.com

Privacy Policy

Last updated May 18, 2026

This Privacy Notice for Mongo App Inc. (doing business as Kiro) ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Visit our website at joinkiro.com, or any website of ours that links to this Privacy Notice
Use Mongo App Inc. An AI financial coach that helps users understand their financial position and set up a financial plan
Use our Financial Intelligence API as a business, educational institution, or organization ("API Customer") to provide AI-powered financial assistant services to your end users
Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at hello@joinkiro.com.

IMPORTANT REGULATORY DISCLAIMERS:

Not a Registered Investment Advisor: Kiro Money is not a registered investment advisor (RIA) with the SEC or any state securities regulator.
Not FINRA Regulated: We are not a broker-dealer and are not regulated by FINRA.
No Fiduciary Duty: Kiro Money does not act as a fiduciary and has no fiduciary duty to users.
Not Tax or Legal Advice: Our services do not constitute tax advice, legal advice, or accounting services.
No Securities Offers: No content should be construed as an offer to buy or sell securities.
No Suitability Determination: We do not determine whether any financial products or guidance are suitable for your specific situation.

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law, such as financial data necessary to provide our Services.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

In what situations and with which parties do we share personal information? We may share information with third-party service providers who assist us in providing the Services, such as AI service providers (OpenAI, Google Cloud AI, Anthropic) and financial data aggregators (Plaid).

How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information, including encryption, access controls, and security monitoring.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information, including the right to access, correct, or delete your data.

IMPORTANT FOR API CUSTOMERS: If you are a business using our API Services, this Privacy Policy explains how we process data on behalf of you and your end users. You are responsible for providing appropriate privacy notices to your end users about how their data is processed through our Services.

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

For Individual Users: The personal information we collect may include:

Names
Email addresses
Phone numbers
Usernames and passwords
Contact preferences
Financial information (income, expenses, debt, assets, financial goals)
Education level
Age
Location (city/state level)

For API Customers: The information we collect includes:

Business name and contact information
Billing and payment information
API configuration data (knowledge bases, prompts, settings)
Usage data and analytics
End user interaction data (as transmitted through your API integration)

Sensitive Information: When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information: financial data necessary to provide financial guidance services.

CRITICAL — PII RESTRICTIONS FOR API CUSTOMERS:

API Customers must NOT send the following types of Personally Identifiable Information (PII) or sensitive personal data through our API:

Social Security Numbers or Tax ID Numbers
Bank account numbers or credit card numbers
Government-issued identification numbers (driver's license, passport)
Precise geolocation data (beyond city/state)
Biometric data
Health or medical information
Login credentials or passwords
Full dates of birth (year for age calculation is acceptable)

Only anonymized or aggregated financial data necessary for providing AI financial guidance should be transmitted.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include:

Log and Usage Data: Service-related, diagnostic, usage, and performance information including IP address, device information, browser type, pages viewed, and actions taken
Device Data: Information about your computer, phone, tablet, or other device including IP address, device and application identification numbers, browser type, operating system
Location Data: Information about your device's location based on IP address (city/state level)

Information collected through our API Services

When API Customers integrate our Services into their platforms, we collect:

API requests and responses
End user queries and interactions with the AI assistant
Session data and conversation context
Performance and error logs
Usage metrics (message counts, response times, etc.)

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

To provide the Services: Deliver AI-powered financial guidance and assistance
To facilitate account creation and authentication: Manage user accounts and keep them in working order
To enable API functionality: Process requests from API Customers and their end users
To personalize experience: Ensure the AI coach can personalize its guidance based on user-specific financial context
To improve our Services: Identify usage trends and understand how our Services are being used
To ensure security: Monitor for fraud, abuse, and security threats
To communicate with you: Send service-related notifications, respond to inquiries, and request feedback
To comply with legal obligations: Fulfill our legal and regulatory requirements

How We Process Data in API Services

When processing data through our API Services, we operate under a three-party model:

End User — The individual using the API Customer's platform
API Customer (You) — The business/organization integrating our API
Kiro Money (We) — The API service provider

Data Processing Roles:

For Individual User Data: We are the data controller, making decisions about how personal information is processed
For API Customer End User Data: We act as a data processor on behalf of the API Customer. The API Customer remains the data controller for their end users and is responsible for obtaining necessary consents from end users, providing appropriate privacy notices, ensuring lawful processing of personal data, and responding to end user rights requests.

3. What Legal Bases Do We Rely on to Process Your Personal Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

If you are located in the EU or UK, we may rely on the following legal bases:

Consent: You have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
Contract Performance: Processing is necessary to perform our contract with you (e.g., providing the AI financial assistant service).
Legitimate Interests: We may process your information when reasonably necessary to achieve our legitimate business interests, such as improving our Services, ensuring security, or analyzing usage patterns.
Legal Obligations: We may process your information where necessary for compliance with our legal obligations.

For API Customers: Our processing of end user data is based on our contract with you to provide API Services. You are responsible for ensuring you have a lawful basis to share end user data with us.

4. When and With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

Third-Party Service Providers

We share information with service providers who assist us in providing the Services:

AI Service Providers: We use third-party AI providers including OpenAI (ChatGPT and related models), Google Cloud AI (Vertex AI, Gemini models), and Anthropic (Claude models). These providers process user queries and conversation data to generate AI responses. Data is processed according to their respective privacy policies and terms of service.
Financial Data Aggregation: We use Plaid Inc. to securely connect to users' financial institutions and retrieve account data with user consent.
Cloud Infrastructure: We use MongoDB Atlas and Google Cloud Platform for secure data storage and processing.
Payment Processors: For API Customers, we use Stripe, Inc. to handle billing and payments securely.
Analytics Services: We use Google Analytics to understand how our Services are used.

API Customer Relationships

When you use our Services through an API Customer's platform:

Your interaction data is shared with the API Customer who integrated our services
The API Customer may have their own privacy policy governing their use of your data
We process your data on behalf of the API Customer to provide the Services

Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Legal Requirements

We may disclose your information when required to:

Comply with applicable laws or respond to valid legal processes
Protect the rights, property, or safety of Kiro Money, our users, or others
Detect, prevent, or address fraud, security, or technical issues
Enforce our Terms of Service or other agreements

What We Do NOT Do

We do NOT sell your personal information to third parties
We do NOT share your data with third parties for their own marketing purposes
We do NOT use your personal financial data to train AI models without explicit consent
We do NOT share API Customer end user data with other API Customers

5. Do We Use Cookies and Other Tracking Technologies?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

Google Analytics

We may share your information with Google Analytics to track and analyze the use of the Services. To opt out of being tracked by Google Analytics, visit https://tools.google.com/dlpage/gaoptout.

6. Do We Offer Artificial Intelligence-Based Products?

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, "AI Products"). These tools are designed to provide AI-powered financial guidance and assistance.

Use of AI Technologies

We provide the AI Products through third-party service providers ("AI Service Providers"), including:

OpenAI
Google Cloud AI
Anthropic

Enterprise Contracts & No Training on Your Data: We operate under enterprise contracts with all AI service providers that explicitly prohibit training on customer data. All data sent to AI providers has zero-retention and training opt-out enabled by default. Your data is never used to train, improve, or fine-tune AI models.

Your input, output, and personal information will be shared with and processed by these AI Service Providers to enable your use of our AI Products for real-time response generation only.

Our AI Products

Our AI Products are designed for the following functions:

AI-powered financial coaching and guidance
Personalized financial insights and recommendations
Financial question answering and education
Financial goal planning and tracking

How We Process Your Data Using AI

All personal information processed using our AI Products is handled in line with our Privacy Notice and our enterprise agreements with third parties. Key safeguards include:

Data transmitted to AI providers is encrypted in transit using TLS 1.3
We use AI providers with strong privacy and security commitments
Zero-retention enterprise contracts: We operate under enterprise agreements that prohibit AI providers from retaining or training on your data
Training opt-out enabled by default: All data sent to AI providers has training disabled and zero-retention configured
We do not use your personal data to train AI models without explicit consent (and our enterprise contracts prevent AI providers from doing so)
AI providers process data solely to provide our Services with real-time responses

Data Sent to AI Service Providers

When you interact with our AI financial assistant, the following data may be sent to AI service providers:

Your questions and queries
Financial context you provide (income ranges, expense categories, goals)
Conversation history (to maintain context)
Configuration and customization settings (for API Customers)

We do NOT send to AI providers:

Social Security Numbers or government ID numbers
Bank account numbers or credit card numbers
Login credentials
Precise geolocation data
Any other sensitive PII beyond what's necessary for financial guidance

7. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law.

Retention Periods:

Active Accounts: We retain your data while you have an active account with us
Conversation Logs: Stored for operational purposes and service improvement for up to 2 years
API Usage Logs: Retained for up to 1 year for billing, support, and troubleshooting purposes
Financial Records: Billing and payment records retained for 7 years to comply with tax and accounting requirements
Backup Data: May persist in backups for up to 90 days after deletion

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible, we will securely store your personal information and isolate it from any further processing until deletion is possible.

Deletion Requests

For Individual Users: You can request deletion of your data at any time by contacting us at hello@joinkiro.com.

For API Customers: You can request deletion of your account data and associated end user data by emailing hello@joinkiro.com. We will process deletion requests within 30 business days, subject to legal retention requirements.

8. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process:

Technical Security Measures

Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption
Access Controls: Role-based access controls ensure only authorized personnel can access data
Authentication: Multi-factor authentication for administrative access
Network Security: Firewalls, intrusion detection, and network segmentation
API Security: API keys, rate limiting, and request validation
Monitoring: Continuous security monitoring and logging

Organizational Security Measures

Security Training: Regular security awareness training for employees
Access Restrictions: Strict policies limiting employee access to personal data
Incident Response: Documented incident response procedures
Vendor Management: Due diligence on third-party service providers
Regular Audits: Periodic security assessments and reviews

Infrastructure Security

We use MongoDB Atlas and Google Cloud Platform, which are certified under:

ISO 27001 (Information Security Management)
ISO 27017 (Cloud Security)
ISO 27018 (Cloud Privacy)
SOC 2 Type II
SOC 3

Data Breach Notification

In the event of a data breach that affects your personal information:

Individual Users: We will notify affected users within 72 hours of becoming aware of a breach affecting their personal information
API Customers: We will notify API Customers within 72 hours of becoming aware of any breach affecting their data or their end users' data
Notifications will be sent to the email address associated with your account
We will provide information about the nature of the breach, data affected, and steps being taken to address it
We maintain documented incident response procedures and cooperate with law enforcement and regulatory authorities as required

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

9. Do We Collect Information from Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

10. What Are Your Privacy Rights?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Switzerland, you have rights that allow you greater access to and control over your personal information.

Your Rights Include:

Right to Access: Request a copy of the personal information we hold about you
Right to Correction: Request that we correct inaccurate or incomplete personal information
Right to Deletion: Request that we delete your personal information (subject to legal retention requirements)
Right to Data Portability: Receive your data in a portable format
Right to Withdraw Consent: Withdraw consent for processing based on consent
Right to Object: Object to certain types of processing
Right to Restrict Processing: Request that we limit how we use your data

How to Exercise Your Rights

To exercise these rights, you can:

Email us at hello@joinkiro.com
Log into your account settings
Visit joinkiro.com

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

For API Customer End Users

If you are an end user of an API Customer's platform:

Contact the API Customer directly for most requests related to your data
The API Customer is responsible for responding to your rights requests
We will assist the API Customer in fulfilling their obligations to you
For questions specifically about Kiro Money's processing, you may contact us at hello@joinkiro.com

11. Do United States Residents Have Specific Privacy Rights?

In Short: If you are a resident of California, Colorado, Connecticut, Virginia, or other states with privacy laws, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it.

Categories of Personal Information We Collect

Category	Examples	Collected
A. Identifiers	Name, email, phone, username, online identifiers, IP address	YES
B. Personal information (CA Customer Records)	Name, contact information, education, employment, financial information	YES
C. Protected classification characteristics	Age, gender, demographic data	YES
D. Commercial information	Transaction information, purchase history (for API Customers)	YES (API Customers only)
E. Biometric information	Fingerprints, voiceprints	NO
F. Internet/network activity	Browsing history, interactions with Services	YES
G. Geolocation data	City/state level location	YES
H. Sensory information	Audio, video, images	NO
I. Professional/employment information	Job title, work history (for job applicants)	NO
J. Education information	Student records	NO
K. Inferences	Preferences, characteristics, behavior patterns	YES
L. Sensitive personal information	Financial data, account credentials	YES

How We Use and Share Personal Information

We use personal information for the purposes described in "HOW DO WE PROCESS YOUR INFORMATION?"

We share personal information with service providers as described in "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

We do NOT sell or share personal information for cross-context behavioral advertising.

Your California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA):

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information
Right to opt-out of the sale or sharing of personal information (we don't sell or share)
Right to non-discrimination for exercising your rights
Right to correct inaccurate personal information
Right to limit use and disclosure of sensitive personal information

12. Do We Make Updates to This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

13. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at hello@joinkiro.com.

Mongo App Inc.
Email: hello@joinkiro.com
Doing business as: Kiro Money

14. How Can You Review, Update, or Delete the Data We Collect from You?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information.

To request to review, update, or delete your personal information, please:

Email us at hello@joinkiro.com
Log into your account settings and update your information
Visit joinkiro.com

We will respond to your request in accordance with applicable data protection laws.

Third Party Services — Additional Information

Use of Plaid to Access Your Financial Information

To provide certain features of the Services, we use Plaid Inc. ("Plaid") to gather your data from financial institutions. By using our Services, you grant Kiro and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from relevant financial institutions. This may include information such as your account balances, transaction history, account numbers, liabilities, and investment holdings. We only access this information with your explicit consent and solely for the purposes of delivering our financial coaching services to you.

Plaid Privacy Policy

The information we receive from Plaid is governed by Plaid's privacy policy. You can review their policy at: https://plaid.com/legal/#end-user-privacy-policy

Your Consent and Revocation

Before we access your financial account information through Plaid, you will be asked to provide your explicit consent. You may revoke your consent at any time by contacting us at hello@joinkiro.com or using any in-app settings provided for this purpose. Upon revocation, we will stop accessing your financial data, and you may request that we delete any previously collected data (subject to any legal retention requirements).

How We Use Your Financial Data

We only use the financial data we collect through Plaid for the specific purposes described in this Policy and your consent. These purposes include providing personalized insights, budgeting tools, and recommendations to help you manage your finances. We do not sell your financial information to third parties or use your data for any unauthorized purpose.