Privacy Policy
Effective Date: 5 April 2026 | Last Updated: 5 April 2026 | Version: 1.0
Applicable Laws: Nigeria Data Protection Act 2023 (NDPA); Nigeria Data Protection Regulation 2019 (NDPR);
Kenya Data Protection Act 2019 (Cap. 411C); Kenya Data Protection (General) Regulations 2021
Summary: Kori AML is a B2B compliance intelligence platform. We collect data about your institution and its authorised personnel to provide AML/CFT/CPF monitoring services. We do not sell your data, display advertising, or share personal data with third parties except as necessary to deliver the platform and comply with legal obligations. You have rights over your data under Nigerian and Kenyan law.
1. Who We Are
The Kori AML Platform ("Kori", "we", "us") is a product of Seamount.io. We operate as a data processor on behalf of financial institutions (our clients) and as a data controller for data relating to our client contacts, platform users, and demo enquirers.
Our registered contact for privacy matters:
2. Scope of This Policy
This Policy applies to:
- Personal data of authorised platform users (compliance analysts, CCMLOs, administrators) at client institutions
- Contact information of individuals who submit demo requests or contact us for sales enquiries
- Data we process on behalf of client institutions under their transaction monitoring mandates
This Policy does not apply to the personal data of end-customers of our client institutions, which is governed by the data processing agreement between Kori and each client institution.
3. Legal Basis for Processing
We process personal data under the following legal bases, consistent with the NDPA 2023 and Kenya DPA 2019:
| Purpose | Legal Basis |
| --- | --- |
| Providing platform access and authentication | Performance of contract (§25 NDPA / S.30 KE DPA) |
| AML/CFT processing on behalf of client institutions | Legal obligation — compliance with CBN/CBK regulatory mandates |
| Demo requests and sales enquiries | Legitimate interest / consent |
| Audit logging and platform security | Legitimate interest; compliance with CBN §5.1.6 |
| Billing and subscription management | Performance of contract |
| Service communications | Legitimate interest / performance of contract |
4. Data We Collect
4.1 Platform Users (Institutional Personnel)
- Name and work email address
- Role / job title within the institution
- Login timestamps and IP addresses (for audit and security)
- Actions taken within the platform (alert investigations, blocklist modifications, report exports)
- Session tokens (managed by Supabase Auth)
4.2 Demo and Sales Enquirers
- Name, work email, role, institution name, and institution type
- Description of compliance requirements provided voluntarily
4.3 Transaction Data (Processed on Behalf of Client Institutions)
When institutions submit transactions for monitoring, we process:
- Transaction identifiers, amounts, timestamps, and channels
- Hashed or pseudonymised identifiers (BVN hash, NIN hash, phone numbers, IP addresses)
- Wallet addresses and merchant identifiers
- NIBSS session IDs and other payment rail references
We process this data strictly as a data processor acting on the instructions of the client institution. The institution is the data controller for this category of data.
5. How We Use Your Data
- Authentication and access control: Verify identity, maintain session security, and enforce role-based access
- AML/CFT/CPF monitoring: Risk score transactions, detect fraud rings, generate alerts, and produce evidence for regulatory submissions
- Audit compliance: Maintain immutable audit logs as required by CBN Baseline Standards §5.1.6 and equivalent Kenyan regulations
- Support and communication: Respond to technical and compliance support requests
- Billing: Process subscription payments via Paystack (Nigeria) and Flutterwave (Kenya)
- Product improvement: Anonymised, aggregated analytics to improve detection accuracy
6. Data Sharing and Disclosure
We do not sell or rent personal data. We may share data with:
- Sub-processors: Supabase (database and auth), Render (cloud hosting), Neo4j (graph database), Upstash (Redis queue), Vercel (frontend hosting), Paystack/Flutterwave (payments). All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security standards.
- Regulatory authorities: CBN, NFIU, CBK, or other competent authorities in Nigeria and Kenya, where required by law or valid legal process
- Client institutions: Audit data and reports generated from their transactions are shared back with the respective institution only
7. Consortium Blocklist Sharing
Our platform includes an optional consortium blocklist feature. When enabled, an institution may share hashed indicators of compromise (hashed phone numbers, IP addresses, wallet addresses) with other participating institutions. No plaintext personal data is shared through this mechanism. Participation is opt-in and governed by a separate data sharing agreement.
8. International Data Transfers
Your data may be processed on servers located in the European Union (Supabase EU region) or the United States (Render, Vercel). Where data is transferred outside Nigeria or Kenya, we ensure appropriate safeguards are in place, including standard contractual clauses and, where required, notification to the Nigeria Data Protection Commission (NDPC) or the Office of the Data Protection Commissioner of Kenya (ODPC).
9. Data Retention
| Data Category | Retention Period |
| --- | --- |
| Platform user accounts | Duration of subscription + 12 months |
| Audit logs | 7 years (consistent with CBN record-keeping requirements) |
| Transaction monitoring data | 5 years from transaction date (CBN AML/CFT guidelines) |
| Suspicious Transaction Reports | 10 years (NFIU requirements) |
| Demo/sales enquiry data | 24 months from last contact |
| Payment records | 7 years (financial records obligation) |
10. Your Rights
Under the NDPA 2023 (Nigeria) and Kenya DPA 2019, you have the following rights:
- Right of access: Request a copy of personal data we hold about you
- Right to rectification: Correct inaccurate data
- Right to erasure: Request deletion where data is no longer necessary (subject to legal retention obligations)
- Right to data portability: Receive your data in a machine-readable format
- Right to object: Object to processing based on legitimate interest
- Right to restrict processing: Limit how we process your data pending a dispute
- Right to withdraw consent: Where processing is based on consent
To exercise any right, email privacy@kori.seamount.io. We will respond within 30 days. You may also lodge a complaint with:
- Nigeria: National Information Technology Development Agency (NITDA) / Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
- Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke
11. Security Measures
We implement appropriate technical and organisational measures including:
- AES-256 encryption at rest for all data stored in Supabase
- TLS 1.3 encryption in transit on all platform endpoints
- SHA-256 hashing of API keys before storage (keys never stored in plaintext)
- Row-Level Security (RLS) enforced at database level
- JWT-based authentication with configurable session expiry
- Immutable audit logs with insert-only access controls
- Regular security reviews and access control audits
12. Cookies and Tracking
The Kori platform uses only essential session cookies required for authentication. We do not use advertising cookies, tracking pixels, or third-party analytics. The public landing page does not place any cookies without your consent.
13. Changes to This Policy
We may update this Policy to reflect changes in law or our practices. Material changes will be notified to registered platform users by email at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.
14. Contact
For any privacy-related questions, requests, or complaints: