Privacy Policy

Katharos Technologies, Inc.

Last Updated: March 6, 2026

Effective Date: March 6, 2026


Introduction

Katharos Technologies, Inc. ("Katharos," "we," "us," or "our") provides an AI-powered anti-money laundering (AML), know-your-customer (KYC), and sanctions compliance screening platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.

By accessing or using Katharos, you agree to this Privacy Policy. If you do not agree, please do not use our Service.


1. Information We Collect

1.1 Information You Provide

Account Information

  • Email address (required)
  • Name (optional)
  • Company name (optional)

Case and Screening Data

  • Entity names, individuals, companies, and vessels you screen
  • Documents you upload for analysis
  • Chat messages and queries you submit
  • Investigation notes and case files you create

Payment Information

  • Payment processing is handled by Stripe. We do not store your credit card numbers or banking information directly. Please see Stripe's privacy policy at https://stripe.com/privacy.

1.2 Information Collected Automatically

Usage Data

  • Pages viewed and features used
  • Screening events (entity type, risk level, timestamp)
  • PDF exports and report generation
  • Session duration and frequency of use

Device and Technical Data

  • Browser type and version
  • IP address
  • Device identifiers
  • User agent string

Cookies and Local Storage

  • Session identifiers
  • User preferences
  • Daily screening counts

1.3 Information from Third-Party Sources

When you conduct screenings, we query external databases on your behalf and store the results. These sources include sanctions lists, corporate registries, news sources, and public records.


2. How We Use Your Information

We use the information we collect to:

Provide and Operate the Service

  • Process your screening requests against sanctions lists and other data sources
  • Generate risk assessments using AI-powered analysis
  • Store your cases, screenings, and investigation history
  • Generate reports and export documents

Improve and Develop the Service

  • Analyze usage patterns to improve features
  • Debug issues and monitor performance
  • Develop new capabilities

Communicate with You

  • Respond to your inquiries and support requests
  • Send service-related notifications
  • Provide updates about the Service (with your consent for marketing)

Security and Compliance

  • Maintain audit logs for compliance and security purposes
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

3. AI Processing and Anthropic

3.1 How We Use AI

Katharos uses Claude, an AI assistant developed by Anthropic, to analyze screening data, assess risk, and generate reports. When you use our Service:

  • Your queries, entity names, document contents, and screening results are sent to Anthropic's API for processing
  • Claude may access web search capabilities to retrieve current information
  • Claude queries our regulatory knowledge base (stored in Pinecone) for relevant guidance

3.2 Anthropic's Data Practices

Anthropic does not train its AI models on data submitted through its commercial API. Per Anthropic's API Terms of Service, customer inputs and outputs are not used to train or improve Anthropic's models.

For more information, see Anthropic's privacy policy at https://www.anthropic.com/privacy and usage policy at https://www.anthropic.com/policies.

3.3 AI Limitations

AI-generated analysis may contain errors. Katharos outputs are not legal advice and should be reviewed by qualified compliance professionals before use in official decisions or client deliverables.


4. Data Retention

4.1 Retention Periods

Data Type               Retention Period
Account information     Duration of account + 30 days after deletion
Cases and screenings    Duration of account or until deleted by user
Audit logs              7 years (for compliance purposes)
Analytics data          2 years
Cached OFAC data        6 hours (in-memory only)

4.2 Deletion

You may delete individual cases within the Service. Deleted cases are removed from our primary database. Audit log entries referencing deleted cases are retained for compliance purposes.

To delete your account, go to Settings and select "Close Account." This removes your cases, screenings, audit logs, and account information from our primary database.


5. Data Security

We implement technical and organizational measures to protect your information:

In Transit

  • All data transmitted between your browser and our servers uses TLS 1.2+ encryption (HTTPS)
  • All API calls to third-party services use encrypted connections

At Rest

  • Primary database (Supabase/PostgreSQL): Encrypted at rest using AES-256
  • Vector database (Pinecone): Encrypted at rest (vendor-managed)
  • Backups: Encrypted using industry-standard methods

Access Controls

  • Role-based access control (admin, analyst, reviewer, viewer)
  • API keys stored as server-side environment variables
  • Only anonymized public keys exposed client-side

Monitoring

  • Comprehensive audit logging of user actions
  • Security event monitoring

Local Storage Notice

  • Some session data is stored in your browser's localStorage in plaintext for performance. This includes your current session identifier and cached case data. Clear your browser data to remove this information.

For more details, see our Security page at https://katharos.co/security.


6. Your Rights and Choices

6.1 Access and Portability

You may access your data at any time through the Service. To request a machine-readable export of your data, contact patrick@katharos.co.

6.2 Correction

To request correction of your data, contact patrick@katharos.co.

6.3 Deletion

You may delete cases and screenings within the Service. To delete your account, go to Settings and select "Close Account." For additional deletion requests, contact patrick@katharos.co. We will process deletion requests within 30 days.

6.4 Restriction and Objection

You may request that we restrict processing of your data or object to certain processing activities by contacting patrick@katharos.co.

6.5 Withdrawal of Consent

Where processing is based on consent, you may withdraw consent at any time by contacting us or adjusting your settings.

6.6 Regulatory Complaints

If you believe we have violated your privacy rights, you may file a complaint with your local data protection authority.


7. International Data Transfers

Katharos is based in the United States. If you access our Service from outside the United States, your information will be transferred to and processed in the United States.

Our service providers may process data in various locations. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.


8. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will delete it promptly.


9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: We do not sell personal information as defined by the CCPA.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact patrick@katharos.co.


10. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

Legal Bases for Processing

  • Contract: Processing necessary to provide the Service you requested
  • Legitimate Interests: Analytics, security, and service improvement
  • Consent: Marketing communications (where applicable)
  • Legal Obligation: Compliance with applicable laws

Your Rights

  • Access, rectification, erasure, and portability (as described in Section 6)
  • Restriction of processing and objection to processing
  • Withdrawal of consent
  • Complaint to a supervisory authority

Data Controller

Katharos Technologies, Inc. is the data controller for information collected through the Service.

Contact

For GDPR-related inquiries, contact patrick@katharos.co.


11. Cookies and Tracking Technologies

11.1 Cookies We Use

Cookie/Technology     Purpose                                    Duration
Session identifier    Maintain your login session                Session
localStorage          Cache user preferences and session data    Persistent
PostHog               Product analytics                          1 year
Vercel Analytics      Performance monitoring                     Session

11.2 Managing Cookies

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Service.

11.3 Do Not Track

We do not currently respond to "Do Not Track" browser signals.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.


13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

Katharos Technologies, Inc.

Email: patrick@katharos.co

For security-related concerns: patrick@katharos.co