Privacy Policy

Last updated: 1 July 2026

Pursuant to EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"), this Privacy Notice describes how we collect and process your personal data when you register and / or access the Kleos application and request the services provided by us (the "Service"), or benefit from this Service.

To the extent that you are a customer of our services, or a simple user of this website, this Privacy Notice applies together with any terms of business and other contractual documents, including but not limited to any agreements we may have with you.

Regarding the terms used in this Privacy Notice, such as "processing" or "controller" or "personal data", we refer to the definitions of the GDPR.

1. Who is the data controller?

The data controller of the personal data is Kleos Ireland SR Limited, with registered office at The Black Church, St. Mary's Place, Dublin 7, Ireland D07 P4AX, operating under the brand name Kleos (hereinafter referred to as "Kleos" or "we").

2. How do we obtain your personal data?

We collect your personal data directly from you at the time you (i) register with Kleos (via website or application); (ii) access and/or use; (iii) contact us via the website or our support center.

3. What personal data does Kleos process, what are the legal grounds and the scope of processing?

We may collect and process the following categories of personal data:

Processed Data Legal Grounds Scope of Processing
Identity Data First name, last name, title, date of birth, ID documents (national ID card, passport, driver's licence) Art. 6(1)(b) GDPR — Performance of contract Art. 6(1)(c) GDPR — Legal obligation Registration and onboarding; compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations
Contact Data Residence details, billing and delivery address, email address, telephone number Art. 6(1)(b) GDPR — Performance of contract Delivery of the Services (card)
Financial Data Payment card details, amounts associated with accounts, external account details, source of funds and related documentation Art. 6(1)(b) GDPR — Performance of contract Art. 6(1)(c) GDPR — Legal obligation Payment processing; AML/tax compliance; verification of the source of funds
Transactional Data Details about incoming and outgoing operations Art. 6(1)(b) GDPR — Performance of contract Art. 6(1)(c) GDPR — Legal obligation Service execution; AML monitoring; regulatory reporting
Technical Data IP address, device data, browser type and version, location data, time zone, language, operating system, diagnostics Art. 6(1)(f) GDPR — Legitimate interest Statistical analysis of service usage; technical diagnostics; monitoring of service functioning
Access Data Username, password, unique file number (provided when accessing customer support) Art. 6(1)(b) GDPR — Performance of contract Art. 6(1)(f) GDPR — Legitimate interest Account access and security; management of the customer support services
Biometric Data Selfie picture Art. 6(1)(c) GDPR — Legal obligation Art. 9(2)(g) GDPR — Substantial public interest (AML legislation) Identity verification as required by AML European regulations — retained only until verification is complete, and no longer than 1 year from the registration date
Marketing Data Email address Art. 6(1)(a) GDPR — Consent Sending newsletters, promotional communications and updates regarding Kleos services, as well as analysing the effectiveness of such communications

4. Is the provision of data mandatory or optional?

The collection and the processing of your personal data above is optional but failing to provide the data would prevent the possibility for you to enter into the Terms of Service and be provided with the Service.

The provision of your Biometric Data (selfie picture) is mandatory to the extent required by applicable anti-money laundering legislation. Failure to provide such data will prevent us from completing the legally required identity verification process and, consequently, from providing you with the Service. Also, please note that this biometric data is being processed by a compliant AI system for identity verification.

The provision of personal data for marketing purposes is optional and based on your consent. Refusal to provide such data, or withdrawal of consent at any time, will not affect your ability to register for or use the Service.

5. How will the personal data be processed and for how long will they be stored?

Your personal data will be processed using automated and non-automated means. Specific security measures are put in place to prevent data loss, illicit or incorrect use and unauthorized access. Your personal data will be retained for 5 years from the date on which the contract between us has terminated or from the date of the last event interrupting the statutory prescription period.

The same retention period applies for data processed through the rejected applications.

Notwithstanding the above, your Biometric Data (selfie picture) is subject to a specific and more limited retention period, in accordance with the principle of storage limitation. Your biometric data will be retained only for as long as strictly necessary to complete the identity verification process and, in any event, for no longer than the retention period required by applicable law (which currently does not exceed 12 months from the date of registration with Kleos). Upon expiry of such retention period, biometric data will be securely deleted or anonymized.

Personal data processed for marketing purposes will be retained until you withdraw your consent or, where applicable, for a period of 12 months from your last interaction with a marketing communication, whichever occurs first.

6. Will the personal data be disclosed to third parties?

Your personal data may be disclosed to third parties belonging to the following categories: companies within our group to the extent required to provide and improve our Services; banks and payment institutions, to the extent necessary to make or receive payments in connection with the Services; taxation public authorities, to the extent required by the law; judicial authorities and/or police forces, when required by the law; lawyers and law firms, where necessary to pursue our legitimate interest in exercising or defending a right in court and out of court; consultants and IT service providers, to the extent required by them to fulfil their contractual obligations towards us.

7. Third Party Data Controllers

Through the Kleos website and application, you may access platforms (e.g. Instagram, LinkedIn, Facebook) which are provided by third-party service providers acting as independent data controllers for their own purposes. The third-party service providers rely on legal basis for data processing as disclosed in their respective privacy notices, provided to you directly by them or accessible from their websites.

8. Will the personal data be transferred outside the European Economic Area?

In general, your personal data is processed and stored within the European Union. However, certain personal data may be transferred within our group of companies in the United Kingdom (UK), to the extent necessary for the provision of the Service, or compliance with applicable legal obligations.

The United Kingdom, following its withdrawal from the European Union, has been granted an adequacy decision by the European Commission, pursuant to article 45 of the GDPR. This means that the UK is recognised as providing an equivalent level of protection for personal data as that guaranteed within the EEA, and transfers to the UK may take place without the need for additional safeguards.

Certain personal data may be transferred to recipients in the United States of America, in particular IT service providers supporting the provision of the Service. Such transfers shall take place either (i) to recipients certified under the EU–U.S. Data Privacy Framework, covered by the European Commission's adequacy decision of 10 July 2023, or (ii) on the basis of appropriate safeguards pursuant to Article 46 of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission, supplemented, where necessary, by additional technical and organisational measures following a transfer impact assessment.

Further information on the safeguards applied may be obtained by contacting the Data Protection Officer.

In the event that the adequacy decision is suspended, repealed or amended, or in the event that transfers made to UK or US based recipients are not covered by the adequacy decision, Kleos will ensure that appropriate safeguards are in place in accordance with article 46 of the GDPR, including, where applicable, the use of Standard Contractual Clauses adopted by the European Commission.

9. What are your rights in relation to us processing your data?

a) Right of access

You have the right to obtain information from us concerning whether and to what extent we process your data.

b) Right to rectification

If we process data that is incomplete or incorrect, you shall have the right to obtain rectification or completion of this data from us at any time.

c) Right to erasure

You have the right to obtain from us the erasure of your data in the event that we have unlawfully processed this data or if processing this data constitutes a disproportionate infringement of your legitimate interests. Please note that immediate erasure may be barred on some grounds, e.g. statutory retention provisions, legal grounds.

d) Right to restriction of processing

You have the right to obtain restriction of processing your data if:

  • you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data,
  • the processing is unlawful, and you however oppose the erasure of the data and request the restriction of their use instead,
  • we no longer need the data for the intended purposes, but you require these data for the establishment, exercise or defense of legal claims, or
  • you have objected to the processing of the data.

e) Right to data portability

You have the right to receive the data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit these data to another responsible party without hindrance from us, provided that the processing is carried out by automated means. If technically feasible, you have the right to have your data transmitted directly to another responsible party by us.

f) Right to object

If we process your data on the basis of legitimate interests, you have the right to object to this processing, on grounds relating to your particular situation, at any time. We shall then no longer process your data unless we can demonstrate compelling, legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

g) Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You may withdraw your consent by contacting us using the details provided in Section 10 or by using the unsubscribe link included in each marketing communication.

h) Right to file a complaint

Should you deem that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority of the EU Member State where you live or work, or where the alleged breach has occurred (Article 77 of the GDPR), or to take legal action before a court (Article 79 of the GDPR).

10. How can you exercise the above-mentioned rights?

To exercise your rights, please contact us by mail at "Kleos Ireland SR Limited, with registered office at The Black Church, St. Mary's Place, Dublin 7, Ireland D07 P4AX – to the kind attention of Data Protection Officer", or by email at dpo@kleos-capital.com.

11. The Data Protection Officer

We have appointed a DPO, who can be contacted directly by email at dpo@kleos-capital.com.

Last updated: 1 July 2026