Privacy Policy

  1. Introduction
    1. 1.1.In order to service our clients, Kudy Financials Sàrl (hereinafter “Kudy Financials Sàrl” “we” or “us”) needs to collect personal data from our clients and /or potential clients and employees.

      In light of the above, Kudy Financials Sàrl wants to ensure a high level of data protection as privacy is a cornerstone in gaining and maintaining the trust of our clients, employees and suppliers and thus, ensuring Kudy Financials Sàrl’s business in the future.

      The protection of personal data requires that appropriate technical and organisational measures are taken to demonstrate a high level of data protection. Kudy Financials Sàrl has adopted a number of internal and external data protection policies, which must be adhered to by employees of Kudy Financials Sàrl.

      Additionally, Kudy Financials Sàrl will monitor, audit and document internal compliance with the data protection policies and applicable statutory data protection requirements, including theGeneral Data Protection Regulation (“GDPR”)of the European Union/European Economic Area (“EU/EEA”) where some or all of our servers and other communication technology assets are domiciled.

      Kudy Financials Sàrl will also take the necessary steps in order to enhance data protection compliance within the organization. These steps include the assignment of responsibilities, raising awareness and training of staff involved in processing operations. Please note that this Privacy Policy will be reviewed from time to time to take into account any new obligations and that any personal data we hold will be governed by our most recent policy.

      This Privacy Policy, along with guidelines for processing of personal data, constitutes the overall framework for processing of personal data within Kudy Financials Sàrl.
    2. 1.2.“Personal Data” is any information which may be related to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, phone number, age, gender, an employee, a job applicant, clients, suppliers and other business partners. This also includes special categories of personal data (sensitive personal data) and confidential information such as health information, account number, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    3. 1.3.Although, information regarding companies/businesses is not as such, personal data, please note that information relating to contacts within such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered personal data.
    4. 1.4.Kudy Financials Sàrl collects and uses personal data for a variety of legitimate business purposes, including establishment and management of customer and supplier relationships, completion of purchase orders, recruitment and management of all aspects of terms and conditions of employment, communication, fulfillment of legal obligations or requirements, performance of contracts, providing services to clients, etc.
    5. 1.5.Personal data shall always be:
      • processed lawfully, fairly and in a transparent manner in relation to the data subject,
      • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,
      • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay,
      • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed,
      • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
    6. 1.6. Kudy Financials Sàrl shall be responsible for and be able to demonstrate compliance with the above as part of Kudy Financials Sàrl’s accountability.
  2. Legal Basis For Processing Personal Data
    1. 2.1. Processing of personal data requires a legal basis. The most predominant legal basis for processing personal data within Kudy Financials Sàrl are:
      • consent from the data subject for one or more specific purposes,
      • the performance of a contract to which the data subject is party,
      • a legal obligation or requirement,
      • legitimate interests pursued by Kudy Financials Sàrl
    2. 2.2.Consent
      1. 2.2.1.If the collection, registration and further processing of personal data on clients, suppliers, other business relations and employees are based on such a person’s consent to the processing of personal data for one or more specific purposes, Kudy Financials Sàrl shall be able to demonstrate that the data subject has consented to processing of such personal data.
      2. 2.2.2. Consent shall be: freely given, specific, informed and unambiguous. The data subject must actively consent to the processing of personal data by a statement or by a clear affirmative action, to him/her.
      3. 2.2.3. A request for consent shall be presented in a manner, which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
      4. 2.2.4. To process special categories of personal data (sensitive personal data) the consent shall also be explicit.
      5. 2.2.5.The data subject is entitled to withdraw his/her consent at any time and upon such withdrawal, we will stop collecting or processing personal data about that person unless we are obligated or entitled to do so based on another legal basis.
    3. 2.3.Necessary for the performance of a contract
      • 2.3.1.It will be legitimate to collect and process personal data relevant to the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This applies to all contractual obligations and agreements signed with Kudy Financials Sàrl, including the pre-contractual phase irrespective of the success of the contract negotiation or not.
    4. 2.4.Comply with a legal obligation
      • 2.4.1.Kudy Financials Sàrl has to comply with various legal obligations and requirements, which have basis in the European Union or European Economic Area Member State law. Such legal obligation, to which Kudy Financials Sàrl is subject, may be sufficient as a legitimate basis for processing of personal data.
      • 2.4.2.Such legal obligations include obligations to collect, register and/or make available certain types of information relating to employees, clients, etc. Such legal requirements will then form the legal basis for us to process the personal data, however, it is important to note whether the provisions allowing or requiring Kudy Financials Sàrl to process certain personal data also set out requirements in relation to storage, disclosure and deletion.
    5. 2.5.Legitimate Interests
      • 2.5.1.Data will only be processed where it is necessary for the purposes of the legitimate interests pursued by Kudy Financials Sàrl, and these interests or fundamental rights are not overridden by the interests of the data subject. Kudy Financials Sàrl will, when deciding to process data ensures that the legitimate interests override the rights and freedoms of the individual and that the processing would not cause unwarranted harm. For instance, it is a legitimate interest of Kudy Financials to process personal data on potential client in order to expand the business and develop new business relations. The data subject must be given information on the specific legitimate interest if a processing is based on this provision, cf. section 4.1 below.
    6. 2.6.Processing Personal Data for Machine Learning and Artificial Intelligence Training
      • 2.6.1. Key Definitions
        • Artificial Intelligence (AI): Systems developed to simulate human reasoning in tasks such as detecting fraudulent activities, analysing support communications, and predicting behaviour patterns.
        • Machine Learning (ML): A subset of AI involving the use of data-driven models that autonomously adjust and improve without explicit programming.
        • AI/ML Training: The process of using de-identified or pseudonymised client data (e.g., transaction logs, device usage, anonymised chats) to improve the accuracy, fairness, and efficiency of ML models.
        • Inference: The application of a trained model to new input data to generate outputs like risk scores, alerts, or automated recommendations.
        • Profiling: Any automated processing of personal data to evaluate personal aspects of individuals, including behaviours, preferences, and reliability.
      • 2.6.2. Purpose and Scope
        Kudy processes pseudonymised and anonymised personal data for the purpose of:
        • Improving fraud detection models.
        • Powering AI-driven customer support tools (e.g., intelligent chatbot).
        • Personalising user experience and financial recommendations.
        • Piloting and testing new financial technologies.
        All processing is aligned with the GDPR and anticipated requirements of the EU AI Act, including high-risk AI classification where applicable (e.g., fraud detection).
      • 2.6.3. Legal Basis for Processing
        1. Consent (Article 6(1)(a)): Where AI/ML training exceeds the scope of core service delivery or where experimental features are being tested, we request explicit and informed consent from the data subject. Consent is voluntary and can be withdrawn at any time without service disruption.
        2. Contractual Necessity & Legal Obligation (Article 6(1)(b) &(c): Where AI is necessary for delivering financial services, managing security, or complying with regulations (e.g. anti-money laundering), processing is based on contractual necessity and legal requirements.
        3. Legitimate Interests (Article 6(1)(f): For use cases such as ongoing model refinement and internal analytics, processing is conducted under a legitimate interest basis and justified through a completed and recorded balancing test ensuring data subjects’ rights are not overridden.
      • 2.6.4. Profiling & Automated Decision-Making
        If AI models are used for profiling or automated decisions that produce legal or similarly significant effects (e.g., denying a service or assessing risk), Kudy ensures:
        • Human oversight and appeal mechanisms
        • A right not to be subject to purely automated decision-making (Article 22 GDPR)
        • Explainability of the model logic in a meaningful, understandable form
      • 2.6.5. Data Protection Impact Assessments (DPAI)
        A DPIA is mandatory for all AI/ML projects involving high-risk processing or profiling. These assessments are reviewed every six months and documented following Article 35 GDPR and the AI Act's lifecycle governance principles.
      • 2.6.6. Data Minimisation & Security
        • Data is collected only for the purposes defined above and is limited to what is strictly necessary.
        • Personal identifiers are pseudonymised using advanced tokenisation techniques
        • Encryption is applied to all training datasets at rest and in transit.
        • Access is role-based and restricted to authorised personnel only.
      • 2.6.7. Transparency & Data Subject Rights
        We ensure transparency by:
        • Disclosing categories of data used, model objectives, and logic involved in profiling
        • Providing access, correction, deletion, restriction, objection, and portability rights
        • Ensuring timely responses (within 30 days) via our Data Protection Officer (DPO)
      • 2.6.8. Processor Management & International Transfers
        • All vendors involved in AI processing are bound by data protection agreements under Article 28 GDPR.
        • Cross-border transfers are permitted only where valid safeguards (e.g., Standard Contractual Clauses) are in place or with explicit user consent, in line with Chapter V GDPR.
      • 2.6.9. Data Retention & Deletion
        • Training datasets are retained only for as long as they contribute to active model improvement.
        • Upon withdrawal of consent or project conclusion, data is securely deleted or irreversibly anonymised using industry best practices.
  3. Processing And Transfer Of Personal Data
    1. 3.1.Kudy as a Data Controller
      • 3.1.1.Kudy Financials Sàrl will be considered a data controller to the extent that we decide by which means the data subject’s personal data shall be processed e.g. when a data subject signs an agreement with Kudy Financials Sàrl. 3.2 Use of data processors
    2. 3.2.Use of Data Processors
      • 3.2.1.An external data processor is a company, which processes personal data on behalf of Kudy Financials Sàrl and in accordance with Kudy Financials Sàrl’s instructions, e.g. in relation to HR systems, third party IT providers, etc. When Kudy Financials Sàrl outsources the processing of personal data to data processors, Kudy Financials Sàrl ensures that said company as a minimum applies the same degree of data protection as Kudy Financials Sàrl. If this cannot be guaranteed, Kudy Financials Sàrl will choose another data processor.
    3. 3.3.Data processing agreements
      • 3.3.1.Before the transfer of personal data to the data processor, Kudy Financials Sàrl shall enter into a written data processing agreement with the data processor. The data processing agreement ensures that Kudy Financials Sàrl controls the processing of personal data, which takes place outside Kudy Financials Sàrl for which Kudy Financial Sàrl is responsible.
      • 3.3.2.If the data processor/sub-data processor is located outside the EU/EEA, the conditions of clause 3.4.4 below will apply.
    4. 3.4.Disclosure of personal data
      • 3.4.1.Before disclosing personal data to others, it is the responsibility of Kudy Financials Sàrl to consider whether the recipient is employed by us or not. Furthermore we may only share personal data within Kudy Financials Sàrl, if we have a legitimate business purpose in the disclosure.
      • 3.4.2.It is Kudy Financials Sàrl’s responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and to ensure that sharing of personal data is restricted and kept to a minimum.
      • 3.4.3.Kudy Financials Sàrl must show caution before sharing personal data with persons, data subjects or entities outside of Kudy Financials Sàrl. Personal data shall only be disclosed to third parties acting as individual data controllers if a legitimate purpose for such transfer exists. If the recipient is acting as a data processor, please refer to clause 3.2 above.
      • 3.4.4.If the third party recipient is located outside the EU/EEA or in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between Kudy Financials Sàrl and the third party. The transfer agreement shall be based on EU Standard Contractual Clauses.
  4. Rights Of The Data Subject
    1. 4.1.Duty of Information
      • 4.1.1.When Kudy Financials Sàrl collects and registers personal data on data subjects Kudy Financials Sàrl is obligated to inform such persons about:
        • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing
        • the legitimate interests pursued by Kudy Financials Sàrl, if the processing is based on a balancing of interests;
        • the recipients or categories of recipients of the personal data, if any
        • where applicable, the fact that Kudy Financials Sàrl intends to transfer personal data to a third country and the legal basis for such transfer
        • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
        • the existence of the right to request from Kudy Financials Sàrl access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
        • where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
        • the right to lodge a complaint with Kudy Financials Sàrl via the correct procedure or with a supervisory authority
        • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of possible consequences of failure to provide such data
      The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This information will in most cases be provided via a privacy notice on Kudy Financials’ home page.
    2. 4.2.Right to access
      • 4.2.1.Any person whose personal data Kudy Financials Sàrl is processing, including, but not limited to, Kudy Financials Sàrl employees, job applicants, external suppliers, clients, potential clients, business partners, etc. has the right to request access to the personal data which Kudy Financials Sàrl processes or stores about him/her.
      • 4.2.2. If Kudy Financials Sàrl processes or stores personal data about the data subject, the data subject shall have the right to access the personal data and the reasons for the data to be processed in relation to the criteria set out in 4.1.1.
      • 4.3.The data subject shall have the right to obtain from Kudy Financials without undue delay the rectification of inaccurate personal data concerning him or her.
      • 4.4.The data subject shall have the right to obtain from Kudy Financials the erasure of personal data concerning him or her and Kudy Financials Sàrl shall have the obligation to erase personal data without undue delay, unless required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.
      • 4.5.The data subject shall have the right to obtain from Kudy Financials restriction of processing, if applicable.
      • 4.6.The data subject shall have the right to receive the personal data registered in a structured and commonly used and machine-readable format, if applicable.
      • 4.7.The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on a balancing of interests, including profiling.
      • 4.8.Any requests received from a data subject to exercise the rights in this clause will be answered as soon as reasonably possible, and no later than 30 days from receipt. Requests shall be forwarded without delay to Kudy Financials Sàrl’s Service Center. The Service Center will be supported by the Kudy Financials Sàrl’s Data Protection Officer to process the request to meet the reply deadline.
  5. Data Protection By Design And Data Protection By Default
    1. 5.1. New products, services, technical solutions, etc. must be developed so that they meet the principles of data protection by design and data protection by default.
      1. 5.1.1.Data protection by design means that when designing new products or services due consideration to data protection is taken.
        • Kudy Financials Sàrl will take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
        • Kudy Financials Sàrl shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet data protection requirements and protect the rights of data subjects.
      2. 5.1.2.Data protection by default requires that relevant data minimization techniques are implemented.
        • Kudy Financials Sàrl shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
        • This minimisation requirement applies to the amount of personal data collected, the extent of their . processing, the period of their storage and their accessibility.
        • Such measures shall ensure that by default personal data is not made accessible without careful consideration.
  6. Records Of Processing Activities
    1. 6.1. Kudy Financials Sàrl shall as data controller maintain records of processing activities under Kudy Financials Sàrl’s responsibility. The records shall contain the following information:
      • the name and contact details of data subject,
      • the purposes of the processing,
      • a description of the categories of data subjects and of the categories of personal data,
      • the recipients to whom the personal data have been or will be disclosed,
      • including recipients in third countries or international organizations,
      • where applicable, transfers of personal data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards,
      • where possible, the envisage time limits for erasure of the different categories of data,
      • where possible, a general description of the applied technical and organisational security measures.
    2. 6.2. Kudy Financials Sàrl shall make the records available to relevant data protection authorities upon request.
  7. Deletion Of Personal Data
    1. 7.1.Personal data shall be deleted when Kudy Financials Sàrl no longer has a legitimate purpose for the continuous processing or storage of the personal data, or when it is no longer required to store the personal data in accordance with applicable legal requirements.
    2. 7.2. Detailed retention periods with respect to various categories of personal data are specified in Kudy Financials Sàrl’s Data Retention and Information Sharing policy.
  8. Risk Assessment Of Risk
    1. 8.1.If Kudy Financials Sàrl processes personal data that is likely to result in a high risk for the persons whose personal data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be carried out.
    2. 8.1.1. A DPIA implies that Kudy Financials Sàrl will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection requirements.
    3. 8.2.The technical and organisational measures shall be reviewed and updated where necessary and no later than every 6 months.
    4. 8.2.1.Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the appropriate technical and organisational measures pursuant to this clause.
  9. National Requirements
    1. 9.1. Kudy Financials Sàrl shall comply with the GDPR.
    2. 9.2.If applicable Data Protection Law requires a higher level of protection for personal data than such policies/guidelines, such stricter requirements are to be complied with. If Kudy Financials Sàrl’s policies/guidelines are stricter than the local legislation, our policies/guidelines must be complied with.
  10. Contact and Complaints
    1. 10.1.If you have any questions regarding the content of this policy, please contact Kudy Financials Sàrl’s Data Protection officer at dpo@kudy.io.
    2. 10.2. If you would like to file a complaint about Kudy Financials Sàrl’s processing of personal data, please contact the European Data Protection Supervisor (the European Union’s independent data protection authority).

Have any questions?

Need more information about our Funds and other services we offer?

Say Hi

[email protected]

© 2026 Kudy Financials S.à.r.l. All Rights Reserved.