TL;DR
Kubera uses your data to provide and improve the service.
Kubera does not own your data.
Kubera does not sell your data to 3rd parties or for advertising

Terms of Service

Last updated: Sep 1, 2024

Please read these terms and conditions carefully before using Our Service.

Interpretation and Definitions

The words of which the initial letter is capitalized have meanings defined under the following conditions.

The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of these Terms and Conditions:

  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Account means a unique account created for You to access our Service or parts of our Service.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Kubera Apps, Inc., 251 Little Falls Drive, Wilmington, New Castle County, DE 19808.
  • Content refers to content such as text, images, or other information that can be posted, uploaded, linked to or otherwise made available by You, regardless of the form of that content.
  • Country refers to: Delaware, United States
  • Feedback means feedback, innovations or suggestions sent by You regarding the attributes, performance or features of our Service.
  • Promotions refer to contests, sweepstakes or other promotions offered through the Service.
  • Service refers to the Kubera Portfolio Management application.
  • Subscriptions refer to the services or access to the Service offered on a subscription basis by the Company to You.
  • Trial refers to a limited period of time the user can use the product by paying a one time non refundable fee before purchasing a Subscription.
  • Terms and Conditions (also referred as "Terms") mean these Terms and Conditions that form the entire agreement between You and the Company regarding the use of the Service.
  • Third-party Social Media Service means any services or content (including data, information, products or services) provided by a third-party that may be displayed, included or made available by the Service.
  • Website refers to the Kubera website, accessible from https://www.kubera.com
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Financial Advice Disclaimer

Kubera isn't a registered financial advisor or broker-dealer and doesn't provide personalized financial, investment, tax, or legal advice. Our information is intended for informational purposes only and should not be considered as specific advice or recommendations. Your investment decisions should be based on your own risk tolerance and financial situation.

Acknowledgement

These are the Terms and Conditions governing the use of this Service and the agreement that operates between You and the Company. These Terms and Conditions set out the rights and obligations of all users regarding the use of the Service.

Your access to and use of the Service is conditioned on Your acceptance of and compliance with these Terms and Conditions. These Terms and Conditions apply to all visitors, users and others who access or use the Service.

By accessing or using the Service You agree to be bound by these Terms and Conditions. If You disagree with any part of these Terms and Conditions then You may not access the Service.

Your access to and use of the Service is also conditioned on Your acceptance of and compliance with the Privacy Policy of the Company. Our Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your personal information when You use the Application or the Website and tells You about Your privacy rights and how the law protects You. Please read Our Privacy Policy carefully before using Our Service.

Subscriptions

Subscription period

The Service or some parts of the Service are available only with a paid Subscription. You will be billed in advance on a recurring and periodic basis (monthly or annually), depending on the type of Subscription plan you select when purchasing the Subscription.

At the end of each period, Your Subscription will automatically renew under the exact same conditions unless You cancel it or the Company cancels it.

Subscription cancellations

You may cancel Your Subscription renewal either through Your Account settings page or by contacting the Company.

You will not receive a refund for the fees You already paid for Your current Subscription period and You will be able to access the Service until the end of Your current Subscription period.

Billing

You shall provide the Company with accurate and complete billing information including full name, address, state, zip code, telephone number, and a valid payment method information.

Should automatic billing fail to occur for any reason, the Company will issue an electronic invoice indicating that you must proceed manually, within a certain deadline date, with the full payment corresponding to the billing period as indicated on the invoice.

Fee Changes

The Company, in its sole discretion and at any time, may modify the Subscription fees. Any Subscription fee change will become effective at the end of the then-current Subscription period.

The Company will provide You with reasonable prior notice of any change in Subscription fees to give You an opportunity to terminate Your Subscription before such change becomes effective.

Your continued use of the Service after the Subscription fee change comes into effect constitutes Your agreement to pay the modified Subscription fee amount.

Refunds

Except when required by law, paid Subscription fees are non-refundable.

Certain refund requests for Subscriptions may be considered by the Company on a case-by-case basis and granted at the sole discretion of the Company.

Trial

The Company may, at its sole discretion, offer a trial period for a limited period of time for a one time fee.

You may be required to enter Your billing information (Payment Card details) in order to start the trial. The card will be charged for the one time fee before starting the trial.

The subscription does not automatically start after the trial. It may only commence when You actively choose a subscription plan and confirm your choice by clicking the 'Subscribe' button in the Settings screen.

You have the freedom to subscribe at any point during your trial. But your card will be charged only after the trial period concludes.

Additionally, if you have any credits in your account, these will be applied as a discount when your card is charged.

If You decide not to subscribe, please be aware that for security reasons, your connections to banks, brokerages, wallets, nest portfolios, shared users will be severed after the trial period. For a seamless continuation of usage, it is advisable to subscribe before the trial ends.

At any time and without notice, the Company reserves the right to (i) modify the terms and conditions of the Trial offer, or (ii) cancel such Trial offer.

Promotions

Any Promotions made available through the Service may be governed by rules that are separate from these Terms.

If You participate in any Promotions, please review the applicable rules as well as our Privacy policy. If the rules for a Promotion conflict with these Terms, the Promotion rules will apply.

User Accounts

When You create an account with Us, You must provide Us information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of Your account on Our Service.

You are responsible for safeguarding the password that You use to access the Service and for any activities or actions under Your password, whether Your password is with Our Service or a Third-Party Social Media Service.

You agree not to disclose Your password to any third party. You must notify Us immediately upon becoming aware of any breach of security or unauthorized use of Your account.

You may not use as a username the name of another person or entity or that is not lawfully available for use, a name or trademark that is subject to any rights of another person or entity other than You without appropriate authorization, or a name that is otherwise offensive, vulgar or obscene.

Fair Usage Policy

Kubera is committed to providing a seamless and efficient experience for managing and tracking your financial portfolios. To ensure optimal performance and data accuracy, we have established the following Fair Usage Policy as part of our Terms of Use:

Unique Connections for Bank and Brokerage Logins

  • Users are allowed to add multiple connections from the same bank or brokerage, provided they use different login credentials (e.g., personal and business accounts, or accounts belonging to family members).
  • Duplicate logins—where the same bank or brokerage login is added more than once—are not permitted and can lead to data discrepancies and synchronization issues.
  • Kubera’s platform is designed to handle each bank or brokerage login as a unique instance. Adding the same login more than once can disrupt the accuracy and efficiency of the service.

Recommended Practices

  • When managing multiple accounts from the same institution, use separate logins for each account type (e.g., personal vs. business) instead of duplicating the same login credentials.
  • Organize your financial accounts into distinct portfolios based on their purpose or ownership, without duplicating the same login across multiple portfolios.

Handling and Resolution of Issues

  • Errors or discrepancies arising from the use of duplicate logins across multiple portfolios may not be resolvable by Kubera's support team.
  • To maintain data accuracy and avoid synchronization issues, users are advised to remove any duplicate logins and ensure that each login is only used once within Kubera.

Account Limitations

  • Kubera reserves the right to monitor and limit the number of duplicate logins associated with an account to ensure service quality and performance.

Violation of Fair Usage

  • Repeated violations of this Fair Usage Policy may result in restricted access to certain features or, in extreme cases, suspension of the account.

By adhering to this Fair Usage Policy, users can ensure the smooth functioning of their financial tracking and management experience with Kubera.

Content

Your Right to Post Content

Our Service allows You to post Content. You are responsible for the Content that You post to the Service, including its legality, reliability, and appropriateness.

You represent and warrant that: (i) the Content is Yours (You own it) or You have the right to use it, and (ii) the posting of Your Content on or through the Service does not violate the privacy rights, publicity rights, copyrights, contract rights or any other rights of any person.

Content Restrictions

The Company is not responsible for the content of the Service's users. You expressly understand and agree that You are solely responsible for the Content and for all activity that occurs under your account, whether done so by You or any third person using Your account.

You may not transmit any Content that is unlawful, offensive, upsetting, intended to disgust, threatening, libelous, defamatory, obscene or otherwise objectionable. Examples of such objectionable Content include, but are not limited to, the following:

  • Unlawful or promoting unlawful activity.
  • Defamatory, discriminatory, or mean-spirited content, including references or commentary about religion, race, sexual orientation, gender, national/ethnic origin, or other targeted groups.
  • Spam, machine – or randomly – generated, constituting unauthorized or unsolicited advertising, chain letters, any other form of unauthorized solicitation, or any form of lottery or gambling.
  • Containing or installing any viruses, worms, malware, trojan horses, or other content that is designed or intended to disrupt, damage, or limit the functioning of any software, hardware or telecommunications equipment or to damage or obtain unauthorized access to any data or other information of a third person.
  • Infringing on any proprietary rights of any party, including patent, trademark, trade secret, copyright, right of publicity or other rights.
  • Impersonating any person or entity including the Company and its employees or representatives.
  • Violating the privacy of any third person.
  • False information and features.

The Company reserves the right, but not the obligation, to, in its sole discretion, determine whether or not any Content is appropriate and complies with this Terms, refuse or remove this Content. The Company further reserves the right to make formatting and edits and change the manner any Content. The Company can also limit or revoke the use of the Service if You post such objectionable Content.

As the Company cannot control all content posted by users and/or third parties on the Service, you agree to use the Service at your own risk. You understand that by using the Service You may be exposed to content that You may find offensive, indecent, incorrect or objectionable, and You agree that under no circumstances will the Company be liable in any way for any content, including any errors or omissions in any content, or any loss or damage of any kind incurred as a result of your use of any content.

Content Backups

Although regular backups of Content are performed, the Company does not guarantee there will be no loss or corruption of data.

Corrupt or invalid backup points may be caused by, without limitation, Content that is corrupted prior to being backed up or that changes during the time a backup is performed.

The Company will provide support and attempt to troubleshoot any known or discovered issues that may affect the backups of Content. But You acknowledge that the Company has no liability related to the integrity of Content or the failure to successfully restore Content to a usable state.

You agree to maintain a complete and accurate copy of any Content in a location independent of the Service.

Copyright Policy

Intellectual Property Infringement

We respect the intellectual property rights of others. It is Our policy to respond to any claim that Content posted on the Service infringes a copyright or other intellectual property infringement of any person.

If You are a copyright owner, or authorized on behalf of one, and You believe that the copyrighted work has been copied in a way that constitutes copyright infringement that is taking place through the Service, You must submit Your notice in writing to the attention of our copyright agent via email at hello@kubera.com and include in Your notice a detailed description of the alleged infringement.

You may be held accountable for damages (including costs and attorneys' fees) for misrepresenting that any Content is infringing Your copyright.

DMCA Notice and DMCA Procedure for Copyright Infringement Claims

You may submit a notification pursuant to the Digital Millennium Copyright Act (DMCA) by providing our Copyright Agent with the following information in writing (see 17 U.S.C 512(c)(3) for further detail):

  • An electronic or physical signature of the person authorized to act on behalf of the owner of the copyright's interest.
  • A description of the copyrighted work that You claim has been infringed, including the URL (i.e., web page address) of the location where the copyrighted work exists or a copy of the copyrighted work.
  • Identification of the URL or other specific location on the Service where the material that You claim is infringing is located.
  • Your address, telephone number, and email address.
  • A statement by You that You have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law.
  • A statement by You, made under penalty of perjury, that the above information in Your notice is accurate and that You are the copyright owner or authorized to act on the copyright owner's behalf.

You can contact our copyright agent via email at hello@kubera.com.

Upon receipt of a notification, the Company will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Service.

Intellectual Property

Kubera® is a registered trademark of the Company, in the United States of America.

All company, product and service names, logos, and brands used in this website are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

The Service and its original content (excluding Content provided by You or other users), features and functionality are and will remain the exclusive property of the Company and its licensors.

The Service is protected by copyright, trademark, and other laws of both the Country and foreign countries.

Our trademarks and trade dress may not be used in connection with any product or service without the prior written consent of the Company.

Your Feedback to Us

You assign all rights, title and interest in any Feedback You provide the Company. If for any reason such assignment is ineffective, You agree to grant the Company a non-exclusive, perpetual, irrevocable, royalty free, worldwide right and licence to use, reproduce, disclose, sub-licence, distribute, modify and exploit such Feedback without restriction.

Links to Other Websites

Our Service may contain links to third-party web sites or services that are not owned or controlled by the Company.

The Company has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that the Company shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods or services available on or through any such web sites or services.

We strongly advise You to read the terms and conditions and privacy policies of any third-party web sites or services that You visit.

Termination

We may terminate or suspend Your Account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if You breach these Terms and Conditions.

Upon termination, Your right to use the Service will cease immediately. If You wish to terminate Your Account, You may simply discontinue using the Service.

Limitation of Liability

Notwithstanding any damages that You might incur, the entire liability of the Company and any of its suppliers under any provision of this Terms and Your exclusive remedy for all of the foregoing shall be limited to the amount actually paid by You through the Service or 100 USD if You haven't purchased anything through the Service.

To the maximum extent permitted by applicable law, in no event shall the Company or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits, loss of data or other information, for business interruption, for personal injury, loss of privacy arising out of or in any way related to the use of or inability to use the Service, third-party software and/or third-party hardware used with the Service, or otherwise in connection with any provision of this Terms), even if the Company or any supplier has been advised of the possibility of such damages and even if the remedy fails of its essential purpose.

Some states do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may not apply. In these states, each party's liability will be limited to the greatest extent permitted by law.

"AS IS" and "AS AVAILABLE" Disclaimer

The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.

Without limiting the foregoing, neither the Company nor any of the company's provider makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.

Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.

Governing Law

The laws of the Country, excluding its conflicts of law rules, shall govern this Terms and Your use of the Service. Your use of the Application may also be subject to other local, state, national, or international laws.

Disputes Resolution

If You have any concern or dispute about the Service, You agree to first try to resolve the dispute informally by contacting the Company.

For European Union (EU) Users

If You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident in.

United States Federal Government End Use Provisions

If You are a U.S. federal government end user, our Service is a "Commercial Item" as that term is defined at 48 C.F.R. §2.101.

United States Legal Compliance

You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a “terrorist supporting” country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.

Severability and Waiver

Severability

If any provision of these Terms is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.

Waiver

Except as provided herein, the failure to exercise a right or to require performance of an obligation under this Terms shall not effect a party's ability to exercise such right or require such performance at any time thereafter nor shall be the waiver of a breach constitute a waiver of any subsequent breach.

Translation Interpretation

These Terms and Conditions may have been translated if We have made them available to You on our Service.

You agree that the original English text shall prevail in the case of a dispute.

Changes to These Terms and Conditions

We reserve the right, at Our sole discretion, to modify or replace these Terms at any time. If a revision is material We will make reasonable efforts to provide at least 30 days' notice prior to any new terms taking effect. What constitutes a material change will be determined at Our sole discretion.

By continuing to access or use Our Service after those revisions become effective, You agree to be bound by the revised terms. If You do not agree to the new terms, in whole or in part, please stop using the website and the Service.

Contact Us

If you have any questions about these Terms and Conditions, You can contact us by email hello@kubera.com.

Privacy Policy

Last updated: Mar 10, 2022

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions.

The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
    Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Kubera Apps, Inc., 251 Little Falls Drive, Wilmington, New Castle County, DE 19808.
    For the purpose of the GDPR, the Company is the Data Controller.
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Account means a unique account created for You to access our Service or parts of our Service.
  • Website refers to the Kubera website, accessible from https://kubera.com
  • Service refers to the Kubera Portfolio Management application.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service, to assist the Company in analyzing how the Service is used or to assist the Company in promoting the Service.
    For the purpose of the GDPR, Service Providers are considered Data Processors.
  • Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
  • Personal Data is any information that relates to an identified or identifiable individual.
    For the purposes for GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
    For the purposes of the CCPA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.
  • Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
  • Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
  • Business, for the purpose of the CCPA (California Consumer Privacy Act), refers to the Company as the legal entity that collects Consumers' personal information and determines the purposes and means of the processing of Consumers' personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California.
  • Consumer, for the purpose of the CCPA (California Consumer Privacy Act), means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
  • Sale, for the purpose of the CCPA (California Consumer Privacy Act), means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal information to another business or a third party for monetary or other valuable consideration.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Display picture
  • Files you’ve uploaded
  • Phone number
  • Mailing Address
  • Home address
  • Vehicle VIN number
  • Internet Domain Names
  • Assets, Debts - Details and Value
  • Net Worth
  • Insurance details
  • Beneficiary Name, Email and Phone
  • Backup beneficiary (Trusted Angel) Name, Email and Phone
  • Credit Card Details

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service.

You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.

Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.

We use both session and persistent Cookies for the purposes set out below:

Necessary / Essential Cookies

Type: Session Cookies

Administered by: Us

Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

Cookies Policy / Notice Acceptance Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Functionality Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

Tracking and Performance Cookies

Type: Persistent Cookies

Administered by: Third-Parties

Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about services we offer, unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.
  • To send You rewards: We may collect your Mailing Address by contacting You outside the app and by explaining the purpose, for example, for sending rewards based on Our loyalty programs.

We may share your personal information in the following situations:

  • With Service Providers: We may share Your personal information with Service Providers for connecting Your online financial accounts, fetching latest asset value, processing payments, monitoring usage, report bugs, customer support, email marketing and for targeting the Company's promotional campaigns.
  • For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
  • With 'White Label Customers': We may share Your personal information with our 'White-Label Customers', ONLY if You signed up to the Service as their client.

Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Detailed Information on the Processing of Your Personal Data

Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.

Fetch latest asset value

The Users may link their bank, brokerage, crypto wallet accounts for the Service to automatically fetch their financial information. They may also provide their house address, car's VIN or domain names to automatically fetch their latest price. We may use third-party Service providers to power the automatic fetching of account balances and asset values.

Finicity by Mastercard provides account aggregation to top financial institutions in USA, Canada, Australia, and Canada. Finicity collects and securely stores the credentials you share, such as User name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://www.finicity.com/privacy/

Plaid provides account aggregation to top financial institutions in USA, Canada, UK, Spain, France, Ireland and Netherlands. Plaid collects and securely stores the credentials you share, such as User name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://plaid.com/legal/#end-user-privacy-policy.

Yodlee provides account aggregation to top financial institutions in USA, Canada, UK, South Africa, UAE, India, Malaysia, Hong Kong, Singapore, Australia and New Zealand. Yodlee collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://www.yodlee.com/legal/privacy-notice.

MX provides account aggregation to top financial institutions in USA and Canada. MX collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://www.mx.com/privacy-policy/

Salt Edge provides account aggregation to top financial institutions mainly in Europe, and also in South Africa, UAE, India, Malaysia, Hong Kong, Singapore, Australia, New Zealand among others. Salt Edge collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://www.saltedge.com/pages/privacy_policy.

Kubera users who connect to European banks using Salt Edge may sign up to the Salt Edge Dashboard to manage the connections in a consolidated way. By accessing the Salt Edge Dashboard and using the Services, you agree to Salt Edge Dashboard Terms and Conditions and Salt Edge Dashboard Privacy Policy.

SnapTrade provides account aggregation to top stock brokerages in USA, Canada, UK, Netherlands, India, and Australia . SnapTrade collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us.

Akahu is an open finance platform, focussed on New Zealand. Akahu makes it simple to connect your accounts to trusted products. Akahu collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us. If you choose to connect accounts via Akahu, you can manage those connections at my.akahu.nz. Their Privacy Policy can be viewed at https://www.akahu.nz/privacy-notice. Find out more about Akahu here.

Lean provides account aggregation to top financial institutions in the Middle East. Lean collects and securely stores the credentials you share, such as user name and password. This information is never stored by, or disclosed to, us. Their Privacy Policy can be viewed at https://www.leantech.me/legal/privacy

Zillow is the leading real estate and rental marketplace dedicated to empowering consumers with data, inspiration and knowledge around the place they call home, and connecting them with the best local professionals who can help. Zillow allows Kubera customers to enter their US home address to get a no‑obligation estimated market value. Their Privacy Policy can be viewed at https://www.zillowgroup.com/zg-privacy-policy/

VinAudit partners with government agencies, non-profit organizations, and industry sources across US & Canada to offer a vehicle history report. VinAudit allows Kubera customers to enter their vehicle's VIN number and get a no‑obligation estimated market value. Their Privacy Policy can be viewed at https://www.vinaudit.com/privacy-policy.

EstiBot is the world's most trusted domain appraisal service. It is used by registrars, financial institutions, domain brokers and individual domain investors. Estibot allows Kubera customers to enter their domain names to get a no‑obligation estimated market value. Their Privacy Policy can be viewed at https://www.estibot.com/privacy.

Analytics

We may use third-party Service providers to monitor and analyze the use of our Service.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en

Email Marketing

We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.

We may use Email Marketing Service Providers to manage and send emails to You.

Advertisements

Some Personal Data may be shared with advertising services in order to promote the Company's brand and Services to Our target audience.

Payments

We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).

We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

Stripe's Privacy Policy can be viewed at https://stripe.com/us/privacy

Accessing the Service through Our 'White-Label Customers'

The Service can also be accessed through our 'White-Label Customers', such as Registered Investment Advisors, who have licensed the Service to apply their brand and offer it to their clients as part of their services. Under these circumstances Kubera is the Data Processor and the 'White-Label Customer' is the Data Controller for legal and regulatory purposes. Kubera’s obligation to the User is therefore limited to its role as Processor and the User must contact the 'White Label Customer' for more information about their Terms of Use and Privacy Policies.

If You are accessing the Service through such 'White Label Customer', they may be able to access, add, edit and retain information shown on your portfolio. However, they will not be able to access information regarding your bank/brokerage/crypto account credentials unless you provide them such assess or they access it through other means. 

'White Label Customers' may also be able to suspend or terminate your account access.

Children's Privacy

Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy, You can contact us by email hello@kubera.com.

GDPR

Last updated: November 4, 2020

For our European users we can confirm that we comply with the European General Data Protection Regulation (“GDPR”). Please see our Data Protection Impact Assessment  (“DPIA”) which demonstrates the measures we have taken to comply with our Data Protection obligations.

Data Protection Impact Assessment – Report.

Step 1 – Identify the need for a DPIA.

Kubera as a data controller for a web page (and potentially a mobile app in the future) that processes data directly from user accounts and also from the synchronisation of other platforms, such as banks and other financial institutions, is undertaking a DPIA in order to identify any areas of risk in the collection and processing of its user data.

Kubera will be collecting personal data of data subjects who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”) in order to provide them with services through the Kubera web and mobile app. It is therefore appropriate to use a DPIA to identify any risks associated with the collection, processing, transmission, retention, review and deletion of all personal data being collected for the purposes of providing a service to its users.

Step 2 – Data Processing.

Responsibilities and Standards Applicable to the Processing:

Kubera is collecting personal data directly from its users when they create an account, including personal data of “beneficiaries” and “trusted angels”. Some data is collected when users synchronise 3rd party platforms (e.g. bank accounts, brokerages, crypto exchanges, etc) with their Kubera account. This information may contain personal data, e.g. contents of bank statements and transaction histories, however it will not contain information such as bank account login information or sort codes and account numbers.

Some personal data is also collected from Google if the user decides to create a Kubera account using an existing Google account. However, the data collected is limited to only that Kubera requests. This includes the users profile picture, name and email address. Given that Google routinely collects a large volume personal data from users including date of birth, gender, email address and mobile phone number it is important to identify if all of this information is shared by Google with Kubera. This does not appear to be the case at the moment however, Kubera will monitor this.

The applicable standards are the European General Data Protection Regulation (“GDPR”) in relation to all personal data collected from EU citizens and associated implementing legislation, including the UK Data Protection Act 2018 (“DPA’18”). As personal data is being stored on infrastructure located in the United States reference may be made to the California Consumer Privacy Act. Furthermore, at the time of writing this assessment, the EU-US privacy shield has been ruled invalid by the Court of Justice of the European Union (“CJEU”). In the absence of the privacy shield, data controllers must rely on the presence of Standard Contractual Clauses (“SSC’s”) in all of their third party data processing agreements. Responsibility for ensuring compliance with all applicable standards rests with the directors of Kubera.

Describe the Nature and Scope of the Processing:

Kubera is processing the personal data of their users. This includes first name, last name, email address, password, profile picture and any information uploaded to the virtual “safe deposit box”. This could include special category data including the users ID, passport, driving license, share certificates and details of any possible investments or liabilities. We should also consider that users could upload highly sensitive special category data including details of divorce proceedings, child custody arrangements, court mandated division of estates and assets, wills and trusts, details of medical histories and potentially ongoing medical details relating to the dependents of the user and literally anything else that the user considers to be of sufficient importance to store on the system. This could inadvertently lead to the processing of data of dependents defined as children/minors under GDPR (defined under DPA’18 as below the 13 years of age). To ensure that Kubera does not collect and process the data of those who are defined as a minor under relevant law Kubera has a short message on the page where the user inserts this information making it clear that information in relation to minors should not be inputted into the system.

Kubera also processes the personal data of others, known as “beneficiaries” or “trusted angels”. These data subjects aren’t direct users of the app but their personal data is inputted by a direct user. This information is not verified by the beneficiary and/or trusted angel however, the direct users is prompted to make sure the information entered is correct. This is in case the user does not access their account for a lengthy period of time. In this situation, all of the data stored on the users account will then be sent to the beneficiary or trusted angel. It will be necessary to ensure that no minors are appointed as beneficiaries or trusted angels on the system for the same reasons as outlined above.

Personal data is processed solely for the purpose of providing the user with a modern-day wealth tracker and consequently it is necessary to ensure that when a user ceases to login to the app and use the services provided or choose to delete their account, that all processing of personal data of such user is ceased and deleted from Kubera’s systems in line with their data retention policy.

Describe the Context and Purpose of the Processing:

Personal data of Kubera users is collected and retained for the purposes of providing the user with a modern-day wealth tracker.

Personal data is shared with third parties by Kubera solely for the purpose of facilitating the provision of the service.

Some personal data may be shared with advertising services in order to target and promote Kubera's own services and brand. However, Kubera will not be sharing data of users who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”).  

Personal data shared with third parties will not be subject to any onward data transfer either to additional third parties or third countries.

Step 3 – Types of Personal Data Collected.

Consultation Process:

In a series of meetings the co-founders of Kubera have facilitated the provision of information relating to the types of personal data collected during the operating of the Kubera mobile app and web page.

For the avoidance of doubt, the types of personal data collected include:

  • First name;
  • Last name;
  • Email address;
  • Password;
  • Phone number;
  • Profile image; and
  • Any information uploaded to the virtual “safe deposit box” (including, but not limited to, the users ID, passport, driving license, share certificates and details of any possible investments or liabilities – this could include literally anything uploaded by the user).

Step 4 – Life Cycle of the Personal Data Collected.

Acquiring of Personal Data:

Kubera acquire personal data in 2 ways, directly from the user through the Kubera app or web page when the user sets up an account or via Google if the user chooses to create a Kubera account using an existing Google account.

When a user downloads the Kubera app or goes onto the Kubera website the user is given 2 options on how they can create account – directly through the Kubera app by entering their full name, email address and password, or through Google.

Data Processing:

In order to provide the service, Kubera use the following third parties who act as data processors: AWS, Finicity by Mastercard, Yodlee, Plaid, Salt Edge, SnapTrade, MX, Akahu, Lean, Log Rocket, Sentry, Help Scout, Google Analytics and Mailerlite.

It is Kubera’s responsibility to ensure that any third party data processors are processing the personal data of Kubera’s users safely and securely. For this reason, Kubera must ensure that Standard Contractual Clauses are in all of their third party processing agreements and that personal data is not retained on third party servers for longer than is necessary. Kubera must also ensure that data processors do not share the personal data of Kubera’s users with any other 3rd parties or third countries.

Data Storage:

Kubera’s severs are operated by Amazon Web Services (“AWS”). All data collected and processed by Kubera, including personal data, is stored on AWS facilities in North Virginia, US (US East Region).

By using AWS servers in the US Kubera is processing and transferring the personal data of EU citizens outside of the EEA. Previously, Kubera could have relied on the EU-US privacy shield framework in order to facilitate the processing and transfer of EU personal data outside of the EEA however, due to the recent European court decision this framework is no longer valid. Therefore, Kubera will ensure that Standard Contractual Clauses are in all of their third party processing agreements where the personal data of EU citizens is stored and processed outside of the EEA.

All data that is stored on Kubera’s AWS servers is encrypted using AES encryption at 256 bit. Other security measures such as 2 factor authentication is in place.

Backup servers – Kubera will confirm details of the provision, location and security measures in place on the backup system along with the testing regime operated to validate the integrity of the backups that are taken.

Data Retention:

Personal data is retained on the system on the basis that if a user fails to login to the system for a period of 45 days (or as set by the user) a series of 5 reminder emails/notifications, known as the “Life Beat Check”, will be sent to the user. These emails will contain a link/button that the user can click on and say “I’m okay”. The user is not required to login to their Kubera account. Just clicking on the link and visiting a webpage is enough to reset the “inactive timer”. In the event that all 5 reminders, sent over a period of 10 days, are unanswered the beneficiaries and/or trusted angels would be contacted via email and supplied with a copy of the users data in a downloadable format. As a final “longstop”, 12 months after the last user activity on the account a further reminder will be sent to the user and/or beneficiaries/trusted angels and in the event of no response after a period of an additional month (30 days) the user account will then be deleted from Kubera’s systems including backups in its entirety.

Deletion of Data:

Deletion of data should take place in line with the data retention policy outlined above. Any specific programs or systems to be used in the deletion of data may be detailed here.

Assess the Necessity and Proportionality:

The personal data collected represented the totality of the personal data required from the user to deliver the service requested by the user. No additional data is acquired apart from the minimum necessary to provide the service. This is subject to the information acquired from a user’s Google account being limited solely to information that is necessarily required for the provision of the service. If Google were to provide any additional personal data over and above the profile and contact information detailed above, such as details of the users location and travel history based on mobile device GPS data, search history information or purchasing history, such information would constitute far more personal data than is strictly required for the provision of service to the user. Under the terms of GDPR controllers are encouraged to adopt the principles of data minimisation and only to collect the bare minimum of data required for the performance of the service.

Any data supplied to Kubera through the safe deposit box function is at the users discretion. Any data uploaded by a user is supplied on the implicit understanding that it could be disclosed in full to a beneficiary or trusted angel in the event of a user’s incapacity. Consequently, all users should have it made clear to them that any information they would not be comfortable sharing with a beneficiary or trusted angel should not be uploaded to the system.

Step 5 – Legal Basis for Processing such Personal data.

Under article 6 of GDPR Kubera is acquiring and processing the personal data of users for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.  

Step 6 – Data Subject Rights.

Right of Access (under Article 15 of the GDPR):

All data subjects who are resident in the European Union and whose personal data is processed by Kubera are entitled to make a subject access request regarding how their personal data is processed.

Under this right a data subject is entitled to receive details as to what items of their personal data are being processed and retained, the systems being used for this purpose and the basis upon which such systems are being used by Kubera. A statutory 30 day deadline applies for Kubera to respond to any Data Subject Access Request (“DSAR”) that may be received.

Kubera has an option in the application that ensures that users are able to download a full copy of the personal data that Kubera processes. This option is provided to the user via the webpage. Users can contact Kubera should they have any issues accessing this system by writing to hello@kubera.com. Their request will responded to within the 30 day deadline.

Right to Rectification (under Article 16 of the GDPR):

Under GDPR data subjects are able to request that all personal data held by an organisation may be updated and corrected as necessary.

While the personal data collected by Kubera is primarily supplied at the point of registration as a new user, or in the process of using the app, it is important that the user retains the right to be able to change any of this information during their life time as a user of the Kubera app. It currently appears to be the case that a user has the ability to change or update any of their personal information via the settings in the app. It is important that the feature is retained.

Right to Erasure (under Article 17 of the GDPR):

Each data subject has the right under GDPR to request that their personal data can be erased and in effect be “forgotten” by a data controller or processor. In making such a request the data subject will except that their personal data is deleted from all relevant systems such as user accounts, marketing information, any third party processing and any long term data retention. Under the right to erasure a data subject has the statutory right to expect this to be undertaken within 30 days.

In practice it is common for some personal data of the data subject to be maintained for professional or regulatory purposes, for example in order to guard against a professional conflict of interest or in order to comply with statutory limitation. However, in this instance it is difficult envisage a scenario where any personal data relating to a data subject making a request under the right to erasure should be retained by Kubera.

Consequently it will be necessary to ensure that a suitably robust system is in place to ensure that any such requests made by a data subject may be processed within 30 days and to ensure that their data is securely eradicated from all Kubera systems including marketing email communications, server backups and any third party data processing.

Data subjects resident in the European Union have the right to exercise the erasure of their personal data from Kubera’s systems. Part of this process can be completed by the user themselves via Kubera settings. To make sure there is no more data saved in the backups, they can contact Kubera and facilitate a request under the right to erasure and  Kubera has 30 days in which to comply.

Right to Restriction of Processing (under Article 18 of the GDPR):

Each data subject resident in the EU has the right to request that Kubera as data controller shall restrict the processing of personal data in the event that the accuracy of any personal data is contested, where the processing may be unlawful, where Kubera no longer needs the personal data to supply its service or where the data subject has objected to the processing of the personal data. In the event of such as restriction being exercised by a data subject, the processing of personal data would only be able to recommence with the consent of the data subject.

Consequently, it is important that, as with the right to erasure, Kubera has the ability to identify individual personal data records and restrict the processing of such data in the event if such a request by the data subject.

All data subjects resident in the EU has the right under GDPR to request a restriction of processing by writing to hello@kubera.com.

Right to Data Portability (under Article 20 of the GDPR):

Data subjects located in the EU are entitled to a right to receive a copy of the personal data that they have provided to Kubera or to request that their data be transmitted to another data controller on the condition that their personal data is being processed on the basis of consent or pursuant to a contract. As identified at step 5 of this assessment, Kubera is processing the personal data of its users for the performance of a contract to which the data subject is party to therefore users of Kubera have the right to data portability.

Consequently, the Kubera privacy policy must identify that all data subjects resident in the EU has the right under GDPR to request a portable copy of their information to and provide a means for data subjects to be able to contact Kubera and facilitate such a request.

Step 7 – Risks Associated with the Processing.

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary:
Likelihood of harm (remote, possible or probable), severity of harm (minimal, significant or severe) and overall risk:
Measures currently in place to mitigate risks associated with the processing:
1. The inadvertent disclosure of account access to beneficiaries and/or trusted angels where for whatever reason the user has failed to respond to reminders but is not incapacitated but for some reason may not have the ability to get online or login to their account. Users are only given a period of 10 days to check in and confirm they are “okay” which is considered to be a short period of time (probable).
Users of the Kubera system are informed about the “Life Beat Check” process, including the flow of data from the users account to the beneficiaries and/or trusted angels, from the offset using a clear flowchart.
2. The system is at risk of being subject to a cyber-attack including Denial of Service (possible).
Kubera periodically audits their infrastructure for any security issues. Any security issues found will be fixed/patched as soon as is reasonably possible.

Kubera use Amazon GuardDuty to detect and monitor incidents that may impact the security of their assets, for example malicious activity and unauthorised behavior.

Kubera prevents access to user assets by using AWS Identity and Access Management (“IAM”).  
All employees of Kubera are given training on cyber security principles.

Backups of the main server are taken regularly.
Access to user data is limited to a small amount of employees.

Passwords on corporate accounts, for example the corporate google accounts that can be used to access the main AWS server, are changed frequently. 2 factor authentication is also applied where possible.

It is advised to implement advanced persistent threat detection system to track user behavior and potential attempts at unauthorised access such as Distributed Denial of Service (“DDOS”). This can be considered a lower priority to be implemented once the system has a high volume of daily users and presents a more valuable target to cyber criminals.
3. As part of this exercise Kubera explained that they do not view any of the personal data that is connected to the users account or is stored in the users safe deposit box. However, for the avoidance of doubt it is necessary to confirm the security measures that are in place to ensure that no Kubera employee is in the position to access any personal data stored by Kubera or any of the accounts that the user has synchronised with their Kubera account (probable).
Database administrators have access to the database encryption keys and therefore can view any user data that is processed and retained by Kubera on their systems. This is because there is no end-to-end encryption. However, internal tools are in place to ensure that all personally identifiable information viewed by operational staff is masked. This still means that an employee of Kubera could access an users personal data however, access to the servers where data is stored is given on a need-to-know basis and is limited to a small number of employees.

If an employee does need to access user data for any such reason, for example routine server maintenance, debugging etc, they are required to state a valid reason for that specific access session.

An audit trail/record is maintained for all data access sessions which are reviewed periodically.
Advise is given to users informing them that they should not store any information that is highly risky when fallen into the wrong hands, for example passwords, credit card numbers, crypto wallet private keys, etc.
4. The risk of a Kubera employee being able to access and potentially distribute (intentionally or unintentionally) any user account login and password information (probable).  
User accounts are managed through AWS Cognito. Therefore, Kubera employees do not have access to any user account passwords.
5. The risk of the synchronisation of the users financial accounts that are linked with their Kubera account being compromised by a malicious third party (possible).
Kubera syncs financial institutions accounts using their own keys which are kept in AWS Secrets. This reduce the chance of the keys being compromised. These keys are also rotated frequently.
6. The risk of a data breach by any third parties acting as data processors (possible).
Kubera ensures valid contracts are in place with all third party data processors. Regularly checks for any updated terms, any change as to legal status of third party (e.g. takeover/buyout) or any other substantial variation in service.

‍Institute regular coordination with third party processors e.g. half yearly or quarterly management calls to review operations, receive updates on any legislative or security changes and to feedback any issues or problems that may have occurred on the Kubera side.
7. The risk of users being overseen when accessing the app or web page (probable).
Establish a code or guide for Kubera users bringing to their attention possible risks as to how and where they access the app.

1. Do not use free public Wi-Fi when the accessing the app or web page.

2. When accessing the app or web page via a new Wi-Fi system for the first time (e.g. hotel or airport) consider access via a VPN.

3. Do not access the app or web page when travelling on public transport or in a crowded area where the device screen may be overseen. Consider the purchase and use of a privacy screen for your mobile device.

4. Ensure the security of your mobile device when used at home by putting all of your personal devices as well as important home systems such as digital media, TV and IOT on a secure password protected home network partitioned from a separate quest network provided to guests when requested.

5. Ideally access the app or web page using a secure 4G or 5G data connection for safe and speedy use.

7. The users are advised that due to the sensitivity of the data held by Kubera and accessed via the app that users may wish to ensure they dispose of their mobile devices securely rather than passing them to friends or family members or donating them due to the risk of inadvertent access to the system by an unauthorised user
8. The risk of beneficiary and/or trusted angel not being up to date, which could mean that user data remains on the server after all of the multiple reminders have been exhausted in which it is essential that the “longstop” deletion of data after 1 year and 1 month is confirmed as being effective (probable).
An email/notification is sent to the user each year prompting them to confirm their information. This includes confirming that the contact details of their beneficiaries and/or trusted angels is accurate.
9. It is a significant risk that if a user has access to the app on a mobile device and passes the use of that device temporarily or permanently to another user, that user may be able to gain access to the account including the wealth tracker and safe deposit documents (probable).
The users are advised that due to the sensitivity of the data held by Kubera and accessed via the app that users may wish to ensure they dispose of their mobile devices securely rather than passing them to friends or family members or donating them due to the risk of inadvertent access to the system by an unauthorised user
10. Contrary to the principles of necessity, proportionality and data minimisation, Google may be sharing more information with Kubera than is strictly necessary for the provision of services to the users such as GPS location data, search histories, subscriptions or purchase histories. The provision of any such data by Google would be far in excess of the personal data required from a Google account (remote).
Kubera only basic information from Google, i.e. email address, name and profile photo.
11. The risk that backups are not being taken regularly (remote).
Automated backups are taken. This process is managed by AWS.
12. The risk that backups are not being regularly tested for effectiveness (probable).
It is advised as to the importance of ensuring an independent third party backup of the system is available for Kubera to access and utilise independently of the AWS system. This is to protect Kubera from any outage in AWS provision. While this may appear unlikely it still remains a significant risk. While Kubera appreciates the risk, the difficulty in facilitating an independent backup means that this is a goal that Kubera will work towards after the first 12 months of operation once resources are available in order to arrange such a facility.
13. The risk that backups are not being taken on secure system totally separate from the AWS primary infrastructure (probable).
Backups are stored on AWS servers located in multiple geographically distant zones and are encrypted using AES-256 bit encryption.
14. The risk that backup is operated outside of the data retention policy outlined above (possible).
Backup and log files are configured to rotate every 30 days. Kubera constantly verify that this process is working as expected.
15. For the avoidance, in the absence of the EU-US privacy shield it is necessary to ensure that all contracts with data processors on behalf of Kubera contain the necessary Standard Contractual Clauses (“SCC’s”).
Ensuring that all third parties undertaking any data processing on behalf of Kubera has valid contracts in place containing the necessary Standard Contractual Clauses that allow for the processing of the personal data of EU citizens. Furthermore, the SCC’s will be changed by the EU before 31 December 2020 and it will be necessary to ensure all relevant contracts contain the correct updated and valid SCC’s.
16. Reviewing and updating any third party processor contracts to ensure they contain the appropriate updated SCC’s. The European Union has confirmed its intention to update SCC’s before 31 December 2020.
Maintaining a watching brief for publication of new updated SCC’s by the European Union.

Go to top