Privacy Policy

Last updated: May 2, 2026

KlarFort is built on a single privacy principle: we do not collect your financial data. The records you create live on your device. The only information stored on our servers is the limited set of account and billing details required to deliver paid subscriptions.

Summary of data practices

This summary is provided to align with the disclosure formats used by Apple's App Privacy Details and Google Play's Data Safety section. The detailed sections below are authoritative.

• Data collected and stored, linked to you: sign-in identifier, an authentication credential, the store-issued subscription purchase token, and (only if you enable notifications) an operating-system push delivery token.
• Data transmitted but not stored, linked to you: when you opt into AI features and choose to send a question, document, image, or portfolio context, that payload is transmitted through our backend to the AI provider for processing. The payload may include user-content categories such as financial information, files or documents, and photos or images that you yourself attach. The exchange is not retained on KlarFort servers.
• Data not linked to you: none.
• Data used to track you across other companies' apps and websites: none.
• Data shared for sale, advertising, or cross-context behavioural advertising: none. KlarFort does not sell or share user data in the senses defined by the CCPA, the CPRA, or comparable laws.
• Service providers we use to deliver the product: Apple App Store and Google Play (subscription billing); the AI provider that fulfils opt-in AI requests; Apple Push Notification service and Firebase Cloud Messaging (delivery transport for opted-in notifications). Each acts as a processor on our behalf for the specific purpose listed.

What we store

Our servers retain only the information required to manage your account, deliver your subscription, and (if you enable it) send the notifications you opted into:

• Account credentials. Your sign-in identifier and a credential used to authenticate you. Used for authentication and account recovery only.
• Subscription records. The store purchase token issued by Apple App Store or Google Play, which we use to confirm your subscription tier. Used solely for entitlement verification.
• Notification delivery token (optional). If you enable push notifications, the operating-system token required to deliver them. Used only for delivery and invalidated when you turn notifications off.

That is the entire data set we keep on our servers. Your portfolio (assets, liabilities, cash flows, custom rules, projects) is not stored on our servers. We do not collect device fingerprints, advertising identifiers, precise or coarse location, contact lists, microphone data, health or fitness data, biometric data, or financial-account credentials. Anything you transmit through opt-in AI features (questions, documents, images, or portfolio context you attach) flows through our backend to the AI provider for processing and is not retained server-side; see AI features are opt-in below.

AI features are opt-in

KlarFort offers optional AI assistance: chat with the in-app assistant, daily insight notes, document import, and continuous monitoring on paid tiers. These features are available only when you choose to enable them. When you do, the app transmits a payload through our backend to a third-party AI provider for processing, and the response is returned to you. The payload may contain:

• The text of the question or prompt you wrote.
• A redacted snapshot of the relevant portfolio context.
• Any document, image, or other file you yourself attach to the request.

The payload and the response are not retained on KlarFort servers: the backend forwards them to the AI provider for the lifetime of the request and then drops them. Your AI exchanges are not used to train models. The AI provider processes the request as a service provider under its own privacy and data-handling terms, and we choose providers that align with the privacy posture of this product.

Third-party services

The only third parties involved in delivering KlarFort are:

• Apple App Store and Google Play, who handle the entire payment flow for paid subscriptions and provide us with a purchase token we use to verify your tier. We do not see your payment-card details.
• The AI provider used for opt-in features, which receives a redacted snapshot only when you actively use those features.
• Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM), used only as transport for the notifications you opted into.

The app contains no advertising SDKs and no social-login SDKs.

What we do not do

• No advertising. The product has no ad surfaces and no advertising integrations.
• No social sign-in providers. We do not request access to third-party identity profiles.
• No data selling. Your information is not for sale and never will be.

Subscriptions and in-app purchases

If you subscribe, billing is handled by Apple App Store or Google Play. Their terms govern your purchase, including auto-renewal, billing cycles, family sharing, and any price changes. Our servers verify the store-issued purchase token to confirm your tier. We do not see, store, or process your payment-card details; Apple and Google do. Cancellation is performed in the same store account that originated the purchase, not from within KlarFort.

Data retention

We retain account information for as long as your account is active. When you delete your account, we remove the account credentials, subscription records, and any push delivery token from our active systems within 30 days. Backup copies are purged on the next routine retention cycle (no later than 90 days). We may retain a minimal record of the deletion event itself (timestamp and a hashed identifier with no recoverable PII) for up to 12 months to comply with audit, fraud-prevention, and legal-hold obligations.

Data deletion

You can delete your account at any time:

• From inside the app: open Settings, choose Delete Account, and confirm. Deletion removes the account credentials and subscription records held on our servers and severs the active session.
• From the web: use the public deletion-request page at klarfort.com/delete-account. You do not need to install the app to submit a request.
• By email: write to [email protected] from the address tied to your account; we will confirm and process the request within statutory timelines.

Active store subscriptions must be cancelled separately in the App Store or Google Play account that originated the purchase. Deletion is permanent and not recoverable.

Children

KlarFort is not directed at children under 13 and we do not knowingly retain account information for anyone under 13. If you are a parent or guardian and believe a minor has created an account, please contact us and we will delete it. KlarFort does not knowingly collect personal information in violation of the Children's Online Privacy Protection Act (COPPA).

International transfers

Our infrastructure operates from facilities that may be located outside your country of residence. By using KlarFort you consent to your account information being processed in those jurisdictions, subject to the protections in this policy. Where required, transfers from the European Economic Area, the United Kingdom, or Switzerland are made under appropriate safeguards such as the Standard Contractual Clauses.

Your rights (GDPR, UK GDPR, EEA, Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to access, correct, restrict, port, and erase your personal data, and to object to processing or withdraw consent at any time. The lawful bases on which we process the limited account data described above are: contract (to deliver the subscription you purchased) and, for opt-in AI features and notifications, consent. To exercise any of these rights, email [email protected] from the address tied to your account. You also have the right to lodge a complaint with your local supervisory authority.

California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you the right to know what personal information we collect, the right to delete it, the right to correct it, the right to limit the use of sensitive personal information, the right to opt out of "sale" or "sharing", and the right not to be discriminated against for exercising these rights.

Notice at collection. The categories of personal information involved in KlarFort, the purposes for which they are used, whether they are stored on our servers or transmitted ephemerally, and the retention period for each are:

• Identifiers (sign-in identifier and an authentication credential treated as sensitive personal information used solely for security and account access): used for authentication and account recovery; stored while the account is active and during the post-deletion windows in Data retention.
• Commercial information (the store-issued subscription purchase token): used for entitlement verification; stored while the account is active and during the post-deletion windows in Data retention.
• Internet or other electronic network activity information (operating-system push delivery token, only if you enable notifications): used solely to deliver the notifications you opted into; invalidated when notifications are turned off.
• User-attached content for opt-in AI features (your prompt text, redacted portfolio context, and any document, image, or other file you yourself attach to a request, which may include financial information, files, photos, or images): used solely to fulfil the AI request you sent; not retained on KlarFort servers; processed by the AI provider as a service provider under its own privacy and data-handling terms.

Sale and sharing. KlarFort does not sell personal information and does not share personal information for cross-context behavioural advertising, as those terms are defined in the CCPA and CPRA. The third parties listed in Third-party services act as service providers processing data on our behalf for the limited purposes listed; that is not "sale" or "sharing".

Sensitive personal information. The only category we treat as sensitive is your account authentication credential, which we use only for the security and account-access purposes for which it was provided. We do not use it to infer characteristics about you. You do not need to file a request to limit our use of sensitive personal information; that limitation is the default.

Right of non-discrimination. We will not deny you the Service, charge you a different price, or provide a different level of quality for exercising any of these rights.

To exercise your CCPA rights, use the deletion-request page or email [email protected]. We respond to verifiable requests within 45 days, with a single 45-day extension where reasonably necessary, in line with the timelines set by California law.

Other US state privacy rights

Residents of other US states with comprehensive consumer-privacy laws (including but not limited to Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia) may have rights similar to those described in the GDPR and CCPA sections above. The same email and deletion-request channels apply.

Security

We apply current industry-standard practices to protect the limited account data we hold and to secure communication between the app, our servers, and the AI provider used for opt-in features. Data is transmitted over TLS, sensitive credentials are stored as one-way hashes, and access to production systems is restricted to a small number of operators. No system is perfectly secure, but we treat your account with the same care we would expect for our own. To report a security concern, please use the responsible-disclosure channel.

Changes to this policy

If we materially change how we handle your data, we will update this page, revise the Last updated date, and surface a notice in the app on next launch. Your continued use of the Service after a change becomes effective constitutes acceptance of the revised policy. We will not retroactively make material changes that reduce your privacy rights without your consent.

Contact

Questions, requests, or concerns about this policy: