Kerdora Privacy Policy

Last updated: April 28, 2026
Effective: April 28, 2026

Kerdora Inc. ("Kerdora," "we," "us," or "our") provides software that helps financial advisors plan for their clients. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.

This Policy applies to:

  • Advisors and firm users who create accounts and use the Kerdora platform (the "Service").
  • End clients of those advisors, whose financial information is held in the Service. End clients may interact with limited parts of the Service to connect their financial accounts at their advisor's request.
  • Website visitors to kerdora.com, go.kerdora.com, trust.kerdora.com, and related Kerdora properties.

By using the Service or our websites, you agree to this Policy. If you do not agree, do not use the Service.


1. Information We Collect

We collect the following categories of information.

Account information. When an advisor signs up, we collect name, email address, firm name, role, and login credentials.

Billing information. When an advisor subscribes, payment is processed by Stripe. We do not store full payment card numbers. We retain billing records (plan, amount, invoice history, last four digits of card, billing address) as provided by Stripe.

Client and financial data. Advisors enter or upload information about their end clients into the Service, including but not limited to: names, contact details, household composition, income, expenses, assets, liabilities, goals, risk tolerance, tax information, estate documents, insurance, and notes. Advisors may also upload supporting documents.

Connected account data. When an end client connects financial accounts through our account aggregation provider, Array, at the advisor's request, we receive account-level information from connected institutions, including account names, account types, balances, holdings, positions, and transaction history. See Section 4 for details.

AI feature inputs and outputs. When advisors use AI-assisted features, we process the inputs they provide and the outputs returned by our AI subprocessors. See Section 5 for details.

Usage data. We automatically collect information about how the Service is used, including IP address, browser type, device identifiers, operating system, referring URLs, pages and features accessed, timestamps, and session activity.

Cookies and similar technologies. We use cookies and similar technologies for authentication, security, preferences, and product analytics. See Section 7.

Communications. When you contact us by email, in-app chat, or through our support tools (e.g. Intercom), we retain those communications and any information you provide.

Marketing and CRM data. If you visit our marketing site, request a demo, or sign up for our mailing list, we collect the information you submit (e.g. name, email, firm) and how you interact with our marketing emails and pages.

We do not knowingly collect information from anyone under the age of 18.


2. How We Use Information

We use the information we collect to:

  • Provide, operate, maintain, and secure the Service.
  • Authenticate users and prevent fraud and abuse.
  • Process payments and manage subscriptions.
  • Deliver AI-assisted features requested by advisors.
  • Retrieve and display data from connected financial accounts at the advisor's direction.
  • Provide customer support and respond to inquiries.
  • Communicate with users about the Service, including updates, security notices, and administrative messages.
  • Send marketing communications, where permitted, with the ability to opt out at any time.
  • Improve the Service, develop new features, and analyze usage trends.
  • Generate aggregated or de-identified data that does not identify any individual.
  • Comply with legal obligations and enforce our agreements.

We do not sell personal information.

We do not use end-client financial data to train generative AI models. AI subprocessors process inputs and outputs solely to deliver the requested feature, under contractual terms that prohibit using Kerdora customer data to train their models. See Section 5.


3. How We Share Information

We share information only as described below.

Service providers and subprocessors. We share information with vendors that help us operate the Service, including hosting, infrastructure, payments, analytics, customer support, communications, account aggregation, and AI processing. A current list of subprocessors is maintained at trust.kerdora.com/subprocessors and is incorporated into this Policy by reference.

Within the advisor's firm. Where an advisor's firm has multiple users on the Service, client and account data is accessible to authorized users within that firm according to the firm's permissions.

At advisor direction. We share data with third parties when an advisor instructs us to (for example, when an advisor connects an integration or exports data).

Legal, safety, and compliance. We may disclose information when we reasonably believe disclosure is required to comply with law, regulation, legal process, or government request; to enforce our terms; to protect the rights, property, or safety of Kerdora, our users, or others; or to investigate fraud or security issues.

Business transfers. If Kerdora is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction. We will provide notice consistent with this Policy and applicable law.

Aggregated or de-identified data. We may share aggregated or de-identified information that cannot reasonably be used to identify any individual.

We do not sell or rent personal information, and we do not share personal information for cross-context behavioral advertising.


4. Account Aggregation (Array)

Kerdora uses Array as our account aggregation provider. Account connections are always initiated by the end client at the advisor's request. The flow works as follows:

  • The end client receives a request from their advisor to connect one or more financial accounts.
  • The end client is directed to Array's authentication flow to select an institution and provide credentials directly to Array. Kerdora does not see or store institution login credentials.
  • Array establishes the connection on the end client's behalf and returns account, holding, and transaction data to Kerdora.
  • Kerdora stores that data within the advisor's workspace and refreshes it on a recurring basis while the connection is active.
  • Connections can be revoked at any time by the end client or the advisor. Revocation stops further refreshes; previously retrieved data is retained subject to Section 8.

Array's handling of connected account data is governed by Array's own privacy policy and terms. By connecting an account, the end client authorizes Kerdora and Array to access, retrieve, and process that account information for the purposes described above.


5. AI Features

Kerdora offers AI-assisted features that use third-party large language models. AI features are available only to advisors and firm users; end clients do not interact with AI features. Our AI subprocessors are Anthropic and Google, listed on our subprocessors page.

When an advisor uses an AI feature:

  • The relevant inputs (which may include client and financial data the advisor selects) are sent to the AI subprocessor through their API.
  • The AI subprocessor returns an output that is delivered back to the advisor in the Service.
  • Inputs and outputs are processed under enterprise API terms that prohibit the AI subprocessor from using Kerdora customer data to train their models and that limit retention to what is necessary to deliver and secure the service.

Kerdora may retain inputs and outputs to display them to the advisor, support the feature, debug issues, and improve the Service. We do not use end-client financial data to train AI models.

Advisors are responsible for the inputs they choose to submit to AI features and for reviewing AI-generated outputs before relying on them with clients.


6. Our Role: Controller and Processor

Kerdora plays different roles depending on the data involved.

Advisor and firm data. Kerdora is the controller of personal information about advisors, firm users, and website visitors (for example, account information, billing information, marketing data, and usage data). We determine the purposes and means of processing this data.

End-client data. Kerdora acts as a processor (or service provider) on behalf of the advisor for personal information about the advisor's end clients that is entered into or connected to the Service. The advisor is the controller of that data and is responsible for determining what to collect, what notices to provide, what consents to obtain, and what rights to honor.

If you are an end client and want to exercise rights regarding your personal information, please contact your advisor first. We will work with the advisor to honor verified requests.


7. Cookies and Tracking

We use cookies, local storage, and similar technologies to:

  • Keep users signed in and secure their sessions.
  • Remember preferences and settings.
  • Understand how the Service and our websites are used (product and marketing analytics).
  • Measure the effectiveness of our marketing.

We use PostHog for product analytics and Google Analytics for website analytics.

You can control cookies through your browser settings. Disabling cookies may break parts of the Service. We do not currently respond to "Do Not Track" browser signals, because there is no industry consensus on how to interpret them, but we honor opt-out preference signals where required by law.


8. Data Retention

We retain personal information for as long as needed to provide the Service, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements.

  • Account and client data: retained while the advisor's account is active and for a reasonable period after termination to allow for export, dispute resolution, and legal compliance.
  • Billing records: retained as required by tax and accounting laws, generally up to seven years.
  • Backups: retained on a rolling basis and overwritten according to our standard backup schedule.
  • Aggregated or de-identified data: may be retained indefinitely.

After termination, advisors may request export and deletion as described in Section 10. We may retain limited residual information where required by law or for legitimate business purposes (for example, audit trails, security logs, anti-fraud records).


9. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including:

  • Encryption in transit (TLS) and at rest.
  • Role-based access controls and least-privilege access.
  • Multi-factor authentication on administrative systems.
  • Logging and monitoring.
  • Regular review of subprocessors and security practices.

The Service is hosted in the United States on Render and Amazon Web Services (AWS).

No system is perfectly secure. If we discover a security incident affecting your personal information, we will notify affected users without unreasonable delay and no later than 30 days after discovery, consistent with applicable law. If you believe your account or data has been compromised, contact us immediately at taylor@kerdora.com.


10. Your Rights and Choices

Subject to applicable law and verification of your identity, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete personal information.
  • Delete your personal information.
  • Export a copy of your personal information in a portable format.
  • Opt out of marketing communications (use the unsubscribe link in any marketing email or contact us).
  • Withdraw consent where processing is based on consent.
  • Appeal a denial of a rights request, where applicable law provides for an appeal.

To make a request, advisors and other Kerdora-controlled users may email taylor@kerdora.com. End clients should contact their advisor first; we will work with the advisor to honor verified requests.

We may need to verify your identity before fulfilling a request and may decline requests where permitted or required by law. We will not discriminate against you for exercising your rights.


11. State Privacy Rights (United States)

Kerdora operates in and serves users in the United States. The following state-specific notices apply where the relevant law applies to you.

Texas (TDPSA). If you are a Texas resident, you have the rights described in Section 10, including the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. Kerdora does not sell personal data and does not engage in targeted advertising or profiling that produces legal or similarly significant effects.

California (CCPA/CPRA). If you are a California resident, you have the rights described in Section 10, including the right to know, delete, correct, and obtain a copy of your personal information; the right to opt out of sale or sharing; and the right to limit use of sensitive personal information. Kerdora does not sell or share personal information as those terms are defined under the CCPA. Categories of personal information we collect, the purposes for which we collect them, and the categories of recipients are described in this Policy.

Other states. Residents of other states with comprehensive consumer privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, Oregon, Montana, and others as those laws come into effect) may have similar rights. To exercise rights, contact us at taylor@kerdora.com.

We do not currently offer the Service outside the United States and do not intentionally market the Service to users outside the United States.


12. Children

The Service is intended for use by financial advisors and their adult clients. We do not knowingly collect personal information from anyone under 18. If we learn we have collected personal information from a person under 18, we will delete it.


13. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent version. If we make material changes, we will provide notice through the Service, by email, or by posting a notice on our website. Your continued use of the Service after the effective date of an update constitutes acceptance of the updated Policy.


14. Contact Us

If you have questions about this Policy or our privacy practices, or to exercise your rights, contact:

Kerdora Inc.
Attn: Privacy
4304 Beaver Run Drive
McKinney, Texas 75072
Email: taylor@kerdora.com