Last updated: May 19, 2026
Kova Systems ("Kova," "we," "our," "us," the "Company," the "Data Controller," or the "Service Provider," as applicable and as contextually appropriate within the meaning ascribed to such terms under applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation as incorporated into United Kingdom law by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Oregon Consumer Privacy Act ("OCPA"), the Montana Consumer Data Privacy Act ("MCDPA"), the Iowa Consumer Data Protection Act, the Tennessee Information Protection Act, the Indiana Consumer Data Protection Act, the Delaware Personal Data Privacy Act, the New Jersey Data Privacy Act, the New Hampshire Privacy Act, the Kentucky Consumer Data Protection Act, the Nebraska Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, Brazil's Lei Geral de Protecao de Dados ("LGPD"), Japan's Act on the Protection of Personal Information ("APPI"), South Korea's Personal Information Protection Act ("PIPA"), Singapore's Personal Data Protection Act 2012 ("PDPA"), the Swiss Federal Act on Data Protection ("FADP"), and any other applicable data protection or privacy legislation in any jurisdiction in which the Service is accessed or utilized) operates the Kova application, platform, and associated services accessible at kovasystems.app and any subdomains, mobile applications, application programming interfaces, and ancillary digital properties associated therewith (collectively, the "Service," "Platform," or "Application"). This Privacy Policy (the "Policy," this "Notice," or this "Privacy Statement") constitutes a legally binding agreement between you (the "User," "Data Subject," "Subscriber," "Customer," or "you") and Kova Systems, and it explains in comprehensive detail how we collect, receive, store, process, use, disclose, transfer, share, aggregate, de-identify, anonymize, pseudonymize, retain, archive, delete, destroy, and otherwise handle your personal information, personal data, personally identifiable information, sensitive personal information, and all other categories of data, whether provided directly by you, collected automatically through your use of the Service, derived from third-party sources, inferred through algorithmic or computational analysis, or otherwise obtained by us in connection with the provision of the Service.
By accessing, browsing, registering for, subscribing to, or otherwise using the Service in any manner whatsoever, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions set forth in this Privacy Policy in their entirety. If you do not agree to the terms of this Privacy Policy, you must immediately cease all use of the Service and delete any accounts associated therewith. Your continued use of the Service following the posting of any amendments, modifications, or updates to this Privacy Policy shall constitute your acceptance of and agreement to such changes, whether or not you have reviewed them. We reserve the right, at our sole and absolute discretion, to modify, amend, supplement, or replace this Privacy Policy at any time and for any reason, with or without prior notice to you, subject to applicable legal requirements regarding notification.
For the purposes of this Privacy Policy, unless the context otherwise requires or a different meaning is expressly ascribed herein, the following terms shall have the meanings set forth below, which shall apply equally to the singular and plural forms of such terms:
For the purposes of the GDPR, UK GDPR, and other applicable data protection legislation that requires the identification of a Data Controller, the Data Controller responsible for the Processing of your Personal Data in connection with the Service is:
Kova Systems
Website: kovasystems.app
Email: privacy@kovasystems.app
For any inquiries, requests, complaints, or communications regarding this Privacy Policy, your Personal Data, or the exercise of your data protection rights, you may contact our designated privacy point of contact at the email address set forth above. We shall endeavor to respond to all legitimate inquiries within the timeframes prescribed by applicable data protection legislation, and in any event within thirty (30) calendar days of receipt, unless the complexity or volume of requests necessitates an extension, in which case we shall notify you of such extension and the reasons therefor within the initial thirty (30) day period.
In connection with the provision, operation, maintenance, improvement, and enhancement of the Service, we collect, receive, and process the following categories of Personal Data, which we have organized by category for the purposes of transparency and in compliance with applicable record-keeping and disclosure obligations:
When you create an account on the Service, we collect certain identity and registration data that is necessary for the establishment and administration of your user account, including but not limited to: your full legal name (first name and surname); your electronic mail address; your chosen password (which is stored in hashed and salted form using industry-standard cryptographic algorithms by our authentication infrastructure providers and is never stored in plaintext); and, where applicable, third-party authentication credentials and tokens provided through federated identity providers such as Google OAuth 2.0, including your Google account identifier, display name, email address, and profile photograph URL as made available by the identity provider's authorization scope. We may also collect your preferred display name, account preferences, timezone settings, language preferences, and any other optional profile information you choose to provide.
When you subscribe to a paid plan, upgrade, downgrade, or otherwise engage in financial transactions through the Service, payment processing is handled by Stripe, Inc. ("Stripe"), our third-party payment processor. We do not directly collect, store, process, or have access to your full credit card number, debit card number, bank account number, or other complete payment instrument details. Stripe collects and processes your payment information in accordance with the Payment Card Industry Data Security Standard ("PCI-DSS") Level 1 certification requirements and their own privacy policy, available at stripe.com/privacy. We receive from Stripe, and store in our systems, limited transaction-related data, including: the last four digits of your payment card; the card brand and type; the billing postal code; transaction identifiers; subscription plan identifiers; payment status; invoice amounts; payment dates and timestamps; refund and chargeback status; and subscription lifecycle events (creation, renewal, cancellation, expiration, trial commencement, trial conclusion). This information is necessary for the performance of the contract between us, for our legitimate business interests in maintaining accurate financial records, and for compliance with applicable tax and financial reporting obligations.
We collect comprehensive data regarding your interactions with and use of the Service, which is necessary for the provision of the Service's core functionality, the improvement of user experience, the development of new features, and the maintenance of platform integrity. This usage and activity data includes, without limitation:
When you access the Service through a web browser, mobile device, or other client application, we automatically collect certain technical and device-related information through standard internet protocols, server logs, and client-side data collection mechanisms, including but not limited to: your Internet Protocol (IP) address (both IPv4 and IPv6, as applicable); browser type, version, and configuration; operating system type, version, and configuration; device type, model, and manufacturer; screen resolution, viewport dimensions, and display characteristics; preferred language and locale settings; referring and exit URLs; pages visited, features accessed, and navigation paths within the Service; clickstream data and interaction patterns; session identifiers and session duration; timestamp data for all requests and interactions; HTTP request headers and metadata; and network connection type and speed characteristics. This technical data is collected for the purposes of ensuring the proper functioning and security of the Service, diagnosing technical issues, preventing fraud and abuse, analyzing usage trends and patterns, and optimizing the Service's performance and user experience.
Our lead discovery and business intelligence features utilize the Google Maps Platform, including the Google Places API and associated services, to retrieve publicly available business information from Google's databases and indexes. The data retrieved through these services may include: business names and trade names; telephone numbers and contact information; physical addresses and geographic location data (including latitude and longitude coordinates); business ratings, review counts, and review content; business categories and classifications; operating hours and status; website URLs; photographs and imagery; and place identifiers. This data originates from Google and is subject to Google's Privacy Policy and the Google Maps Platform Terms of Service. We process this data as a controller for the purpose of providing our lead discovery service to you, and we may store, index, and organize this data within our systems in connection with your use of such features.
The Service utilizes browser-based client-side storage mechanisms, including but not limited to HTML5 localStorage, sessionStorage, and IndexedDB (collectively, "Local Storage"), to store certain data on your device for the purposes of enhancing application performance, enabling offline functionality, preserving user preferences and session state, caching frequently accessed data, and reducing server-side data retrieval latency. The categories of data stored in Local Storage may include: user interface preferences and configuration settings; email composition history and draft data; lead notes and annotations; session authentication tokens and refresh tokens; cached lead data and list data; notification preferences; feature flag states; and other operational data necessary for the proper functioning of the Service. Data stored in Local Storage resides on your device and is not transmitted to our servers unless explicitly synced to your account through the Service's synchronization mechanisms or unless such transmission is necessary for the provision of the Service's functionality.
When you contact us for customer support, submit feedback, report issues, or otherwise communicate with us through any channel (including email, in-application messaging, or any other communication medium), we collect and retain the content of such communications, your contact information, and any metadata associated with the communication, including timestamps, communication channel identifiers, and reference numbers. This data is processed for the purposes of responding to your inquiries, resolving issues, improving our support processes, and maintaining records of our communications as may be required by applicable law.
In addition to data collected directly from you or from third-party sources, we may generate, derive, or infer additional data points through computational analysis, statistical modeling, algorithmic processing, or machine learning techniques applied to the data categories described above. Such inferred and derived data may include, without limitation: user behavior patterns and usage trends; feature adoption and engagement scores; predicted user preferences and interests; performance benchmarks and comparative analytics; lead quality scores and conversion probability estimates; churn risk indicators; and other analytical outputs. Inferred and derived data is used solely for the purposes of improving the Service, providing personalized experiences, generating analytics and insights, and supporting our legitimate business interests in product development and optimization.
In accordance with Article 6 of the GDPR, Article 6 of the UK GDPR, and analogous provisions of other applicable data protection legislation, we process your Personal Data only where we have a valid lawful basis for doing so. The lawful bases upon which we rely for each category of Processing activity are set forth below. Where we rely on more than one lawful basis for a particular Processing activity, each such basis independently and sufficiently justifies the Processing in question.
The Processing of your Personal Data is necessary for the performance of the contract between you and Kova Systems (i.e., the Terms of Service governing your use of the Service), or in order to take steps at your request prior to entering into such a contract. This lawful basis applies to the following Processing activities: creation and administration of your user account; authentication and authorization of your access to the Service; provision of the Service's core functionality, including lead management, call tracking, email composition, AI-powered features, list management, and analytics; processing of subscription payments and management of your billing relationship; provision of customer support; and any other Processing that is necessary for us to fulfill our contractual obligations to you or to provide the Service as described in our Terms of Service.
Certain Processing activities are carried out on the basis of our legitimate interests, or the legitimate interests of third parties, provided that such interests are not overridden by your fundamental rights and freedoms. We have conducted legitimate interest assessments ("LIAs") for each Processing activity relying on this lawful basis, and we have determined that the Processing is necessary for the purposes of such legitimate interests and that such interests are not overridden by the interests, rights, or freedoms of the Data Subject, taking into account the reasonable expectations of Data Subjects based on their relationship with us. The legitimate interests upon which we rely include: (a) improving, optimizing, and enhancing the Service and user experience; (b) developing new features, products, and services; (c) analyzing usage patterns and trends to inform product decisions; (d) ensuring the security, integrity, and availability of the Service; (e) preventing, detecting, and investigating fraud, abuse, security incidents, and other harmful or unauthorized activities; (f) enforcing our Terms of Service and other agreements; (g) maintaining internal business records and operational data; (h) conducting internal analytics and business intelligence; (i) communicating with you regarding service-related matters; and (j) establishing, exercising, or defending legal claims. You have the right to object to Processing based on legitimate interests at any time, as described in Section 17 of this Privacy Policy.
Where required by applicable law and where no other lawful basis applies, we will obtain your prior, freely given, specific, informed, and unambiguous Consent before Processing your Personal Data. Where Processing is based on Consent, you have the right to withdraw your Consent at any time, without affecting the lawfulness of Processing based on Consent before its withdrawal. Consent may be relied upon as the lawful basis for Processing in connection with: optional marketing communications (if any); optional participation in surveys, research, or beta programs; the Processing of any Sensitive Personal Data (to the extent collected); and any other Processing activity for which Consent is required under applicable law.
Certain Processing of your Personal Data is necessary for compliance with legal obligations to which Kova Systems is subject, including but not limited to: tax and financial reporting obligations; anti-money laundering and counter-terrorism financing requirements; record-keeping obligations under applicable commercial, tax, and corporate law; obligations to respond to lawful requests from judicial, regulatory, or law enforcement authorities; and any other legal obligations arising under the laws of jurisdictions in which we operate or in which the Service is accessed.
In exceptional circumstances, we may process your Personal Data where such Processing is necessary to protect the vital interests of you or another natural person, such as in emergency situations involving a threat to life or physical safety. We do not anticipate relying on this lawful basis in the ordinary course of the Service's operation, but we reserve the right to do so where circumstances warrant.
We process your Personal Data for the following specific, explicit, and legitimate purposes, and we do not further process your Personal Data in a manner that is incompatible with these purposes, except as permitted by applicable data protection legislation:
We do not sell, rent, lease, trade, or otherwise commercialize your Personal Data to or with third parties for their own independent marketing purposes, and we have not done so in the preceding twelve (12) months. We do not "sell" or "share" (as those terms are defined under the CCPA/CPRA) your Personal Information for cross-context behavioral advertising purposes. We disclose your Personal Data only in the circumstances described below, and only to the extent necessary for the purposes specified herein:
We engage certain trusted third-party service providers, vendors, and sub-processors to perform specific functions and services on our behalf and at our direction, which are necessary for the operation, maintenance, and delivery of the Service. These service providers are contractually bound by data processing agreements ("DPAs") that impose obligations on them with respect to the Processing of Personal Data, including obligations to: process Personal Data only on our documented instructions; ensure that personnel authorized to process Personal Data have committed themselves to confidentiality; implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; not engage another processor without our prior specific or general written authorization; assist us in fulfilling our obligations to respond to Data Subject requests; assist us in ensuring compliance with security, breach notification, impact assessment, and consultation obligations; delete or return all Personal Data to us at the end of the service relationship; and make available to us all information necessary to demonstrate compliance with their obligations. Our current categories of service providers and sub-processors include:
We may disclose your Personal Data to third parties if we believe in good faith that such disclosure is necessary or appropriate to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request, including but not limited to subpoenas, court orders, search warrants, national security letters, and other lawful requests from judicial, regulatory, or law enforcement authorities in any jurisdiction; (b) enforce our Terms of Service, this Privacy Policy, or other applicable agreements, policies, and guidelines, including investigation of potential violations thereof; (c) detect, prevent, investigate, or address fraud, security incidents, technical issues, or other illegal, harmful, or unauthorized activities; (d) protect the rights, property, safety, or security of Kova Systems, our users, our employees, or the public, as required or permitted by applicable law; or (e) establish, exercise, or defend legal claims. Where permitted by law, we will make reasonable efforts to notify you of any such disclosure before or promptly after it occurs, unless notification is prohibited by applicable law or would compromise an investigation or endanger an individual's safety.
In the event that Kova Systems undergoes or is involved in a merger, acquisition, consolidation, restructuring, reorganization, dissolution, sale of assets, financing, public offering of securities, change of control, insolvency, bankruptcy, receivership, assignment for the benefit of creditors, or any other business transfer, corporate transaction, or similar event (collectively, a "Business Transfer"), your Personal Data may be among the assets transferred, assigned, or disclosed in connection with such Business Transfer. In such circumstances, we will make reasonable efforts to ensure that the acquiring or successor entity agrees to be bound by the terms of this Privacy Policy or a privacy policy that is no less protective of your rights than this Privacy Policy. We will notify you via email to the address associated with your account and/or by posting a prominent notice on the Service of any Business Transfer that materially affects the handling of your Personal Data, and we will inform you of any choices you may have regarding your Personal Data in connection therewith.
We may share aggregated, de-identified, anonymized, or pseudonymized data that cannot reasonably be used to identify you with third parties for any lawful purpose, including but not limited to research, analytics, benchmarking, marketing, product development, and business intelligence. Such data may include aggregate usage statistics, aggregate performance metrics, aggregate feature adoption data, industry benchmarks, and other non-personally identifiable information derived from the Processing of Personal Data. We maintain technical and organizational safeguards to prevent the re-identification of de-identified or anonymized data, in accordance with the requirements of applicable data protection legislation. We commit to not attempting to re-identify de-identified data except as necessary to verify the effectiveness of our de-identification processes.
We may share your Personal Data with third parties where you have provided your prior, freely given, specific, informed, and unambiguous Consent to such sharing, or where you have directed us to share your data with a specific third party (for example, through the use of an integration, export feature, or sharing functionality within the Service).
Kova Systems operates globally and may transfer, store, and process your Personal Data in countries and jurisdictions other than the country in which you reside, including but not limited to the United States of America and other countries where our service providers, sub-processors, affiliates, and data center facilities are located. Some of these countries may not have data protection laws that are equivalent to or as comprehensive as the data protection laws of your country of residence, and in particular may not have been the subject of an adequacy decision by the European Commission, the United Kingdom Information Commissioner's Office, or other relevant supervisory authorities.
Where we transfer Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we rely on one or more of the following legally recognized transfer mechanisms to ensure that your Personal Data is afforded an adequate level of protection in accordance with applicable data protection legislation:
In accordance with the EDPB's guidance and the requirements established by the Court of Justice of the European Union in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, commonly referred to as "Schrems II"), we conduct transfer impact assessments ("TIAs") for international data transfers to evaluate: (a) the laws and practices of the destination country, particularly regarding government surveillance and access to data; (b) the effectiveness of the transfer mechanism relied upon; (c) the need for supplementary measures; and (d) the overall level of protection afforded to the transferred Personal Data. We maintain documentation of our TIAs and the conclusions reached therein, and we periodically review and update our TIAs to account for changes in the legal, regulatory, and factual circumstances of the destination countries.
We retain your Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy, and in accordance with our data retention policies and applicable legal requirements. The specific retention periods applicable to each category of Personal Data are determined based on the following criteria: the nature and sensitivity of the Personal Data; the purposes for which it is processed; the minimum retention period required or permitted by applicable law or regulation; the period during which legal claims could be brought or disputes could arise; our legitimate business interests in maintaining accurate records; and any other relevant factors.
Upon the expiration of the applicable retention period, or upon the receipt and verification of a valid deletion request from you (subject to applicable legal exceptions), your Personal Data will be permanently deleted, destroyed, or irreversibly anonymized in accordance with our data deletion and destruction procedures. Our deletion procedures include: the secure deletion of data from active databases, data warehouses, and file storage systems; the removal of data from backup and archival systems within a reasonable timeframe (not to exceed ninety (90) days from the date of deletion from active systems, accounting for the technical constraints of backup rotation schedules); the revocation of access to data by service providers and sub-processors; and the issuance of deletion instructions to service providers and sub-processors that hold copies of the data. We employ industry-standard data sanitization methods to ensure that deleted data cannot be recovered, reconstructed, or otherwise retrieved, including logical deletion through database record removal and, where applicable, cryptographic erasure through the destruction of encryption keys.
We implement and maintain a comprehensive information security program comprising technical, organizational, administrative, and physical safeguards designed to protect the confidentiality, integrity, availability, and resilience of your Personal Data against unauthorized access, use, disclosure, alteration, destruction, loss, or other unlawful or unauthorized forms of Processing. Our security measures are designed to provide a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Notwithstanding the comprehensive security measures described above, you acknowledge and agree that no method of electronic transmission over the Internet, no method of electronic storage, and no information security system is completely or unconditionally secure. While we strive to use commercially reasonable and industry-standard means to protect your Personal Data, we cannot guarantee its absolute security, and we expressly disclaim, to the fullest extent permitted by applicable law, any representation, warranty, or guarantee, whether express, implied, statutory, or otherwise, regarding the absolute security of your Personal Data or the security of any system or network used in connection with the Service. The transmission of information via the Internet is inherently subject to risks, and you acknowledge that you transmit your Personal Data to us at your own risk.
The Service primarily utilizes browser-based Local Storage mechanisms (including HTML5 localStorage and sessionStorage) for functional purposes, including maintaining session state, storing user preferences, caching application data, and enabling the Service's core functionality. The Service does not utilize traditional HTTP cookies for its own tracking or advertising purposes. However, third-party services integrated into the Service may set their own cookies in accordance with their respective privacy policies and cookie policies.
The Service loads scripts and resources from third-party services that may set cookies or utilize other tracking mechanisms on your device. Specifically:
The Service does not currently employ pixel tracking technologies (also known as "tracking pixels," "web beacons," "clear GIFs," or "pixel tags") for the purpose of tracking user behavior across third-party websites or for serving targeted advertising. In the event that we implement such technologies in the future, we will update this Privacy Policy accordingly and, where required by applicable law, obtain your Consent before deploying such technologies. You should be aware that emails sent through the Service may contain standard email tracking mechanisms if such functionality is enabled, and such mechanisms may record when an email is opened, the IP address from which the email was accessed, and whether links within the email were clicked.
The Service does not currently respond to "Do Not Track" ("DNT") signals transmitted by web browsers, as there is no universally accepted standard for how DNT signals should be interpreted and honored by websites and online services. In the event that a uniform standard for responding to DNT signals is established and adopted, we will reassess our practices and update this Privacy Policy accordingly. Notwithstanding the foregoing, as described in this Section 10, the Service does not engage in cross-site tracking or targeted advertising, and therefore the practical effect of DNT signals on the Service's behavior would be minimal.
We honor and process Global Privacy Control ("GPC") signals as opt-out preference signals where required by applicable law, including the CCPA/CPRA. When we detect a GPC signal from your browser, we will treat it as a valid request to opt out of the sale or sharing of Personal Information and the use of Personal Information for targeted advertising, to the extent such activities are conducted by the Service. You may learn more about GPC and how to enable it in your browser at globalprivacycontrol.org.
The Service collects and analyzes data regarding your interactions with and usage of the Service for the purposes of improving the user experience, identifying feature adoption patterns, diagnosing usability issues, optimizing application performance, and informing product development decisions. Behavioral analytics data may include: pages visited and features accessed within the Service; navigation paths and clickstream data; time spent on specific pages, features, or tasks; interaction patterns with user interface elements (such as clicks, scrolls, form interactions, and keyboard inputs); feature usage frequency and recency; session duration and frequency; and error encounters and recovery paths. This data is processed in aggregate and anonymized form wherever possible, and is not used for the purpose of serving targeted advertising or for making automated decisions that produce legal effects concerning you or similarly significantly affect you.
The Service employs certain forms of automated processing, including algorithmic analysis and computational evaluation, to provide its core functionality. These automated processing activities include, without limitation:
To the extent that any automated processing conducted by the Service constitutes "automated decision-making" or "profiling" within the meaning of Article 22 of the GDPR, Article 22 of the UK GDPR, or analogous provisions of other applicable data protection legislation, we ensure that: (a) such processing is necessary for the performance of a contract between you and us, or is based on your explicit Consent, or is authorized by applicable law; (b) suitable safeguards are in place, including the right to obtain human intervention, to express your point of view, and to contest the decision; and (c) no such processing is based solely on Sensitive Personal Data unless one of the conditions set forth in Article 9(2) of the GDPR is satisfied. You have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except as provided under applicable data protection legislation.
We may create, compile, and use aggregate data sets derived from the Personal Data collected through the Service. Aggregate data is data that has been combined, summarized, or otherwise processed in such a manner that it relates to a group or category of individuals rather than to any specific identifiable individual, and that cannot reasonably be used, either on its own or in combination with other data, to identify, contact, or locate any specific individual. We use aggregate data for various purposes, including: analyzing and reporting on usage trends and patterns; developing and improving the Service and its features; generating industry benchmarks and comparative analytics; conducting market research and business analysis; and producing reports and publications that describe aggregate usage of the Service. Aggregate data is not subject to the restrictions on disclosure set forth in Section 6 of this Privacy Policy, and we may share aggregate data with third parties for any lawful purpose.
Where we de-identify, anonymize, or pseudonymize Personal Data for analytical, statistical, research, or other purposes, we apply rigorous de-identification and anonymization procedures designed to ensure that the resulting data cannot reasonably be used to identify any individual, either on its own or in combination with other available data. Our de-identification procedures include, as applicable and as appropriate based on the nature of the data and the intended use:
In accordance with the principles of data minimization (Article 5(1)(c) of the GDPR) and purpose limitation (Article 5(1)(b) of the GDPR), and analogous principles under other applicable data protection legislation, we are committed to collecting only the minimum amount of Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, and to processing Personal Data only for the specific, explicit, and legitimate purposes for which it was collected, unless further processing for a different purpose is compatible with the original purpose of collection.
Our data minimization practices include: collecting only the data fields that are necessary for the relevant functionality; providing optional fields for data that is not strictly necessary; applying data minimization principles to the design and development of new features and functionality ("privacy by design and by default"); periodically reviewing the categories of data collected and processed to identify and eliminate unnecessary data collection; minimizing the scope of data shared with service providers and sub-processors to the minimum necessary for the performance of their services; and implementing technical measures to limit the retention of data beyond its required retention period.
Our purpose limitation practices include: documenting the specific purposes for each Processing activity in our records of Processing activities; conducting compatibility assessments before Processing Personal Data for a new purpose that is different from the original purpose of collection; obtaining your Consent before Processing your Personal Data for a purpose that is incompatible with the original purpose of collection, unless another lawful basis applies; and implementing technical and organizational measures to prevent the unauthorized use of Personal Data for purposes other than those for which it was collected.
In accordance with Article 35 of the GDPR, Article 35 of the UK GDPR, and analogous provisions of other applicable data protection legislation, we conduct Data Protection Impact Assessments ("DPIAs") for Processing operations that are likely to result in a high risk to the rights and freedoms of natural persons. DPIAs are conducted before the commencement of the relevant Processing activity and include: (a) a systematic description of the envisaged Processing operations and the purposes of the Processing, including, where applicable, the legitimate interest pursued by the Controller; (b) an assessment of the necessity and proportionality of the Processing operations in relation to the purposes; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data and to demonstrate compliance with applicable data protection legislation. We maintain documentation of our DPIAs and their outcomes, and we review and update DPIAs as necessary to account for changes in the nature, scope, context, or purposes of the relevant Processing operations.
DPIAs have been conducted or are conducted on an ongoing basis for, inter alia, the following Processing activities: the use of AI and machine learning services for content generation and analytical purposes; the processing of lead data obtained from third-party sources; the implementation of behavioral analytics and usage tracking features; international data transfers to jurisdictions that have not been the subject of an adequacy decision; the introduction of new features or functionality that involve the Processing of new categories of Personal Data or the use of new technologies; and any other Processing activities that, based on our assessment, are likely to result in a high risk to the rights and freedoms of Data Subjects.
In accordance with Article 30 of the GDPR, Article 30 of the UK GDPR, and analogous provisions of other applicable data protection legislation, we maintain comprehensive records of our Processing activities, which include: (a) the name and contact details of the Controller; (b) the purposes of the Processing; (c) a description of the categories of Data Subjects and of the categories of Personal Data; (d) the categories of recipients to whom the Personal Data have been or will be disclosed, including recipients in third countries or international organizations; (e) where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and the transfer mechanism relied upon; (f) where possible, the envisaged time limits for erasure of the different categories of data; and (g) where possible, a general description of the technical and organizational security measures implemented. Our records of Processing activities are maintained in written or electronic form and are made available to supervisory authorities upon request.
With respect to the Personal Data of Users of the Service, Kova Systems acts as the Controller, as we determine the purposes and means of the Processing of such Personal Data. As Controller, we are responsible for: determining the lawful basis for Processing; implementing appropriate technical and organizational measures to ensure and demonstrate that Processing is performed in accordance with applicable data protection legislation; maintaining records of Processing activities; conducting data protection impact assessments; notifying supervisory authorities and Data Subjects of personal data breaches; and fulfilling Data Subject rights requests.
With respect to certain categories of data that Users input into, upload to, or create through the Service (including, for example, lead data pertaining to third-party businesses and individuals that Users manage within the Service), Kova Systems may act as a Processor, processing such data on behalf of and under the instructions of the User, who acts as the Controller with respect to such data. In such cases, the relationship between Kova Systems as Processor and the User as Controller is governed by a Data Processing Agreement ("DPA"), which may be requested by contacting us at the email address set forth in Section 2 of this Privacy Policy. As Processor, we process such data only in accordance with the documented instructions of the Controller (the User), unless we are required to process the data by applicable law, in which case we will inform the Controller of that legal requirement before Processing, unless the law prohibits such notification.
In certain limited circumstances, Kova Systems and one or more third parties may act as Joint Controllers with respect to the Processing of certain categories of Personal Data, where Kova Systems and such third parties jointly determine the purposes and means of the Processing. In such cases, we will enter into a Joint Controller arrangement in accordance with Article 26 of the GDPR, which will set forth the respective responsibilities of each Joint Controller for compliance with data protection obligations, including the exercise of Data Subject rights and the provision of privacy information. The essence of such arrangements will be made available to Data Subjects upon request. As of the date of this Privacy Policy, we have not entered into any Joint Controller arrangements with third parties in connection with the Service.
Depending on your location and the applicable data protection legislation, you may have certain rights with respect to your Personal Data. We are committed to facilitating the exercise of your rights in a timely, transparent, and accessible manner. The rights described below may be subject to certain limitations and exceptions as provided under applicable law. To exercise any of the rights described below, please contact us using the contact information set forth in Section 2 of this Privacy Policy. We may require you to verify your identity before processing your request, to ensure that we do not disclose or delete Personal Data belonging to another individual.
You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to the Personal Data and the following information: the purposes of the Processing; the categories of Personal Data concerned; the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations; where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request rectification, erasure, restriction of Processing, or to object to Processing; the right to lodge a complaint with a supervisory authority; where the Personal Data are not collected from you, any available information as to their source; and the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you. We shall provide a copy of the Personal Data undergoing Processing, in a commonly used electronic format, free of charge, unless the request is manifestly unfounded or excessive.
You have the right to obtain from us, without undue delay, the rectification of inaccurate Personal Data concerning you. Taking into account the purposes of the Processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
You have the right to obtain from us the erasure of Personal Data concerning you without undue delay where one of the following grounds applies: the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw your Consent on which the Processing is based and where there is no other legal ground for the Processing; you object to the Processing pursuant to Article 21(1) or Article 21(2) of the GDPR and there are no overriding legitimate grounds for the Processing; the Personal Data have been unlawfully processed; the Personal Data have to be erased for compliance with a legal obligation; or the Personal Data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR. This right is not absolute and may be subject to exceptions as provided under applicable law, including where Processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for archiving purposes in the public interest.
You have the right to obtain from us the restriction of Processing where one of the following applies: the accuracy of the Personal Data is contested by you, for a period enabling us to verify the accuracy of the Personal Data; the Processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead; we no longer need the Personal Data for the purposes of the Processing, but they are required by you for the establishment, exercise, or defense of legal claims; or you have objected to Processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override yours.
You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, where the Processing is based on Consent or on a contract, and the Processing is carried out by automated means. In exercising your right to data portability, you have the right to have the Personal Data transmitted directly from us to another controller, where technically feasible.
You have the right to object, on grounds relating to your particular situation, at any time to the Processing of Personal Data concerning you which is based on Article 6(1)(e) or Article 6(1)(f) of the GDPR, including Profiling based on those provisions. We shall no longer process the Personal Data unless we demonstrate compelling legitimate grounds for the Processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Where Personal Data are processed for direct marketing purposes, you have the right to object at any time to the Processing of Personal Data concerning you for such marketing, which includes Profiling to the extent that it is related to such direct marketing.
You have the right not to be subject to a decision based solely on automated processing, including Profiling, which produces legal effects concerning you or similarly significantly affects you, except where the decision: is necessary for entering into, or performance of, a contract between you and us; is authorized by applicable law; or is based on your explicit Consent. In cases where automated decision-making is permitted, you have the right to obtain human intervention, to express your point of view, and to contest the decision.
Where Processing is based on your Consent, you have the right to withdraw your Consent at any time, without affecting the lawfulness of Processing based on Consent before its withdrawal. You may withdraw your Consent by contacting us using the contact information set forth in Section 2 of this Privacy Policy, or through any other mechanism made available within the Service for this purpose.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the Processing of Personal Data relating to you infringes the GDPR, the UK GDPR, or other applicable data protection legislation.
This section provides additional information and disclosures required under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA/CPRA"), for California residents ("Consumers"). This section supplements, and should be read in conjunction with, the other sections of this Privacy Policy. In the event of a conflict between this section and another section of this Privacy Policy with respect to the rights of California residents, this section shall control.
In the preceding twelve (12) months, we have collected the following categories of Personal Information (as defined by the CCPA/CPRA) from Consumers:
We collect and use the categories of Personal Information identified above for the business and commercial purposes described in Section 5 of this Privacy Policy.
We collect Personal Information from the following categories of sources: directly from the Consumer; automatically from the Consumer's device and interactions with the Service; from our service providers and business partners; and from publicly available sources (including the Google Maps Platform).
We do not "sell" Personal Information as that term is defined under the CCPA/CPRA. We do not "share" Personal Information for cross-context behavioral advertising purposes as defined under the CCPA/CPRA. In the preceding twelve (12) months, we have disclosed Personal Information to the following categories of third parties for business purposes: our cloud infrastructure providers; our authentication service providers; our payment processing provider (Stripe); our AI service providers; the Google Maps Platform; and our hosting and content delivery providers.
As a California resident, you have the following rights under the CCPA/CPRA, subject to verification and applicable exceptions:
To exercise your rights under the CCPA/CPRA, you or your authorized agent may submit a verifiable consumer request to us by contacting us at privacy@kovasystems.app. We will respond to verifiable consumer requests within forty-five (45) calendar days of receipt, unless we require additional time (up to an additional forty-five (45) calendar days), in which case we will notify you of the extension and the reasons therefor. We are not required to respond to requests from a Consumer more than twice in a twelve (12) month period.
We do not currently offer any financial incentive programs, price or service differences, or loyalty programs that involve the collection, retention, or use of Personal Information in a manner that would require disclosure under the CCPA/CPRA. In the event that we offer such programs in the future, we will provide the required disclosures in this Privacy Policy or in separate program-specific notices.
We retain each category of Personal Information for the periods described in Section 8.1 of this Privacy Policy, which have been determined based on the criteria described in Section 8.
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Minnesota, or Maryland, you may have additional rights under your state's data privacy legislation, which may include, subject to applicable exceptions and verification procedures:
To exercise your rights under applicable state privacy legislation, please contact us at privacy@kovasystems.app. If we deny your request, you may appeal our decision by contacting us at the same address with the subject line "Privacy Rights Appeal," and we will respond to your appeal within the timeframe prescribed by applicable law.
If you are a resident of the European Economic Area or the United Kingdom, you have the rights described in Section 17 of this Privacy Policy, which are provided under the GDPR and UK GDPR, respectively. In addition to the information provided elsewhere in this Privacy Policy, we provide the following additional information required under the GDPR and UK GDPR:
If you are a resident of Canada, your Personal Information is subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA") and/or applicable provincial privacy legislation. Under PIPEDA and applicable provincial legislation, you have the right to: access your Personal Information held by us; challenge the accuracy and completeness of your Personal Information and have it amended as appropriate; and withdraw your consent to the collection, use, or disclosure of your Personal Information, subject to legal or contractual restrictions and reasonable notice. To exercise these rights, please contact us at privacy@kovasystems.app. If you are not satisfied with our response to your inquiry or complaint, you may contact the Office of the Privacy Commissioner of Canada or the applicable provincial privacy commissioner.
If you are a resident of Australia, the Processing of your Personal Data is subject to the Australian Privacy Act 1988 and the Australian Privacy Principles ("APPs"). If you are a resident of New Zealand, the Processing of your Personal Data is subject to the New Zealand Privacy Act 2020 and the Information Privacy Principles. Under these frameworks, you have rights to access and correct your Personal Data, and to make complaints regarding our handling of your Personal Data. Australian residents may contact the Office of the Australian Information Commissioner (OAIC) if they are not satisfied with our response to a complaint. New Zealand residents may contact the Office of the Privacy Commissioner. To exercise your rights, please contact us at privacy@kovasystems.app.
If you are a resident of Brazil, the Processing of your Personal Data is subject to Brazil's Lei Geral de Protecao de Dados ("LGPD"). Under the LGPD, you have the right to: confirmation of the existence of Processing; access to your Personal Data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the LGPD; portability of data to another service or product provider; deletion of data processed with your consent; information about public and private entities with which your data has been shared; information about the possibility of denying consent and the consequences thereof; and revocation of consent. To exercise your rights under the LGPD, please contact us at privacy@kovasystems.app.
We maintain a documented incident response plan that establishes procedures for the detection, assessment, containment, remediation, and reporting of personal data breaches and security incidents affecting the confidentiality, integrity, or availability of Personal Data. Our incident response procedures include:
The Service may incorporate, load, or interact with third-party software development kits ("SDKs"), JavaScript libraries, application programming interfaces ("APIs"), and other software components provided by third parties. These third-party components may collect, process, or transmit data independently of our direct control, subject to their own privacy policies, terms of service, and data handling practices. We exercise commercially reasonable due diligence in selecting and vetting third-party components and require that such components comply with applicable data protection legislation and our data processing standards. However, we are not responsible for the privacy practices, data collection activities, or data handling procedures of third-party SDK, library, or API providers. The categories of third-party components currently integrated into or utilized by the Service include:
We periodically review the third-party components used in the Service to assess their compliance with applicable data protection requirements and to evaluate whether they continue to be necessary for the provision of the Service's functionality. We encourage you to review the privacy policies and terms of service of any third-party services with which you interact through or in connection with the Service.
Where Kova Systems transfers Personal Data across national borders to service providers, sub-processors, or affiliates located in jurisdictions that have not been the subject of an adequacy decision by the relevant data protection authority, we ensure that appropriate safeguards are in place to protect the transferred Personal Data in accordance with applicable data protection legislation. As described in Section 7 of this Privacy Policy, we primarily rely on Standard Contractual Clauses ("SCCs") approved by the European Commission, as supplemented by the UK International Data Transfer Addendum where applicable, as the legal mechanism for such transfers. We maintain executed copies of SCCs with all relevant service providers and sub-processors, and we conduct periodic reviews to ensure that such agreements remain current and effective. In the event that we establish or join a corporate group structure, we may adopt Binding Corporate Rules ("BCRs") as an additional or alternative transfer mechanism, subject to approval by the competent supervisory authority. Information regarding the specific transfer mechanisms employed for any particular data transfer is available upon request by contacting us at privacy@kovasystems.app.
The Service is a business-to-business sales platform designed and intended exclusively for use by adults who are at least eighteen (18) years of age, or the age of legal majority in their jurisdiction, whichever is greater. The Service is not designed for, directed to, or intended to attract children under the age of eighteen (18), or under such other age as may be specified by applicable law (including sixteen (16) in certain EEA jurisdictions and thirteen (13) under the U.S. Children's Online Privacy Protection Act ("COPPA")). We do not knowingly collect, solicit, request, or process Personal Data from children under the applicable age threshold. If we become aware that we have inadvertently collected Personal Data from a child under the applicable age threshold without verified parental consent, we will take prompt steps to delete such data from our systems and to terminate any account associated with such child. If you are a parent or guardian and you believe that your child has provided us with Personal Data without your consent, please contact us immediately at privacy@kovasystems.app, and we will take appropriate action to investigate and address your concerns.
The Service may contain hyperlinks, references, or integrations to third-party websites, applications, platforms, and services that are not operated, controlled, or maintained by Kova Systems (collectively, "Third-Party Services"). The inclusion of any hyperlink to or integration with a Third-Party Service does not imply our endorsement, affiliation, sponsorship, or recommendation of such Third-Party Service or its content, products, services, or privacy practices. This Privacy Policy applies solely to the Processing of Personal Data by Kova Systems in connection with the Service and does not apply to the practices of any Third-Party Services. We are not responsible for the content, privacy policies, data collection practices, security measures, or other practices of any Third-Party Services, and we strongly encourage you to review the privacy policies and terms of service of any Third-Party Services before providing any Personal Data to them or allowing them to collect data from your device or browser. Your interactions with Third-Party Services are governed solely by the terms and policies of such Third-Party Services, and any data you provide to or that is collected by Third-Party Services is subject to their respective privacy policies.
We reserve the right to modify, amend, revise, supplement, or replace this Privacy Policy at any time, at our sole and absolute discretion, subject to applicable legal requirements regarding notification. When we make changes to this Privacy Policy, we will update the "Last updated" date at the top of this page. If we make material changes that substantially affect our privacy practices or your rights under this Privacy Policy, we will provide you with additional notice, which may include: posting a prominent notice on the Service; sending a notification to the email address associated with your account; displaying an in-application notification or banner; or taking such other steps as we deem reasonably necessary to inform you of the changes. We encourage you to review this Privacy Policy periodically to stay informed about our data handling practices. Your continued use of the Service following the posting of any changes to this Privacy Policy shall constitute your acknowledgment of such changes and your agreement to the updated terms, to the extent permitted by applicable law. Where applicable law requires your affirmative Consent to material changes in our privacy practices, we will obtain such Consent before implementing the relevant changes.
If any provision, clause, or sub-clause of this Privacy Policy is held to be invalid, illegal, void, or unenforceable by a court of competent jurisdiction or other adjudicative body, such invalidity, illegality, voidness, or unenforceability shall not affect any other provision, clause, or sub-clause of this Privacy Policy, and the remainder of this Privacy Policy shall continue in full force and effect as if such invalid, illegal, void, or unenforceable provision, clause, or sub-clause had not been included herein. To the extent permitted by applicable law, the invalid, illegal, void, or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its original intent, or, if such modification is not possible, it shall be deemed severed from this Privacy Policy without affecting the validity and enforceability of the remaining provisions.
This Privacy Policy, and any disputes arising out of or relating to this Privacy Policy or the Processing of your Personal Data, shall be governed by and construed in accordance with the laws applicable to the jurisdiction in which you reside, to the extent that such laws mandate their application to the Processing of your Personal Data, without regard to conflict of law principles. Nothing in this Privacy Policy shall limit or exclude any rights that you may have under mandatory applicable data protection legislation in your jurisdiction of residence, including the GDPR, the UK GDPR, the CCPA/CPRA, or any other applicable data protection legislation that provides for mandatory consumer or data subject protections that cannot be waived or limited by contract.
This Privacy Policy is drafted in the English language. In the event that this Privacy Policy is translated into any other language, the English language version shall prevail in the event of any inconsistency, ambiguity, or conflict between the English language version and any translated version, except where applicable law requires that the translated version prevail.
This Privacy Policy, together with any supplementary privacy notices, data processing agreements, cookie policies, and other privacy-related documents referenced herein or made available through the Service, constitutes the entire and exclusive statement of our privacy practices with respect to the Processing of your Personal Data in connection with the Service, and supersedes all prior and contemporaneous representations, understandings, statements, and agreements, whether written or oral, with respect to the subject matter hereof.
If you have any questions, concerns, comments, requests, or complaints regarding this Privacy Policy, our data handling practices, or the exercise of your data protection rights, please do not hesitate to contact us through the following channels:
Email: privacy@kovasystems.app
Website: kovasystems.app
We are committed to resolving any privacy-related concerns in a fair, timely, and transparent manner. If you are not satisfied with our response to your inquiry or complaint, you may have the right to escalate your complaint to the relevant data protection supervisory authority in your jurisdiction, as described in Section 17.9 of this Privacy Policy. We will cooperate fully with the relevant supervisory authority in the investigation and resolution of any complaint.
We take our obligations under applicable data protection legislation seriously and are dedicated to maintaining the trust you place in us by entrusting us with your Personal Data. We appreciate your taking the time to read this Privacy Policy in its entirety, and we welcome your feedback on how we can improve our privacy practices.