kova
Legal

Privacy Policy

Last updated: 12 February 2026

1. Controller

The data controller responsible for the processing of your personal data is:

Kova SA
Geneva, Switzerland
privacy@kovagent.com

This Privacy Policy applies to all personal data collected through our website (kovagent.com), our software platform, and any related services (collectively, "Services").

2. Legal Framework

We process personal data in accordance with:

  • The Swiss Federal Act on Data Protection (FADP/DSG), as revised 1 September 2023.
  • The Ordinance on Data Protection (DPO/DSV).
  • The EU General Data Protection Regulation (GDPR), where applicable to data subjects in the European Economic Area.

3. Data We Collect

3.1 Website Visitors

When you visit our website, we may collect:

  • Technical data — IP address, browser type, operating system, screen resolution, referring URL, pages visited, and timestamps.
  • Cookies and similar technologies — See Section 9 below.

3.2 Contact and Inquiries

When you contact us or submit a form:

  • Contact data — Name, email address, phone number, company name, and job title.
  • Communication content — The content of your messages and any files you attach.

3.3 Clients and Platform Users

When you use our Services:

  • Account data — Name, email, role, organization, and authentication credentials.
  • Usage data — Feature usage, Agent interactions, performance metrics, and log files.
  • Client Data — Data you provide to or process through our Agents (emails, documents, files). We process this data solely on your behalf as a data processor.

3.4 Data We Do Not Collect

We do not knowingly collect sensitive personal data (health data, biometric data, political opinions, religious beliefs, etc.) unless explicitly agreed in a Data Processing Agreement. We do not collect data from minors under the age of 18.

4. Purposes and Legal Bases

PurposeLegal Basis
Providing and maintaining our ServicesContract performance
Processing inquiries and demo requestsPre-contractual measures / Legitimate interest
Improving the Services and developing new featuresLegitimate interest
Analytics and website optimizationLegitimate interest / Consent
Compliance with legal obligationsLegal obligation
Security and fraud preventionLegitimate interest
Marketing communications (with consent)Consent

5. Data Sharing

We may share personal data with:

  • Service providers — Hosting providers, analytics tools, and communication platforms that process data on our behalf under written agreements.
  • Professional advisors — Legal, accounting, and auditing firms as necessary.
  • Regulatory authorities — When required by law, regulation, or legal process.

We do not sell personal data to third parties. We do not use Client Data for advertising purposes.

6. International Data Transfers

Your data is primarily stored and processed in Switzerland, which is recognized by the European Commission as providing an adequate level of data protection.

Where we transfer data outside of Switzerland or the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and recognized under Swiss law.
  • Adequacy decisions by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the European Commission.
  • Binding Corporate Rules (BCRs) where applicable.

7. Data Retention

  • Website analytics data — 26 months.
  • Contact and inquiry data — 2 years after last contact, unless a client relationship is established.
  • Client account data — Duration of the contractual relationship plus 10 years (Swiss commercial retention obligations under Art. 958f CO).
  • Client Data processed by Agents — Retained only for the duration necessary to provide the Services. Deleted within 30 days of contract termination upon request.
  • Server logs — 90 days.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Access controls with role-based permissions and multi-factor authentication.
  • Regular security assessments and penetration testing.
  • Incident response procedures with notification within 72 hours of becoming aware of a data breach, in accordance with Art. 24 FADP.
  • Employee confidentiality agreements and regular data protection training.

9. Cookies and Tracking

9.1 Types of Cookies

  • Essential cookies — Required for the website to function (session management, security tokens, theme preferences). No consent required.
  • Analytics cookies — Used to understand how visitors interact with the website. Set only with your consent.

9.2 Third-Party Services

We currently use minimal third-party services on our website:

  • Hosting — Vercel (data processed in the EU/Switzerland).
  • Fonts — Google Fonts (loaded from Google servers; IP address may be transmitted).

We do not use advertising trackers, social media pixels, or retargeting services.

9.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the website.

10. Your Rights

Under the FADP and, where applicable, the GDPR, you have the following rights:

  • Right of access — Request confirmation of whether we process your personal data and obtain a copy.
  • Right to rectification — Request correction of inaccurate personal data.
  • Right to erasure — Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction — Request limitation of processing in certain circumstances.
  • Right to data portability — Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object — Object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@kovagent.com. We will respond within 30 days.

11. Automated Decision-Making

Our AI Agents may process data to generate recommendations, summaries, and draft communications. These outputs are designed to assist human decision-making, not replace it. No automated decision with legal or similarly significant effects is made without human review.

If you believe an automated process has produced an incorrect result, you may request human review by contacting us.

12. Data Processing on Behalf of Clients

When we process Client Data through our Agents, we act as a data processor on your behalf. In this capacity:

  • We process Client Data solely according to your documented instructions.
  • We do not use Client Data for our own purposes (including AI model training) without your explicit written consent.
  • We enter into a Data Processing Agreement (DPA) with each client that specifies the scope, purpose, and duration of processing.
  • Sub-processors are engaged only with your prior notice and agreement, and are bound by equivalent data protection obligations.

13. Children

Our Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern, Switzerland
www.edoeb.admin.ch

If you are located in the EEA, you may also contact your local data protection authority.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or a prominent notice on our website. The "last updated" date at the top of this page reflects the most recent revision.

16. Contact

For any questions or requests related to this Privacy Policy or your personal data:

Kova SA
Geneva, Switzerland
privacy@kovagent.com

See also our Terms of Service.