Privacy Policy

KOVA

Privacy Policy

Effective Date: April 17, 2026

Last Updated: April 17, 2026

Kova ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Kova AI Trading Journal platform available at kovaapps.com and related applications (collectively, the "Service").

By creating an account or using the Service, you agree to the collection and use of your information as described in this Privacy Policy. This policy is incorporated into and forms part of our Terms of Service.

If you do not agree with this Privacy Policy, do not use the Service.

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

When you create an account or use the Service, we collect:

Email address — used for account creation, authentication, and communications.

Password — stored in encrypted form via Supabase authentication. We never store plain-text passwords.

Trade data — including entry/exit prices, symbols, position sizes, dates, P&L, strategy tags, emotions, stress levels, notes, and any other information you log in your journal.

Profile information — any optional profile details you choose to provide.

Support communications — emails or messages you send to support@kovaapps.com.

1.2 Information Collected Automatically

When you use the Service, we automatically collect certain technical information, including:

Device information — device type, operating system, browser type and version.

Usage data — pages visited, features used, clicks, session duration, and interaction patterns within the Service.

IP address — used for security, fraud prevention, and approximate geographic location.

Log data — server logs including access times, error logs, and request data.

Cookies and similar technologies — see Section 5 for full details.

1.3 Information from Third Parties

We may receive limited information from third-party services we integrate with:

Stripe — payment status, subscription tier, and billing history. We do not receive or store your full payment card details.

Supabase — authentication tokens and session information.

Analytics providers — aggregated usage and performance data if analytics tools are enabled.

1.4 Chart Images

When you use the Kova Signals feature, you may upload chart screenshots. These images are transmitted to one or more of our AI providers — Anthropic (for standard Kova Signals and AI Coach), and, when you request Kova Signals Pro, additionally OpenAI and Google (Gemini) for multi-model consensus analysis. Images are transmitted solely to generate responses for you and are not permanently stored by Kova beyond what is necessary to provide the Service and maintain a history of your signal requests within your account. Retention and processing by each AI provider are governed by their respective privacy policies.

2. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

2.1 To Provide and Operate the Service

Create and manage your account.

Process and display your trade journal entries.

Generate AI coaching responses, signals, and behavioral analytics based on your data.

Process subscription payments and manage billing.

Provide customer support and respond to your inquiries.

2.2 To Improve the Service

Analyze usage patterns to improve features and user experience.

Use aggregated, anonymized data for product research and development.

Debug technical issues and monitor Service performance.

We may use aggregated, de-identified, and anonymized data derived from Service usage for internal analytics, product research, and Service improvement. We do not currently use your individually identifiable trade data, chat messages, or chart images to train artificial intelligence models. If this practice changes in the future, we will update this Privacy Policy and notify affected users in advance.

2.3 To Communicate With You

Send transactional emails including account confirmations, password resets, and billing receipts.

Send service updates, security alerts, and important notices related to your account.

Send marketing and promotional communications about Kova features, offers, and updates — but only if you have opted in or where permitted by applicable law.

Send educational content, trading tips, and product announcements where you have not opted out.

2.4 For Marketing and Advertising

Use your email address and usage data to deliver targeted marketing communications from Kova.

Create anonymized audience segments for advertising purposes on third-party platforms such as Meta (Facebook/Instagram), Google, and similar platforms.

Use pixel tracking and similar technologies to measure the effectiveness of our advertising campaigns.

We do NOT sell your personal data to advertisers. We use your data only to market Kova's own products and services to you and to create anonymized lookalike audiences.

You may opt out of marketing communications at any time. See Section 8 for your rights and opt-out options.

2.5 For Legal and Security Purposes

Detect, prevent, and investigate fraud, abuse, and security incidents.

Enforce our Terms of Service and this Privacy Policy.

Comply with applicable legal obligations, court orders, and law enforcement requests.

Protect the rights, property, and safety of Kova, our users, and the public.

3. HOW WE SHARE YOUR INFORMATION

We do not sell your personal data. We share your information only in the following limited circumstances:

3.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service, subject to confidentiality agreements:

Supabase (supabase.com) — database hosting, user authentication, and data storage. Supabase servers are located in the United States.

Stripe (stripe.com) — payment processing. Stripe collects and processes your payment card information directly; we do not see or store your full card details.

Anthropic (anthropic.com) — AI processing for the AI Coach and Kova Signals features. Your chat messages, trade context, and uploaded chart images are transmitted to Anthropic to generate AI responses. Anthropic’s data handling is governed by its own privacy policy and enterprise data processing terms.

OpenAI (openai.com) — AI processing for Kova Signals Pro (multi-model consensus analysis). When you request a Kova Signals Pro analysis, your uploaded chart images and analysis prompts are transmitted to OpenAI. OpenAI’s data handling is governed by its own privacy policy.

Google (google.com) — AI processing for Kova Signals Pro (multi-model consensus analysis) via the Gemini API. When you request a Kova Signals Pro analysis, your uploaded chart images and analysis prompts are transmitted to Google. Google’s data handling is governed by its own privacy policy.

Vercel (vercel.com) — web hosting, serverless function execution, and content delivery. Vercel processes HTTP request and response data including IP addresses for purposes of operating the Service.

Email service providers — for transactional and marketing emails.

Analytics providers — for usage analytics (where applicable).

None of these providers are authorized to use your personal information for any purpose other than providing services to Kova under our instructions.

Chart images and trade data submitted through AI features may be transmitted to one or more of the AI providers listed above (Anthropic, OpenAI, and/or Google) depending on the specific feature used. By using the AI Coach or Kova Signals features, you acknowledge and consent to this transmission.

3.2 Advertising Platforms

For marketing purposes, we may share limited, anonymized data with advertising platforms including Meta (Facebook/Instagram) and Google to deliver targeted advertisements for Kova's services. This is done using hashed email addresses or anonymized audience data. We do not share your trade data, journal entries, or financial information with advertising platforms.

3.3 Business Transfers

If Kova is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

3.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements.

3.5 Protection of Rights

We may disclose your information when we believe disclosure is necessary to protect the rights, property, or safety of Kova, our users, or others, or to enforce our Terms of Service.

3.6 With Your Consent

We may share your information for any other purpose with your explicit consent.

4. DATA STORAGE AND SECURITY

4.1 Where Your Data Is Stored

Your data is stored on Supabase infrastructure, which uses servers located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

4.2 Security Measures

We implement industry-standard security measures to protect your data, including:

Encryption of data in transit using TLS/SSL.

Encryption of passwords using secure hashing algorithms.

Access controls limiting who within Kova can access user data.

Regular security monitoring and vulnerability assessments.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You use the Service at your own risk.

4.3 Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion or termination, we will retain your account data for up to thirty (30) calendar days to allow for account recovery or data export, after which your personal data will be deleted or anonymized, except where longer retention is required by law, necessary for fraud prevention, tax or accounting obligations, dispute resolution, or enforcement of our Terms of Service. Server logs containing IP addresses and access times are retained for up to twelve (12) months for security, fraud prevention, and legal compliance purposes. Payment records retained by our payment processor (Stripe) are governed by Stripe’s own retention practices. You may request expedited deletion at any time by emailing support@kovaapps.com with the subject line “Delete My Data.”

5. COOKIES AND TRACKING TECHNOLOGIES

5.1 What We Use

We and our third-party partners may use the following tracking technologies:

Session cookies — temporary cookies that expire when you close your browser, used to maintain your logged-in session.

Persistent cookies — cookies that remain on your device for a set period, used to remember your preferences.

Local storage — browser-based storage used to save session tokens and app preferences.

Pixel tags and web beacons — used in marketing emails and on our website to measure engagement and advertising effectiveness.

Analytics scripts — used to collect usage data about how the Service is used.

5.2 Third-Party Cookies

Third-party services we use, including Stripe, analytics providers, and advertising platforms, may set their own cookies on your device. We do not control these cookies. Please refer to the respective third-party privacy policies for more information.

5.3 Your Cookie Choices

Most browsers allow you to control cookies through their settings. You may disable cookies, but doing so may affect the functionality of the Service, including your ability to stay logged in. The cookies and tracking technologies we use fall into the following categories: (a) Strictly Necessary (authentication, session management, security) — these cannot be disabled without breaking Service functionality; (b) Functional (user preferences, settings persistence); (c) Analytics (usage measurement); and (d) Advertising (where applicable). You can opt out of interest-based advertising by visiting the Digital Advertising Alliance opt-out page at optout.aboutads.info or the Network Advertising Initiative at optout.networkadvertising.org. We honor Global Privacy Control (GPC) signals transmitted by your browser or browser extension as a valid request to opt out of the “sale” or “sharing” of personal information under California law (Cal. Civ. Code § 1798.135) and equivalent opt-out signals where legally recognized. If you are in the European Union, European Economic Area, or United Kingdom, we will seek your prior consent for non-essential cookies through a cookie consent mechanism in accordance with the ePrivacy Directive, UK PECR Regulations, and GDPR/UK GDPR.

6. CHILDREN'S PRIVACY

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at support@kovaapps.com.

7. INTERNATIONAL USERS

7.1 European Union Users — GDPR

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access — you may request a copy of the personal data we hold about you.

Right to Rectification — you may request correction of inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten") — you may request deletion of your personal data, subject to certain exceptions.

Right to Restriction of Processing — you may request that we limit how we use your data.

Right to Data Portability — you may request a copy of your data in a structured, machine-readable format.

Right to Object — you may object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent — where processing is based on consent, you may withdraw consent at any time.

Our legal bases for processing your data include: performance of a contract (providing the Service), legitimate interests (improving the Service and preventing fraud), compliance with legal obligations, and consent (for marketing communications).

To exercise your GDPR rights, contact us at support@kovaapps.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7.2 California Users — CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know — you may request disclosure of the categories and specific pieces of personal information we have collected about you.

Right to Delete — you may request deletion of your personal information, subject to certain exceptions.

Right to Opt-Out of Sale — we do not sell personal information as defined under CCPA.

Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise your CCPA/CPRA rights, contact us at support@kovaapps.com with the subject line “California Privacy Request.” We will respond within 45 calendar days (with a one-time 45-day extension if reasonably necessary, with notice). Although we do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act and California Privacy Rights Act, California residents may still submit a “Do Not Sell or Share My Personal Information” request at any time via the link provided in our website footer or by emailing support@kovaapps.com. You may also designate an authorized agent to make a request on your behalf; we may require verification of the agent’s authority and your identity before processing the request.

7.3 United Kingdom Users — UK GDPR and Data Protection Act 2018

If you are located in the United Kingdom, you have the same rights as EU users listed in Section 7.1 above, as provided by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You may also lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk. Our legal bases for processing are the same as listed in Section 7.1.

7.4 Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Florida (FDBR), Oregon (OCPA), Montana (MCDPA), Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, and Maryland have the following rights under their respective state privacy laws: (a) right to know or access your personal data; (b) right to correct inaccurate personal data; (c) right to delete personal data; (d) right to data portability; (e) right to opt out of the sale of personal data, targeted advertising, and profiling with legal or similarly significant effects; and (f) right to appeal a denied request. To exercise these rights, email support@kovaapps.com with the subject line indicating your state (e.g., “Virginia Privacy Request”). We will respond within 45 days (with extensions permitted under applicable law). We do not engage in the “sale” of personal data as defined under these laws, nor do we conduct profiling with legal or similarly significant effects on users.

7.5 Canadian Users — PIPEDA and Quebec Law 25

If you are located in Canada, our processing of your personal information is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Act Respecting the Protection of Personal Information in the Private Sector (Law 25). You have rights of access, correction, and withdrawal of consent. You may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d’accès à l’information du Québec (cai.gouv.qc.ca). To exercise your rights, email support@kovaapps.com with the subject line “Canadian Privacy Request.”

7.6 Brazilian Users — LGPD

If you are located in Brazil, your personal information is processed in accordance with Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13.709/2018). You have rights of confirmation, access, correction, anonymization, blocking, deletion, portability, and information about sharing. You may contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd. To exercise your rights, email support@kovaapps.com with the subject line “Brazil LGPD Request.”

7.7 Australian Users

If you are located in Australia, our processing of your personal information is subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs). You have rights of access and correction. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. To exercise your rights, email support@kovaapps.com with the subject line “Australia Privacy Request.”

7.8 International Data Transfers

Kova is based in the United States and our infrastructure and service providers are primarily located in the United States. When you use the Service from outside the United States, your personal data will be transferred to and processed in the United States and potentially in other countries where our service providers operate. For transfers of personal data from the European Union, European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the following lawful transfer mechanisms as applicable: (a) the EU Standard Contractual Clauses (SCCs) adopted by the European Commission in Decision (EU) 2021/914; (b) the UK International Data Transfer Addendum or the International Data Transfer Agreement issued by the UK Information Commissioner; (c) the EU-U.S. Data Privacy Framework or UK-U.S. Data Bridge, where our processors are certified; and (d) your explicit consent or contract performance where permitted under GDPR Article 49. You may request a copy of the relevant data transfer mechanism by emailing support@kovaapps.com.

7.9 Other International Users

If you are located outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. Data protection laws in the United States may differ from those in your country. By using the Service, you consent to this transfer and processing.

8. YOUR RIGHTS AND CHOICES

8.1 Account Information

You may review and update your account information at any time through your account settings or by contacting support@kovaapps.com.

8.2 Marketing Communications

You may opt out of marketing and promotional emails at any time by:

Clicking the "unsubscribe" link in any marketing email we send.

Contacting us at support@kovaapps.com with the subject line "Unsubscribe."

Please note that even if you opt out of marketing emails, we may still send you transactional and service-related communications, such as billing receipts, password resets, and important account notices.

8.3 Data Deletion

You may request deletion of your account and personal data by contacting support@kovaapps.com. We will process your request within a reasonable time. Please note that we may retain certain data as required by law or for legitimate business purposes such as fraud prevention and dispute resolution.

8.4 Data Portability

You may export your trade journal data in CSV format directly from the Service using the Export feature. For additional data export requests, contact support@kovaapps.com.

8.5 Do Not Track and Global Privacy Control

Some browsers offer a “Do Not Track” (DNT) signal. Because there is no industry consensus on how to respond to DNT signals, we do not currently respond to DNT. However, we do honor Global Privacy Control (GPC) signals transmitted by your browser or browser extension as a valid request to opt out of the “sale” or “sharing” of personal information in jurisdictions where such signals are legally recognized (including California under CPRA).

8.6 Automated Decision-Making and Profiling

The Service uses artificial intelligence and automated analysis to generate coaching responses, signals, behavioral analytics, and reports based on the data you provide. These outputs are for educational and informational purposes only, are not the result of profiling with legal or similarly significant effects, and do not result in automated decisions concerning you within the meaning of Article 22 of the GDPR or equivalent provisions in other laws. All substantive decisions regarding your account, subscription, eligibility, or access to the Service are made by humans at Kova, not by automated means alone. You are entitled to express your point of view, contest any such decision, and obtain human review by contacting support@kovaapps.com.

9. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link does not constitute endorsement by Kova.

10. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes (including changes to the categories of data we collect, the purposes for which we process it, the third parties with whom we share it, or users’ rights), we will provide at least thirty (30) calendar days advance notice before the changes take effect by:

Sending an email to the address associated with your account.

Displaying a prominent notice within the Service.

Non-material changes may take effect immediately upon posting. The updated policy will indicate the date of the most recent revision at the top of the document. Where applicable law requires your express consent for particular changes, we will obtain that consent before the changes take effect. Your continued use of the Service after the effective date of material changes constitutes your acceptance of those changes. If you do not agree with the updated policy, you must stop using the Service.

11. DATA BREACH NOTIFICATION

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR and UK GDPR; (b) notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by Article 34 of the GDPR, UK GDPR, and equivalent state and national laws (including U.S. state breach notification statutes); and (c) document all breaches and our response in accordance with applicable law. Our incident response procedures include identification, containment, investigation, notification, and remediation. You should report any suspected security vulnerability or unauthorized access to support@kovaapps.com with the subject line “Security Incident” as soon as possible.

12. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Kova AI Trading Journal

Email: support@kovaapps.com

Website: kovaapps.com

Commonwealth of Massachusetts, United States

For GDPR-specific requests, CCPA requests, or data deletion requests, please include the relevant subject line in your email for prompt handling.

By using Kova, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein.